Thursday, November 27, 2008

TDSS Rootkit Removal

I got a call the other day from a friend asking if I could take a look at his computer. Based on what he described, it sounded like a pretty standard combo infection of Anti-Virus 2009 and FakeAlert. He gave me the box, and a few days later I took a look.

The box would only boot into Windows successfully about one out of every 4 times. Once into Windows, I found Antivirus 2009 and FakeAlert. As always, I tried the easiest things first: install Spy Sweeper and/or HijackThis. Neither would install normally, so I changed the HJT folder name and .exe name; it still would not run. Although Spy Sweeper would install, upon reboot it would say that the install was corrupt or something. At this point I should have realized there was a rootkit.

I booted the box into a Slax live CD and went about removing Antivirus 2009 manually. Slax doesn't mount NTFS drives with write privileges by default; to get write access I ran the following commands:

umount /dev/hda2
ntfsmount /dev/hda2 /mnt/hda2

Now, had I known there was a rootkit and known a little about TDSS, I could probably have killed it this time around. As I didn't, the process ended up taking quite a bit longer. Instead of simply removing Antivirus 2009, I should have tried something like:

cd /mnt/hda2/windows/system32/drivers
ls tdss*
rm tdss*

cd ..
ls

and delete all .exe and .dll files with dates of 2009 on them (this may not work in a few months!)
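The two file heuristics the post relies on (tdss*.sys under system32/drivers, and .exe/.dll/.ini files whose timestamps are in the future relative to the day of the cleanup), written as a read-only scan. This is an added example, not code from the post: it reports candidates for the operator to review instead of deleting them, the tree it scans is a constructed temp directory standing in for /mnt/hda2/windows/system32, and the reference time is passed in so the "2009 dates" check can be reproduced after the calendar has caught up.

```python
import os
import fnmatch
import tempfile
import time

# Heuristics from the post: TDSS drops tdss*.sys into system32/drivers, and
# its .exe/.dll/.ini payloads carried timestamps in the future (2009 on a box
# running in late 2008). Report matches; deletion is left to the operator.
DRIVER_GLOB = "tdss*.sys"
PAYLOAD_EXTS = (".exe", ".dll", ".ini")

def find_suspects(system32, now=None):
    """Return sorted (relative_path, reason) pairs for files matching either rule.

    now: reference time in seconds since the epoch; files whose mtime is later
    than it are reported as future-dated (defaults to the current time, so this
    check stops working once the calendar catches up, as the post notes).
    """
    now = time.time() if now is None else now
    drivers = os.path.join(system32, "drivers")
    hits = []
    for root, _dirs, files in os.walk(system32):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, system32)
            lname = name.lower()
            if root == drivers and fnmatch.fnmatch(lname, DRIVER_GLOB):
                hits.append((rel, "tdss driver name"))
            elif lname.endswith(PAYLOAD_EXTS) and os.path.getmtime(path) > now:
                hits.append((rel, "future-dated"))
    return sorted(hits)

def _touch(path, mtime):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"stub")
    os.utime(path, (mtime, mtime))

def build_sample_system32():
    """Constructed stand-in for /mnt/hda2/windows/system32 (not a real image)."""
    base = tempfile.mkdtemp()
    now = time.time()
    _touch(os.path.join(base, "kernel32.dll"), now - 400 * 86400)
    _touch(os.path.join(base, "bratsk.exe"), now + 60 * 86400)  # dated 'next year'
    _touch(os.path.join(base, "drivers", "ntfs.sys"), now - 400 * 86400)
    _touch(os.path.join(base, "drivers", "TDSSserv.sys"), now - 86400)
    return base, now

if __name__ == "__main__":
    import sys
    root, ref = build_sample_system32() if len(sys.argv) < 2 else (sys.argv[1], None)
    for rel, why in find_suspects(root, ref):
        print(f"{why:18s} {rel}")
```

Run with no arguments to scan the constructed sample, or pass the path of a mounted system32 directory to scan it.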

Since I didn't realize there was a rootkit I simply removed Antivirus 2009 and rebooted.

Once I booted back into Windows I saw that FakeAlert was still there (and re-installing Antivirus 2009), so I decided to run RootkitRevealer and see what it came up with. Sure enough, there were a few entries for TDSSserv.sys and TDSSdata, and then two errors where it said it couldn't mount the C and D drives. I did a little research on TDSS and realized that the box was most definitely rootkitted.

I played with the registry through regedit, but guess what: the only TDSS entries that were showing up were legacy data that would not stop the rootkit. No surprise. I searched the interwebs, read a variety of posts, and grabbed a bunch of tools: GMER, IceSword, and a bunch of others that I didn't end up using. I also created a UBCD4Win boot disk based on this excellent post: http://www.s-t-f-u.com/2008/10/29/rootkit-tdsssys-sucks-worse-than-a-2-dollar-whore-remove-it/

Now, since I removed Antivirus 2009 manually through Slax, I had created some discrepancies or problems with the disk. It still booted into Windows, but would not run a scheduled CHKDSK, and I could no longer mount the volume in Slax because it gave an error saying the volume was dirty and needed a CHKDSK run.

I guess I really didn't need the UBCD4Win, as after about 15 minutes it still hadn't booted, and because I'm impatient I just killed it and used it to boot into the Recovery Console, but still, it seems like something I will most definitely be using in the future.

After booting into the Recovery Console, I did what I should have done through Slax the first time around, and went to system32 and removed all .exe's and .dll's with 2009 timestamps on them (at the time of this writing that worked great, but it probably won't soon, as it's almost 2009), and then into system32/drivers and got rid of all the TdssXXXX.sys files (where XXXX is random characters). There were also some .ini files with 2009 dates on them that I probably could have removed, but didn't.

Rebooted into Windows, to find that FakeAlert was still there. Opened IceSword (which is a fuking cool app) and killed the FakeAlert .exe manually (bratsk.exe or something). Since I couldn't find a way to search the registry through IceSword, I just used regedit to search for "tdss", then navigated to those locations in IceSword (it takes care of permissions, so deleting keys is far easier than in regedit) and deleted the fuk out of anything TDSS. The most interesting by far was the disallow section of TDSSDATA (I think that was it). It contained all the hooks that kept SS, GMER, and all those other apps from running. I was able to delete all TDSS entries. Rebooted.

Still had FakeAlert. Searched the registry for TDSS. TDSSDATA was still there, but it looked like it hadn't fully set up, as the keys were not there. Deleted it. At this point I was able to successfully install my preferred malware removal app (and inserted the newest def set manually because I work for them), and when I rebooted, the CHKDSK that I had scheduled many boot cycles earlier actually kicked off.

The malware removal app install went through this time and I ran a full scan. Still waiting to see what all it found and removed, but at this point I'm pretty confident that the TDSS rootkit is dead. Big ups to the TDSS guy though, that's a pretty nice rootkit, and I know for a fact that you have at least one major malware vendor re-working their engine to accommodate removal (even if you hit after the engine was installed).

So, for the first time after getting the box, I feel safe connecting it up to the interwebs to get some likely much-needed updates, which is my guess as to where this came from.

Also, I heard that Microsoft released an update this week that removed over 1 million copies of rogue antivirus apps? Very interesting.

Tuesday, November 11, 2008

Enabling VNC in Ubuntu Intrepid

If you want to use the VNC viewer client in Ubuntu Intrepid but it's greyed out, simply run:
sudo apt-get install xtightvncviewer

and you should be all set.

Saturday, November 8, 2008

DarkIce with Darksnow Debian Etch

Ugh. This was a slightly painful process; here's what I ended up doing:

apt-get source darkice
apt-get install liblame-dev
apt-get build-dep darkice
cd darkice*
vi debian/rules
# remove --without-lame
dpkg-buildpackage
cd ../
dpkg -i darkice*.deb

apt-get install libgtk2.0-dev

Find and download Darksnow. As of this writing, I was able to get the latest deb release here: http://www.twiki.ufba.br/twiki/pub/RadioFACED/ComoFunciona/darksnow_0.5.2-1_i386.deb

unzip

cd darksnow-0.X.X

./configure
make
make install

Added these to /etc/apt/sources.list

deb http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse

sudo apt-get install lame liblame0

This will need some updating; still tweaking... use at your own risk.

Wednesday, November 5, 2008

Upgrading Snort Schema from 1.06 to 1.07

Use this if you need to update your Snort DB schema from 1.06 to 1.07:

USE snort;

ALTER TABLE signature ADD sig_gid INT UNSIGNED;
INSERT INTO `schema` (vseq, ctime) VALUES ('107', now());
DELETE FROM `schema` where vseq = '106';

The only change to the tables is the ALTER TABLE statement. The last two statements just update the schema version number.

Install BASE and Apache2 on Ubuntu 8.10 Intrepid

sudo apt-get install apache2 php5-mysql libphp-adodb

If you get a message about the path to adodb changing, take note of what the new path is.

cd /var/www
sudo wget "http://downloads.sourceforge.net/secureideas/base-1.4.1.tar.gz?modtime=1217804205&big_mirror=0"

You might not want to copy and paste the above command, as it could be outdated (note the URL is quoted so the shell does not treat the & as a background operator). Just download the newest version, drop it in /var/www and unpack it.

sudo tar -xvzf base-1.4.1.tar.gz

sudo rm base-1.4.1.tar.gz
sudo mv base-php4 base

Change "base" to whatever you want your path to BASE to be, i.e. http://mywebserver/base

sudo apt-get install php-pear php5-gd
sudo pear install Mail Mail_Mime Image_Color Image_Canvas-alpha Image_Graph-alpha

Open a web browser and navigate to your website, http://localhost/base/, which should take you to http://localhost/base/setup/setup1.php

Make sure it says that your config file is writable. If not, you could try something like:

sudo chmod -R 777 base

The next screen will ask you for the path to adodb. If you are not sure what that is, you could try something like:

sudo find / -name adodb

The next screen will ask for your DB connection information. Since this guide does not cover getting Snort set up, I will assume you already have Snort set up and know your database information. Add information as necessary.

The final screen will ask whether you would like to require authentication to access the BASE website. I highly recommend setting up a user.

You should be all set up after that. Depending on how many Snort alerts are in your DB and various other hardware-related factors, it could take some time for BASE to query the data in the database, so be patient if it doesn't come up right away!
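The "config file is writable" step above suggests chmod -R 777 on the BASE directory, which makes every PHP file under the web root writable by any local account. As an added example (not from the guide), here is a narrower alternative in POSIX sh: it leaves the tree read-only, creates one config file writable by the web server user, and includes a constructed sample tree to verify the resulting modes. The config file name base_conf.php and the web user www-data are assumptions.

```shell
#!/bin/sh
# Narrower alternative to 'sudo chmod -R 777 base'. World-writable web content
# lets any local user, or any web bug, rewrite BASE's PHP. Only the config file
# the setup wizard writes needs to be writable by the web server. The config
# file name base_conf.php and the web user www-data are assumptions here.
set -e

# Make a BASE tree writable only by its owner, then give the web server user
# its own writable config file. Usage: harden_base /var/www/base www-data
harden_base() {
    base_dir="$1"
    web_user="$2"
    find "$base_dir" -type d -exec chmod 755 '{}' +
    find "$base_dir" -type f -exec chmod 644 '{}' +
    conf="$base_dir/base_conf.php"
    [ -f "$conf" ] || : > "$conf"
    chmod 600 "$conf"
    # chown needs root; unprivileged (as in a local dry run) the file simply
    # stays owned by the caller.
    if [ "$(id -u)" -eq 0 ] && id "$web_user" >/dev/null 2>&1; then
        chown "$web_user" "$conf"
    fi
}

# Octal permission bits of a path (GNU stat), used to verify the result.
mode_of() {
    stat -c '%a' "$1"
}

# Constructed sample tree standing in for /var/www/base, left in the state
# 'chmod -R 777' produces.
make_sample_base() {
    dir=$(mktemp -d)
    mkdir -p "$dir/setup"
    : > "$dir/base_main.php"
    : > "$dir/setup/setup1.php"
    chmod -R 777 "$dir"
    printf '%s' "$dir"
}
```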