Jul 07

DNS Changer Malware. Make sure you don’t lose internet access on July 9th 2012.

The DNSChanger malware was a Trojan that infected millions of computers from 2007 until 2011. Once it infected a computer, it changed the computer's DNS configuration to point at rogue DNS servers run by the attackers. Those servers redirected certain websites to advertisers, injected advertisements into most websites and, among other things, blocked access to antivirus vendor sites and to sites that helped with disinfecting the computer.

Last year, in November 2011, the FBI seized these rogue DNS servers. The FBI was concerned that millions of people would lose internet access if the servers were simply shut down, so it obtained a court order allowing it to contract with the Internet Systems Consortium (ISC) to run interim servers that answer DNS queries from infected computers.

The FBI intends to take these temporary DNS servers offline on July 9th 2012. Any computer still infected with DNSChanger will then be unable to reach a DNS server to resolve names, and so will be unable to reach any website by name. Pointing the computer at a valid DNS server restores name resolution but does not remove the malware. More information can be found on this FBI.Gov page.

To check whether your computer is infected with DNSChanger, see the information at the following link.

Alternatively, visit http://www.dns-ok.us/, which reports whether the request to reach it was resolved through the rogue servers.
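As an added example (not from the original post, the FBI or the DCWG), here is a small Python check that does locally what the dns-ok.us page does remotely: it reads the DNS servers a machine is configured to use, from `ipconfig /all` output on Windows or from /etc/resolv.conf on Linux, and tests each one against the rogue server ranges the FBI published for DNSChanger. The two configuration excerpts embedded in the block are constructed for the example; the ranges are transcribed from the FBI notice and should be verified against it before you rely on them.

```python
"""Check a machine's configured DNS servers against the DNSChanger rogue ranges.

Added example for this post; not an FBI or DCWG tool. The ranges below are
transcribed from the FBI's DNSChanger notice; re-check them against fbi.gov.
"""
import ipaddress
import re

ROGUE_DNS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",  # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",    # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",  # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",    # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",  # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",   # 64.28.176.0   - 64.28.191.255
    )
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"   # only IPv4 resolvers are parsed here


def is_rogue_dns(server):
    """True if the address falls inside one of the rogue DNS ranges."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False          # not an IP literal (e.g. a hostname)
    return any(addr in net for net in ROGUE_DNS_RANGES)


def dns_servers_from_ipconfig(text):
    """Extract DNS server addresses from `ipconfig /all` output (Windows).

    Additional servers are printed on continuation lines that hold only an
    address, aligned under the first one, so keep collecting until the next
    labelled line.
    """
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + r")", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        m = re.match(r"\s+(" + IPV4 + r")\s*$", line)
        if collecting and m:
            servers.append(m.group(1))
        else:
            collecting = False
    return servers


def dns_servers_from_resolv_conf(text):
    """Extract nameserver entries from /etc/resolv.conf (Linux/macOS)."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def rogue_servers(servers):
    """Return the configured servers that fall inside a rogue range."""
    return [s for s in servers if is_rogue_dns(s)]


# Constructed sample output: one adapter pointed at rogue servers, one clean.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.47
                                       67.210.2.133
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.24
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Constructed sample resolv.conf with one rogue and one legitimate resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 93.188.161.9
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for label, servers in (
        ("ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
        ("resolv.conf", dns_servers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
    ):
        bad = rogue_servers(servers)
        print(f"{label}: {servers} -> {'INFECTED ' + str(bad) if bad else 'clean'}")
```

To run it on a real machine, feed it the output of `ipconfig /all` (or the contents of /etc/resolv.conf) instead of the embedded samples. If the only DNS server shown is the router's own address, the result says nothing about where the router forwards queries, so the router's DNS settings need to be inspected too.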

If you think you are infected, the information at the following link will help you clean your computer: http://www.dcwg.org/fix/

What’s worked for me in the past is a combination of Kaspersky’s TDSSKiller and Malwarebytes. If you are infected, you probably won’t be able to download the tools, so you may need to get them using a computer that isn’t infected. Once you have the tools, boot into Safe Mode and run TDSSKiller. Once the computer restarts, run Malwarebytes.

If you encounter problems or need help removing the infection, let me know, and I may be able to help.

Until next time.


Dec 09

TDSS Rootkit – TDL4 Version Uses Unpatched Windows Vulnerability.

Since Monday, we’ve repaired and cleaned about 6 computers infected with rogue antivirus software. They were all infected with the TDSS rootkit. The TDSS rootkit family is one of the most sophisticated rootkits circulating at this time. It first appeared in 2008 and has been improving since; its creators constantly patch, change and improve it to keep ahead of the antivirus companies. The latest version, called TDL4, was discovered earlier this month and exploits a 0-day vulnerability in Microsoft Windows to escalate privileges; at the time of writing, no patch was available. Kaspersky Lab published an article about it that you can read here.

From the article:

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE-2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.

Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. [...] Interestingly, the rootkit’s installer has a dedicated code allowing it to bypass some proactive protection tools. Some proactive protection tools hook the function NtConnectPort in SSDT to prevent TDL4 from injecting into spoolsv; if the port name is “\RPC Control\spoolss”, they return a notification stating that there was an attempt to penetrate the print spooler process. The creators of TDL4 came up with a simple “solution” to this problem: they hook ntdll.ZwConnectPort in the TDL4 process and check the value of the parameter ServerPortName sent to the function (a UNICODE string); if it is “\RPC Control\spoolss”, they replace it with an analogous one containing a symbolic link to the root directory of the object manager namespace.

TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.

You can also read a thorough analysis of this threat here.
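The check-and-bypass the quoted passage describes reduces to a string comparison on an NT object name, and the lesson generalizes to any hook that matches on names. As an added example (not code from Kaspersky, from TDL4 or from this post), the Python below models the naive hook check, the rewrite that defeats it, and a canonicalizing check that does not. The post does not say which symbolic link TDL4 used; the block assumes `\??\GLOBALROOT` (and its `\GLOBAL??` form), which are standard object-manager links to the namespace root, and it folds case as a conservative choice rather than as a claim about how the kernel compares port names.

```python
"""Why a string match on an NT object name is a weak hook check.

Added example for this post, not code from Kaspersky or from TDL4.
"""

SPOOLSS_PORT = r"\RPC Control\spoolss"

# Object-manager symbolic links that resolve to the namespace root "\".
# Assumption for illustration: the post does not name the link TDL4 used.
ROOT_ALIASES = (
    r"\??\GLOBALROOT",
    r"\GLOBAL??\GLOBALROOT",
)


def naive_is_spoolss(port_name):
    """The check the post describes: exact match on ServerPortName."""
    return port_name == SPOOLSS_PORT


def simulate_tdl4_rewrite(port_name):
    """Model of the user-mode ZwConnectPort hook the post quotes: if the
    process asks for the spooler port by its plain name, hand the kernel an
    equivalent name that goes through a root symbolic link instead."""
    if port_name == SPOOLSS_PORT:
        return ROOT_ALIASES[0] + SPOOLSS_PORT
    return port_name


def canonicalize(port_name):
    """Strip root-directory aliases (repeatedly, since they can be nested)
    and fold case so that equivalent spellings compare equal. Folding case
    errs toward flagging; it is not a claim about the kernel's own lookup."""
    name = port_name
    stripped = True
    while stripped:
        stripped = False
        for alias in ROOT_ALIASES:
            # Require a separator after the alias so "\??\GLOBALROOTX" is
            # not mistaken for the link itself; keep that separator.
            if name.lower().startswith(alias.lower() + "\\"):
                name = name[len(alias):]
                stripped = True
    return name.lower()


def hardened_is_spoolss(port_name):
    """Compare canonical forms instead of raw strings."""
    return canonicalize(port_name) == canonicalize(SPOOLSS_PORT)


if __name__ == "__main__":
    for name in (SPOOLSS_PORT,
                 simulate_tdl4_rewrite(SPOOLSS_PORT),
                 r"\RPC Control\ntsvcs"):
        print(name, "naive:", naive_is_spoolss(name),
              "hardened:", hardened_is_spoolss(name))
```

The alias list is illustrative: a defender cannot enumerate every name that resolves to the same object, which is why a name-matching hook is weak by construction. The robust form of the check works on the resolved object rather than the string, for example by referencing the port object the name resolves to and comparing that, or by placing the check after the kernel's own name resolution.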

TDSS is a tough one to get rid of, but not impossible. Kaspersky Lab has a utility called TDSSKiller. Run it following the instructions on the page and you’ll more than likely rid your computer of this rootkit. At the time of this writing, the tool is able to remove the most recent version of TDSS.

I use a slightly different technique to get rid of most TDSS infections. I pull the hard drive out of the computer and attach it to a VM running an up-to-date version of Kaspersky. I scan the hard drive and remove any infection found. This usually removes the infected files and any traces of the rootkit. I then install the hard drive back in the computer, turn it on, and run some scans with other antimalware tools to get rid of any other infections. I usually use tools like Malwarebytes, SUPERAntiSpyware, and an up-to-date, reputable antivirus. I do some other things and run some other tools to get rid of any traces of the infection. Explaining exactly how I clean an infected computer is out of the scope of this post, though. Every infection is a bit different, and some special considerations need to be taken. If you need help, just email me. Good sources to learn about disinfecting computers are the Bleeping Computer site and the Major Geeks Malware Removal Forum.

That’s it for today. Until next time.

Apr 21

Blue Screens and Restarts on Windows computers after a McAfee definition update.

I got a call today from one of my customers. There were virus alerts on some of the computers at their office and, according to my customer, the computers had started crashing. When I got on site, I realized some computers had experienced BSODs. I looked into the issue a little more and found out that the problem had been caused by a McAfee update released today. A lot of people were experiencing the issue, and McAfee released a knowledge base article acknowledging it. You can find the KB article here.

Instructions on how to overcome this problem are in that KB article.

Apparently there was a false positive detection of W32/Wecorl.a in the 5958 DAT definition file. McAfee released a new definition file shortly after. You can find this new definition file here.
