Quick effective Rootkit infection test (e.g. TDSS and some others)


#1

A Rootkit is a type of infection that is designed to hide its presence, such as from the user, antivirus & antimalware software, etc. Of course this also makes it very difficult to tell if your system is infected by just running an AV/Malware scan or looking for suspicious files as the Rookit hides its presence from the file system, task manager, etc.

After dealing with some past Malware infections (mainly from users of dodgy P2P networks such as Frostwire and the former Limewire), one thing I noticed in common with many of them is that when the Malware involves a Rootkit infection, it often interferes with low level disk access, usually causing problems with partition managers, disk defragmentation, etc. The main utility that almost always gets affected is Windows disk management, which interestingly leaves a tell-tale sign that the system likely has a Rootkit infection.

Here’s the test: (Requires administrator access)

1. Go into the Start menu.
2. Right-click on Computer (“My Computer” in XP) and click “Manage”.
3. If you get a UAC prompt, click ‘Yes’ to continue.
4. On the left, go into Storage -> Disk Management.
5. Do you see your OS hard disk on the right (e.g. Drive ‘C’)?

Try this, even if you don’t think you’re infected. You might be in for a surprise.

If you do not see your operating system hard disk (or even any hard disk), this is a suspicious sign that the computer has a Rootkit infection. If this is the case, try running GMER (link) which should hopefully reveal more details about it.

The following gives a past example of where this trick uncovered a Rootkit:

I recently went into disk management on someone’s PC to look at a partition and noticed the hard drives were missing, i.e. listing appeared blank. Even though the PC did not show any sign of an infection, I started to get suspicious. The PC had Avast AV running and up to date, yet it didn’t show anything suspicious. So just to double check, I ran Malware Bytes and no sign of any infection either. Figuring there still must be an infection, I then tried GMER and it showed a second tell-tale sign with a list of “Copy of MBR” results. However, it didn’t report anything else suspicious.

At this stage, I was convinced that there is definitely something there after two tell-tale signs, so the next “weapon” I tried is Combofix. Sure enough, it did report Rootkit activity, but all it deleted in the end was an inf file and the hard disks were still missing in disk management. Another scan in Malware bytes found nothing and another scan with Combofix also didn’t reveal anything. After recently reading about the deadly TDSS MBR infection, I decided to just give Kaspersky’s TDSS killer utility a try and sure enough it found the MBR infection, removed it and Windows disk management started working again.

What this also shows is that once your system is infected, especially with a silent rootkit like this, the only way you can be certain the infection is gone is with a total disk wipe (to also remove the MBR) and a fresh Windows installation. For example, had I not known about the TDSS utility, I may likely have believed that this computer had some special utility (e.g. full disk encryption that was not set up) that prevented disk management from working.

However, hopefully this simple method above should help reveal if there is a nasty in the system.

Update: 25th September 2012

Another trick I recently saw is where the Rootkit is placed in a separate tiny 10MB partition. So if the system partitions are shown in disk management along with an unusually small ~10MB size partition at the end of the drive, this is also a pretty sure sign of a Rootkit.


#2

Very good information Sean.

Thanks
Mr. Bill


#3

Another possible sign of a Rootkit infection is the inability of the system to access Microsoft/Windows Update.

Again, easily rectified by Kaspersky’s TDSS Killer.


#4

Another possible sign of a Rootkit infection is the instability of your IDE/SATA/SAS/SCSI drivers. If the drivers are suddenly unsigned (when previously signed) or show exclamation marks next to them, you can be sure something has been tampering with them.


#5

Seán, thank you for this. I had what was likely a false positive on a rootkit last month, & this was 1 more confirmation that it likely was false.


#7

Just a quick update after encountering a computer with a Rootkit that does not hide the volumes in disk management. The computer experienced a familiar Malware sign where Google results were being intermittently redirected to advertisements, yet had Microsoft Security Essentials with the green castle icon and no Malware scanner found anything suspicious.

It was a pretty sophisticated Rootkit where both FixTDSS and tdsskiller wouldn’t run, as nothing happened when double-clicked or renamed. GMER could not run either, just giving a LoadDriver error. Interestingly, when I connected the HDD to another PC to check with Avast, it did not find the infection.

After some reading around, I came across a post suggesting to run MBRCheck, which gave a fake MBR warning. However, any attempt to restore the MBR just resulted in the MBR being reverted back, confirming the infection was still present.

Finally, with the HDD attached to another PC, I noticed an unusually small 10MB partition at the end. I deleted this and marked the first partition as active. I then ran the Windows OS disc to repair the MBR once again, and this time when booted, not only did the computer start much quicker, but there was no more sign of the redirection when browsing the web. TDSSKiller, GMER, etc. could all run again, although coming up clean.
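The posts above describe three indicators that can be checked without relying on a malware scanner: an empty disk listing in Disk Management, a tiny (~10MB) partition at the end of a drive, and storage drivers that have become unsigned or show a problem mark. The following PowerShell triage script is an added example, not code from the thread or from any of the tools mentioned; it assumes Windows 8 / Server 2012 or later (for the Storage module cmdlets) and an elevated prompt, and the 16MB size threshold is a constructed value chosen to catch the ~10MB case.

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell prompt.
# Assumes Windows 8 / Server 2012 or later for Get-Disk / Get-Partition.
$findings = @()

# Indicator 1: does the storage stack enumerate any disks at all?
# An empty listing is the first sign described in post #1.
$disks = @(Get-Disk -ErrorAction SilentlyContinue)
if ($disks.Count -eq 0) {
    $findings += "No disks enumerated; compare with what Disk Management shows."
}

# Indicator 2: an unusually small partition at the END of a disk (post #1 update, post #7).
# 16MB is a constructed threshold; the legitimate 16MB GPT MSR partition is never the
# trailing one, and -lt keeps it from matching anyway.
$threshold = 16MB
foreach ($disk in $disks) {
    $parts = @(Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
               Sort-Object Offset)
    if ($parts.Count -eq 0) { continue }
    $last = $parts[-1]
    if ($last.Size -lt $threshold) {
        $findings += ("Disk {0}: trailing partition #{1} is only {2:N1} MB (type {3}, offset {4})" -f
            $disk.Number, $last.PartitionNumber, ($last.Size / 1MB), $last.Type, $last.Offset)
    }
}

# Indicator 3: storage-class drivers that are unsigned, or devices with a problem code
# (the exclamation mark in Device Manager), as described in post #4.
$storageClasses = 'SCSIADAPTER', 'HDC', 'DISKDRIVE'
Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -in $storageClasses -and -not $_.IsSigned } |
    ForEach-Object {
        $findings += ("Unsigned storage driver: {0} ({1})" -f $_.DeviceName, $_.InfName)
    }
Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.PNPClass -in 'SCSIAdapter', 'HDC', 'DiskDrive' -and $_.ConfigManagerErrorCode -ne 0 } |
    ForEach-Object {
        $findings += ("Device problem code {0}: {1}" -f $_.ConfigManagerErrorCode, $_.Name)
    }

if ($findings.Count -eq 0) {
    "No indicators found. This does not prove the system is clean; a rootkit can also lie to these queries."
} else {
    $findings | ForEach-Object { "INDICATOR: $_" }
}
```

Because a kernel-mode rootkit can filter the same APIs these cmdlets use, a clean result only means this particular set of tells is absent; a hit on indicator 2 is worth confirming from a second, known-clean machine as post #7 did.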


#9

Great update, Seán!!


#10

Seán, would you take a look at this & give an opinion:

I cut the Hash numbers from the image.
This computer has only ever had Vista installed.
Drive 1 is the boot drive.
Drive 0 is a clone of Drive 1 & that is all it’s used for.
Drive 2 is just an extra drive & has never had an OS installed on it.

I fortunately made a backup before I tried to replace the MBR with MBRCheck. I tried to replace it with the Vista one & then Drive 1 wouldn’t boot.

Also what does “Legit MBR code detected” mean?

If anyone else knows please answer as well.




#11

It’s quite likely your OS HDD had an MBR and bootloader from another OS or from another boot manager, even if it has since been removed. Another possibility is that the boot sector of the partition is from another OS (or third party boot manager), especially since your MBR was not the default Windows Vista MBR. If, let’s say, it was an MBR from a third party boot manager, then replacing the MBR with the default Windows MBR will likely result in an unbootable HDD due to the MBR looking for Microsoft’s boot loader. As far as I’m aware, TrueCrypt also uses its own MBR and bootloader.

The best workaround I can think of is boot your Windows Vista installation CD and go through the recovery steps to bring up a command prompt. From here, type in “bootrec /FixMbr” to apply the default Windows Vista MBR and “bootrec /FixBoot” to apply the default Windows Vista boot sector to the OS partition. If you had a third party boot loader (e.g. dual Windows / Linux boot), you can restore the Windows boot loader by typing in “Bootrec /RebuildBcd”.

This Microsoft support article goes into a bit more detail about the BootRec command line tool.

I’m not sure what the Legit MBR bootloader means. One possibility is a non-Microsoft bootloader that it has in its database as a known-good MBR, as opposed to an MBR not seen before.

Even if a HDD has no OS, Windows will by default put its own MBR on the HDD, usually when it’s first initialised.


#12

Thanks for answering Seán.
I bought this computer new. Is it possible that Lenovo installed the Windows 98 MBR & then used a Vista upgrade on this computer?
Like a lot of “new” computers this one came without a Windows Vista installation CD, Vista being pre-installed.

As I said above, the drive with the “Legit MBR code detected” is a clone of drive 1.
It was a used drive I got from a friend but he passed away so I can’t ask him about it.
Drive 2 is a WD HDD that was also new when I installed it. I’ve never had Windows 2008 so it had to already be there. I thought I formatted it with Vista but it’s been a while.
I’m not using encryption like TrueCrypt.

It’s all working OK since I did a fresh Acronis backup right before I started messing around with the MBR. It restored back to then.

I also didn’t get the:

Found non-standard or infected MBR.

Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

So maybe all is OK & I just don’t have enough information about using MBRCheck.