Jul 07

DNSChanger Malware: make sure you don’t lose internet access on July 9th, 2012.

The DNSChanger malware was a Trojan that infected millions of computers between 2007 and 2011. Once it infected a computer, it changed the computer’s DNS settings to point at rogue DNS servers run by the attackers. Those rogue servers redirected certain websites to advertisers, injected advertisements into most websites, and, among other things, blocked access to antivirus vendors’ websites and to sites that helped with disinfecting the computer.

In November 2011 the FBI seized these rogue DNS servers. Because millions of infected computers would have lost internet access if the servers had simply been shut down, the FBI obtained a court order allowing it to contract with the Internet Systems Consortium to operate interim servers that answer DNS requests from infected computers.

The FBI intends to take these temporary DNS servers offline on July 9th, 2012. From that point on, any computer still infected with DNSChanger will have no DNS server to resolve names with, and so will not be able to reach any website by name. More information can be found on this FBI.Gov page.

To check whether your computer has been infected with DNSChanger, see the information at the following link.

Alternatively, you can visit http://www.dns-ok.us/, which reports whether your DNS lookups are going through the rogue servers.
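As an added example (not from the original post, and not the FBI’s or DCWG’s own tool), here is a Python script that does the same check locally instead of relying on a website: it parses the output of `ipconfig /all`, pulls out every configured DNS server, and tests each one against the rogue resolver address ranges the FBI and the DNSChanger Working Group published for DNSChanger. The ranges are written into the script in CIDR form, the `ipconfig` parsing assumes English Windows labels, and a constructed `ipconfig` sample is embedded so the script runs offline.

```python
"""Check whether a Windows machine's DNS servers fall inside the address
ranges DNSChanger pointed victims at.

Added example: parses `ipconfig /all` output and matches the configured
DNS servers against the rogue resolver ranges published by the FBI and the
DNSChanger Working Group (dcwg.org). Verify the ranges against the current
published list before relying on them.
"""
import ipaddress
import re
import subprocess

# Rogue resolver ranges from the FBI/DCWG DNSChanger notice, written in CIDR
# (e.g. 85.255.112.0 - 85.255.127.255 is 85.255.112.0/20).
ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_SETTING_LINE = re.compile(r"\s:\s")   # "Key . . . . : value" lines


def dns_servers_from_ipconfig(text):
    """Return the DNS server addresses listed in `ipconfig /all` output.

    ipconfig prints the first server on the "DNS Servers" line and any
    further servers on indented continuation lines holding only an address,
    so addresses are collected until the next "Key : value" line or a blank
    line. Assumes English Windows labels.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        if re.match(r"\s*DNS Servers\b", line):
            in_dns_block = True
            servers.extend(_IPV4.findall(line))
        elif in_dns_block and line.strip() and not _SETTING_LINE.search(line):
            servers.extend(_IPV4.findall(line))   # continuation line
        else:
            in_dns_block = False
    return servers


def classify(servers):
    """Pair each server with the rogue range it falls in, or None."""
    result = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        hit = next((net for net in ROGUE_DNS_RANGES if addr in net), None)
        result.append((server, str(hit) if hit else None))
    return result


def rogue_servers(servers):
    """Only the servers that fall inside a rogue range."""
    return [server for server, hit in classify(servers) if hit]


def check_local_windows_host():
    """Run `ipconfig /all` on this machine and return any rogue DNS servers."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                         text=True, check=True).stdout
    return rogue_servers(dns_servers_from_ipconfig(out))


# Constructed sample of `ipconfig /all` output (not captured from a real
# machine): the wired adapter points at two addresses inside a rogue range,
# the wireless adapter at a home router and a public resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.45
                                       85.255.112.46
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
"""

if __name__ == "__main__":
    for server, hit in classify(dns_servers_from_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{server:16} {'ROGUE (' + hit + ')' if hit else 'ok'}")
```

On a machine you suspect, call `check_local_windows_host()` instead of using the sample. If the DNS servers were handed out by DHCP, check the router’s DNS settings as well, since DNSChanger also changed those on some home routers. Non-English Windows prints different labels, and on Windows 8 and later `Get-DnsClientServerAddress` in PowerShell gives the same list without any parsing.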

If you think you are infected, the information at the following link will help you clean your computer: http://www.dcwg.org/fix/

What’s worked for me in the past is a combination of Kaspersky’s TDSSKiller and Malwarebytes. If you are infected you probably won’t be able to download the tools, so you may need to download them on a computer that isn’t infected and carry them over. Once you have the tools, boot into safe mode and run TDSSKiller. After the computer restarts, run Malwarebytes. When you are done, check that your DNS settings no longer point at the rogue servers.

If you encounter problems or need help removing the infection, let me know, and I may be able to help.

Until next time.

Dec 09

TDSS Rootkit – TDL4 Version Uses Unpatched Windows Vulnerability.

Since Monday we’ve repaired and cleaned about six computers infected with rogue antivirus software, and all of them were also infected with the TDSS rootkit. The TDSS family is one of the most sophisticated rootkits circulating at this time. It first appeared in 2008 and has been improving since; its creators are constantly patching, changing and extending it to keep ahead of the antivirus companies. The latest version, called TDL4, was discovered earlier this month and exploits a zero-day vulnerability in Windows to escalate privileges. Kaspersky Lab published an article about it that you can read here.

From the article:

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE: 2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.

Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. [...] Interestingly, the rootkit’s installer has a dedicated code allowing it to bypass some proactive protection tools. Some proactive protection tools hook the function NtConnectPort in SSDT to prevent TDL4 from injecting into spoolsv; if the port name is “\RPC Control\spoolss”, they return a notification stating that there was an attempt to penetrate the print spooler process. The creators of TDL4 came up with a simple “solution” to this problem: they hook ntdll.ZwConnectPort in the TDL4 process and check the value of the parameter ServerPortName sent to the function (a UNICODE string); if it is “\RPC Control\spoolss”, they replace it with an analogous one containing a symbolic link to the root directory of the object manager namespace.

TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.

You can also read a thorough analysis of this threat here.

TDSS is a tough one to get rid of, but it’s not impossible. Kaspersky Lab has a utility called TDSSKiller. Run it following the instructions on the page and you will more than likely be able to rid your computer of this rootkit. At the time of this writing, their tool is able to remove the most recent version of TDSS.

I use a slightly different technique to get rid of most TDSS infections. I pull the hard drive out of the computer and attach it to a VM running an up-to-date version of Kaspersky. I scan the drive and remove any infection found; this usually removes the infected files and any traces of the rootkit, since the rootkit isn’t running and can’t hide its files from a scan done from another system. I then put the drive back in the computer, turn it on, and run scans with other antimalware tools to get rid of any other infections, usually Malwarebytes, SUPERAntiSpyware, and an up-to-date, reputable antivirus. I do some other things and run some other tools to remove any remaining traces of the infection, but explaining exactly how I clean an infected computer is out of scope for this post. Every infection is a bit different, and some need special consideration. If you need help, just email me. Good sources for learning about disinfecting computers are the Bleeping Computer site and the Major Geeks Malware Removal Forum.

That’s it for today. Until next time.

Mar 06

Blue Screen of Death after installing Microsoft update.

This past February, before I put this blog online, I had an issue with some of my customers’ computers. They called me asking for help because their computers wouldn’t load: they said the computers kept rebooting. I know it’s been almost a month now, but I think the issue deserves a post on this blog.

After troubleshooting I traced the problem to a Microsoft update, specifically KB977165 (MS10-015). As soon as I removed that update the computer loaded Windows perfectly fine.

This was odd, though. Other computers with the same update installed didn’t have the issue, which indicated that the update itself wasn’t the real cause. I scanned the computer for viruses and found nothing. I re-installed the update and the computer entered the boot loop once again. After some more troubleshooting I traced the stop error to the file %SystemRoot%\System32\drivers\atapi.sys. Something was wrong with that file; it had to be infected. I uploaded it to virustotal.com, and the results came back clean in all but one of the scans. That one only said the file was probably infected with a rootkit, without giving any more information.

This made sense. Rootkits are designed to hide themselves, or other malware, from antivirus applications, which is probably why the antivirus scan I ran on the running system didn’t catch anything.

So I took a different approach: I took the hard drive out of the computer, connected it to another computer, and scanned it with an up-to-date antivirus (Kaspersky). The scan found several items and cleaned them successfully; one of the infected files was atapi.sys. After this, I installed the update and the computer didn’t reboot again.

So there you have it: the problem was caused by an infection on the PC.

My suspicions were later confirmed by Microsoft. They apparently took some customers’ computers to examine and found the source of the problem. They state on their Security Response blog that the problem was caused by the Alureon rootkit.

They state on their blog:

the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.

They later released a version of the update that does not install if it detects that the system is in a state that would cause it to enter this reboot loop.

If you are a victim of this problem, make sure your computer is free from infection. Microsoft recommends re-installing your operating system if you cannot get rid of the infection.

I don’t think that is necessary. If you are in the Phoenix, Arizona area and need assistance with this issue, you can contact us and we will gladly help you.
