Rootkit!

At one of my side-projects that consumes about 30 hours each week (also known as my "day job"), there were a few systems that fell victim to the recent WMF exploit. While I spent 6AM to 9AM on the morning of January 3rd patching systems, a few users had managed to get themselves into trouble before I deployed the patch.

As a side note, the "patch" in question was the unofficial one released by http://www.hexblog.com/. Thank goodness someone was looking out for the security of Microsoft Windows users. Rumor has it Bill Gates and Steve Ballmer were recovering from their annual winter-solstice peyote binge.

Many users were curious what the WMF exploit "looked like." The problem is that dozens, if not hundreds, of different, generally evil folk use the WMF exploit to install whichever malware packages would generate them the most money. Sometimes systems were signed up to botnets to blast millions of messages past junk mail filters. More commonly, the software would display unwanted pop-up advertisements.

On another side note, this story would seem to follow the old "do as I say, not as I do" parable. If anyone asks me, the right thing to do in case of exploitation is to "burn" the system in question. It's just not possible to be 100% sure that you've eliminated all remaining backdoors left by whatever malicious software was installed. That said, a seasoned professional can clean a system to the point where it's "good enough for government work." It's twice as easy to rationalize this argument when there is other work that needs to be done.

To continue the story, one of the systems was cleaned up by the standard decontamination process. Running Ad-aware, followed by HijackThis, followed by SpyBot Search and Destroy, followed by a traditional virus / trojan scan seemed to clean things up over the course of a few dozen reboots. The key thing is to do a number of reboots, then closely examine HijackThis's reports for any changes.

The other system seemed to be cleaned up by the same process. Oddly, it continued to exhibit strange behavior. Clicking a link from a page of Google results would often bring up a different page than intended, or a page with advertisement overlaid upon the original content. Clearly, something malicious remained on the system, even though traditional scanning techniques were failing to detect it.

After reading similar reports on the internet, I became concerned the system had been subjected to a rootkit.

The name rootkit suggests that it's a piece of software that allows a hacker to gain root-level access. That's not exactly the case. A rootkit is something that is deployed to hide malicious activity from the user.

A rootkit may do some or all of the following:

- Modify the system so that files can be hidden from the user
- Modify the system so that running tasks can be hidden from the user
- Delete suspicious event log entries generated by the malicious activity

Sony recently deployed a rootkit to prevent users from finding its DRM software. More concerning, their rootkit allows other software writers to hide files easily.

Further research indicated that F-Secure had recently released a beta of its upcoming Blacklight product for free evaluation. Like a real black light, it can show nasty stuff you need to know about, even if you don't really want to see it. For example, pest exterminators use black lights to detect rodent urine.

Specifically, Blacklight detects files hidden by rootkits on Windows systems. I'm not sure of the exact mechanism, but it does work. Blacklight found about a half-dozen hidden files that were somehow masked, allowed me to rename them to visible files and then delete them. These files didn't just have the hidden attribute enabled; they were really hidden.
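The post doesn't say how Blacklight works, but one common way to find files hidden by a user-mode rootkit is a cross-view comparison: list a directory through the ordinary library call, list it again through a lower-level path the hook doesn't cover, and report any names that only the lower-level view returns. The program below is an added example of that idea written for Linux (it is not Blacklight's code and not from the original post); the function names are mine, and it assumes the rootkit hooks libc's readdir() rather than the kernel, since a kernel-level hook would lie to both views.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { MAX_NAMES = 4096, NAME_LEN = 256 };
/* Record layout returned by the getdents64 syscall (declared here, as man 2 getdents does). */
struct linux_dirent64 { unsigned long long d_ino; long long d_off;
                        unsigned short d_reclen; unsigned char d_type; char d_name[]; };

/* View 1: libc's readdir(), the layer a user-mode hook (e.g. via LD_PRELOAD) would tamper with. */
static int list_via_readdir(const char *path, char names[][NAME_LEN]) {
    DIR *d = opendir(path); if (!d) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) && n < MAX_NAMES; n++)
        snprintf(names[n], NAME_LEN, "%s", e->d_name);
    closedir(d);
    return n;
}

/* View 2: the raw getdents64 syscall, bypassing the libc wrapper entirely. */
static int list_via_syscall(const char *path, char names[][NAME_LEN]) {
    int fd = open(path, O_RDONLY | O_DIRECTORY); if (fd < 0) return -1;
    static char buf[32768]; int n = 0;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;)
        for (long off = 0; off < got && n < MAX_NAMES; n++) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            snprintf(names[n], NAME_LEN, "%s", e->d_name);
            off += e->d_reclen;   /* records are variable length; step by d_reclen */
        }
    close(fd);
    return n;
}

/* Cross-view diff: count names the syscall returns that readdir() omitted.
 * Returns -1 on error, 0 when both views agree, >0 for entries worth inspecting. */
int count_hidden_entries(const char *path) {
    static char hi[MAX_NAMES][NAME_LEN], lo[MAX_NAMES][NAME_LEN];
    int nh = list_via_readdir(path, hi), nl = list_via_syscall(path, lo);
    if (nh < 0 || nl < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nl; i++) {
        int seen = 0;
        for (int j = 0; j < nh && !seen; j++) seen = !strcmp(lo[i], hi[j]);
        if (!seen) { printf("hidden from readdir(): %s/%s\n", path, lo[i]); hidden++; }
    }
    return hidden;
}
```

Call count_hidden_entries() on each directory you want to check; a nonzero result deserves a closer look rather than an automatic verdict, since glibc's readdir() legitimately skips records whose d_ino is 0 and a directory that changes between the two listings will also show a difference.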

This still doesn't answer the question of "how" the files were hidden on the system, so it would seem some further cleanup on that system is in order. It occurs to me now that perhaps Sony's rootkit had been inadvertently installed.
