[identity profile] coyoteden.livejournal.com posting in [community profile] techrecovery
Wow... I just cleaned up one tonight that had some sort of nasty shiite on it. The machine was getting t3h popups constantly, and everything had been cleaned except for one little thing.

It showed up in hijackthis as "[etbrun] c:\windows\system32\elitepmm32.exe". If you removed that startup entry it would come right back. There was no running process by that name, and in fact no file by that name in that location... but here's something odd: if you went to a command prompt and tried "del c:\windows\system32\elitepmm32.exe" you would get something like "the environment variable is incorrect". WTF, whatever happened to "file not found"?

I fired up regmon and filemon. Sure enough, there IS an elitepmm32.exe replacing that [etbrun] entry every few seconds. But apparently that file doesn't exist and it's still not listed in processes.

I booted the machine from a BartPE and in c:\windows\system32 there's an elitepmm32.exe and about a dozen other identical files of the pattern elite???32.exe. Deleted them and the [etbrun] line, and it never came back. The popups stopped.

How nice. Spyware is now using rootkits. A rootkit injects itself into the kernel and can totally hide files and processes. System calls to list files and processes get intercepted by the rootkit and all references to the nasty stuff are removed. No application can see something that the kernel doesn't tell it about, so antispyware programs simply don't see it. There is no way to remove a rootkit without booting the machine from a clean OS. Now, in this case, you might be able to remove it from safe mode, because it installs via a usermode startup. If it has a boot-loading driver component, it's all over.

Try as you might, you just can't see the fnord.
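As an added example (not code from the original post or from any tool it names), here is a small offline triage script that does what the BartPE step above did by hand: run against the system32 directory of the mounted, non-booted drive, it finds the elite???32.exe pattern, groups the copies by SHA-256 so you can see they are identical, and moves them to a quarantine directory rather than deleting them outright. The pattern is the one from the post; the directory and quarantine paths are whatever you pass in.

```python
import fnmatch
import hashlib
import os
import shutil
from collections import defaultdict

# Pattern from the post: a dozen identical elite???32.exe copies in system32.
DROPPER_GLOB = "elite???32.exe"


def sha256_of(path):
    """Hash a file in chunks so large binaries need not be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropper_copies(system32_dir, pattern=DROPPER_GLOB):
    """Return {sha256: [paths]} for every file in system32_dir matching pattern.

    Run this against the mounted drive from a clean boot (e.g. a BartPE
    session), never from the live system: a kernel rootkit filters the
    directory listing the live OS hands to user-mode tools, so the files
    would simply not appear here.
    """
    groups = defaultdict(list)
    for name in os.listdir(system32_dir):
        if fnmatch.fnmatch(name.lower(), pattern):
            path = os.path.join(system32_dir, name)
            if os.path.isfile(path):
                groups[sha256_of(path)].append(path)
    return dict(groups)


def quarantine(groups, quarantine_dir):
    """Move every matched file into quarantine_dir and return the new paths.

    Moving instead of deleting keeps a sample for analysis and lets you
    restore a false positive; the hash prefix in the name ties each file
    back to its group.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for digest, paths in groups.items():
        for path in paths:
            dest = os.path.join(quarantine_dir, digest[:12] + "_" + os.path.basename(path))
            shutil.move(path, dest)
            moved.append(dest)
    return moved
```

Once the files are quarantined, remove the [etbrun] startup entry from the offline registry hive as well, otherwise a surviving loader will simply recreate it.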

Date: 2005-03-18 04:31 am (UTC)
From: [identity profile] jahbulon.livejournal.com
Who is building these better mice of doom?

Date: 2005-03-18 04:54 am (UTC)
From: [identity profile] tmercenary.livejournal.com
Probably a company affiliated with the mouse trap builders.
