Thursday, November 27, 2008
TDSS Rootkit Removal
The box would only boot into Windows successfully about one out of every 4 times. Once into Windows, I found Antivirus 2009 and FakeAlert. As always, I tried the easiest things first: installing Spy Sweeper and/or HijackThis. Neither would install normally, so I changed the HJT folder name and .exe name; it still would not run. Although Spy Sweeper would install, upon reboot it would say that the install was corrupt or something. At this point I should have realized there was a rootkit.
I booted the box into a Slax live CD and went about removing AntiVirus2009 manually. Slax doesn't mount NTFS drives with write privileges by default; in order to accomplish this I ran the following commands:
umount /dev/hda2
ntfsmount /dev/hda2 /mnt/hda2
Now, had I known there was a rootkit and known a little about TDSS, I could probably have killed it this time around. As I didn't, the process ended up taking quite a bit longer. Instead of simply removing Antivirus2009, I should have tried something like:
cd /mnt/hda2/windows/system32/drivers
ls tdss*
rm tdss*
cd ..
ls
and delete all .exe and .dll files with dates of 2009 on them (this may not work in a few months!)
Since I didn't realize there was a rootkit I simply removed Antivirus 2009 and rebooted.
Once I booted back into Windows I saw that FakeAlert was still there (and re-installing Antivirus2009), so I decided to run RootkitRevealer and see what it came up with. Sure enough there were a few entries for TDSSserv.sys and TDSSdata, and then two errors where it said it couldn't mount the C and D drives. Did a little research on TDSS and realized that the box was most definitely rootkitted.
I played with the registry through regedit, but guess what, the only TDSS entries that were showing up were legacy data that would not stop the rootkit. No surprise. I searched the intewebs, read a variety of posts, grabbed a bunch of tools, Gmer, IceSword, and a bunch of others that I didn't end up using. I also created a UBCD4WIN boot disk based on this excellent post: http://www.s-t-f-u.com/2008/10/29/rootkit-tdsssys-sucks-worse-than-a-2-dollar-whore-remove-it/
Now, since I removed Antivirus 2009 manually through Slax, I had created some discrepancies or problems with the disk. It still booted into Windows, but would not run a scheduled CHKDSK, and I could no longer mount the volume in Slax because it gave an error saying the volume was dirty and needed a chkdsk run.
I guess I really didn't need the UBCD4Win, as after like 15 mins it still hadn't booted, and because I'm impatient I just killed it and used it to boot into the recovery console, but still, seems like something I will most definitely be using in the future.
After booting into the recovery console, I did what I should have done through Slax the first time around, and went to system32 and removed all .exe and .dll files with 2009 timestamps on them (at the time of this writing, that worked great, but probably won't soon as it's almost 2009), and then into system32/drivers and got rid of all the TdssXXXX.sys files (where X equals random characters). There were also some .ini files with 2009 dates on them that I probably could have removed, but didn't.
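The "2009 timestamp" trick above only worked because those dates were still in the future; the same check can be expressed relative to the host clock so it keeps working, and it can list candidates without deleting anything so each hit is reviewed first. This is an added example, not from the original post; the mount point /mnt/hda2/windows/system32 is assumed from the Slax commands above.

```shell
#!/bin/sh
# Added example, not part of the original post. Lists candidate files on a
# Windows volume mounted from a live CD (the path /mnt/hda2/windows/system32
# is assumed) without deleting anything, so every hit can be reviewed.

# list_suspect_files SYSTEM32_DIR
#   - .exe/.dll files directly in SYSTEM32_DIR whose mtime is later than this
#     machine's clock (the "dated 2009" files from the post, generalised)
#   - tdss*.sys files in SYSTEM32_DIR/drivers (the TdssXXXX.sys naming pattern)
list_suspect_files() {
    root="$1"
    # A fresh temp file carries the current time; find -newer then reports
    # anything modified after it, i.e. anything future-dated.
    ref=$(mktemp "${TMPDIR:-/tmp}/ref.XXXXXX") || return 1
    find "$root" -maxdepth 1 -type f \
        \( -iname '*.exe' -o -iname '*.dll' \) -newer "$ref"
    if [ -d "$root/drivers" ]; then
        find "$root/drivers" -maxdepth 1 -type f -iname 'tdss*.sys'
    fi
    rm -f "$ref"
}

# From the live CD, review the list before removing anything:
# list_suspect_files /mnt/hda2/windows/system32
```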
Rebooted into Windows, to find that FakeAlert was still there. Opened IceSword (which is a fuking cool app) and killed the FakeAlert .exe manually (bratsk.exe or something). Since I couldn't find a way to search the registry through IceSword, I just used regedit to search for "tdss", then navigated to those locations in IceSword (it takes care of permissions so deleting keys is far easier than in regedit) and deleted the fuk out of anything tdss. The most interesting by far was the disallow section of TDSSDATA (I think that was it). It contained all the hooks that kept SS, Gmer, and all those other apps from running. I was able to delete all TDSS entries. Rebooted.
Still had FakeAlert. Searched the registry for TDSS. TDSSDATA was still there, but it looked like it hadn't fully set up as the keys were not there. Deleted it. At this point I was able to successfully install my preferred malware removal app (and inserted the newest def set manually cause I work for them), and when I rebooted, the CHKDSK that I had scheduled many boot cycles ago actually kicked off.
The malware removal app install went through this time and I ran a full scan. Still waiting to see what all it found and removed, but at this point I'm pretty confident that the TDSS rootkit is dead. Big ups to the TDSS guy though, that's a pretty nice rootkit, and I know for a fact that you have at least one major malware vendor re-working their engine to accommodate removal (even if you hit after the engine was installed).
So, for the first time after getting the box, I feel safe connecting it up to the intewebs to get some likely much needed updates, which is my guess as to where this came from.
Also, I heard that Microsoft released an update this week that removed over 1 million copies of rogue Antivirus apps? Very interesting.
Tuesday, November 11, 2008
Enabling VNC in Ubuntu Intrepid
sudo apt-get install xtightvncviewer
and you should be all set.
Saturday, November 8, 2008
DarkIce with Darksnow Debian Etch
apt-get source darkice
apt-get install liblame-dev
apt-get build-dep darkice
cd darkice*
vi debian/rules
# remove --without-lame
dpkg-buildpackage
cd ../
dpkg -i darkice*.deb
apt-get install libgtk2.0-dev
Find and download Darksnow. As of this writing, I was able to get the latest deb release here: http://www.twiki.ufba.br/twiki/pub/RadioFACED/ComoFunciona/darksnow_0.5.2-1_i386.deb
unzip
cd darksnow-0.X.X
./configure
make
make install
Added these to /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse
sudo apt-get install lame liblame0
This will need some updating, still tweaking...use at your own risk.
Wednesday, November 5, 2008
Upgrading Snort Schema from 1.06 to 1.07
USE snort;
ALTER TABLE signature ADD sig_gid INT UNSIGNED;
INSERT INTO `schema` (vseq, ctime) VALUES ('107', now());
DELETE FROM `schema` where vseq = '106';
The only change to the tables comes from the second line. The last two lines are just for updating the version number.
Install BASE and Apache2 on Ubuntu 8.10 Intrepid
If you get a message about the path to adodb changing, take note of what the new path is.
cd /var/www
sudo wget 'http://downloads.sourceforge.net/secureideas/base-1.4.1.tar.gz?modtime=1217804205&big_mirror=0'
You might not want to copy and paste the above code as it could be outdated. Just download the newest version and drop it in /var/www and unpack.
sudo tar -xvzf base-1.4.1.tar.gz
sudo rm base-1.4.1.tar.gz
sudo mv base-php4 base
Change "base" to whatever you want your path to BASE to be, i.e. http://mywebserver/base
sudo apt-get install php-pear php5-gd
sudo pear install Mail Mail_Mime Image_Color Image_Canvas-alpha Image_Graph-alpha
Open a web browser and navigate to your website, http://localhost/base/, which should take you to http://localhost/base/setup/setup1.php
Make sure it says that your config file is writable. If not, you could try something like the following (note that this makes the whole BASE tree world-writable, so tighten the permissions again once setup is finished):
sudo chmod -R 777 base
The next screen will ask you for the path to adodb. If you are not sure what that is, you could try something like:
sudo find / -name adodb
The next screen will ask for your DB connection information. Since this guide does not cover getting Snort set up, I will assume you already have Snort set up and know your database information. Add information as necessary.
The final screen will ask whether you would like to require authentication to access the BASE website. I highly recommend setting up a user.
Should be all set up after that. Depending on how many snort alerts are in your DB and various other hardware related factors, it could take some time for BASE to query the data in the database, so be patient if it doesn't come up right away!
Thursday, October 30, 2008
Keys not working In VMware
Function/arrow keys, etc. not working
This is an upstream bug in VMware's code. If your keyboard is not functioning correctly in VMware, add this line to ~/.vmware/config (create the file if necessary):
xkeymap.nokeycodeMap = true
http://www.ultimalinux.com/wiki/VMware
Worked like a charm. Awesome.
Thursday, October 23, 2008
Microsoft Emergency Patch
"Microsoft is about to issue an emergency security update to plug a vulnerability which could allow an internet worm to be spread via a computer without the user doing anything.
The update is rated as critical for users of Windows 2000, XP and Server 2003 and the less severe rating of "important" for users of Windows Server 2008 and Windows Vista. The patch is scheduled for 10.00am Pacific Time (6pm BST).
There will be a webcast at 1.00pm Pacific Time (9pm BST) explaining the issue in more detail.
The exploit potentially allows remote code to be executed.
The Advance Notification is here.
Microsoft tries to make life easier for administrators by bundling its updates into one monthly slot, known as Patch Tuesday, in the second week of every month. It has broken this cycle before, but it is unusual."
http://www.theregister.co.uk/2008/10/23/windows_emergency_update/