- RootKit?
- Posted by Matt Schwartz on May 24th, 2006
I have a computer that seems to have been compromised. When I do a full
system scan with Norton Antivirus, I see files such as:
expl0rer.exe
ixplore.exe
_dll.exe
hooker.exe
and many others being scanned. As well as a directory called c:\programs\
that seems to have a lot of files in it.
Unfortunately, I can't see any of these files on the server. It's Windows
2000 Advanced server. I have tried:
- looking at the server over the network
- booting in safe mode
- booting in safe mode with dos prompt
- booting with the windows 2000 advanced server CD and going into a
recovery console
- booting with a linux boot cd and mounting the volume in linux
- scanning the drive with various rootkit scanning tools
None of these things revealed the hidden files. Looking through the
registry reveals no trace of them either. Am I crazy? Do the files not
really exist on the computer? Why would NAV scan them if they didn't
exist? And why do they not show up when I mount the drive in linux? How
could these files still be hidden?
More importantly, what can I do to see these files so I can get rid of
them?
Any help is greatly appreciated!
Sincerely,
Matt Schwartz
- Posted by David H. Lipman on May 24th, 2006
From: "Matt Schwartz" <matt@nelix.com>
| [snip]
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
Additional Instructions:
http://pcdid.com/Multi_AV.htm
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by kurt wismer on May 24th, 2006
Matt Schwartz wrote:
stealth malware cannot actively hide itself when you boot from a known
clean bootable medium - since that's what you did there are only 3
possibilities...
1) you misread the output from norton and somehow got the file locations
wrong...
2) you misread the output from norton in such a way as to mistake
scanning inside a compressed archive for scanning files in a directory...
3) the files are generated at run-time by some as yet unknown app that
runs on normal startup and cleans up after itself before you shut down...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
- Posted by 4Q on May 25th, 2006
Matt Schwartz wrote:
You could go to one of Kurt (the censor) Wismer's favourite
educational websites http://rootkit.com and gen up on how
these file hiding stealth techniques are implemented.
Check out 'Chapter 6. Layered Drivers' ( File Filter Drivers )
from Hoglund & Butler's book
'ROOTKITS - Subverting The Windows Kernel'
You're welcome
4Q ;]]
- Posted by 4Q on May 25th, 2006
Matt Schwartz wrote:
Try 'Rootkit-Revealer' from Russinovich & Cogswell
at http://www.sysinternals.com
"It can detect hidden Registry entries as well as hidden files."
4Q
- Posted by Zoned on May 25th, 2006
There are other Anti Rootkit software available from
http://www.antirootkit.com ,
regards
Zoned
- Posted by kurt wismer on May 25th, 2006
4Q wrote:
[snip]
and you could read his description a little better and realize he took
steps to see through any active hiding techniques...
when you boot from a linux boot cd there ain't no way a windows
stealthkit can hide itself... malware can't hide itself if it isn't
running...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
- Posted by 4Q on May 25th, 2006
kurt wismer wrote:
Censoring again aye Kurtie? http://rootkit.com
*HAHA* Some expert you are.
Try an embedded system within a system *wink* A hidden filesystem
within a filesystem. The hidden filesystem can remain inactive like
a spore until some kind of reactivation event. Even when the rootkit
is inactive the 'files' still exist (the rootkit can read them even
if XP, W2K, W9x, Linux can't ;]]). All you need is the trigger event
to bring the dormant trojan entity back to life.
Btw my Linux distro won't read this M$ FATX (out of the box), but I'm
sure I just put some secret data on the fucker. My NX can read the
FAT16, FAT32, NTFS files I have on the standard IDE disk even though
I have 'NO' microsoft partitions at all. *WOW!* *It's like magic!*
*How?* 'loopback device'
# dd if=/dev/hda of=/dev/hda skip=4136547 seek=89988765 count=100000
    (back up the 100000 sectors of hostfile.exe to a scratch area of the disk)
# dd if=/dev/hda of=/dev/hda skip=23417465 seek=4136547 count=100000
    (overwrite hostfile.exe's sectors with the hidden filesystem image)
# mount hostfile.exe /tmp -t vfat -o loop=/dev/loop1
    (loop-mount the file, which now holds a FAT volume)
# do_business
# reverse_the_process
    (dd the backed-up sectors back over hostfile.exe)
hidden data on disk at offset 23417465x512 (rootkit system)
victim file (hostfile.exe) at offset 4136547x512
You really need to go back to r00tkit 101 school.
try http://rootkit.com or read some VX zines
at http://vx.netlux.org
4Q
p.s. Kurtie if they can land a broken spacecraft
safely on the surface of Saturn's moon Titan, billions
of miles away I think hiding an undetectable rootkit
on the most insecure PC OS ever isn't going to be too
hard. Just because you don't know how it's done doesn't
mean other people don't *grin*
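The hiding technique 4Q sketches above (a FAT image parked in raw sectors, copied over a host file with dd and loop-mounted when wanted) and kurt's counter-point that anything on the platter can be read once the rootkit is not running can both be tried on an image. The following is an added example, not code from the thread: it scans a raw disk image taken from a clean boot medium (say with dd) at every sector boundary for anything that looks like a FAT or NTFS volume boot record, whether or not a partition table points at it. The 128 KiB "disk" and the three boot sectors planted in it are constructed test data; offsets, names and the signature checks are my own choices.

```python
import random
import struct

SECTOR = 512


def fat_boot_sector(fs_type: bytes, oem: bytes = b"MSWIN4.1") -> bytes:
    """Build a minimal but structurally valid FAT12/16/32 boot sector (constructed test data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"               # jump over the BPB
    bs[3:11] = oem.ljust(8)
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FATs, root entries,
    # total sectors (16-bit), media byte, sectors/FAT (16-bit), sectors/track,
    # heads, hidden sectors, total sectors (32-bit)
    struct.pack_into("<HBHBHHBHHHII", bs, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    if fs_type.startswith(b"FAT32"):
        bs[82:90] = fs_type.ljust(8)        # FAT32 keeps the type string in the extended BPB
    else:
        bs[54:62] = fs_type.ljust(8)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def ntfs_boot_sector() -> bytes:
    """Minimal NTFS boot sector (constructed test data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 11, 512, 8)  # bytes/sector, sectors/cluster
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def classify_boot_sector(sec: bytes):
    """Return 'NTFS', 'FAT12', 'FAT16' or 'FAT32' if sec looks like a volume boot record, else None."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xAA":
        return None
    if sec[3:11] == b"NTFS    ":
        return "NTFS"
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    if bps not in (512, 1024, 2048, 4096) or spc not in (1, 2, 4, 8, 16, 32, 64, 128):
        return None
    if reserved == 0 or nfats not in (1, 2):
        return None
    if sec[82:87] == b"FAT32":
        return "FAT32"
    if sec[54:57] == b"FAT":
        return sec[54:59].decode("ascii", "replace")
    return None


def find_embedded_volumes(image: bytes, sector_size: int = SECTOR):
    """Scan every sector boundary of a raw image for boot sectors, partition table or not."""
    hits = []
    for off in range(0, len(image) - sector_size + 1, sector_size):
        kind = classify_boot_sector(image[off:off + sector_size])
        if kind:
            hits.append({"sector": off // sector_size, "offset": off, "type": kind})
    return hits


def build_sample_image() -> bytes:
    """Constructed 128 KiB 'disk': a visible FAT12 volume at sector 0 plus two volumes buried
    where a file system would only see the body of a file or unused sectors."""
    rng = random.Random(2006)
    disk = bytearray(rng.getrandbits(8) for _ in range(256 * SECTOR))
    disk[0:SECTOR] = fat_boot_sector(b"FAT12")
    disk[37 * SECTOR:38 * SECTOR] = fat_boot_sector(b"FAT16")   # e.g. inside hostfile.exe
    disk[200 * SECTOR:201 * SECTOR] = ntfs_boot_sector()        # e.g. in unallocated sectors
    return bytes(disk)


if __name__ == "__main__":
    for hit in find_embedded_volumes(build_sample_image()):
        print(f"sector {hit['sector']:>6} (byte offset {hit['offset']:>8}): {hit['type']}")
```

Run it against `dd if=/dev/hda of=image.raw` taken while booted from known-clean media and feed the bytes to `find_embedded_volumes`; a hit at a sector no partition table accounts for is exactly the "filesystem within a filesystem" being argued about. The check is a heuristic: it only catches an image that still carries a recognisable boot record, so a hidden volume that is XORed or encrypted on disk (the "proprietary method" 4Q alludes to) will not match, and a plain entropy or baseline diff is the fallback.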
- Posted by kurt wismer on May 25th, 2006
4Q wrote:
inactive like a spore? have you heard yourself talking lately?
filesystems are not active or inactive, they are there or not there...
if they are there they can be examined, if they are not there then they
are not a problem...
you're taking biological analogies way too far...
if they're on the physical disk they can be read, and if the malware
isn't running there's nothing to interfere with that reading...
more with the biological analogies... trojans don't come back to life,
they were never alive in the first place... they are there or not there,
running or not running... that is all...
[snip]
they don't hide it on the OS, they hide it on the disk - nothing goes
*on* the OS... it's precisely this kind of imprecise thinking/speaking
that makes you sound like a crackpot...
it goes on the disk or in memory... if it only goes in memory then it
goes away when you shut down... if it goes on the disk (so that it can
get back in memory the next time you start up) then it's findable when
booting from a known clean bootable medium...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
- Posted by Matt Schwartz on May 26th, 2006
Thanks for all the great advice! It's all very interesting stuff. Whoever
designed whatever it is that hit me must really know what they are doing!
Anyway, I took the easy way out and just picked up a new harddrive and
rebuilt everything from scratch.
Thanks again for all the help!
Sincerely,
Matt Schwartz
- Posted by 4Q on May 26th, 2006
kurtie scribbles:
*
**
***
Kurtie,
I have given you way too much credit (my private assessment of
VX/AVers) in the past.
Real-life viruses aren't alive. They only have aliveness properties
when they come into physical contact with target host molecules. This
analogue can be compared to a computer runtime virus. No aliveness
when they aren't actively replicating.
Similarly, a trojan (in this case a r00tkit) can remain inactive on
a storage medium, and remain hidden inside that storage system. That
can be files, structures, slacks or just unused sectors. They can use
an unknown proprietary method of hiding and therefore remain undetected
until an AV/Malware R&D technician has had the chance to examine them
(then update their AV/Malware tool).
A generic test to see if anything alien has entered the system would
be to have a known snapshot of every byte on the storage medium then
to take another snapshot after invasion to see any differences. However
this does not necessarily mean the changes can be meaningfully
analysed.
The spore analogy comes into play after the initial invasion and the
virus/trojan/r00tkit (http://rootkit.com) has established itself.
Once the system has been compromised, the alien entity can now go into
a sleep stage (an inactive spore state). There are many possibilities
to trigger or reanimate the alien entity (bring back to life - if ya
like) and one such simple method would be to take a normal OS
executable file and modify some branch in its executable instruction (i.e. running
the periodic housekeeping routines). When the routine is run the
r00tkit/trojan/virus entity would spring back into life from its
hibernated spore state and carry out its next stage of active execution
(then maybe it has been programmed to go back to sleep - AS A SPORE)
Now fuck off back to 101 VX school
try http://rootkit.com or http://vx.netlux.org
and read up on a subject you are finding hard
to grasp.
4Q
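The "generic test" in 4Q's post above (snapshot every byte of the storage medium, snapshot again later, and diff) is easy to make concrete. What follows is an added example and not code from the thread: it hashes a raw image in fixed-size chunks, keeps the digest list as the baseline, and reports which byte ranges changed between two snapshots, merging neighbouring chunks into one range. The two 64 KiB "disk" images, the 4 KiB chunk size and the SHA-256 choice are my own; the three-byte patch and the 10 KiB blob written into the second image are constructed to mimic the modified-branch trigger and the payload parked in unused sectors that the post describes.

```python
import hashlib
import random

CHUNK = 4096


def snapshot(image: bytes, chunk: int = CHUNK):
    """Hash every chunk of a raw disk image; the digest list is the baseline to keep off the host."""
    return [hashlib.sha256(image[i:i + chunk]).digest() for i in range(0, len(image), chunk)]


def diff_snapshots(before, after, chunk: int = CHUNK):
    """Return merged (start, end) byte ranges whose chunk digest differs between two snapshots.
    A chunk present in only one snapshot (the image grew or shrank) counts as changed."""
    ranges = []
    for i in range(max(len(before), len(after))):
        a = before[i] if i < len(before) else None
        b = after[i] if i < len(after) else None
        if a == b:
            continue
        start, end = i * chunk, (i + 1) * chunk
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)    # extend the previous range
        else:
            ranges.append((start, end))
    return ranges


def sample_images():
    """Constructed test data: a 64 KiB 'disk' before and after something wrote to it."""
    rng = random.Random(1)
    before = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    after = bytearray(before)
    for i in range(0x5000, 0x5003):          # a three-byte patch, e.g. a modified branch
        after[i] ^= 0xFF
    for i in range(0x9000, 0x9000 + 10240):  # a 10 KiB blob dropped into 'unused' sectors
        after[i] ^= 0x5A
    return before, bytes(after)


if __name__ == "__main__":
    before, after = sample_images()
    for start, end in diff_snapshots(snapshot(before), snapshot(after)):
        print(f"changed: bytes {start}-{end} (sectors {start // 512}-{end // 512 - 1})")
```

Take both snapshots from an image made while booted from clean media and store the baseline digests somewhere the suspect machine cannot reach, otherwise a rootkit that is running can feed the hashing pass whatever it likes. The output only says where the disk changed, which is the limitation 4Q concedes: a live system rewrites logs, the pagefile and registry hives all the time, so the ranges still have to be mapped back to files or unallocated space and looked at by hand.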
- Posted by kurt wismer on May 26th, 2006
4Q wrote:
[snip]
don't worry, the feeling is mutual...
more with the biological analogies... it's long been understood that
there is a limit to how far biological analogies apply to the computer
virus world... only the loosest of analogies apply, anything more
specific breaks down (probably because the people who coined the term
were not biologists)...
oh, fer cryin' out loud... stealth by novelty? if the only thing that
has to happen to unhide the malware is that it has to be analyzed by the
av'ers and a signature created then it's not really _hiding_ itself,
it's just *new*... if we're going to start calling newness a form of
stealth, *everything* becomes a so-called 'rootkit'...
perhaps not, but they can definitely be detected, isolated, and found...
it is the nature of generic tests that they cannot always give us
specific answers on their own...
let me ask you something - are you able to explain this using *just*
(appropriate) computer terms?
so far what you've got seems to translate to "the malware can be running
and then stop running, and then maybe something will execute it again"...
no thanks... although i was reading 40hex back when gheap was writing
about hex editing other people's work, i long ago lost patience with vx
zine authors' frequent inability to express cogent technical thought...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
- Posted by 4Q on May 27th, 2006
kurt(simply censoring)wismer wrote:
<snip most of Kurties crap>
You're a novelty idiot. ;]]
<more crap, more snip>
Censoring again aye Kurtie? http://rootkit.com
I have studied descriptive methodologies in CS.
Discrete mathematics, formal language translation,
principles of compiler design, lexical analysis etc
The most "appropriate" ways to describe a comp sci
phenomenon but...
1) I'm not trying to be accurate like a Dr. Fred Cohen thesis
2) The audience is ACV, hackers, coders and people interested
enough to follow the links you keep *censoring*, so they can read
a more concise description of how these systems work.
3) This isn't 'C'omputing it's 'H'acking
The hacking subject(s) has moved on quite a lot since 40hex days
and more cogent technical treatment has been applied in this field.
There are plenty of really good articles and books about.
However it is 'hacking' (an ARTFORM of stealth and anything goes
survival).
So stop talking more shite Kurtie, r00tkits and stealth trojans
exist and they can hide themselves in ways your square head doesn't
seem to comprehend. Sorry you can't appreciate there are no CS
rules in this game. Go get a clue from http://rootkit.com and read
some VX zines of a later vintage than "40hex" *wink*
Hackers 0wn cyberspace, now fuck off. ;]]
4Q
- Posted by James Egan on May 27th, 2006
On 26 May 2006 20:08:41 -0700, "4Q" <paul_zest@hushmail.com> wrote:
It must be true. Otherwise, how did Jeff Goldblum manage to interface
his laptop with that orbiting alien mothership?
Jim.
- Posted by 4Q on May 27th, 2006
James Egan wrote:
Exactly Jimbo! Hackers have devious ways of doing the
seemingly impossible, right after the square heads say
"it can't be done"
)
4Q
- Posted by kurt wismer on May 28th, 2006
4Q wrote:
this again... who exactly have i censored? whose voice is not being
heard? who have i silenced? no one... i am under no obligation to
include all of your material in my replies just as you are under no
obligation to include all of mine in yours... the originals stand,
unedited, uncensored - it is only the in quotations that it gets edited
and i've made my redactions as clear as you have made yours...
argumentum ad hominem...
[snip]
and i have a cs degree, so what... are we going to whip 'em out and
compare or something?
then you really should be capable of explaining it using appropriate
terminology, shouldn't you...
no, you're trying to show that i'm wrong, trying to express ideas, and
*failing* to make yourself understood by the person you're responding to...
a) i have been an active (vociferous even) participant in acv for nearly
11 years now...
b) i have been a coder for the past 20 years now... a hacker (not the
bad kind) for most of those years...
c) the links you posted were to *domains*, not to articles explaining
what the heck you're talking about...
d) i have been to those domains - just because i won't link to them
doesn't mean i won't visit them myself...
i *AM* every bit your audience...
no, it's the overuse of terminology from an unrelated field to obfuscate
your meaning... it's generally done to hide one's ignorance - it is
classic 'poseur' behaviour...
40hex is where i started, not where i stopped... and your links do not
point to the information you claim they do... i'm not about to go
digging around those sites looking for articles that support *your*
argument - if you want to back up your argument with meaningful
citations, feel free...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
- Posted by 4Q on May 28th, 2006
kunt wisarse wrote:
<snip wannabe pseudo AVer and computer
expert poseur crap>
Having been busy with other projects for the past few
months I have had to put down my Usenet projects. Luckily
for you Kurtie I'm going to take you up on your challenge
and give people the opportunity to see you for the flakey
computer expert you really are.
Sorry it will have to be dragged out over an extended
period of time, as I have other matters to deal with at
the moment. You can expect to join Barlev and Bryant on
the heroes of ACV to-do-list. Thanks for posting so much
of your crap on the Internet for the past 11yrs.
*hehe* I'm looking forward to the anonymous posts that
will surface over time on you Mr. Wisarse. Your busy time
in cyberspace pissing people off with your crap is going to
be your own petard.
4Q (Your Friendly Bastard Archivist)
- Posted by kurt wismer on May 30th, 2006
4Q wrote:
and now for some comparative googology
expert (http://tinyurl.com/ql6u3) or not (http://tinyurl.com/rdoe8)...
i'm not an expert, i never claimed to be an expert... i'm just a guy who
knows more about malware than the average person, and who happens to be
sure of himself... last time i checked, confidence and expertise were
not the same thing...
flakey? lemme guess, you're going to dredge up those posts where i said
i surf nekkid...
seems i've struck a nerve... i'm not sure what you think you're going to
accomplish in the long run but whatever - it's your time to spend as you
see fit...
and when you're done i'll still be here...
http://tinyurl.com/jabht
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
- Posted by 4Q on May 30th, 2006
kunt wismer wrote:
I won't be done for a very long time. Once you've managed
to properly piss me off you'd better hope purgatory is the
place you wanted to be.
*We* in AL legion are looking forward to getting to know
you very intimately.
4Q
p.s. Haven't found any of your publications in ACM or IEEE
yet. I thought you'd have at least a dozen security related
articles and a handful of rigorous theorems. Any pointers or
do you want your purga-meter to just clock up more search
miles? *grin*
- Posted by kurt wismer on May 30th, 2006
4Q wrote:
doesn't matter...
i think you'd have to make me a believer first...
so you have a cadre of lackeys, do you? i suspect you'll all get rather
bored by what you find...
and you thought i'd have such articles because...?
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"