the Junkyard: Killing a Trojan Horse: Part V

Killing a Trojan Horse: Part V

Posted by: IVIaedhros on Sat Dec 10th, 2005 at 4:27 PM

Pay no attention to that man behind the curtain!
Written by Rock, former SS:2845 dev and StarSiege guru.


I ran the RootKitRevealer and I hit pay dirt. This RootKitRevealer is a real nice boot-scraper! It confirmed what I had, where it was located, and how deeply it was rooted. It found a couple of THOUSAND entries. All but 6 of them were in the "ubeasus" folder! Now I had this devil by the horns. I wasn't letting go until I twisted its ugly little head clean off!

Technically, this is called a "rootkit trojan". Once it infects your machine, it is absolutely INVISIBLE to today's virus and spyware scanners, which is why none of my typical tools could find it. You can't find it on your hard drive, you can't find it in the Registry, but it's there just the same. It doesn't hide in the boot-sector like old-style viruses do. It even installs a device driver into Windows. You can't see the device driver when you look in the Device Manager, even if you "View Hidden Devices" in the menu. But if you've got a rootkit trojan, you can be assured that it's there... and it's looking back at you with evil eyes!

Rootkits (aka "root kits") have been around for a while. They were originally a collection of advanced Unix utilities (a toolset) that System Administrators use to help maintain and troubleshoot computer systems and networks. To do that work, they might purposely bypass, or defeat, various system protection protocols. A rootkit trojan uses some of those advanced methods to hide itself.

The way a rootkit trojan works:
Let's say you have a hard drive. At the low level it's partitioned into sectors and clusters. The "fdisk" and "format" commands set up those objects on your hard drive so that you can use it to store your files. Then you have Windows, the operating system, which knows how to get into your hard drive and read/write the raw hard drive data that represents and manages your files.

When you use a program to access your files, like Explorer for example, that program asks Windows to go to the hard drive and set/get the file information. When Windows returns the information, the program can then display it, delete it, read/write it... whatever it wants to do. Virus scanners, spyware scanners and almost all other programs on your computer use that same Windows interface to get at the files on your disk drive, and they all see the same file information.

So if I were a trojan-writer, and I were to hook in my own little file-interface in between Windows and your hard drive such that all file requests go through me, then I could filter out all file information that refer to my trojan, and pass all others through unmodified. Thus, I can make all my trojan-files become totally invisible to the typical Windows application. I would implement my trojan as a "file system filter driver" and I would make it install right alongside all the other device drivers that Windows uses. Once I do that, it would automatically reload itself EVERY TIME YOU BOOT THE MACHINE and my filter driver would make sure that you never see any of my trojan files. I can apply the same interface-hook method to the Registry, thus preventing you from seeing (or deleting) my operational persistence-keys that are stored there.
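The hiding trick just described, and the way RootKitRevealer catches it, can be modelled in a few lines. This is an added illustration, not code from the article or from RootKitRevealer: the paths, registry keys and file names below are constructed sample data (the article names the "ubeasus" folder but not where it lives), the `filtered_view` function stands in for a hooked Windows API that drops anything naming the trojan, and `cross_view_diff` does what a cross-view scanner does, comparing what the API reports against what is actually on disk and in the hive.

```python
"""Cross-view detection of filter-driver hiding (added example, constructed data)."""
from typing import Dict, List, Set

# Constructed "raw" view: what really sits on disk and in the registry hive.
RAW_FILES: Dict[str, Set[str]] = {
    r"C:\Windows\System32": {"kernel32.dll", "ntdll.dll", "ubeasus"},
    r"C:\Windows\System32\ubeasus": {"ubeasus.sys", "ubeasus.dll", "log.dat"},
    r"C:\Users\rock\Documents": {"notes.txt"},
}
RAW_REG: Dict[str, Set[str]] = {
    r"HKLM\SYSTEM\CurrentControlSet\Services": {"Tcpip", "ubeasus"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"ctfmon"},
}

HIDE_MARKER = "ubeasus"  # hypothetical: the substring the filter strips from every listing


def filtered_view(raw: Dict[str, Set[str]], marker: str) -> Dict[str, Set[str]]:
    """Model the hooked Windows interface: entries that name the trojan are dropped,
    everything else is passed through unchanged, exactly as the article describes."""
    out: Dict[str, Set[str]] = {}
    for path, entries in raw.items():
        if marker in path.lower():
            continue  # the whole directory or key is hidden
        out[path] = {e for e in entries if marker not in e.lower()}
    return out


def cross_view_diff(api: Dict[str, Set[str]], raw: Dict[str, Set[str]]) -> List[str]:
    """RootkitRevealer-style check: anything present in the raw view but absent
    from the API view is a discrepancy worth investigating."""
    findings: List[str] = []
    for path in sorted(raw):
        hidden = raw[path] - api.get(path, set())
        for name in sorted(hidden):
            findings.append(f"{path}\\{name}")
    return findings


def scan() -> Dict[str, List[str]]:
    """Run the comparison for both the file system and the registry."""
    api_files = filtered_view(RAW_FILES, HIDE_MARKER)
    api_reg = filtered_view(RAW_REG, HIDE_MARKER)
    return {"files": cross_view_diff(api_files, RAW_FILES),
            "registry": cross_view_diff(api_reg, RAW_REG)}


if __name__ == "__main__":
    for kind, items in scan().items():
        print(f"{kind}: {len(items)} hidden entries")
        for item in items:
            print("   ", item)
```

Every discrepancy the scan reports is something the normal file or registry API refused to show, which is the only reason a hidden folder full of "a couple of thousand entries" becomes visible at all.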

So there you have it. You won't find ANY run-entries in any of the typical locations on your machine, yet the trojan will execute every time you reboot because it's a device driver. Perpetual pop-ups are what you'll get, and that would be the LEAST of your worries. This little beastie can log all of your online activity and send it all back to the bad guys at any internet location. So you can say goodbye to your online bank accounts, credit card information, and any other highly sensitive personal information. Can you say "Identity Theft?"

Luckily, those nasty results didn't happen to me except for those annoying perpetual pop-ups. But that doesn't mean it couldn't do any of those other dirty deeds any time it wanted to. It only takes phoning home once for a command from its "owner". This thing had to go.

I knew exactly what to do next!

Finally part 6: "Mop the floor with the little cretin!"


