Saturday, March 31, 2012

ZeroAccess x64 consrv.dll


             The consrv.dll infection has picked up a partner recently. There is now a service that is paired with both the 32 and 64-bit version of zaccess. We are able to see the infection easily on 64-bit already just by searching for the dll via the start menu, now we can verify with TDSSKiller.


                As always, this is the time to create a system restore point. It is not advisable to continue forward without creating a restore point.

               Open up the registry editor and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\Select. We want to look for the value "Default" - Do not confuse this with the one on top which is "(Default)". This value will tell us which control set will be loaded the next time Windows boots up. The "Current" value tells us which of the control sets are currently loaded. In my case, ControlSet002 is currently loaded (this will be different on each different PC). The rootkit is watching the current control set to ensure that no changes are made to it. This makes ControlSet002 impossible to modify, so I need to modify the other one. For example, If ControlSet002 is loaded, I need to modify either ControlSet001 or ControlSet003. If ControlSet001 is loaded, I need to modify either ControlSet002 or ControlSet003, etc.

We will now navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\SubSystems


The value that we are interested in here is the "Windows" value. It may or may not be modified. Here is what the data will look like with an active infection:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


The key should look like this when it is clean:


%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

                We are particularly interested in the ServerDll part of this data. You may notice that the order of the ServerDll data (if you omit the other data) is: basesrv, winsrv, consrv, sxssrv. We want to change it back to the default configuration which is: basesrv, winsrv, winsrv, sxssrv. Once you have changed the data, click ok and then press f5 on your keyboard to refresh your view of the registry. Open the value back up to make sure that it was not changed back by the rootkit. If it was, you will have to try another control set such as ControlSet001. If your changes were successful, we can refer to this control set as "fixed", go to the key: HKEY_LOCAL_MACHINE\SYSTEM\Select. We will now change the "Default" value's data to match our "fixed" control set, mine is ControlSet003 so my "Default" value's data will be changed to "3".

                I recommend that you familiarize your self with the NT startup process to get a better understanding of what we are doing here and why. A good source of reading to better understand how this all works can be found here at wikipedia in the "Loading Windows NT Kernel" section of this article:




               
                We can now delete C:\Windows\system32\consrv.dll. The next step is to handle the service, we will need to open up a notepad and take a look at our TDSSKiller window again. Copy the name of the service into the notepad and then copy that to your clipboard. Open up your registry editor and make sure that 'Computer' is selected in the left pane. Go to Edit > Find and paste the service that you just copied into the find box. Click 'find next' and you should arrive at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost


              We are looking for the service listed in the 'netsvcs' value. Find the line that contains the service and delete that line only. Then press the 'f3' key on your keyboard to continue the search. You should get either 1 or 2 more results. Once you find the service registry keys, delete the entire key. Press 'f3' until you see the message "Finished searching through the registry." Close the registry editor and reboot. Run a full scan with MalwareBytes' Anti-Malware to remove any remaining files.

A link to the html format of this video can be found here

Unzip the folder and launch the html file that is contained inside.
  



Sunday, March 4, 2012

Windows Telemetry Center



Windows Telemetry Center has been renamed quite a few times. Here are some of the other names:

Windows Attacks Defender, Windows Attacks Preventor, Windows Threats Destroyer,Windows Firewall Constructor, Windows Stability Guard, Windows Basic Antivirus, Windows PRO Scanner, Windows Shield Tool, Windows Trojans Inspector, Windows Performance Catalyst,Windows Smart Partner, Windows Smart Warden, Windows Functionality Checker, Windows Protection Master

This one in particular does not have any type of activation code. However, the sample that I tested was older, so there are activation codes that work with the newer iterations. Here is one of them thanks to Xylitol:

0W000-000B0-00T00-E0020

This one is a bit harder to remove if you do not activate it. I had trouble with MalwareBytes' in particular, it kept freezing during removal. The best way that I found to remove this one is using Hitman Pro 3.6. Here are the links to this tool:


I found that running Hitman in Breach Mode was the way to go. To do this, you need to hold down the Ctrl key on your keyboard, and then double-click to open the program. You will see your explorer shell disappear and Hitman will be the only thing on the screen. Let it scan and remove. You will need to do a supplemental scan with MalwareBytes' after Hitman does his job. 



Registry Keys (list shortened for relevance):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe (about 750 of these)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Inspector

Files:
C:\WINDOWS\system32\at.exe
C:\WINDOWS\system32\cmmon32.exe
C:\Documents and Settings\<User>\Application Data\Protector-<random>.exe




Friday, March 2, 2012

Personal Shield Pro


Today we have Personal Shield Pro. To help removal, you can activate it with the following key:

8945315-6548431


This one stops other processes from running by telling us that we are "infected". To counteract this, locate "C:\Windows\System32\taskmgr.exe". Copy to the desktop and then rename to "explorer.exe". 


Find and kill the process.


Run MalwareBytes' quick scan to finish removal. 



Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | <random>


Files:

C:\Documents and Settings\All Users\Application Data\<random>\<random>.exe