Windows users beware!!!

    Reports of an SQL injection attack that affects only Windows computers and leaves behind a rootkit...

    Successful exploit leads to the silent delivery of hxxp://windowssp.7766.org/down/down.css. The file ‘down.css’ is actually a Win32 executable that is a variant of the Backdoor.Win32.Buzus family of trojans.

    Malware description
    Threatname: Backdoor.Win32.Buzus.croo
    Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

    Drops the following files to the specified folder:
    %UserProfile%\ammxv.drv
    %ProgramFiles%\Common Files\Syesm.exe

    Modifies the Registry to load when Windows is started:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller\Security
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller\Security

    The malware contains a rootkit component which can prevent the dropped files and registry changes from being readily viewable.

    Backdoor.Win32.Buzus.croo then attempts to contact 121.14.136.5 via port 80 and sends a POST request to hxxp://dns.winsdown.com.cn/Countdown/count.asp.
    Normally I don't concern myself with Windows vulnerabilities but I've read where several Kubuntu users also dual boot with Windows. This rootkit is installed by merely browsing the infected web page because the HTML engine will execute this code: "<script src=hxxp://318x.com>" while rendering the page.

    I am writing this post to remind Windows users that you can clean your infected Windows partition from your Kubuntu partition and because the Windows OS is NOT running the rootkit cannot stop your clean up. Open up Dolphin and click on the disk icon in the places panel to mount and open your Windows partition. Locate the two files:

    %UserProfile%\ammxv.drv
    %ProgramFiles%\Common Files\Syesm.exe

    and write down their timestamp before you delete them. Search your Windows directories for other files with the same year, month, day, hour and minute, plus or minus a couple of minutes. Among the list is the rootkit component. You can rename them in a consistent way, using AAAAnameoffile.extensionoffile.

    Reboot Windows. IF it comes up then run regedit.exe and remove the registry entries listed above. If Windows doesn't come up you can reboot into Kubuntu and restore the names of files one at a time, renaming the previous file with the "AAAA" so that only one file is tested at a time, until Windows comes up. Continue running Windows but watch the alert logs for strange "can't find xxxx" messages.

    IF the malware has infected your unlabeled 5GB partition where Microsoft stores the Windows backup files that are called upon when you invoke the Windows Repair Utility, then you are hosed. More than likely it means that your MBR is also infected. You have my condolences.

    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.
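The cleanup procedure in the post above (note the dropped files' timestamps, hunt for other files written within a couple of minutes of them, rename the candidates with an AAAA prefix so each one can be tested on its own, and rename back one at a time if Windows stops booting), as an added Python example that is not part of this thread. It assumes the Windows partition is mounted under Kubuntu (ntfs-3g exposes the NTFS modified time as mtime, which is what Dolphin shows); the AAAA prefix comes from the post, while the function names and the two-minute window are the example's own choices, and the demo tree it builds is constructed, not real malware.

```python
import os
import tempfile
from datetime import timedelta

# Quarantine prefix, following the opening post's "AAAA" renaming convention.
QUARANTINE_PREFIX = "AAAA"


def files_near_mtime(root, reference_path, window=timedelta(minutes=2)):
    """Return paths (relative to root) of regular files whose modification time
    lies within +/- window of the reference file's modification time.
    The reference file itself is excluded, since it is already known."""
    ref_mtime = os.stat(reference_path).st_mtime
    ref_real = os.path.realpath(reference_path)
    tolerance = window.total_seconds()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.realpath(path) == ref_real:
                continue
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            if abs(st.st_mtime - ref_mtime) <= tolerance:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def quarantine_rename(path, prefix=QUARANTINE_PREFIX):
    """Rename path to <prefix><basename> in the same directory and return the new path.
    Nothing is deleted, so a file Windows turns out to need can be renamed back."""
    directory, name = os.path.split(path)
    new_path = os.path.join(directory, prefix + name)
    os.rename(path, new_path)
    return new_path


def restore_name(quarantined_path, prefix=QUARANTINE_PREFIX):
    """Undo quarantine_rename for one file (test one at a time); returns the restored path."""
    directory, name = os.path.split(quarantined_path)
    if not name.startswith(prefix):
        raise ValueError("not a quarantined file: %s" % quarantined_path)
    original = os.path.join(directory, name[len(prefix):])
    os.rename(quarantined_path, original)
    return original


def build_demo_tree():
    """Constructed stand-in for a mounted Windows partition (placeholder files,
    not malware): the two dropped names from the post, one unnamed driver written
    a minute later, and an unrelated file from days earlier. Returns (root, reference)."""
    root = tempfile.mkdtemp(prefix="winpart_")
    base = 1_300_000_000  # arbitrary epoch seconds standing in for the drop time
    layout = {
        "Users/me/ammxv.drv": base,
        "Program Files/Common Files/Syesm.exe": base - 30,
        "Windows/system32/drivers/unknown.sys": base + 60,
        "Windows/notepad.exe": base - 3 * 24 * 3600,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")
        os.utime(path, (mtime, mtime))
    return root, os.path.join(root, "Users", "me", "ammxv.drv")


if __name__ == "__main__":
    demo_root, reference = build_demo_tree()
    for rel in files_near_mtime(demo_root, reference):
        print("candidate written near the drop time:", rel)
```

On a real partition, run `files_near_mtime("/media/<windows mount>", "<mount>/Users/<name>/ammxv.drv")` and review the list by hand before quarantining anything; legitimate files written during the same minutes (browser cache, event logs) will show up too, which is exactly why the post renames rather than deletes.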

    #2
    Re: Windows users beware!!!

    Just in case anyone is wondering who that IP is registered to:

    Originally posted by whois 121.14.136.5
    inetnum: 121.8.0.0 - 121.15.255.255
    netname: CHINANET-GD
    descr: CHINANET Guangdong province network
    descr: China Telecom
    descr: No.31,jingrong street
    descr: Beijing 100032
    country: CN
    admin-c: CH93-AP
    tech-c: IC83-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CHINANET-GD
    mnt-routes: MAINT-CHINANET-GD
    status: ALLOCATED PORTABLE
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks: This object can only be updated by APNIC hostmasters.
    remarks: To update this object, please contact APNIC
    remarks: hostmasters and include your organisation's account
    remarks: name in the subject line.
    remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    changed: hm-changed@apnic.net 20060518
    source: APNIC

    route: 121.8.0.0/13
    descr: From Guangdong Network of ChinaTelecom
    origin: AS4134
    mnt-by: MAINT-CHINANET
    changed: dingsy@cndata.com 20060707
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    e-mail: anti-spam@ns.chinanet.cn.net
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: dingsy@cndata.com 20070416
    mnt-by: MAINT-CHINANET
    source: APNIC

    person: IPMASTER CHINANET-GD
    nic-hdl: IC83-AP
    e-mail: ipadm@gddc.com.cn
    address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
    phone: +86-20-83877223
    fax-no: +86-20-83877223
    country: CN
    changed: ipadm@gddc.com.cn 20040902
    mnt-by: MAINT-CHINANET-GD
    remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn
    source: APNIC

    Mark Your Solved Issues [SOLVED]
    (top of thread: thread tools)

      #3
      Re: Windows users beware!!!

      Rootkits are nasty. Very difficult to remove. I am working on an XP machine now with the tdss rootkit. I am to the point where I am considering "nuke and pave" as the only solution.

        #4
        Re: Windows users beware!!!

        After skimming the linked article it appears that trojan relies on exploiting either Internet Explorer or Adobe Flash. Is that correct? If so then using Firefox combined with NoScript will protect you.
        Welcome newbies!
        Verify the ISO
        Kubuntu's documentation
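The opening post describes the delivery side of this attack: a mass SQL injection writes a `<script src=...>` tag into stored page content, and the browser fetches the attacker's script while rendering the page (which is what the browser-side exploit discussed in this reply then rides on). From the site operator's side the tell is a script tag whose host is not one the site serves from. The Python below is an added example, not code from this thread or from any product named in it; the function names, the allowlist and the sample rows are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag, quoted or not,
    including the unclosed, unquoted form a mass injection typically appends."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def external_script_hosts(html, allowed_hosts):
    """Return [(host, src), ...] for every script loaded from a host that is not
    in allowed_hosts. Relative srcs (no host) are same-origin and are ignored;
    protocol-relative //host/path srcs are treated like absolute ones."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in allowed:
            findings.append((host.lower(), src))
    return findings


def scan_rows(rows, allowed_hosts):
    """rows: iterable of (row_id, text), e.g. a CMS content table dumped for review.
    Returns {row_id: findings} for the rows that carry an unexpected script host."""
    report = {}
    for row_id, text in rows:
        findings = external_script_hosts(text, allowed_hosts)
        if findings:
            report[row_id] = findings
    return report


# Constructed sample rows. Rows 3 and 4 mimic an injected payload: an unquoted
# src, no closing tag, and a protocol-relative variant; hosts are placeholders.
SAMPLE_ROWS = [
    (1, '<p>Welcome</p><script src="/js/app.js"></script>'),
    (2, '<script src="https://cdn.example.com/lib.js"></script>'),
    (3, '<p>Article body</p><script src=http://injected.example/x.js>'),
    (4, '<script src=//injected.example/y.js></script>'),
]
ALLOWED_HOSTS = {"cdn.example.com"}  # hosts this site legitimately loads scripts from


if __name__ == "__main__":
    for row_id, findings in sorted(scan_rows(SAMPLE_ROWS, ALLOWED_HOSTS).items()):
        for host, src in findings:
            print("row %d loads a script from unexpected host %s (%s)" % (row_id, host, src))
```

Running this over every text column that ends up in rendered pages (not just the obvious "body" field) is the point: a mass injection appends the tag to whatever columns the vulnerable query touched, and the allowlist makes the result a short list to review rather than a grep over the whole database.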

          #5
          Re: Windows users beware!!!

          Yea, FF w/ NoScript should be a default for anyone on Windows.

            #6
            Re: Windows users beware!!!

            Originally posted by Detonate
            Rootkits are nasty. Very difficult to remove. I am working on an XP machine now with the tdss rootkit. I am to the point where I am considering "nuke and pave" as the only solution.
            That's what I had to finally do to remove a keyboard logger from the MBR & Recovery partition. He didn't have any Windows left, hadn't made the four backup XP diskettes, and didn't have an XP install CD, so before I did it I asked if he wanted to install Linux, otherwise my gratis computer fixing days were over for him. He agreed. It's been over a year and his PC is still functioning perfectly with PCLinuxOS 2007. (His was one of the dozen or so Linux boxes I support that I didn't convert to KK).

            After you do it you'll have to recreate at least one new physical partition and flag it as bootable before you can install KK. I made two, one for Linux and one equal to his RAM for a swap partition.

              #7
              Re: Windows users beware!!!

              The computer I'm working on does not have the backup CDs either, but it does have the recovery partition, so I should be able to restore it to its original configuration. I do plan to install a Linux distro on it. They will be happy if I can get WOW to work in Linux.

                #8
                Re: Windows users beware!!!

                Only if the malware didn't install itself in the recovery partition, like the keyboard logger I removed did.

                  #9
                  Re: Windows users beware!!!

                  Originally posted by Detonate
                  The computer I'm working on does not have the backup CDs either, but it does have the recovery partition, so I should be able to restore it to its original configuration. I do plan to install a Linux distro on it. They will be happy if I can get WOW to work in Linux.
                  WoW should work; check out its AppDB entry. Looks like it should work, and there is even a howto at the bottom of the page.

                  Back on topic, any word on what versions of Windows are affected?

                    #10
                    Re: Windows users beware!!!

                    Thanks for the link. The computer I am working on is XP Media Edition. I don't know if other versions are susceptible.

                      #11
                      Re: Windows users beware!!!

                      All of them.

                      The most common keyboard logger is Zeus, and it is least likely to be detected by AV products:
                      http://kubuntuforums.net/forums/inde...opic=3108779.0

                        #12
                        Re: Windows users beware!!!

                        I have a question. If I do a clean install via HP recovery disc, that would solve any problem, right? That is what I did the last time I installed Windows and I rarely use Windows since. Also, does Malwarebytes remove these infections? I have that and the latest Norton. Plus I never use IE.

                          #13
                          Re: Windows users beware!!!

                          Originally posted by BigCityCat
                          I have a question. If I do a clean install via HP recovery disc, that would solve any problem, right? That is what I did the last time I installed Windows and I rarely use Windows since. Also, does Malwarebytes remove these infections? I have that and the latest Norton. Plus I never use IE.
                          A CD can guarantee a clean installation ONLY if the manufacturer didn't release it pre-infected, which HAS happened in the past and can happen again.

                          I suspect that HP's install CD is clean, but we do have evidence that Sony sent out a rootkit on one of its CDs.

                          I have no personal experience with Zeus, but according to the "thePCSecurity" website most AV products cannot detect it or remove it. I would wager that Malwarebytes is among the useless AV products, because the major AV products fail.

                            #14
                            Re: Windows users beware!!!

                            Malwarebytes found the infection on the machine I am working on, but the removal was unsuccessful. It removed it, and everything seemed fine for a couple of days, then it reappeared. Ditto for Spybot. I even ran ComboFix and did a close examination of the HijackThis file, and I am pretty good at reading those, and the thing still came back. This is the tdss rootkit I am talking about. I would completely wipe and reformat the hard drive before installing. I would also run fixmbr.

                              #15
                              Re: Windows users beware!!!

                              I appreciate your answers. I didn't think I had something like that. I don't use that Windows drive often, but when I hear something isn't being found by AV, I get a little worried. If you say Malwarebytes will find it, I did a scan with that and it's clean. If I had something like that I would just reinstall. I keep my important info stored anyway. I spend very little time using Windows.
