Got The Sucker
Many thanks to Rorschach112 at Geeks To Go for pointing the way to ending the problem, and to the lads and/or lasses of Kaspersky for their TDSSKiller that took out the problem.
The machine was infested with a problem with many names: Win32/Olmarik, Rootkit.Win32.TDSS.u, Win32/Alureon.F, Backdoor.Tidserv!.inf. It installed itself in the boot area of the hard disk and communicated with various malware sites.
The clues that it was on the machine were the redirection of search engine results and an increase in boot time. Eliminating the stuff you could see only lasted until you rebooted, when it would relaunch and recreate what you had deleted.
ESET warned about it and blocked the calls to the ‘mothership’, but it couldn’t remove it completely. Messing about in the boot sector is definitely a specialized field, and if you aren’t 100% confident about what you are doing, you could render the computer inert.
I don’t need the computer I cleaned up, now that I have the emulator working, but it is always good to have a back-up.
So… was the rootkit itself by a malware author, or was it a gift from Sony? These are troubled times in which one has to consider the possibility that a major multinational corporation would launch a rootkit. But they did.
It was pure malware and I suspect that I was infected while reading an article a few months back. ESET set off bells and whistles related to an ad at the site. I think I mentioned it on the blog, a Javascript embedded in what should have been a jpeg.
I don’t give a damn who does it, rootkits are malware and they endanger your entire system. Screwing around in the boot sectors of someone else’s computer is trespassing, plain and simple, as defined by English common law, even though that was written centuries before adding machines, much less computers. I don’t doubt that it is a violation of Microsoft’s intellectual property interests as well.
Sony had to backtrack after it was discovered, and they should have had penalties imposed. I’m more than tired of having to adapt my world because of supposed ‘threats’ to the ‘intellectual property rights’ of a half-dozen conglomerates.
One of the massive improvements to Windows 7 is the UAC system, which is why I’ve retired all my XP systems. With UAC you would have gotten the “Program ‘Firefox.exe’ wants to make changes to the system, do you wish to allow this?” requester, you would have clicked “No”, and the virus would have been dead in its tracks, unable to modify any of the underlying details of the system to permanently wedge itself into system boot. The only real issue I’ve had with Windows 7 is its stubborn refusal to run unsigned device drivers, which is usually a good thing, but if you’re actually developing device drivers it can be annoying, since then you have to install your own self-signed certificate as a valid signing authority (overriding several Microsoft UAC escalations during this process) and sign your drivers. But given that the usual result of installing your spiffy new driver into the system is either a spontaneous reboot or a full system lockup, it’s no more annoying than device driver development in general :).
Of course, UAC is prone to the same problems as running as a user on Linux… i.e., if a root escalation exploit is found, getting in as a user can *still* allow modification of the underlying system. Oh well. But in this particular case, I seem to recall hitting a web site infected with this virus, getting the UAC notification, sighing, clicking “No”, and that was that. Of course I do run antivirus (I’m running Microsoft’s, actually, which works better than you’d think, probably because Microsoft bought it rather than writing it from scratch 🙂 ), but AV can’t catch *everything*…