Context
For now, I can’t say much about the context, mainly because it may (or may not) involve other people. The only thing I am interested in is spotting the issue and understanding precisely what is going on.
What makes the case really interesting, though, is that it occurred on a fresh install of a Windows XP virtual machine. I intended it to be a clean snapshot for malware reversing. I noticed the weird behavior minutes after finishing the system install and setting up a bunch of reversing and live analysis tools.
So I bet that if I got some malware, it probably came from one of those tools. Unfortunately, there are too many of them and I could not pin down the exact time, so I cannot start the analysis from that angle.
This article is almost written live, so pardon my mistakes. I will update it as soon as I find something new. Of course, I am really expecting your feedback, suggestions and corrections. I see it as a great opportunity to learn, even though this one may not be the easiest…
Symptoms
Two things alerted me quickly.
The first one was that, at some point, the full Windows Update process consistently failed to complete. Believe me, I tried every way.
The second one was a weird dialog when trying to access the keyboard layout settings. It says “Incompatible driver detected”. To me, this looks like there is a keylogger somewhere…
Then, as I started to check around, more odd stuff came out.
I fired up Process Explorer, and soon realized that it was “unable to verify” the signatures of all the running Windows processes. I could not find anything else suspicious, though (no odd process, memory content looked normal, etc.).

On the left, Process Explorer fails to validate any Windows process.
On the right, expected behavior on a clean system.
Ok, while I am at it with the Sysinternals suite, why not scan with RootkitRevealer:
Interesting… and what about GMER:
Oops! Now it crashes when accessing the registry…
For fun, let’s see what happens if we try to install an antivirus (Security Essentials):
Nice one! Very suspicious! Note that after a full scan, Security Essentials reports that the system is clean and everything is fine. I am so relieved. :)
Curious about the state of my certificates, I ran certmgr.msc. I compared all Microsoft root certificates with a clean machine and could not see any difference. But again something happened:
Oh, just one of my last attempts at live analysis (this is the WinPcap setup included with Wireshark):
Ok, so enough playing around. The thing seems to be nicely done, and live analysis is going to be way too hard and unreliable.
Memory Analysis
This is where I am now. I reverted to a snapshot prior to my live analysis attempts, confirmed the strange behaviors are still observable, and suspended the VM to get the vmem file.
So I have spent the last hours scanning the memory with, of course, Volatility.
So far, I have to confess that I found NOTHING. But analyzing the memory can be a harsh process when it comes to sophisticated threats, and I may have reached the limits of my skills.
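One of the first things worth doing on that vmem file is a cross-view comparison of process listings: Volatility’s pslist walks the kernel’s linked list of active processes, while psscan carves EPROCESS structures out of physical memory, so a process present in the second view but not the first has either exited or been unlinked from the list (the classic DKOM hiding trick). The script below is an added example, not code from the article, and the two listings it parses are constructed to mimic the column layout of Volatility 2 output; the names, PIDs and offsets in them are made up and not from the author’s machine.

```python
"""
Cross-view comparison of two Volatility process listings (pslist vs psscan).

A PID that psscan finds but pslist does not has either exited (psscan still
shows an exit time for it) or has been unlinked from the active process list,
which is what DKOM-style process hiding looks like in memory.

The two listings below are CONSTRUCTED sample data for this example. They
follow the Volatility 2 table layout but are not taken from a real image.
"""
import re

PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     58      256 ------      0
0x82151020 smss.exe                544      4      3       19 ------      0 2012-01-01 10:00:00 UTC+0000
0x8218a7f8 csrss.exe               608    544     10      402      0      0 2012-01-01 10:00:01 UTC+0000
0x82165da0 winlogon.exe            632    544     19      534      0      0 2012-01-01 10:00:01 UTC+0000
0x81f0e020 explorer.exe           1484   1452     16      520      0      0 2012-01-01 10:00:20 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c8830 System                4      0 0x00319000
0x0000000002151020 smss.exe            544      4 0x0a6c0020 2012-01-01 10:00:00 UTC+0000
0x000000000218a7f8 csrss.exe           608    544 0x0a6c0040 2012-01-01 10:00:01 UTC+0000
0x0000000002165da0 winlogon.exe        632    544 0x0a6c0060 2012-01-01 10:00:01 UTC+0000
0x0000000001f0e020 explorer.exe       1484   1452 0x0a6c00a0 2012-01-01 10:00:20 UTC+0000
0x0000000001e7b3c0 svchst.exe         1732   1484 0x0a6c00e0 2012-01-01 10:01:05 UTC+0000
0x0000000001d21020 notepad.exe        1900   1484 0x0a6c0120 2012-01-01 10:02:00 UTC+0000 2012-01-01 10:03:00 UTC+0000
"""

# A data row starts with a hex offset, then name, PID and PPID. Header and
# separator lines do not match and are skipped.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_processes(text):
    """Return {pid: name} from a pslist or psscan table."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, pid, _ppid = m.groups()
            procs[int(pid)] = name
    return procs


def exited_pids(psscan_text):
    """PIDs whose psscan row carries a 'Time exited' value.

    Created and exited timestamps are three tokens each (date, time, zone), so
    a row with both has at least 11 whitespace-separated tokens.
    """
    exited = set()
    for line in psscan_text.splitlines():
        tokens = line.split()
        if ROW_RE.match(line) and len(tokens) >= 11:
            exited.add(int(tokens[2]))
    return exited


def compare_views(pslist_text, psscan_text):
    """Split psscan-only PIDs into 'hidden' (no exit time) and 'exited'."""
    active = parse_processes(pslist_text)
    carved = parse_processes(psscan_text)
    gone = exited_pids(psscan_text)
    hidden = {p: n for p, n in carved.items() if p not in active and p not in gone}
    exited = {p: n for p, n in carved.items() if p not in active and p in gone}
    only_in_pslist = {p: n for p, n in active.items() if p not in carved}
    return {"hidden": hidden, "exited": exited, "only_in_pslist": only_in_pslist}


if __name__ == "__main__":
    result = compare_views(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for category, procs in result.items():
        for pid, name in sorted(procs.items()):
            print(f"{category:15s} PID {pid:5d}  {name}")
```

In the constructed sample, the PID that shows up as "hidden" is the one to dump and inspect first. Keep in mind that psscan can also surface stale EPROCESS blocks from processes that exited long ago and whose pool memory was never reused, and that PIDs get recycled, so a hit is a lead for further checks (procdump, dlllist, handles) rather than proof of a rootkit.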
But, anyway, I could not dream of a greater and more exciting opportunity to learn!
My discoveries, if there are any, will be published in another article.
UPDATE: I forgot to mention that it is a Windows XP SP3 machine, but not fully updated because of the issues described above.
Run combofix, it will root out anything, plus fix misconfiguration problems at Windows’ “root”. Google combofix, but only download it from bleepingcomputer. Follow their cautions to a T, including not clicking anything on the terminal while it is running etc.
Thanks Piper. I did not know this tool, a nice one to have in a toolbox. I will run it and post the results.
To me it looks like a parasitic infection if so many different tools are crashing and not running correctly.
Just submit your copy of GMER that is crashing to virustotal and see if it is detected; if it is, you likely have a parasitic infection which is crippling all your files… good luck
Hi phocean
Try to run one of the offline scanners on this computer in Safe mode
list here: http://ondailybasis.com/blog/?p=77
in addition, try Malwarebytes to see any known malware, and run HJT on this machine and post it here.
If need help – contact me :)
Use sysinternals autoruns and see what is running at startup. check your hosts file for suspicious entries.
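The hosts file check suggested in the comment above can be scripted rather than eyeballed. The script below is an added example, not code from the article or the commenter: it parses a hosts file, tolerates trailing comments, multiple hostnames per line and IPv6 entries, and flags two things a defender cares about on a machine where Windows Update has stopped working: any entry that overrides a Microsoft update or security-vendor domain (whether it points at loopback, 0.0.0.0 or some other host), and a localhost name that no longer maps to a loopback address. The hosts content and the watched-domain list are constructed for the example and are assumptions, not values from the author’s machine.

```python
"""
Audit a Windows hosts file for entries that would break updates or redirect
security-vendor sites. Added example; the sample file below is CONSTRUCTED
and the watched domain list is an assumption chosen for this illustration.
"""
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "line ip hostname reason")

# Constructed sample resembling a tampered %SystemRoot%\System32\drivers\etc\hosts
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
0.0.0.0         www.virustotal.com     # hidden behind a comment
10.0.0.5        www.bleepingcomputer.com
::1             localhost
"""

# Domain suffixes that legitimate hosts files never need to override.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "virustotal.com",
    "bleepingcomputer.com",
    "kaspersky.com",
    "malwarebytes.org",
)

# Names that must resolve to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (lineno, ip_string, [hostnames]) for every non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # address with no hostname
            continue
        yield lineno, parts[0], parts[1:]


def matches_watched(hostname, watched):
    """True if hostname equals a watched suffix or is a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in watched)


def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return a list of Finding tuples for suspicious entries, in file order."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(lineno, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            lname = name.lower().rstrip(".")
            if lname in LOCAL_NAMES:
                if not addr.is_loopback:
                    findings.append(Finding(lineno, ip, name, "localhost not mapped to loopback"))
            elif matches_watched(lname, watched):
                findings.append(Finding(lineno, ip, name, "update/security vendor domain overridden"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(HOSTS_SAMPLE):
        print(f"line {f.line:3d}: {f.ip:15s} {f.hostname:30s} {f.reason}")
```

On a real system, read the file from the drivers\etc directory with the image mounted offline if possible, since a rootkit that hooks file system calls can present a clean hosts file to tools running on the infected OS. Also scroll past any long run of blank lines: padding the file so that the bad entries sit below the visible part of the editor window is a common trick.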
@ak: I analyzed Gmer myself (except for the registry part that crashes), and I can tell it finds nothing unusual.
@dl: I scanned the disk online and offline with three antiviruses (microsoft, kaspersky, clamav) and they found nothing. Anyway, antiviruses work with hooks on the native API, so if there is already a good rootkit, I can’t trust their results.
@Michael: sure, done, it is always the first thing I do. Live analysis (see the screenshots) and then offline analysis.