Malware on Steroids

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lee_W, May 7, 2009.

  1. Lee_W

    Lee_W Private E-2

    I've been fighting a very nasty piece of malware that ran across my entire network. Thus far every attempt to isolate it has failed. It has apparently hijacked my updaters for Windows and AVG. It also seems to run its own versions of Malwarebytes and SUPERAntiSpyware; both of those programs reported no problems whatsoever.

    Furthermore it has disabled the ability to boot from a CD.

    I'm at my wits end, any help with this is greatly appreciated.

    TIA,

    ...Lee
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am only seeing one item so far. Let's do this:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    RootKit::
    c:\windows\TEMP\TMP00000035127B32A850012754
    
    File::
    c:\windows\TEMP\TMP00000035127B32A850012754
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  3. Lee_W

    Lee_W Private E-2

    Thank you very much for looking at my problem. I have enclosed the logs you requested.

    One other observation, I cannot stop AVG processes. I booted in safe mode and deleted the AVG files but I now notice that they are all back.

    Thank you again,

    ...Lee
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. You can use this to remove AVG:
    http://www.avg.com/download-tools

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  5. Lee_W

    Lee_W Private E-2

    Tim,

    Let me start by thanking you for your help. This problem is much more insidious than even I imagined.

    This malware hit all of my 6 computers on the network before I could pull the network cable and I have been working on all of them, trying the same suggested techniques as this discussion has been going on.

    All of my computers except the two that I have gone after the most aggressively scan perfectly clean with every test. The drives on the computers I really went after committed suicide.

    This problem is quite neural, it either learns as it goes or it is being observed and throws up defenses from another location based on the threat.

    I bought a new computer and built up an Ubuntu linux machine along with a PATA/SATA to USB adapter for the sole purpose of trying to save data at this point. It has been partially successful but the two drives that I went after the most aggressively won't even mount in linux.

    What was amazing is that the one Windows ME boot drive that I did manage to mount on linux looked nothing like the drive that I saw under windows explorer while looking at it under its own operating system. It had numerous new subdirectories with programs that mimicked AVG (AVG0001.exe), spybot(Spy.exe), and a couple of registry programs under a subdirectory (computer user name was Lee) named Nleewm. I never created any such directory nor any of the files within it.

    The other computers have also been destroyed at the BIOS level. Without the infected hard drive in place they will not even POST. With the infected hard drive in place, one of them tested perfectly normal until I plugged it into the router/switch to the Linux box so as to transfer data files; at that point it killed the Ethernet port, then rebooted itself and showed the drive as non-bootable. That drive will now also not even mount under Linux.

    This is the most sophisticated collection of malware I could even dream of. The combination of the rootkit and the bios infection make it undetectable under normal circumstances until it will either drain my bank and brokerage accounts or destroy my drives, I don't know what its intentions are. At this point I am afraid of my own shadow.

    "TIN FOIL HAT ON"

    The source of this is clearly unknown to me, but I did write a series of not-so-friendly emails to my congressional representative. I made no overt threat to him or his family, but I think the last one I sent ended with the statement, "You, sir, are a piece of crap." I may have PO'd the wrong guy while speaking my mind.

    I am also a moderator on a message board where we try to help each other fix our Volvo cars; the board has been under constant attack from Russian, Ukrainian, and Chinese IPs. I have been doing lookups on the IP addresses so as to block entire blocks of IPs, and it may have been traced back to my IP, which only changes every day or so with DHCP.

    "TIN FOIL HAT OFF"

    I fear that this may be much more widespread than is known by the general public. Once it is fully in place it is completely undetectable unless the drive is removed, even the Ultimate Boot CD for Windows can't find anything.

    My best hope now is that, on the Dell Precision laptop that I originally posted logs from, I can get Dell to send me a new BIOS chip, I will buy a new hard drive, and start over from scratch.

    Thank you once again. I don't want to be a thread bumper but I may post back again after I try to mount the laptop drive under linux - it will be interesting to see what is there if I can get it to mount.


    ...Lee
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You may have an MBR infection on some of these machines....so you could try doing this:

    GMER's MBR.exe

    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Attach this log to your next message.


    Now delete the current mbr.log file and then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK. You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f
    Code:
    
         "%userprofile%\desktop\mbr.exe" -f
    
    Now double click on the mbr.exe file and attach the new mbr.log

    Let me know how you get along.
     
  7. Lee_W

    Lee_W Private E-2

    I hate to thread bump but this thing is going from bad to badder.

    This is relevant to the Dell Precision laptop that was specific to this thread and I tried to buy a new BIOS chip from Dell. It turns out that the BIOS is soldered in but the computer was under warranty and they sent a guy to my house with a new motherboard and he changed it out free of charge. We never put the infected hard drive back in before I zero filled the drive under Ubuntu Linux. I reloaded Windows XP from the Dell service disks and I thought I was golden - until the next time I turned the computer on. The computer had been properly shut down the last time it was turned off but it initiated a checkdisk routine and, before my very eyes, re-wrote the master boot record. It all happened fast and I couldn't write down the details but it re-wrote several sectors and finished with a revision to the MBR.

    MSdefender also reported that 4 changes had been approved to open UDP and TCP ports. I never authorized such changes. Msdefender is now worthless, it will go through the motions but never report anything as being bad. The same goes for SAS, Malwarebytes, and AVG free.

    I was at my cabin when I first turned the computer on where I only have dial up Internet so the malware never really progressed very far in reloading itself. It did reload the rootkit and I copied it onto my Linux computer and uploaded the rootkit file to Virustotal.com where it came back as attacking the kernel. It was 0/40 on the virus scan software detection list.

    Where on earth can the triggering routine be hiding? The motherboard was replaced, the RAM was removed while it was being replaced, and the drive was completely zero filled under Linux. The only disks that touched the computer were factory setup disks.

    The only thing that was original to the "old" computer was the DVD burner drive, the keyboard, and the monitor screen. Can a trojan hijack the firmware on a DVD drive? It did have broadband internet access (at my city house) to update to SP3 and all of its subsequent updates but I was careful to power cycle the cable modem several times before I plugged the ethernet cable into it. For the record the cable modem is a Scientific Atlanta 2100.

    Two days after the original re-install and SP3 upgrade it claimed that I had about 345 MB worth of critical updates from the Microsoft Update site, which is how it gained total control of the computer in the first place. Microsoft Update was perfectly happy 2 days earlier, so I never let those updates occur. In checking the modem screen, it did manage to download about 3 MB of stuff while I was online. The IP logger showed a lot of activity from IP address 4.254.6.252, which the IP lookup sites couldn't tell me much about (as in where) other than that it was registered to Level 3 Communications.

    It appears that the BIOS on the laptop has not yet been compromised so I am reticent to let the process proceed any further. Dell said it was a one time thing to replace the motherboard after a malware attack.

    Any ideas on how to proceed will be greatly appreciated. I have 9 other computers in the same (or worse) state of affairs.

    TIA,

    ...Lee
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As far as I can tell...you never ran the MBR fix. You need to remove all computers from the network, stop using any removable media and run the scans on each computer while off the net....as well as the MBR fix on each. Do not use any thumb drives, floppies or other removable media (CDs) as they may be the cause of the re-infections.

    Re-programming the BIOS does not fix an MBR infection. And I don't believe writing zeros to the file system space using Ubuntu will remove the low-level formatting info, which is where the problem could be.

    I apologize for the delay.....my isp took a dump.
     
  9. Lee_W

    Lee_W Private E-2

    Actually I did run MBR.exe per your instructions and everything came back - at least by my reading - as fine. Here is a log from the current configuration of the computer. The old version read the same.

    I did buy a firewall router on Saturday at MicroCenter and hopefully that will block any open port problems I have since I set it up to allow nothing.

    I haven't done any kind of programming since writing assembler code in the early '80s for a DEC PDP-11 while I was in engineering school, so I'm not sure what methods they use to try to decompile. Here is a link to the rootkit file analysis that I uploaded to Virustotal.com.


    http://www.virustotal.com/analisis/...bc381da7dfbb0766634344132ec8362-1244603352rly

    It is not being picked up by BitDefender yet, at least the Linux version.

    I think I may have been inaccurate when I said that I zero filled this entire drive. The wizards of smart on the Linux forums (I read it on the internet so it must be true) said that if you wipe out the first 10 MB then you have wiped the drive, since the partition table and the FAT table are gone. Since this is a Dell, the first 30 MB or so is the diagnostic partition and the NTFS Windows partition starts after that. This time - and with all of the rest of the drives - I let it go all night to zero fill the entire drive.

    Since I am behind the firewall - fingers crossed, knock on wood - things are looking OK. Re-mounting the drive under Linux shows nothing funny as was the case before.

    Thank you again for your help Tim, if you read anything bad in the MBR log please let me know. I think my long nightmare is finally coming to an end.

    ...Lee
     

    Attached Files:

    • mbr.log (195 bytes)
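The posts above turn on two questions a practitioner can actually check from the Linux box rather than infer: whether the 512-byte MBR (bootstrap code, partition table, 0x55AA signature) still looks like a fresh install, and whether a zero fill really reached it. The script below is an added example written for this thread; it is not part of the thread, of GMER's MBR.exe, or of any other tool named here. It parses a raw MBR sector, lists the partition entries, hashes the bootstrap code so it can be compared against a hash taken right after a clean install, reports the unpartitioned gap between the MBR and the first partition (space a bootkit can use for its own code), and tells you whether the sector is entirely zero. The sample sector, its Dell-style layout (a 0xDE utility partition followed by a bootable NTFS partition), and the partition-type names are constructed for illustration.

```python
"""Parse and sanity-check a raw 512-byte Master Boot Record.

Added example; the sample sector built here is constructed, not dumped
from any of the machines discussed in the thread.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow it
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

# Type-byte names used only for the report (assumed common values, not exhaustive).
PARTITION_TYPES = {
    0x07: "NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0xDE: "Dell diagnostic",
}


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, boot-code hash, zero-fill status and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"need exactly {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        # entry layout: status, CHS start (3), type, CHS end (3), start LBA, sector count
        status, _chs_first, ptype, _chs_last, start_lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16]
        )
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "start_lba": start_lba,
            "sectors": count,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "boot_code_all_zero": not any(boot_code),
        "partitions": partitions,
    }


def unallocated_gap_sectors(mbr: dict) -> int:
    """Sectors between the MBR (LBA 0) and the lowest partition start; 0 if no partitions."""
    if not mbr["partitions"]:
        return 0
    return min(p["start_lba"] for p in mbr["partitions"]) - 1


def build_sample_mbr() -> bytes:
    """Constructed sector: tiny bootstrap stub, Dell utility partition, bootable NTFS partition."""
    stub = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"  # xor ax,ax / mov ss,ax / mov sp,7C00h
    boot_code = stub.ljust(BOOT_CODE_LEN, b"\x00")
    table = struct.pack("<B3sB3sII", 0x00, b"\x01\x01\x00", 0xDE, b"\xfe\xff\xff", 63, 64260)
    table += struct.pack("<B3sB3sII", 0x80, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 64323, 20_000_000)
    table += bytes(16) * 2  # two empty slots
    return boot_code + table + MBR_SIGNATURE


def describe(sector: bytes) -> list:
    """Human-readable lines for one sector, used by the command-line entry point."""
    mbr = parse_mbr(sector)
    lines = [
        f"signature ok      : {mbr['signature_ok']}",
        f"boot code all zero: {mbr['boot_code_all_zero']}",
        f"boot code sha256  : {mbr['boot_code_sha256']}",
        f"gap before part 1 : {unallocated_gap_sectors(mbr)} sectors",
    ]
    for p in mbr["partitions"]:
        flag = "*" if p["bootable"] else " "
        lines.append(f"  {flag} slot {p['slot']} {p['type_name']:<16} LBA {p['start_lba']:>10} {p['size_mb']:>7} MB")
    return lines


if __name__ == "__main__":
    import sys
    # With no argument, inspect the constructed sample; otherwise read a file dumped with dd.
    data = build_sample_mbr() if len(sys.argv) < 2 else open(sys.argv[1], "rb").read(SECTOR_SIZE)
    print("\n".join(describe(data)))
```

On the Ubuntu box, `sudo dd if=/dev/sdb bs=512 count=1 of=mbr.bin` captures the real first sector of a drive attached through the USB adapter, and `python3 mbr_check.py mbr.bin` prints the report. The useful comparison is the boot-code hash taken immediately after a clean install against the hash taken later: Windows does not rewrite its own bootstrap code during normal operation, so a changed hash, a moved partition start, or a non-zero sector after a supposed full zero fill are each worth explaining before trusting the drive again.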
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then I will recommend that you use this utility:
    AutoEater.

    Let me know if you have any other issues.
     
