
Hijack of epic proportions!!!

Discussion in 'Networking & Security' started by Steevo, Dec 16, 2011.

  1. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,107 (2.55/day)
    Thanks Received:
    1,123
    Dear fellow TPUers.


    I just spent yesterday cleaning a system at work from a Java exploit that resulted in a very serious infection that AVG failed to catch; MSE, Malwarebytes, Blacklight, Sophos, Combofix, and many others failed to remove the infection as well.


    The symptoms were browser redirects, fake system issues, closing programs, hiding all files on the HDD, removing all administrative tools and ending their processes when launched, BSODs from thread/memory hijacks when other rootkit tools were run, system lockup, and full CPU utilization; it also infected the boot sector of the hard drive and rendered the system unable to boot cleanly even in safe mode to run any tools.


    Infection started from the one Java exploit as an installer that managed to get a rootkit in; the rootkit then downloaded a remote control trojan, system event fake hijackers, and damaging software.


    Please uninstall all instances of Java (http://www.java.com/en/download/index.jsp) and update if you need to run Java. Java is evil, I know this, you know this. We need it for work.

    Please download the following tools.

    http://support.kaspersky.com/faq/?qid=208283363 TDSS Killer, anti-rootkit. If you do happen to get infected, you must rename the extracted file on a USB stick, insert it, and run it as soon as possible, as the new variant it catches will check the signature of this file and prevent its launch, even when launched from a system-level account from the registry on boot.

    http://www.bleepingcomputer.com/download/anti-virus/combofix Combofix: it will clean up the effects of the infection plus any remaining secondary infections that make it past anti-virus or anti-malware.

    Malwarebytes, as if you shouldn't have a clean copy of this somewhere on a CD or non-writeable media.

    Hijackthis, see above. If you are unsure how to use it you can get a log and post that using a USB stick to transfer it.




    The best practice with any infection is immediate isolation of the infected machine, as in physically unplugging the network cable, turning off the switch for wifi, or powering down any access point, to limit any secondary infections or transfer of data. Once the machine is clean, do a full system scan with each tool and a test of active connections to and from it with a firewall or any modern router to make sure nothing is left to phone home.


    Please update all anti-virus signatures and run at least a malware/rootkit scan once a month. For those without anti-virus, get some. There are many free versions, and your belief that you are immune or that you would "know" is worthless.

    Avast
    MSE
    AVG

    There are at least three well known free anti-virus products that are easy to use, and little to no maintenance is required.



    ******************************************************


    Attached is a removal tool that can be copied to a USB stick and it must be copied to the C:\ drive and extracted there.


    Extract the zip file after copying by double clicking, then inside the extracted folder double click the "fixit.reg" file to add a RunOnce line to the registry for the next boot, which then runs a .bat file that renames the anti-rootkit tool and then runs it. Alternatively, you may double click the bat file and see if it runs.


    This removes the ZeroAccess rootkit among others; however, the damage done by some of the secondary infections will still be present, so please download and run the above-mentioned tools to help the cleanup, and include them on the USB stick to prevent recurring infection after running this tool.

    ******************************************************************


    Neither I, nor techpowerup nor its members, are responsible for any damages from fixing your computer, so if after running this you are still infected, have issues, or decide to kill your dog or family, that's your problem.

    Attached Files:

    Last edited: Dec 17, 2011
    stinger608, SaiZo, DannibusX and 4 others say thanks.
    10 Million points folded for TPU
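One way to build the RunOnce-plus-rename launcher the post describes, as an added example written for this thread; it is not the attachment from the original post. It assumes the extracted anti-rootkit tool sits at C:\fixit\tdsskiller.exe and uses the value name FixRootkit, both assumptions.

```batch
@echo off
REM Example launcher for this thread, NOT the original attachment.
REM Assumptions: tool at C:\fixit\tdsskiller.exe, value name FixRootkit.
REM Run once as Administrator; pass "scan" to skip the RunOnce step.
setlocal
set "WORKDIR=C:\fixit"
set "TOOL=%WORKDIR%\tdsskiller.exe"

REM Writing under HKLM and scanning for rootkits both need elevation;
REM "net session" fails with a non-zero exit code when not elevated.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run as Administrator.
    exit /b 1
)

if "%~1"=="scan" goto :scan

REM Register this script under RunOnce so it executes on the next boot
REM (RunOnce entries are removed by Windows after they run).
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" ^
    /v FixRootkit /t REG_SZ /d "\"%~f0\" scan" /f
if errorlevel 1 (
    echo Could not write the RunOnce entry.
    exit /b 1
)
echo RunOnce entry written. Reboot, or run "%~nx0 scan" now.
exit /b 0

:scan
if not exist "%TOOL%" (
    echo Anti-rootkit tool not found at %TOOL%
    exit /b 1
)
REM Random name plus .com extension: a check keyed on the tool's
REM usual file name never matches (the workaround the post describes).
set "NEWNAME=%RANDOM%%RANDOM%.com"
ren "%TOOL%" "%NEWNAME%"
if errorlevel 1 (
    echo Rename failed.
    exit /b 1
)
"%WORKDIR%\%NEWNAME%"

REM Snapshot active connections for the "nothing left to phone home"
REM check; compare the file against the firewall or router log.
netstat -ano > "%WORKDIR%\connections-after-scan.txt"
endlocal
```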
  2. Cold Storm

    Cold Storm Battosai

    Joined:
    Oct 7, 2007
    Messages:
    15,014 (6.07/day)
    Thanks Received:
    2,999
    Location:
    In a library somewhere on this earth
    Thanks for the post Steevo

    :toast:
  3. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.85/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    Shouldn't JAVA be protecting us from their shit?
  4. Widjaja

    Widjaja

    Joined:
    Jun 12, 2007
    Messages:
    4,819 (1.86/day)
    Thanks Received:
    636
    Location:
    Wangas, New Zealand
    Haven't seen malware like this before and I've come across some nasty ones.

    Hope this doesn't become a trend.
    It was bad enough having those foreign people calling up claiming they are from Microsoft saying their computer is at risk whether they own a computer or not.
  5. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.85/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    So should we all now uninstall all of Java? How do we know we are infected? MSE is running and always updated on my computer. I see nothing going wrong at all. I do not have Java running nor update Java. I really have no idea why Java is installed on my computer in the first place, but it is.
  6. FreedomEclipse

    FreedomEclipse ~Technological Technocrat~

    Joined:
    Apr 20, 2007
    Messages:
    13,402 (5.07/day)
    Thanks Received:
    2,189
    A lot of websites and programs require that Java be installed to run. You can't really avoid it.
  7. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.85/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    Ok so then what? I mean if it is this bad then what can you do? Is Sun Java going to fix their shit or is it up to us to do all this work? I am not all that good at doing stuff like this and can not afford someone else to do it. How do I know I am not infected? :banghead:
  8. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,107 (2.55/day)
    Thanks Received:
    1,123
    Uninstall old versions and install only the new version, and run in sandbox mode.


    It really sucks as I now have 50ish more machines that are running old versions, as Java is such a fucking piece of shit it never uninstalls the old version when updating. So the computer that we had infected had almost 500MB of 6 versions installed.


    DL and run the TDSS and keep your MSE up to date with a full scan scheduled to run at least once a week and you should be OK.
  9. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,821 (4.07/day)
    Thanks Received:
    3,479
    I saw an article a few weeks back, where some security expert said that it's nuts to install JAVA, especially on corporate PCs, because of the vulnerabilities, so I'm not that surprised this happened.

    If I came across an infected system, I wouldn't waste time trying to reimage. I would simply rescue any data on it and reinstall/reimage the thing. The problem is you can never be sure to have got rid of every last infection, plus the OS might be damaged such that it'll never be the same, no matter what you do to it.
  10. trickson

    trickson OH, I have such a headache

    Joined:
    Dec 5, 2004
    Messages:
    6,494 (1.85/day)
    Thanks Received:
    956
    Location:
    Planet Earth.
    I can not find where there is a problem at all with Java! Nothing at all is wrong on my system.
  11. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,107 (2.55/day)
    Thanks Received:
    1,123
    If I weren't leaving all next week for training, have my own new laptop to stage, and lots of other things to do, I probably would have reinstalled and copied last week's image over, but it is a critical machine, so 8 hours of cleaning and fixing is better than the 14-20 hours of a reinstall and restage and testing. Plus with our nice firewalls here at work I just put a trace on its IP and can see all active connections and resolved names, ports, etc.... so I put the block on all the bad IPs out there it was trying to connect to.

    get-answers-fast dot com was the biggest hijacker redirect and about 12 others, and most were hosted on the same subnet, so it all got blocked.

    So I'm sure it's clean after 24 hours of monitored connections, all scans came up clean, a rewrite of the boot sector, and using a hex editor to peek directly at the disk from a live Linux distro. int13 was clean.
  12. Steevo

    Steevo

    Joined:
    Nov 4, 2005
    Messages:
    8,107 (2.55/day)
    Thanks Received:
    1,123
    Bump for removal tool.
    stinger608 says thanks.
  13. _JP_

    _JP_

    Joined:
    Apr 16, 2010
    Messages:
    2,681 (1.73/day)
    Thanks Received:
    734
    Location:
    Portugal
    Thank you very much for this, Steevo. Really valuable information.
    I have Java on my computer, though I think I never used/needed it. Maybe I'll consider uninstalling it.
  14. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,821 (4.07/day)
    Thanks Received:
    3,479
    Dang, sounds like you know what you're doing. :respect: Yes, I can see how this "compromise" is a good solution for your situation, especially as you can put the damned thing on probation afterwards with the firewall. :p
  15. snuif09

    snuif09 New Member

    Joined:
    Nov 29, 2007
    Messages:
    964 (0.40/day)
    Thanks Received:
    66
    Location:
    hoorn, Netherlands
    I have encountered one of the Java exploit rootkits on a pc that a customer turned in for repairs, me being an intern and a total idiot I hooked it up on the network without checking it out first.

    One minute later our ISP blocked our internet connection, saying we had a botnet.
    Four other Windows XP machines were infected within a couple of minutes as well because they were also connected to the same network. Luckily Windows 7 wasn't vulnerable to that type of rootkit or we would have had a huge problem.

    That is why my boss always tells us to run TDSS and Combofix first on every computer before we hook it on the network.

    Still haven't seen the virus Steevo was talking about, but I can say that the tools he recommends are awesome. I now use them every time, and Combofix pretty much catches all the bad stuff (it is updated EVERY day so don't use old versions).
