From: Pete Sass
To: Jun Tangunan
Monday, December 24, 2012 4:29:41 PM
> > Hi Foxitians,
> > Just wondering if some of you system folks are dealing with the onslaught of
> > RootKit and RansomWare infections?
> > Some of the RootKits I have recently been involved with are:
> > Rootkit.Boot.Pihar.c and the . . .
> > Trojan0Access.
> > and the . . .
> > RansomWare "Ukash".
> > Also, in the past 2 weeks got around 15 computers into my shop with the Trojan0Access RootKit.
> > In the worst case scenario a couple of these have gotten into the MBR of the client's hard drive.
> > Even after deleting the partition and reformatting, the Virus/Trojan rootkit still comes back
> > after a couple of re-boots.
> > Even after restoring the MBR on the hard drive some of these still come back. I have tested
> > this with Acronis and performed a full MBR restore and still after 2-3 reboots the RootKit
> > infection manifests itself again.
> > So in a couple of cases thus far I have had to replace the physical hard drive and reinstall
> > the OS clean. I was not able to eliminate these kinds of Trojan/Virus' in a couple of cases.
> > This is getting rather "scary" for a computer service company like mine.
> > I am starting to think back in the old days where we were able to go into debug and perform a
> > low level format of a hard drive. With the new SATA drives this is not an option, so we are
> > really facing a big issue here my friends.
> > I am not sure where all of this is going, but in the past 2 weeks I have dealt with 15 computers
> > infected with very hard to remove "RootKit" infections.
> > Today I am dealing with a client's Exchange server totally down AND infected with:
> > Rootkit.Boot.Pihar.c
> > Trojan0Access
> > and the Ukash ransom Trojan.
> > In this case there were over 1,000 infections detected.
> > After 3 hours of trying to get rid of these infections, I have decided to rebuild this
> > Exchange server from scratch after 3 hours of trying to eradicate the infections!
> > Removing all the partitions and reformatting the hard drives did not fix the issue.
> > I had to replace the OS boot hard drive completely!
> > I would sure like to meet up with one of the folks that created these infections to see
> > what in fact they did to add code right into the hard drive Master Boot Record.
> > This is being done at a very low level indeed and these folks know what they are doing
> > probably in 100% low-level assembly to target the Intel processor detected.
> > These infections are getting past McAfee Enterprise, Norton Enterprise and AVG Server
> > Enterprise Editions.
> > Needless to say the cost of something like this is a lot for any client to swallow!
> > The only thing I can offer in defence to this kind of infection is my main file server
> > and web server back at my shop are running under Unix.
> > Hard to get a client to move off to a linux/unix OS for sure and the main issue is internal
> > IT departmental training!
> > Yikes ... what a day!
> > Pete "the IceMan", from the Great White North of Canada.
> > Home of the Canadian and US download for Chen's VFP C++ Compiler
> Hello Pete,
> I always take into consideration that any malware can temporarily reside in RAM, so that even removing a hard disk partition and recreating a new one, as long as the unit is on or it has power, may result in immediate reinfection. So for cases of strong malware like what you are describing, here is what I do:
> a. Boot on clean CD with repartitioning capability
> b. Remove partition of the harddrive in question
> c. Immediately turn off computer
> d. Unplug the power cable at the back. Even when the computers are turned off, while the power plug is still there, a weak power is still supplied to the motherboard (and maybe that will keep RAM intact), just to be sure that RAM will be totally wiped out. Leave that unplugged for around 2 to 5 minutes depending on the brand of the unit.
> e. Put back the plug, power it back, boot it back on that CD
> f. Create new partition, if possible not the same as the previous one. If there is only single partition before, make it 2. If there are 2 partitions before, at least change the sizes of each partition.
> Just suggestions based on how I do things on my end.
Thanks for your reply.
Yes, I power off as well and hold in the power button to totally discharge. I also do
unplug the unit and even go so far as to remove the 3 volt motherboard battery.
I see one thing that you are doing different than me and that is create 3 partitions
where there were 2 or change the partition sizes. This I think will force the overwriting
of the MBR on the drive. So this is a good tip with stubborn virus/Trojan infections.
Pete "the IceMan", from the Great White North of Canada.
Home of the Canadian and US download for Chen's VFP C++ Compiler
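Added example, not from either poster: sector 0 of an MBR disk holds 446 bytes of bootstrap code, a 64-byte partition table and a 2-byte signature, and repartitioning rewrites only the table. This script parses a 512-byte MBR and reports which region differs from a known-good baseline; the sample sectors are constructed bytes, not a real boot sector or malware.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code region, outside every partition
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"    # boot signature at offset 510

def parse_mbr(sector):
    """Split a raw 512-byte sector into bootstrap code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries,
            "signature_ok": sector[510:512] == SIGNATURE}

def boot_code_hash(sector):
    """SHA-256 of the bootstrap region only; store this as the known-good baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def compare_mbr(baseline, current):
    """Report which region of the current MBR differs from the baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {"boot_code_changed": b["boot_code"] != c["boot_code"],
            "partition_table_changed": b["partitions"] != c["partitions"],
            "signature_ok": c["signature_ok"]}

def make_sample_mbr(boot_code, partitions):
    """Build a synthetic MBR for the demonstration (constructed, not a real boot sector)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0, ptype, lba_start, sectors)
    sector[510:512] = SIGNATURE
    return bytes(sector)

GOOD_CODE = b"\x90" * 25                      # placeholder bootstrap bytes
BASELINE = make_sample_mbr(GOOD_CODE, [(True, 0x07, 2048, 204800)])
# Repartitioned: table rewritten, bootstrap code untouched.
REPARTITIONED = make_sample_mbr(GOOD_CODE, [(True, 0x07, 2048, 102400),
                                            (False, 0x07, 104448, 102400)])
# Tampered: bootstrap region replaced, partition table identical to baseline.
TAMPERED = make_sample_mbr(b"\xcc" * 25, [(True, 0x07, 2048, 204800)])
```

On a live system the 512 bytes come from reading the raw device (for example the first 512 bytes of /dev/sda on Linux, or \\.\PhysicalDrive0 on Windows) while booted from trusted media, and the baseline hash is taken from a freshly imaged disk.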