Saturday, September 8, 2007

Windows plus Worms plus Trojans equals Nightmare

I do remember the time when antivirus programs were not obligatory if you were careful and didn’t run “suspicious” applications. Back then, firewall was considered a useless resource consuming application. Over the past few years though, with the broadband evolution, things have changed. Nowadays one receives hundreds of mails, most of them spam which may contain a virus. Even worse, since the Blaster worm in August 12 2003, firewall became a necessity in order to be able to surf on the net without having windows restart every minute or so. Things have changed and we have to adapt… Even if you think you are safe, you may not be. Everyday new vulnerabilities arise from guys who check each and every array to find a buffer overflow which may crush the victim’s computer (DoS attack) or even worse, detect a loophole which will give them remote access to the victim’s computer. But then again, everyone knows these things. Why mention them once more?
Well, I am a windows user (developer to be more precise) and this is my quest for Trojan removal. All started yesterday while I was wandering in the Event Viewer. I noticed that the maximum TCP/IP connections limit was reached twice for that day. Immediately I realized that the web browsing was slow not because someone in the same rooter was downloading, but because my laptop was communicating with someone intensively.
I freaked out. I opened a command prompt (Start-->Run-->type “cmd”) and executed the most useful command in such occasions:

Netstat –ano

A table appeared listing all open ports, the destination ip and which process is handling this port (PID). Needless to say that my laptop was communicating with a lot of (more that 10) web servers (it was connecting to port 80) and all connections where made by a PID 1448. In order to find out the process’s id (PID), normally you may run the “tasklist” command. In my case it displayed an empty list which is equivalent to no processes running. That was impossible, so the tasklist command was modified which verified my virus suspicion. So how do you match a PID to a process without tasklist? Through the Windows Task Manager. You open it, go to the Processes panel and press “view-->select columns…”. From there you may display a lot of useful info concerning the running processes including their PID.
As most worms, the guilty process was svchost.exe. In over simplified words, this process encapsulates many many many libraries and applications. As you may have noticed there are several svchosts running in your windows installation. That is normal. Each is responsible for a totally different task and all together provide windows with network support, encryption, web server, file system etc…
Closing the svchosts also terminated the connections to the remote server and gave me time to go check my firewall settings. I do use the build in firewall of windows XP sp2 which blocks all incoming traffic besides the programs or ports defined in the list of Exceptions. There I came across the third sign which indicated I have picked up a Trojan. A port was open to public under the disguise of “messenger” which is ridiculous in my case since I don’t even have windows messenger installed! Disabling this exception or removing it from the list would not do any good since in every restart in would be recreated and the port would change.
Back in the college days (the days when firewall was not a necessity) we were fooling around with Trojans. These programs provide control of a victim’s pc. You may browse his/hers files, capture video, show funny pop up messages etc. What we did was a contest. Every one who dared to enter the contest would have to get a private file from the computer of the opponent. Our motives were pure educational. No civilians were attacked, only the contestants. Back then, the best Trojan was sub7 which was undetectable by Norton and McAfee. I got a lot of wins but I also ended up formatting my computer too, since a contestant created a Trojan by himself. That was not detectable even by Kaspersky which could detect sub7. When this madness came to an end and we realized that it doesn’t worth reformatting every two days, we got together and started discussing the experiences we had. The one who beat me told me the architecture of the Trojan he created. It was simple. A small process which would be melted into (combined with, in common words) a system process and would listen to a specific port. Actually it would only open the port for thirty seconds every five minutes in order to be stealth. That process would expect a specially crafted message which would contain a port. By receiving that, it would start another bigger process which would be listening to the received port and expose the whole windows api. It was brilliant.
A variant of the above architecture must have hit me now. A small process had melted into something that was loaded by the svchost. That process was responsible to report my online presence in some free web servers (send my ip on a script so that the attacker gets notified that I am online and where to find me) and more over it was opening the port so that the main Trojan could communicate with the attacker and provide him with remote access.
Anyhow, I opened my swish army toolbox which is mostly downloaded from and started poking with the contaminated svchost. With process explorer I could suspend the process and monitor any threads running. Unfortunately the only suspect process that was executed under the svchost was C:\WINDOWS\system32\wbem\wmiprvse.exe which I verified the hash and seemed to be ok. With Procmon I noted the registry keys and the files modified by the specified process and its children. That was exhausting I must say and it didn’t lead to anything useful. Finally, I tried running the RootkitRevealer but with no luck since I had killed the svchost and the RootkitRevealer could not be executed (actually no installation could begin). By the way, if you kill an svchost, it is almost certain that the annoying “Windows will shut down” message will pop up giving you one minute to save your work. Do not panic. Press Start-->run-->type “shutdown –a” and the message disappears.
I did also try spybot and Adaware but they are specialized in worms and malware rather than Trojans, so nothing came up (besides a couple of hundreds of spy cookies).
In my despair, I started downloading every antivirus available, every Trojan removal tool I could find in trusted web sites. Nothing came up. So I started taking drastic measures. Safe mode and delete any “useless” dll such as the C:\Program Files\Bonjour\mdnsNSP.dll which was referenced a lot by the infected svchost. Nothing happened. The port was still opening and my laptop was socializing with every free web server on the net!!! I installed wireshark (which is a packet sniffer) but the packets I was interested about were encrypted.
I did a lot of google search and I read a lot of opinions. None seemed to fit exactly to my case. As a desperate move, I downloaded a program that would clean up the temp folders, internet history, useless log files in windows etc and then run an antispyware. When the cleaning finished, it managed to remove 250Mb of useless files and I started the file checking. The antispyware didn’t find anything (although it tried hard I may say) and told me that I had to reboot. That was the last time I saw my desktop. Since then after the welcome screen an exception occurred in winlogon.exe and that’s about it… BSOD.
I got my windows XP cd, and repaired the existing windows installation. This process took about 40 minutes. After that I had a windows installation which would once again throw the Blue Screen Of Death after the welcome screen!!!
It was 4 a.m. and I hadn’t copied my files from c:\. I didn’t have a small Philips screwdriver to remove the disk and pick up the data from another pc and leaving the laptop as is was not an option. I had to have the laptop fixed by today. In order to retrieve my data I resorted to Knoppix live dvd. For no apparent reason (actually a driver incompatibility between Toshiba A100-912 and Knoppix) I had to avoid pcmcia auto detection in order to boot. Through the KDE I mounted my file server’s shares and copied everything I needed (basically the whole c:\ partition besides the Windows folder). By 6 o’clock in the morning all data had been transferred. Reboot, format, and here we go again… setup, setup, setup…
To conclude this scary story, I have to admit that I should have listened to my colleagues who told me that since Nod32 could not detect it, it is useless to try to defeat it by myself. That would have saved me a lot of hours since the format was imminent. The moral of this story is that we are never secure. I don’t know if I by mistake executed the infected application or someone else did it for me, the point is that since there are web sites like the where a script kid can buy an undetectable Trojan, we have to use our minds in order to protect our digital data. Be always alert, and constantly check your systems. A rootkit could compromise your privacy and cause data loss. Although I used to say that and used to have daily computer checks (with nessusd etc), I got careless since no incident had occurred. On the bright sight, this incident will place me back in track…

No comments: