[identity profile] coyoteden.livejournal.com posting in [community profile] techrecovery
Wow... I just cleaned up one tonight that had some sort of nasty shiite on it. The machine was getting t3h popups constantly, and everything had been cleaned except for one little thing.

It showed up in hijackthis as "[etbrun] c:\windows\system32\elitepmm32.exe". If you removed that startup entry it would come right back. There was no running process by that name, and in fact no file by that name in that location... but something odd, if you went to a command prompt and tried "del c:\windows\system32\elitepmm32.exe" you would get something like "the environment variable is incorrect". WTF, whatever happened to "file not found?"

I fired up regmon and filemon. Sure enough, there IS an elitepmm32.exe replacing that [etbrun] entry every few seconds. But apparently that file doesn't exist and it's still not listed in processes.

I booted the machine from a BartPE and in c:\windows\system32 there's an elitepmm32.exe and about a dozen other identical files of the pattern elite???32.exe. Deleted them and the [etbrun] line, and it never came back. The popups stopped.

How nice. Spyware is now using rootkits. A rootkit injects itself into the kernel and can totally hide files and processes. System calls to list files and processes get intercepted by the rootkit and all references to the nasty stuff are removed. No application can see something that the kernel doesn't tell it about, so antispyware programs simply don't see it. There is no way to remove a rootkit without booting the machine from a clean OS. Now, in this case, you might be able to remove it from safe mode, because it installs via a usermode startup. If it has a boot-loading driver component, it's all over.

Try as you might, you just can't see the fnord.
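The removal above worked because the post's author compared two views of the same directory: what the running (possibly rootkitted) Windows reported, and what a clean boot from BartPE showed. The script below is an added example, not code from the post, that turns that cross-view comparison into a repeatable check. It assumes two plain-text listings captured with something like `dir /s /b` (one on the live system where the drive is C:, one from the boot CD where the same drive shows up as D:) and a set of HijackThis-style O4 startup entries; all listings, file names and entries here are constructed to mirror what the post reports, and Python is used only because it runs anywhere on the captured text files.

```python
# Added example (not code from the post): cross-view check of a directory
# listing taken on the running Windows system against one taken from a clean
# boot CD, plus a check of startup entries against both views.
import fnmatch
from pathlib import PureWindowsPath

# Constructed sample: output of "dir /s /b" on the live (suspected) system.
LIVE_LISTING = """
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\notepad.exe
"""

# Constructed sample: the same directory listed after booting a clean OS such
# as BartPE; the installed drive is assumed to appear under a different letter.
OFFLINE_LISTING = """
D:\\WINDOWS\\system32\\ctfmon.exe
D:\\WINDOWS\\system32\\elitepmm32.exe
D:\\WINDOWS\\system32\\elitexyz32.exe
D:\\WINDOWS\\system32\\kernel32.dll
D:\\WINDOWS\\system32\\notepad.exe
"""

# Constructed sample: HijackThis-style O4 startup entries, name -> target file.
STARTUP_ENTRIES = {
    "etbrun": r"c:\windows\system32\elitepmm32.exe",
    "ctfmon": r"c:\windows\system32\ctfmon.exe",
}

# File name pattern the post observed for the hidden files.
SUSPECT_PATTERN = "elite???32.exe"


def path_key(path):
    """Normalise a Windows path: drop the drive letter and lower-case the rest,
    so the same file compares equal whether seen as C:\\ live or D:\\ offline."""
    parts = PureWindowsPath(path.strip()).parts
    if parts and parts[0].endswith(":\\"):
        parts = parts[1:]
    return str(PureWindowsPath(*parts)).lower()


def parse_listing(listing):
    """Turn a multi-line listing into a set of normalised path keys."""
    return {path_key(line) for line in listing.splitlines() if line.strip()}


def hidden_files(live_listing, offline_listing):
    """Files present in the offline view but absent from the live view.
    A rootkit that filters directory enumeration produces exactly this gap."""
    return sorted(parse_listing(offline_listing) - parse_listing(live_listing))


def classify_startup(entries, live_listing, offline_listing):
    """Label each startup entry by where its target file can be seen:
    'ok'       -> visible on the live system
    'hidden'   -> only visible from the clean boot (API-level hiding)
    'dangling' -> not on disk in either view."""
    live, offline = parse_listing(live_listing), parse_listing(offline_listing)
    result = {}
    for name, target in entries.items():
        key = path_key(target)
        if key in live:
            result[name] = "ok"
        elif key in offline:
            result[name] = "hidden"
        else:
            result[name] = "dangling"
    return result


def matches_suspect_pattern(path, pattern=SUSPECT_PATTERN):
    """True if the file name fits the elite???32.exe pattern seen in the post."""
    return fnmatch.fnmatchcase(PureWindowsPath(path).name.lower(), pattern)


if __name__ == "__main__":
    for f in hidden_files(LIVE_LISTING, OFFLINE_LISTING):
        flag = " (matches suspect pattern)" if matches_suspect_pattern(f) else ""
        print(f"hidden from live view: {f}{flag}")
    for name, status in classify_startup(STARTUP_ENTRIES, LIVE_LISTING, OFFLINE_LISTING).items():
        print(f"startup entry [{name}]: {status}")
```

The useful signal is the combination: a startup entry whose target the live system claims does not exist, while the offline listing shows the file, is the same symptom the post describes ("del" failing with an odd error rather than "file not found"). Entries classified as "dangling" are merely stale and can be cleaned without a reboot; "hidden" ones are the reason to reach for the boot CD.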

Date: 2005-03-18 03:48 am (UTC)
From: [identity profile] kallell.livejournal.com
I'm sure my friend got this loaded in my number two machine :p

Date: 2005-03-18 04:03 am (UTC)
From: [identity profile] residentgeek.livejournal.com
CoolWebSearch also does something a lot like that. The last couple of times I had to try to remove it, I spent forever deleting and rebooting to no avail. I ended up reimaging the box. I never thought about a bootable CD OS. I'll have to try that next time.

Date: 2005-03-18 04:46 am (UTC)
From: [identity profile] axessdenyd.livejournal.com
A few do similar things.

I think CoolWebSearch is the one that installs itself as a System Service in XP, or at least has a service that automatically reinstalls itself all the time.

Date: 2005-03-18 04:49 am (UTC)
From: [identity profile] residentgeek.livejournal.com
Yeah, it spawns new copies every time you try to delete it, and if you leave it on long enough, it invites its friends over to play. Nasty and annoying piece of shit.

Date: 2005-03-18 09:04 am (UTC)
From: [identity profile] abstrak-tokatl.livejournal.com
Guess the "safest" bet is to have a system that is completely fucked over with personal habits that don't conform to the norm. Play the odds as it is.

Date: 2005-03-18 04:15 am (UTC)
From: [identity profile] tmercenary.livejournal.com
Build a better mousetrap, they build better mice... It is a perpetual cycle, I'm afraid.

Date: 2005-03-18 04:31 am (UTC)
From: [identity profile] jahbulon.livejournal.com
Who is building these better mice of doom?

Date: 2005-03-18 04:54 am (UTC)
From: [identity profile] tmercenary.livejournal.com
Probably a company affiliated with the mouse trap builders.

Date: 2005-03-18 01:35 pm (UTC)
From: [identity profile] jacobine.livejournal.com
Gyah. That's even worse than the nasty I got on my own machine that kept reinstalling itself every bootup.

Date: 2005-03-18 03:38 pm (UTC)
From: [personal profile] jecook
For all those that need a link, BartPE is teh bomb. It's part of my toolkit (along with its companion, Bart's Corporate Bootable CD (BCD))

http://www.nu2.nu/bootablecd/

There are a few additions that one will need to get a hold of (like a free version of McAfee's command line Win32 virus scanner, and Ad-aware), but instructions are there.

If I ever see the person who came up with CoolWebSearch and some of the other nasty spyware, I shall do unspeakable things to them, and I'll video tape it and share the torture.

Date: 2005-03-21 06:23 am (UTC)
From: [identity profile] eightofspades.livejournal.com
I wouldn't call it a full-blown rootkit. Most spyware apps I've seen that do it (a few even from safe-mode) actually hide the executable with another process running, at user-level, so if you kill the hider process you can see the hidden processes.

It's clever manipulation, but not a true rootkit.

VX2's latest variants actually embed the restore function somewhere to initialize on shutdown, so it's not running to stop until after you've done your scans. There are some very useful tools I've grabbed to deal with that, but I lost the thumbdrive I put them on ):.
