Dealing with rootkits – Zeus Trojan
Posted by aonomus on January 13, 2010
Today, I tangled with a rootkit. I won. So in point form, here is a sequence of events (and eventual resolution):
- Visited the Google homepage; Spybot Search & Destroy Tea Timer (a background app which requests user approval for registry setting changes) pops up and asks whether to allow the following registry change: Userinit registry key [found in My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
to be changed from
- I say ‘Disallow’ and remember my answer, thinking that it is some sort of malware. Instantly, my window fills up with popups from Tea Timer saying that it's preventing the registry change. Whatever is trying to change it is trying darn hard.
- Immediate shutdown and restart in safe mode with networking. A little bit of Google work for the term ‘lowsec.exe’ shows that lowsec.exe and a related file, sdra64.exe, are typical filenames for a rootkit. Great.
- Typical hiding spots include system32 and such places. No such luck finding filenames that match. The process isn’t listed in Task Manager or Process Explorer. It must be hooked into a svchost.
- Download the Kaspersky removal tool, find out the type of trojan/rootkit. Ran the tool, trojan eliminated from active processes in memory, files deleted.
- Cleanup time – Firefox is prevented from running; something fishy is about. The error reads “this action has been cancelled due to restrictions in effect. Please contact your system administrator”. Some searching in regedit showed that there were registry keys in [My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun] that prevented several browsers from running. The key names were 1, 2, 3, and the values were oprah.exe, firefox.exe, and chrome.exe.
- Downloaded HijackThis and scanned the system – several keys were found showing MSIE restrictions (preventing IE options from being opened), and many keys adding many suspect domains to the trusted zone of MSIE. I deleted keys which were out of place and unfamiliar.
- Ran a scan for hidden streams using HijackThis, 2 streams found in a temp folder where the malware originated from. Baleeted.
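The steps above translate into a repeatable read-only check. The script below is an added example, not part of the original post or of any of the tools mentioned: it reads the Userinit value, enumerates DisallowRun entries, IE policy restrictions and domains placed in the Trusted zone, and lists alternate data streams in a temp folder. It assumes PowerShell 3 or later, that a clean Userinit is the stock `userinit.exe,` value, that zone number 2 is the Trusted Sites zone, and that `$env:TEMP` is the folder worth scanning; adjust those for your machine.

```powershell
# Added triage script, not from the original post. Read-only: it reports the
# artifacts the post describes and changes nothing.
# Assumptions: PowerShell 3 or later (Get-Item -Stream, Get-ChildItem -File);
# a clean Userinit value is the stock one below; zone number 2 is the
# Trusted Sites zone; $env:TEMP is the folder worth scanning for streams.

$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe,"   # assumption: stock value

function Test-Userinit {
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $val = (Get-ItemProperty -Path $wl -Name Userinit).Userinit
    # A loader is typically appended after the comma so Winlogon starts it at logon.
    if ($val -ieq $ExpectedUserinit) { "Userinit OK: $val" }
    else                              { "Userinit TAMPERED: $val" }
}

function Get-DisallowRun {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (-not (Test-Path $key)) { return 'DisallowRun: key absent (normal)' }
    $k = Get-Item -Path $key
    # Value names are 1, 2, 3 ...; the data is the executable Explorer refuses to start.
    foreach ($name in $k.Property) { "DisallowRun $name = " + $k.GetValue($name) }
}

function Get-IERestrictions {
    $key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
    if (-not (Test-Path $key)) { return 'IE Restrictions: key absent (normal)' }
    $k = Get-Item -Path $key
    foreach ($name in $k.Property) { "IE restriction $name = " + $k.GetValue($name) }
}

function Get-TrustedZoneDomains {
    # Domains and EscDomains hold one subkey per domain (optionally a host subkey
    # below it); values named http/https/* carry the zone number.
    foreach ($root in 'ZoneMap\Domains', 'ZoneMap\EscDomains') {
        $base = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\$root"
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base -Recurse | ForEach-Object {
            $k     = $_
            $rel   = $k.Name -replace ('^.*\\' + [regex]::Escape($root) + '\\'), ''
            $parts = $rel -split '\\'
            [array]::Reverse($parts)          # domain\host key order -> host.domain
            $domain = $parts -join '.'
            foreach ($scheme in $k.Property) {
                if ($k.GetValue($scheme) -eq 2) { "Trusted zone ($root): $scheme $domain" }
            }
        }
    }
}

function Find-AlternateStreams([string]$Folder = $env:TEMP) {
    # Zone.Identifier streams on downloaded files are normal; anything else on a
    # file in a temp folder deserves a look.
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object { "ADS: $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
        }
}

Test-Userinit
Get-DisallowRun
Get-IERestrictions
Get-TrustedZoneDomains
Find-AlternateStreams
```

Run it from safe mode, as the post did, so an active loader cannot rewrite the values while you look. Treat the output as a list of things to verify by hand rather than as proof of cleanliness: a DisallowRun or Restrictions key can legitimately be set by group policy on a managed machine, and a missing key only proves that one persistence route is not in use.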
So there you have it. Rootkit eliminated (insert FF7 victory jingle here).
I found it interesting that the malware would force the user to use MSIE with security settings turned off, malware sites added to the trusted zone (so any embedded crap on pages would automatically be trusted and run, then installed), and Firefox, Oprah, and Chrome all prevented from running (and the MSIE options window blocked). Essentially, forcing the user to operate as if they were stark naked on the internet. Malware no longer seeks to damage the user's computer or such, but instead to install more malware and harvest personal information.