Hello!

Last week one of my home systems was seriously compromised with a
brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
bitter credit from KasperskyLabs for discovering the malware, but they did
not manage to provide any solution for removing all payloads installed
by it. Due to fortunate errors made by the rootkit programmer, which allow
its presence to be spotted easily through abnormal system behaviour
symptoms, I could easily spot the presence of malware on the compromised system.

For thread discussing infection pls check: http://tinyurl.com/zxrg8

All tools but one used to search for malware/rootkit failed. Only SVV
(System Virginity Verifier by Joanna Rutkowska) managed to discover the
infection, which most probably employs Shadow Walker technology. Pls
find below the results from running SVV.

Note that kl1.sys and klif.sys driver modules are part of Kaspersky
Antivirus installation.

Removal of the unprotected haspnt.sys still leaves the symptoms and gives the svv
check result posted below the original one.

Any help on forensic investigation and removal of rootkit would be
greatly appreciated.

rgrds


__________________________________________________
Original SVV check:

C:\svv check /m
WARNING: Service Table redirection detected
origKiServiceTbl: 0x804e26a8 - 0x804e2ba8
currKiServiceTbl: 0x829b1b58 - 0x829b1ffc
ntoskrnl.exe (804d7000 - 806eb600)... suspected! (verdict = 5).
module ntoskrnl.exe [0x804d7000 - 0x806eb600]:
0x804db03d (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1
byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
file :c3
memory :90
verdict = 1

0x804dbaa2 (section .text) 18 byte(s): exclusion filter:
KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dbaba (section .text) 1 byte(s): exclusion filter:
KeFlushCurrentTb() [c3->00]
file :c3
memory :00
verdict = 1

0x804de8ea (section .text) 1 byte(s): exclusion filter:
KiSystemCallExitBranch() [05->06]
file :05
memory :06
verdict = 1

0x804e2878 [KiServiceTable[116]] 4 byte(s):
KiServiceTable HOOK:
address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
target module path: kl1.sys
file :e3 0c 57 80
memory :3e f2 a4 f7
verdict = 2

0x804fbe09 (section .text) [FsRtlCheckLockForReadAccess()+0] 5
byte(s):
JMPing code (jmp to: 0xf521ff3b)
address 0xf521ff3b is inside klif.sys module [0xf5209000-0xf5237000]
target module path: \SystemRoot\System32\drivers\klif.sys
file :8b ff 55 8b ec
memory :e9 32 41 d2 74
verdict = 2

IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[3] points to 0x83f9503c (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[6] points to 0xf79c116d which is inside Haspnt.sys module
[0xf79be000-0xf79ca000]
target module path: \??\G:\WINDOWS\System32\drivers\Haspnt.sys
verdict = 5
UNFIXABLE!

IDT[14] points to 0xf79c0fc2 which is inside Haspnt.sys module
[0xf79be000-0xf79ca000]
target module path: \??\G:\WINDOWS\System32\drivers\Haspnt.sys
verdict = 5
UNFIXABLE!

module ntoskrnl.exe: end of details
kernel32.dll (7c800000 - 7c8fb000)... innocent hooking (verdict
= 2).
module kernel32.dll [0x7c800000 - 0x7c8fb000]:
0x7c802f58 (section .text) 15 byte(s): Inside EAT
file :77 1d 00 00 4f 1d 00 00 f1 1a 00 00 d3 ac 00
memory :c4 2f 08 00 d3 2f 08 00 f1 2f 08 00 e2 2f 08
verdict = 2

module kernel32.dll: end of details

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

___________________________________________________
Check after disabling haspnt.sys

svv check /a /m
WARNING: Service Table redirection detected
origKiServiceTbl: 0x804e26a8 - 0x804e2ba8
currKiServiceTbl: 0x82b9db58 - 0x82b9dffc
WARNING: Veryfing integrity of ALL kernel modules may cause a SYSTEM
CRASH!
Do you want to continue (yes/no)?
yes
ntoskrnl.exe (804d7000 - 806eb600)... suspected! (verdict = 5).
module ntoskrnl.exe [0x804d7000 - 0x806eb600]:
0x804db03d (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1
byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
file :c3
memory :90
verdict = 1

0x804dbaa2 (section .text) 18 byte(s): exclusion filter:
KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dbaba (section .text) 1 byte(s): exclusion filter:
KeFlushCurrentTb() [c3->00]
file :c3
memory :00
verdict = 1

0x804de8ea (section .text) 1 byte(s): exclusion filter:
KiSystemCallExitBranch() [05->06]
file :05
memory :06
verdict = 1

0x804e2878 [KiServiceTable[116]] 4 byte(s):
KiServiceTable HOOK:
address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
target module path: kl1.sys
file :e3 0c 57 80
memory :3e f2 a4 f7
verdict = 2

0x804fbe09 (section .text) [FsRtlCheckLockForReadAccess()+0] 5
byte(s):
JMPing code (jmp to: 0xf510bf3b)
address 0xf510bf3b is inside klif.sys module [0xf50f5000-0xf5123000]
target module path: \SystemRoot\System32\drivers\klif.sys
file :8b ff 55 8b ec
memory :e9 32 01 c1 74
verdict = 2

IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[3] points to 0x83f9503c (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[14] points to 0x83f9507a (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

module ntoskrnl.exe: end of details
dump_atapi.sys (f5092000 - f50aa000)... Image file not found!
dump_WMILIB.SYS (f7cce000 - f7cd0000)... Image file not found!
hardlock.sys (bac50000 - bacc1000)... Wrong PE image format!
kernel32.dll (7c800000 - 7c8fb000)... innocent hooking (verdict
= 2).
module kernel32.dll [0x7c800000 - 0x7c8fb000]:
0x7c802f58 (section .text) 15 byte(s): Inside EAT
file :77 1d 00 00 4f 1d 00 00 f1 1a 00 00 d3 ac 00
memory :c4 2f 08 00 d3 2f 08 00 f1 2f 08 00 e2 2f 08
verdict = 2

module kernel32.dll: end of details

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!
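The "file :" / "memory :" pairs in the output above are the raw material of a code-integrity check: bytes of a function prologue as they are on disk next to the bytes currently mapped in memory. When the in-memory bytes begin with E9, the tool decodes the 5-byte relative JMP and attributes its destination to a loaded module, which is how the FsRtlCheckLockForReadAccess() detour is tied to klif.sys (a known AV driver) rather than to hidden code. The following is an added example, not SVV's own source: it decodes the two patched prologues printed above plus one constructed JMP whose destination falls outside every listed module, and classifies each. The module ranges and byte strings are copied from the first SVV run; the `ghost_mem` displacement is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t base; uint32_t end; const char *name; } module_range_t;

enum { HOOK_NONE = 0, HOOK_JMP_KNOWN = 1, HOOK_JMP_UNKNOWN = 2, HOOK_PATCH = 3 };

typedef struct { int kind; uint32_t target; const char *module; } hook_result_t;

/* Module ranges from the first SVV run above (end is exclusive). */
const module_range_t sample_modules[] = {
    { 0x804d7000u, 0x806eb600u, "ntoskrnl.exe" },
    { 0xf5209000u, 0xf5237000u, "klif.sys"     },
    { 0xf7a4e000u, 0xf7a53000u, "kl1.sys"      },
};
#define SAMPLE_MODULES (sizeof(sample_modules) / sizeof(sample_modules[0]))

/* FsRtlCheckLockForReadAccess() prologue, on disk vs in memory, as SVV printed it. */
#define FSRTL_ADDR 0x804fbe09u
const uint8_t fsrtl_file[5] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };  /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t fsrtl_mem[5]  = { 0xe9, 0x32, 0x41, 0xd2, 0x74 };  /* jmp rel32 */

/* RtlPrefetchMemoryNonTemporal() first byte: ret (c3) replaced by nop (90). */
#define RTLPF_ADDR 0x804db03du
const uint8_t rtlpf_file[1] = { 0xc3 };
const uint8_t rtlpf_mem[1]  = { 0x90 };

/* Constructed sample: a JMP at FSRTL_ADDR whose destination is 0x83f9501d,
 * the address SVV reported for IDT[1], which belongs to no listed module. */
const uint8_t ghost_mem[5] = { 0xe9, 0x0f, 0x92, 0xa9, 0x03 };

/* Little-endian signed 32-bit displacement. */
int32_t rel32_at(const uint8_t *b) {
    return (int32_t)((uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                     ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24));
}

/* E9 rel32: destination = address of the next instruction (5 bytes on) + displacement.
 * Unsigned arithmetic wraps correctly for negative displacements. */
uint32_t jmp_rel32_target(uint32_t insn_addr, const uint8_t *insn) {
    return insn_addr + 5 + (uint32_t)rel32_at(insn + 1);
}

const char *module_for(uint32_t addr, const module_range_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].end) return mods[i].name;
    return NULL;
}

/* Compare disk and memory bytes; if they differ and memory starts with a JMP,
 * decode the detour and attribute its target to a module. */
hook_result_t check_prologue(uint32_t addr, const uint8_t *file, const uint8_t *mem,
                             size_t len, const module_range_t *mods, size_t n) {
    hook_result_t r = { HOOK_NONE, 0, NULL };
    if (memcmp(file, mem, len) == 0) return r;      /* memory matches the image on disk */
    if (len >= 5 && mem[0] == 0xe9) {               /* detour: where does it go? */
        r.target = jmp_rel32_target(addr, mem);
        r.module = module_for(r.target, mods, n);
        r.kind = r.module ? HOOK_JMP_KNOWN : HOOK_JMP_UNKNOWN;
    } else {
        r.kind = HOOK_PATCH;                        /* bytes changed in place, no detour */
    }
    return r;
}

void report(const char *fn, uint32_t addr, hook_result_t r) {
    switch (r.kind) {
    case HOOK_NONE:        printf("%s @0x%08x: clean\n", fn, addr); break;
    case HOOK_PATCH:       printf("%s @0x%08x: in-place patch\n", fn, addr); break;
    case HOOK_JMP_KNOWN:   printf("%s @0x%08x: JMP to 0x%08x inside %s\n", fn, addr, r.target, r.module); break;
    default:               printf("%s @0x%08x: JMP to 0x%08x in NO module!\n", fn, addr, r.target); break;
    }
}

int main(void) {
    report("FsRtlCheckLockForReadAccess", FSRTL_ADDR,
           check_prologue(FSRTL_ADDR, fsrtl_file, fsrtl_mem, 5, sample_modules, SAMPLE_MODULES));
    report("RtlPrefetchMemoryNonTemporal", RTLPF_ADDR,
           check_prologue(RTLPF_ADDR, rtlpf_file, rtlpf_mem, 1, sample_modules, SAMPLE_MODULES));
    report("constructed", FSRTL_ADDR,
           check_prologue(FSRTL_ADDR, fsrtl_file, ghost_mem, 5, sample_modules, SAMPLE_MODULES));
    return 0;
}
```

One detail worth knowing when reading the output above: the example computes the JMP destination per x86 semantics, relative to the end of the 5-byte instruction, which gives 0xf521ff40 for the FsRtlCheckLockForReadAccess() detour, 5 bytes past the "jmp to" value SVV prints. Both addresses lie inside klif.sys, so the attribution to the Kaspersky driver is unchanged; the case that matters is a detour landing in no module at all, which a list-of-modules check cannot explain away.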

Re: Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!! by karl

karl
Sat Jul 15 08:17:57 CDT 2006


"Polanski24" <infodate@aster.pl> wrote in message
news:1152955474.459968.263370@b28g2000cwb.googlegroups.com...
> Hello!
>
> Last week one of my home systems was seriously compromised with a
> brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
> bitter credit from KasperskyLabs for discovering the malware, but they did
> not manage to provide any solution for removing all payloads installed
> by it. Due to fortunate errors made by the rootkit programmer, which allow
> its presence to be spotted easily through abnormal system behaviour
> symptoms, I could easily spot the presence of malware on the compromised system.

Question, I'm curious what was the name of the file you submitted to
Kaspersky?

You're certain there's no chance the SVV could be incorrect? It doesn't
look like there are any guarantees made with that tool. You don't have a
similarly configured system you could run SVV against and compare the
results, do you?



Re: Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!! by Polanski24

Polanski24
Sat Jul 15 10:28:26 CDT 2006


karl levinson, mvp wrote:
> "Polanski24" <infodate@aster.pl> wrote in message
> news:1152955474.459968.263370@b28g2000cwb.googlegroups.com...
> > Hello!
> >
> > Last week one of my home systems was seriously compromised with a
> > brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
> > bitter credit from KasperskyLabs for discovering the malware, but they did
> > not manage to provide any solution for removing all payloads installed
> > by it. Due to fortunate errors made by the rootkit programmer, which allow
> > its presence to be spotted easily through abnormal system behaviour
> > symptoms, I could easily spot the presence of malware on the compromised system.
>
> Question, I'm curious what was the name of the file you submitted to
> Kaspersky?
>
> You're certain there's no chance the SVV could be incorrect? It doesn't
> look like there are any guarantees made with that tool. You don't have a
> similarly configured system you could run SVV against and compare the
> results, do you?

OMG

If IDT (Interrupt Descriptor Table) entry No. 14 is redirected to a memory
area in which there is no module with executable code, the system should
crash with a blue screen of death at the first page fault (even without that,
since it will happen immediately after the memory manager starts running).

I would recommend reading:

"IA-32 Intel Architecture Software Developer's Manual Volume 3 -
System Programming Guide" item No - 253668-16 in particular chapter 5.

And after that, the Phrack #63 article on raising the bar for rootkit
detection.

rgrds


Re: Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!! by Karl

Karl
Sat Jul 15 14:53:12 CDT 2006


"Polanski24" <infodate@aster.pl> wrote in message
news:1152977306.356950.33150@75g2000cwc.googlegroups.com...

>> You're certain there's no chance the SVV could be incorrect? It doesn't
>> look like there are any guarantees made with that tool. You don't have a
>> similarly configured system you could run SVV against and compare the
>> results, do you?
>
> OMG
>
> If IDT (Interrupt Descriptor Table) entry No. 14 is redirected to a memory
> area in which there is no module with executable code, the system should
> crash with a blue screen of death at the first page fault (even without that,
> since it will happen immediately after the memory manager starts running).

... assuming the results from the tool are accurate, hence my question.

What was the name of that file you submitted?



Re: Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!! by Polanski24

Polanski24
Sat Jul 15 16:43:14 CDT 2006


Karl Levinson wrote:

> ... assuming the results from the tool are accurate, hence my question.

The SVV tool is open source - please find a short blog entry on it and a link
to the source code:

http://theinvisiblethings.blogspot.com/

If you do not trust the IDT and kernel module scanning code, it's easy to
verify. I do not think that Joanna would make any flop and would
introduce major errors here.

I do not see anything esoteric in calling the SIDT assembler instruction
and then walking the IDT and comparing it to the locations of loaded modules in
system memory either. So the detected IDT redirections are trustworthy (it
was spotted at the very beginning as a "Shadow Walker" diagnostic
feature), indicating that page faults are processed by hidden code.

The name of the file submitted to Kaspersky is of no significance, as it was
loaded with web page content and activated by user action on that page.
The AV scanner simply marked it as safe ;).

rgrds
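The check described in the post above (and the point made two posts earlier about IDT[14], the page-fault vector, pointing at hidden code) comes down to three steps: read the IDT base, decode each 8-byte gate descriptor to get its handler address, and ask whether that address falls inside any loaded module. The following is an added example, not SVV's code and not Joanna Rutkowska's: it implements the decode-and-compare part against a constructed 32-bit IDT image whose entries 1, 3, 6 and 14 carry the handler addresses from the first SVV run above, with the module ranges also taken from that output. Reading the live table with SIDT and enumerating loaded drivers are the two inputs this example assumes rather than performs; the three-way verdict (inside the kernel image, inside another driver, inside no module) is this example's own simplification and not SVV's verdict scheme.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IDT_ENTRY_SIZE 8
#define SAMPLE_ENTRIES 16

typedef struct { uint32_t base; uint32_t end; const char *name; } module_range_t;
typedef struct { int ok; int redirected; int unknown; } idt_scan_t;

enum { GATE_OK = 0, GATE_REDIRECTED = 1, GATE_UNKNOWN = 2 };

/* Module ranges taken from the first SVV run above (end is exclusive). */
const module_range_t sample_modules[] = {
    { 0x804d7000u, 0x806eb600u, "ntoskrnl.exe" },
    { 0xf79be000u, 0xf79ca000u, "Haspnt.sys"   },
    { 0xf7a4e000u, 0xf7a53000u, "kl1.sys"      },
    { 0xf5209000u, 0xf5237000u, "klif.sys"     },
};
#define SAMPLE_MODULES (sizeof(sample_modules) / sizeof(sample_modules[0]))

/* A 32-bit gate descriptor keeps the handler offset in bytes 0-1 (low half) and
 * 6-7 (high half); byte 5 holds the attributes, bit 7 being the Present flag. */
uint32_t idt_gate_offset(const uint8_t *gate) {
    uint32_t lo = (uint32_t)gate[0] | ((uint32_t)gate[1] << 8);
    uint32_t hi = (uint32_t)gate[6] | ((uint32_t)gate[7] << 8);
    return lo | (hi << 16);
}

int idt_gate_present(const uint8_t *gate) { return (gate[5] & 0x80) != 0; }

/* Encoder, used only to build the constructed sample table below. */
void idt_make_gate(uint8_t *gate, uint32_t offset, uint16_t selector, uint8_t attr) {
    gate[0] = (uint8_t)offset;         gate[1] = (uint8_t)(offset >> 8);
    gate[2] = (uint8_t)selector;       gate[3] = (uint8_t)(selector >> 8);
    gate[4] = 0;                       gate[5] = attr;
    gate[6] = (uint8_t)(offset >> 16); gate[7] = (uint8_t)(offset >> 24);
}

const module_range_t *find_module(uint32_t addr, const module_range_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].end) return &mods[i];
    return NULL;
}

/* Inside the kernel image: expected.  Inside some other driver: redirected and in
 * need of an explanation (AV, dongle driver, ...).  Inside no module at all: hidden
 * code, which is the Shadow Walker symptom the thread is about. */
int classify_handler(uint32_t addr, const module_range_t *mods, size_t n, const char *kernel) {
    const module_range_t *m = find_module(addr, mods, n);
    if (m == NULL) return GATE_UNKNOWN;
    return strcmp(m->name, kernel) == 0 ? GATE_OK : GATE_REDIRECTED;
}

idt_scan_t scan_idt(const uint8_t *idt, size_t entries, const module_range_t *mods,
                    size_t n, const char *kernel) {
    idt_scan_t r = { 0, 0, 0 };
    for (size_t v = 0; v < entries; v++) {
        const uint8_t *gate = idt + v * IDT_ENTRY_SIZE;
        if (!idt_gate_present(gate)) continue;       /* empty slot, nothing to check */
        uint32_t addr = idt_gate_offset(gate);
        const module_range_t *m = find_module(addr, mods, n);
        switch (classify_handler(addr, mods, n, kernel)) {
        case GATE_OK:
            r.ok++; break;
        case GATE_REDIRECTED:
            printf("IDT[%zu] points to 0x%08x inside %s [0x%08x-0x%08x]\n",
                   v, addr, m->name, m->base, m->end);
            r.redirected++; break;
        default:
            printf("IDT[%zu] points to 0x%08x (addr DOES NOT belong to ANY MODULE!)\n", v, addr);
            r.unknown++; break;
        }
    }
    return r;
}

/* Constructed 16-entry table: vectors 1 (#DB), 3 (#BP), 6 (#UD) and 14 (#PF) carry
 * the handler addresses from the first SVV run; vector 0 (#DE) gets an address inside
 * ntoskrnl.exe; every other slot is left not-present.  0x8e = present, DPL 0,
 * 32-bit interrupt gate. */
const uint8_t *sample_idt(void) {
    static uint8_t idt[SAMPLE_ENTRIES * IDT_ENTRY_SIZE];
    static int built = 0;
    if (!built) {
        memset(idt, 0, sizeof idt);
        idt_make_gate(idt + 0 * IDT_ENTRY_SIZE,  0x804db03du, 0x0008, 0x8e);
        idt_make_gate(idt + 1 * IDT_ENTRY_SIZE,  0x83f9501du, 0x0008, 0x8e);
        idt_make_gate(idt + 3 * IDT_ENTRY_SIZE,  0x83f9503cu, 0x0008, 0x8e);
        idt_make_gate(idt + 6 * IDT_ENTRY_SIZE,  0xf79c116du, 0x0008, 0x8e);
        idt_make_gate(idt + 14 * IDT_ENTRY_SIZE, 0xf79c0fc2u, 0x0008, 0x8e);
        built = 1;
    }
    return idt;
}

int main(void) {
    idt_scan_t r = scan_idt(sample_idt(), SAMPLE_ENTRIES, sample_modules, SAMPLE_MODULES, "ntoskrnl.exe");
    printf("ok=%d redirected=%d unknown=%d\n", r.ok, r.redirected, r.unknown);
    return r.unknown ? 1 : 0;
}
```

Run against the constructed table this reports two redirected vectors (6 and 14 inside Haspnt.sys) and two that belong to no module (1 and 3), matching the shape of the first SVV run. The weak point of any such check is the module list it compares against: a handler inside a legitimately loaded third-party driver is only as trustworthy as that driver, and a handler that is inside no module is the one finding that cannot be explained by a missing entry in the list.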


Re: Removal and forensics of advanced rootkit employing Shadow Walker by Gerry

Gerry
Sat Jul 15 17:13:46 CDT 2006

Hi Polanski,

Can you clarify a couple of things:

1. How did this Trojan get onto your computer in the first place?
2. Were you running as an Administrator at the time?

Polanski24 wrote:
> Hello!
>
> Last week one of my home systems was seriously compromised with a
> brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
> bitter credit from KasperskyLabs for discovering the malware, but they did
> not manage to provide any solution for removing all payloads installed
> by it. Due to fortunate errors made by the rootkit programmer, which allow
> its presence to be spotted easily through abnormal system behaviour
> symptoms, I could easily spot the presence of malware on the compromised system.
>
> For thread discussing infection pls check: http://tinyurl.com/zxrg8
>
> All tools but one used to search for malware/rootkit failed. Only SVV
> (System Virginity Verifier by Joanna Rutkowska) managed to discover the
> infection, which most probably employs Shadow Walker technology. Pls
> find below the results from running SVV.
>
> Note that kl1.sys and klif.sys driver modules are part of Kaspersky
> Antivirus installation.
>
> Removal of the unprotected haspnt.sys still leaves the symptoms and gives the svv
> check result posted below the original one.
>
> Any help on forensic investigation and removal of rootkit would be
> greatly appreciated.
>
> rgrds
>
>
> __________________________________________________
> Original SVV check:
>
> C:\svv check /m
> WARNING: Service Table redirection detected
> origKiServiceTbl: 0x804e26a8 - 0x804e2ba8
> currKiServiceTbl: 0x829b1b58 - 0x829b1ffc
> ntoskrnl.exe (804d7000 - 806eb600)... suspected! (verdict = 5).
> module ntoskrnl.exe [0x804d7000 - 0x806eb600]:
> 0x804db03d (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1
> byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
> file :c3
> memory :90
> verdict = 1
>
> 0x804dbaa2 (section .text) 18 byte(s): exclusion filter:
> KeFlushCurrentTb()
> file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
> memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
> verdict = 1
>
> 0x804dbaba (section .text) 1 byte(s): exclusion filter:
> KeFlushCurrentTb() [c3->00]
> file :c3
> memory :00
> verdict = 1
>
> 0x804de8ea (section .text) 1 byte(s): exclusion filter:
> KiSystemCallExitBranch() [05->06]
> file :05
> memory :06
> verdict = 1
>
> 0x804e2878 [KiServiceTable[116]] 4 byte(s):
> KiServiceTable HOOK:
> address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
> target module path: kl1.sys
> file :e3 0c 57 80
> memory :3e f2 a4 f7
> verdict = 2
>
> 0x804fbe09 (section .text) [FsRtlCheckLockForReadAccess()+0] 5
> byte(s):
> JMPing code (jmp to: 0xf521ff3b)
> address 0xf521ff3b is inside klif.sys module [0xf5209000-0xf5237000]
> target module path: \SystemRoot\System32\drivers\klif.sys
> file :8b ff 55 8b ec
> memory :e9 32 41 d2 74
> verdict = 2
>
> IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
> verdict = 5
> UNFIXABLE!
>
> IDT[3] points to 0x83f9503c (addr DOES NOT belong to ANY MODULE!)
> verdict = 5
> UNFIXABLE!
>
> IDT[6] points to 0xf79c116d which is inside Haspnt.sys module
> [0xf79be000-0xf79ca000]
> target module path: \??\G:\WINDOWS\System32\drivers\Haspnt.sys
> verdict = 5
> UNFIXABLE!
>
> IDT[14] points to 0xf79c0fc2 which is inside Haspnt.sys module
> [0xf79be000-0xf79ca000]
> target module path: \??\G:\WINDOWS\System32\drivers\Haspnt.sys
> verdict = 5
> UNFIXABLE!
>
> module ntoskrnl.exe: end of details
> kernel32.dll (7c800000 - 7c8fb000)... innocent hooking (verdict
> = 2).
> module kernel32.dll [0x7c800000 - 0x7c8fb000]:
> 0x7c802f58 (section .text) 15 byte(s): Inside EAT
> file :77 1d 00 00 4f 1d 00 00 f1 1a 00 00 d3 ac 00
> memory :c4 2f 08 00 d3 2f 08 00 f1 2f 08 00 e2 2f 08
> verdict = 2
>
> module kernel32.dll: end of details
>
> SYSTEM INFECTION LEVEL: 5
> 0 - BLUE
> 1 - GREEN
> 2 - YELLOW
> 3 - ORANGE
> 4 - RED
> --> 5 - DEEPRED
> SUSPECTED modifications detected. System is probably infected!
>
> ___________________________________________________
> Check after disabling haspnt.sys
>
> svv check /a /m
> WARNING: Service Table redirection detected
> origKiServiceTbl: 0x804e26a8 - 0x804e2ba8
> currKiServiceTbl: 0x82b9db58 - 0x82b9dffc
> WARNING: Veryfing integrity of ALL kernel modules may cause a SYSTEM
> CRASH!
> Do you want to continue (yes/no)?
> yes
> ntoskrnl.exe (804d7000 - 806eb600)... suspected! (verdict = 5).
> module ntoskrnl.exe [0x804d7000 - 0x806eb600]:
> 0x804db03d (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1
> byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
> file :c3
> memory :90
> verdict = 1
>
> 0x804dbaa2 (section .text) 18 byte(s): exclusion filter:
> KeFlushCurrentTb()
> file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
> memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
> verdict = 1
>
> 0x804dbaba (section .text) 1 byte(s): exclusion filter:
> KeFlushCurrentTb() [c3->00]
> file :c3
> memory :00
> verdict = 1
>
> 0x804de8ea (section .text) 1 byte(s): exclusion filter:
> KiSystemCallExitBranch() [05->06]
> file :05
> memory :06
> verdict = 1
>
> 0x804e2878 [KiServiceTable[116]] 4 byte(s):
> KiServiceTable HOOK:
> address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
> target module path: kl1.sys
> file :e3 0c 57 80
> memory :3e f2 a4 f7
> verdict = 2
>
> 0x804fbe09 (section .text) [FsRtlCheckLockForReadAccess()+0] 5
> byte(s):
> JMPing code (jmp to: 0xf510bf3b)
> address 0xf510bf3b is inside klif.sys module [0xf50f5000-0xf5123000]
> target module path: \SystemRoot\System32\drivers\klif.sys
> file :8b ff 55 8b ec
> memory :e9 32 01 c1 74
> verdict = 2
>
> IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
> verdict = 5
> UNFIXABLE!
>
> IDT[3] points to 0x83f9503c (addr DOES NOT belong to ANY MODULE!)
> verdict = 5
> UNFIXABLE!
>
> IDT[14] points to 0x83f9507a (addr DOES NOT belong to ANY MODULE!)
> verdict = 5
> UNFIXABLE!
>
> module ntoskrnl.exe: end of details
> dump_atapi.sys (f5092000 - f50aa000)... Image file not found!
> dump_WMILIB.SYS (f7cce000 - f7cd0000)... Image file not found!
> hardlock.sys (bac50000 - bacc1000)... Wrong PE image format!
> kernel32.dll (7c800000 - 7c8fb000)... innocent hooking (verdict
> = 2).
> module kernel32.dll [0x7c800000 - 0x7c8fb000]:
> 0x7c802f58 (section .text) 15 byte(s): Inside EAT
> file :77 1d 00 00 4f 1d 00 00 f1 1a 00 00 d3 ac 00
> memory :c4 2f 08 00 d3 2f 08 00 f1 2f 08 00 e2 2f 08
> verdict = 2
>
> module kernel32.dll: end of details
>
> SYSTEM INFECTION LEVEL: 5
> 0 - BLUE
> 1 - GREEN
> 2 - YELLOW
> 3 - ORANGE
> 4 - RED
> --> 5 - DEEPRED
> SUSPECTED modifications detected. System is probably infected!
>


--
Gerry Hickman (London UK)

Re: Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!! by Polanski24

Polanski24
Mon Jul 17 04:47:44 CDT 2006


Hello!

Just for the information of interested readers:

with the help of kernel debuggers and SoftICE I managed to remove the rootkit.

rgrds