Comodo Forum > Desktop Security Products > Comodo Internet Security - CIS > Virus/Malware Removal Assistance
Author Topic: Svchost.exe and email exploit troubles... [Closed]  (Read 20132 times)
Gaming4JC
« Reply #30 on: May 23, 2008, 09:08:42 PM »

Ok... first off... something seems to be really messing with Comodo. Every time I go to add a rule the whole window turns white and I can't left-click on the icon in my taskbar. It usually unlocks after a time, but is causing a great nuisance...

I ran MSRT and it found nothing. Setting Comodo rules now *fingers crossed*....
I scanned those files via VirusTotal. This is the only one that found anything: http://www.virustotal.com/analisis/03216be35dbfae3ae543201f69fa9433

I'm seeing if we can't contact some others who would know something about it too. Some people who know about botnets.
grue155
« Reply #31 on: May 23, 2008, 09:31:49 PM »

Even that is more useful data. If it is a Storm variant, then it is one of the newer variants if MSRT didn't catch it. And it seems to have some kind of defensive ability against CFP v3, which isn't that old. Which again implies a newer variant. That should narrow the research area a bit. Looks like I've got a research hobby this weekend.

Here's hoping those revised rules for svchost will help. As long as the malware can update itself and has a command channel, it's going to be much tougher to nail it down. Not impossible, though.

Again, end of my day. I'll be back tomorrow, at the usual 1800 GMT.
Gaming4JC
« Reply #32 on: May 24, 2008, 10:57:57 AM »

Hello Again,
My Dad started researching "Storm" a bit with us also and says he appreciates all of your expertise.
Our first spyware that we knew of started in 1998/1999 when we had TSADBot and its Dialer connecting to a remote location; it turns out this spyware was picked up from a game we purchased, made by the company e-Games. We also had been using OptOut by Steve Gibson before he turned it over to Lavasoft, but we've never seen anything quite like this...

Also, you may find this Wikipedia page of interest on explaining the original botnet:
http://en.wikipedia.org/wiki/Storm_botnet

Also, some information on it here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079653

And a poisoning technique here:
http://www.techworld.com/security/news/index.cfm?newsid=12094

I think it may be possible to take over the botnet's command and control tunnel. If possible I may be able to remove it from my computer and trace back the guy doing it.

BTW: You know anyone that wants to give us a few $$$ and a new hard drive to take a security analysis of this computer? lol.
grue155
« Reply #33 on: May 24, 2008, 11:07:33 AM »

A couple of more diagnostics to try.

Deckard's System Scanner, available for download at http://www.techsupportforum.com/sectools/Deckard/dss.exe is a more extensive version of HiJackThis. It will produce two files, a main.txt and an extra.txt. Run the scan, and post both files.

And something a little more esoteric, PrevxCSI Free, which can be downloaded from their web page at http://www.prevx.com/freescan.asp It's about 600 kbytes in size, and runs in just a couple of minutes. It tends to check things that other scanners don't check. If it finds something, then post the report back here.

I looked at the VirusTotal report. One entry, saying "Blockreason.0", which I don't understand. Nothing else tagged the file as a virus, meaning it's either a legit file, or something so new that nobody recognizes it (which seems to happen more often these days).

Gaming4JC
« Reply #34 on: May 24, 2008, 12:27:03 PM »

I ran DSS, and uploaded the 3 output files here:
http://rapidshare.com/files/117314736/DSS_Logs.zip.html
Nothing seems overly unusual; I reset my homepage to my ISP instead of google.com.

Anyhow, I ran PrevxCSI; it said no detections found on their real-time database scanner.

I am also trying to get in touch with Steve Gibson and the NetTools guy. A malware like this requires several g33ks' input.


Edit: I may head out for a bit of fresh air later this afternoon and take a walk. Meanwhile, I am wondering if you (or someone you know) are able to compile Nepenthes for Windows. Check it out here: http://nepenthes.mwcollect.org/

It was able to catch a few botnets, I'm wondering if it could dump any information on ours.
« Last Edit: May 24, 2008, 01:07:56 PM by Gaming4JC »
Gaming4JC
« Reply #35 on: May 24, 2008, 01:23:22 PM »

Two things I forgot to mention:
First off PrevxCSI is running in background and keeps trying to update.

And secondly, while I was running some nmap tests on that server 67.210.97.77 last night, my ISP had a DoS. It knocked them offline for quite a few hours and my Dial-Up kept saying "All Circuits are busy now"... Just before it happened Remote Access Dialer was detected trying to Launch Remote Access Dialer via Comodo.

Edit Again: There may be other tools besides Nepenthes...
http://www.honeynet.org/tools/index.html <-- List of them. Just tell me if I should run one of them.
« Last Edit: May 24, 2008, 01:45:13 PM by Gaming4JC »
grue155
« Reply #36 on: May 24, 2008, 02:18:24 PM »

The Deckards log has a couple of anomalies. I've been doing some digging trying to make sense of them. What are your H: and Z: drives? There are some registry entries defined for them, and I need some context to make sense of it.

If you read down the page on the Wikipedia entry on Storm, you'll see that a DDoS attack is one of its defense mechanisms. To properly trace the C&C hosts back, the safest way to do it is physically getting your hands on the machine, and that usually takes law enforcement powers. There are botnet research and investigation efforts underway that do that very thing, with those powers. If you want to get some sense of Storm's (and its variants', and competitor botnets') defensive capabilities, I'll refer you to this article from last year http://www.networkworld.com/news/2007/102407-storm-worm-security.html

Re PrevxCSI. You can let it update, or kill off the process. Your choice. It may be useful later, so it'd be good to keep it around, for now.

ghostrider
« Reply #37 on: May 24, 2008, 02:21:37 PM »

Try this here: Norman Malware Cleaner http://download.norman.no/public/Norman_Malware_Cleaner.exe

Also try a-squared Free http://www.emsisoft.com/en/software/download/ and their a-squared HiJackFree http://www.emsisoft.com/en/software/download/

Post a log here if those pick up anything. Also post a log from a-squared if it picks up anything and one from HiJackFree on emsisoft's forum and let them look at it.

Anyway hope those help.
Gaming4JC
« Reply #38 on: May 24, 2008, 02:45:48 PM »

@grue155: I have MagicISO and virtual drive F:. But to my knowledge there is no drive H: or Z:.
I guess I'll need to contact the FBI to stop the C&C computer though, lol.

Ermm... about those honeypots? What do you think of setting one up? If it infects the virtual computer we will know what was infected and I can send it to some computer forensics lab.

@ghostrider: I have had a-squared before as well. Also, I have run 3 versions of HijackThis. But I guess I'll give it a go anyhow... thanks for the post.

Edit: Here's the a-squared log
http://analyze.hijackfree.com/analyze/?id=3ddd797b-5930-41a9-983e-8b7a7decfa2a
"It will stay online for 7 days" or so it says.
« Last Edit: May 24, 2008, 03:02:32 PM by Gaming4JC »
grue155
« Reply #39 on: May 24, 2008, 03:44:28 PM »

I should have picked up on this some time ago...

Upload C:\WINDOWS\SYSTEM32\uniime32.dll to virustotal and see what it is. Google search says you're the only person on the planet that has one, and that's a real bad sign for a legit file.

Deckards is showing residual entries in your registry for H and Z drives, at the end of the main.txt. There's also a reference to "portableapps" on G:. Could be a bunch of legit things like USB sticks or network shares. Or it could be bad news.

Honeypots can be very entertaining, but time consuming. From what I've seen being used, honeypots work best on a LAN with at least two or three machines (one bait, one monitor, and something as a firewall or packet trap). And then, with the collected data, what to do with that data. There are botnet tracker forums, but I haven't had the time to follow thru.
Gaming4JC
« Reply #40 on: May 24, 2008, 04:46:07 PM »

Hmm good eye there! It is infected with something:
http://www.virustotal.com/analisis/10c5df1374e559164f3e2f0b60e51a11

I do run portable apps from a USB stick, and when I had Daemon Tools (several months ago now), it made virtual drive Z, but I no longer have it, soo...

Honeypots are sounding a bit g33ky but I may be able to make a Windows build by contacting the right folks and getting them to help. Even if it would take forever on my online Dial-Up connection...
grue155
« Reply #41 on: May 24, 2008, 05:15:50 PM »

It's a little bit of progress, like a finger that just touched a tail. Now to figure out how to grab it without getting bitten.

This uniime32.dll is loaded at machine boot time. VirusTotal says it is a compressed (using UPX techniques) executable. It's like a run-in-place zip file, and probably encrypted. There are several different kinds of malware that will do that, and all of them protect their startup code, so just simply deleting it won't work. "Vundo" is an example. If we can successfully disable the startup, then cleanup will be fairly simple. Rather, it's supposed to be simple. I need to do some research on the available techniques and tools, which may take a little while.

Re honeypots. Definitely can be a g33ky thing. Some of the more elaborate setups I've read about have folks with corporate backing and get paid to do it. Lucky beggars...
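Reply #41 above relays VirusTotal's observation that uniime32.dll is a UPX-compressed executable. The following is an added example, not code from this thread or from Comodo or VirusTotal, showing how a practitioner can make the same determination offline from the file itself: walk the PE section table and look for the three classic packer tells, the UPX0/UPX1 section names, a section that is empty on disk but large in memory (where the unpacked image is written at load time), and sections whose byte entropy is close to random. The two PE images it scans are constructed inline for illustration and are not the DLL from the thread.

```python
import math
import random
import struct

# Offsets and sizes from the PE/COFF file format.
E_LFANEW_OFFSET = 0x3C          # DOS header field holding the PE header offset
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0              # bits/byte; plain x86 code is usually 5.0-6.5


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 is indistinguishable from random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """Return the section table of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(data: bytes) -> dict:
    """Triage heuristics for a packed/compressed PE; hints are human-readable."""
    sections = parse_sections(data)
    hints = []
    for s in sections:
        label = s["name"].decode("ascii", "replace")
        if s["name"] in UPX_SECTION_NAMES:
            hints.append(f"UPX section name {label}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{label} is empty on disk but {s['virtual_size']:#x} bytes in memory")
        if s["entropy"] > HIGH_ENTROPY:
            hints.append(f"{label} entropy {s['entropy']:.2f} (compressed or encrypted)")
    return {"sections": sections, "hints": hints, "likely_packed": bool(hints)}


def build_sample_pe(section_specs) -> bytes:
    """Constructed minimal PE (DOS header, COFF header, no optional header, sections)."""
    num = len(section_specs)
    e_lfanew = 0x40
    table_off = e_lfanew + 4 + COFF_HEADER_SIZE
    data_off = table_off + num * SECTION_HEADER_SIZE
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0x2102)
    headers, payload = b"", b""
    for name, vsize, raw in section_specs:
        rawptr = data_off + len(payload) if raw else 0
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                               len(raw), rawptr, 0, 0, 0, 0, 0x60000020)
        payload += raw
    return dos + b"PE\0\0" + coff + headers + payload


# Constructed inputs: deterministic pseudo-random bytes stand in for a compressed body,
# and a repeated x86 prologue/epilogue stands in for ordinary code.
_rng = random.Random(7)
COMPRESSED_BODY = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512

PACKED_SAMPLE = build_sample_pe([(b"UPX0", 0x8000, b""),
                                 (b"UPX1", 0x3000, COMPRESSED_BODY),
                                 (b".rsrc", 0x200, b"\0" * 0x200)])
PLAIN_SAMPLE = build_sample_pe([(b".text", 0x1000, PLAIN_CODE),
                                (b".data", 0x100, b"A" * 0x100)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        report = packer_indicators(image)
        print(f"{label}: likely_packed={report['likely_packed']}")
        for hint in report["hints"]:
            print("  -", hint)
```

Treat the result as a triage hint, not a verdict: legitimate installers and programs with compressed resources also produce high-entropy sections, and a packer can rename UPX0/UPX1 to anything. The combination that matters in this thread is a packed DLL, loaded at boot, that a web search shows on only one machine; that is enough to justify submitting the file for analysis rather than deleting it blindly.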
grue155
« Reply #42 on: May 24, 2008, 06:50:04 PM »

First pass on the research hasn't been encouraging. Several variants of polymorphic "winlogon notify" malware, ranging from (relatively) easy to remove like Vundo, to zero and reformat like some virut variants. I don't know enough of which version you've got to know which direction to go.

So, are you game for an experiment? What I'm thinking, is to use CFP Defense+ to block the boot load sequence of uniime32 from being executed. It's the code execution equivalent of the svchost firewall rules, trying to bottle up a process.

To do this, in CFP go to Defense+ -> Advanced / Computer Security Policy, and then Add an entry.

The application path is C:\windows\system32\uniime32.dll. Select "Custom Policy". As a safety measure for testing, set "Access Rights" to allow everything, and "Protection Settings" to no. That's taking the defaults, meaning that everything should still run unchanged. Since this is a boot load thing, you should reboot to see if anything gets unhappy. This malware has some kind of defense code, and if it senses something, it'd be best to have an easy way to back out by just deleting the CFP entry.

If that is working, meaning nothing happened, then change the Access Rights to everything blocked, and the Protection Settings to yes. Reboot again.

If that worked, then the malware cloaking device just got disabled. Run a Deckards Scan and post the result. There should be some new processes running around.

Does that make sense on what I'm describing?
Gaming4JC
« Reply #43 on: May 24, 2008, 07:15:06 PM »

Yes, I'm game. I'll go ahead and try it out now.
Meantime, here's the infected dll; if you're game (and very cautious), you may be able to decompile it with win32dasm:
http://rapidshare.com/files/117388841/uniime32.dll.html <-- Infected file.
grue155
« Reply #44 on: May 24, 2008, 07:23:05 PM »

Got it. I'll eyeball it on one of the FreeBSD boxes here.