From: Pete Sass
To: tushar Kanvinde
Tuesday, December 25, 2012 8:29:55 PM
> > Hi Foxitians,
> > Just wondering if some of you system folks are dealing with the onslaught of
> > RootKit and RansomWare infections?
> > Some of the RootKits I have recently been involved with are:
> > Rootkit.Boot.Pihar.c and the . . .
> > Trojan0Access.
> > and the . . .
> > RansomWare "Ukash".
> > Also, in the past 2 weeks I got around 15 computers into my shop with the Trojan0Access RootKit.
> > In the worst case scenario a couple of these have gotten into the MBR of the client's hard drive.
> > Even after deleting the partition and reformatting, the Virus/Trojan rootkit still comes back
> > after a couple of re-boots.
> > Even after restoring the MBR on the hard drive some of these still come back. I have tested
> > this with Acronis and performed a full MBR restore and still after 2-3 reboots the RootKit
> > infection manifests itself again.
> > So in a couple of cases thus far I have had to replace the physical hard drive and reinstall
> > the OS clean. I was not able to eliminate these kinds of Trojans/Viruses in a couple of cases.
> > This is getting rather "scary" for a computer service company like mine.
> > I am starting to think back to the old days when we were able to go into debug and perform a
> > low level format of a hard drive. With the new SATA drives this is not an option, so we are
> > really facing a big issue here my friends.
> > I am not sure where all of this is going, but in the past 2 weeks I have dealt with 15 computers
> > infected with very hard to remove "RootKit" infections.
> > Today I am dealing with a client's Exchange server totally down AND infected with:
> > Rootkit.Boot.Pihar.c
> > Trojan0Access
> > and the Ukash ransom Trojan.
> > In this case there were over 1,000 infections detected.
> > After 3 hours of trying to get rid of these infections, I have decided to rebuild this
> > Exchange server from scratch after 3 hours of trying to eradicate the infections!
> > Removing all the partitions and reformatting the hard drives did not fix the issue.
> > I had to replace the OS boot hard drive completely!
> > I would sure like to meet up with one of the folks that created these infections to see
> > what in fact they did to add code right into the hard drive Master Boot Record.
> > This is being done at a very low level indeed and these folks know what they are doing
> > probably in 100% low-level assembly to target the Intel processor detected.
> > These infections are getting past McAfee Enterprise, Norton Enterprise and AVG Server
> > Enterprise Editions.
> > Needless to say the cost of something like this is a lot for any client to swallow!
> > The only thing I can offer in defence to this kind of infection is that my main file server
> > and web server back at my shop are running under Unix.
> > Hard to get a client to move off to a Linux/Unix OS for sure, and the main issue is internal
> > IT departmental training!
> > Yikes ... what a day!
> > Pete "the IceMan", from the Great White North of Canada.
> > Home of the Canadian and US download for Chen's VFP C++ Compiler
> Maybe you could procure an External Hard Disk Enclosure. Then on another computer (preferably an old retired machine), boot with a Linux Distro (you get some that will boot from a DVD). Attach the drive externally and change the MBR, change the partitions, and format them. If not to NTFS, then to ext3 or ext4, in which case you will have to format them again when you reinstall Windows.
Yes I still have the old infected drives with the RootKit in the MBR.
I did have Acronis BartPE images of systems to restore the operating system back again.
Acronis does have the option to over-write the MBR which I selected. But it seems
the RootKit still exists even selecting to over-write it with Acronis.
I am going to play around with these infected drives after Xmas and let you and Jun
know the outcome.
Pete "the IceMan", from the Great White North of Canada.
Home of the Canadian and US download for Chen's VFP C++ Compiler
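The procedure tushar suggests (attach the drive to a Linux host, overwrite the MBR, repartition) and Pete's observation that an Acronis MBR overwrite alone did not stop the rootkit from returning, worked through as an added shell example that is not part of this thread. It runs against a constructed disk image file rather than a real drive; `IMG`, the fake boot code and the single partition entry are all assumptions made for the lab, and an externally attached disk would be addressed by its device node instead.

```shell
#!/bin/sh
# Inspect, zero and verify the boot area of a disk image from a Linux rescue host.
# IMG is a constructed lab file standing in for the infected drive, not a real disk.
IMG="${IMG:-./lab_disk.img}"

make_lab_image() {
  # Constructed stand-in for an infected drive: fake boot code in sector 0,
  # one partition entry starting at LBA 2048, and the 0x55AA boot signature.
  dd if=/dev/zero of="$IMG" bs=512 count=4096 2>/dev/null
  printf 'FAKE-BOOT-CODE' | dd of="$IMG" bs=1 conv=notrunc 2>/dev/null
  # entry 1 (offset 446): bootable, type 0x07, start LBA 0x800, size 0x1000 sectors
  printf '\200\001\001\000\007\376\377\377\000\010\000\000\000\020\000\000' |
    dd of="$IMG" bs=1 seek=446 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
}

mbr_signature_ok() {          # true if bytes 510-511 are 55 AA
  [ "$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "55aa" ]
}

bootcode_sha256() {           # hash of the 446-byte boot code, for before/after comparison
  dd if="$1" bs=1 count=446 2>/dev/null | sha256sum | cut -d' ' -f1
}

first_partition_lba() {       # little-endian 32-bit start LBA of partition entry 1
  set -- $(dd if="$1" bs=1 skip=454 count=4 2>/dev/null | od -An -tu1)
  echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

wipe_boot_area() {
  # An MBR-only overwrite touches just sector 0; Pete saw the infection return after
  # exactly that, so zero every sector before the first partition (the unpartitioned
  # gap included). Partitions are recreated on reinstall anyway. Prints sectors wiped.
  lba=$(first_partition_lba "$1")
  dd if=/dev/zero of="$1" bs=512 count="$lba" conv=notrunc 2>/dev/null
  echo "$lba"
}

boot_area_is_zero() {         # true if the first $2 sectors of $1 contain only 0x00
  [ -z "$(dd if="$1" bs=512 count="$2" 2>/dev/null | od -An -v -tx1 | tr -d ' 0\n')" ]
}

demo() {                      # full cycle on the lab image; returns 0 when the wipe verified
  make_lab_image
  mbr_signature_ok "$IMG" || return 1
  before=$(bootcode_sha256 "$IMG")
  sectors=$(wipe_boot_area "$IMG")            # 2048 for the constructed image
  [ "$sectors" -eq 2048 ] || return 1
  boot_area_is_zero "$IMG" "$sectors" || return 1
  [ "$(bootcode_sha256 "$IMG")" != "$before" ] && ! mbr_signature_ok "$IMG"
}
```

Re-reading the boot code hash after any restore tool has "overwritten the MBR" is the cheap check that tells you whether sector 0 actually changed.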
Posted by Pete Sass @ 12/23/2012 10:12:46 PM
Posted by Jun Tangunan @ 12/24/2012 1:53:12 AM
Posted by Pete Sass @ 12/24/2012 4:29:41 PM
Posted by Rick Hodgin @ 12/24/2012 8:49:38 PM
Posted by tushar @ 12/25/2012 5:46:46 AM
Posted by Pete Sass @ 12/25/2012 8:29:55 PM