Thursday, November 12, 2009

Rootkit Removal (Part 1: Detection)

The other day my wife discovered that her computer had been pwnd -- a rootkit was redirecting links resulting from google searches to point to malicious sites. I was able to disable it* after a lot of trouble, and I thought I would write a post describing what I tried and what worked and what didn't.

My wife is running windows XP and had been complaining of "slow internet" and "weird thing happening in Firefox".  The slow internet part I chalked up to Clearwire being generally flaky, and "weird things" was too vague to consider as anything worth worrying about.  One day she complained that when she clicked on a link as a result of a google search, something else came up. I tried the same search from my machine, and got the expected results.  Hmm...  something sounds broken.
My first thought was that our wireless router (running Linux) had been compromised and our DNS lookups were being redirected. That wasn't likely because we've got a strong configuration password and the router running a custom OS is a much 'harder target' than most home routers. Trying the searches from another machine on the same wireless router ruled out that possibility.

So it was something on her machine that was causing the problems. My next step _should_ have been to try the searches in IE as well as Firefox. If it was just FF that was having the problem, maybe there was some kind of malicious Firefox plugin installed. Instead, I tried running msconfig. Ack! No msconfig on XP. I checked Windows Defender -- the most recent scan found nothing. I opened up regedit and checked the Run key. I did this with some trepidation because whenever I look at the Run key I get upset at all of the garbage that is running on my machine. I took a deep breath and, since this was my wife's computer, I didn't sweat the google updater, the java updater, the hotkey hook installer, the video card crapplet garbage, Windows Defender, DVD burning garbage, etc etc. Rather than delete the lot of them (which was my initial inclination), I renamed the key (to RunX). This way I could restore all of them, or try them one by one.

When I went to recreate an empty Run key, something funny happened -- I got an error because the Run key already existed. I hit F5 to refresh, and sure enough, there was an entry: Rundll32 on some unpronounceable dll in the %windir%\system32 directory. Hmm... somebody had registered for a notification on the Run key, and whenever it was modified it added itself back. This is not the behavior of a nice component. "Rootkit, I have found thee, and thy name is 'yslkasqx.dll'".
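A defender-side check for the two things this paragraph turned up, written here as an added example rather than anything from the post: it lists the Run key entries, flags any rundll32 entry whose DLL carries no valid Authenticode signature, and, with -Remove, deletes the flagged entries and re-reads the key a few seconds later to see whether something puts them back. The key paths, the five-second wait and the -Remove switch are this example's own choices; it needs an elevated PowerShell prompt to touch HKLM.

```powershell
# Added example, not code from the post. Audit the Run keys for rundll32
# autostarts with unsigned DLLs and check whether removed entries reappear.
param([switch]$Remove)   # with -Remove, delete suspect entries and re-check the key

$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider, ... are not entries
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Pull the DLL out of a "rundll32[.exe] <dll>,<export>" command line. A bare
# file name resolves from system32, which is where the post's DLL lived.
function Get-RundllTarget([string]$command) {
    if (-not ($command -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)')) { return $null }
    $dll = $Matches[1].Trim()
    if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:windir\system32" $dll }
    return $dll
}

# A rundll32 autostart whose DLL has no valid Authenticode signature is worth a look.
function Test-RunEntry($entry) {
    $dll = Get-RundllTarget $entry.Command
    if ($null -eq $dll) { return $false }
    $status = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'Missing' }
    if ($status -eq 'Valid') { return $false }
    Write-Warning "SUSPECT: $($entry.Key)\$($entry.Name) -> $dll (signature: $status)"
    return $true
}

$suspects = @(Get-RunEntries | Where-Object { Test-RunEntry $_ })

if ($Remove -and $suspects.Count -gt 0) {
    foreach ($s in $suspects) { Remove-ItemProperty -Path $s.Key -Name $s.Name }
    Start-Sleep -Seconds 5                       # give a registry watcher time to react
    $names = $suspects | ForEach-Object { "$($_.Key)\$($_.Name)" }
    Get-RunEntries | Where-Object { $names -contains "$($_.Key)\$($_.Name)" } |
        ForEach-Object { Write-Warning "RE-ADDED: $($_.Key)\$($_.Name) = $($_.Command)" }
}
```

An entry that comes back on its own after removal is the behavior the post describes; an unsigned DLL by itself is only a lead, since plenty of legitimate vendor components ship unsigned.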

Tune in next time to find out how to delete something that doesn't want to be deleted, and to see what other surprises the rootkit had in store.

* Once you've got a rootkit on your machine, it is very difficult to know for sure you've gotten rid of it... subsequent posts will give concrete examples of this, but removing a rootkit is kind of like removing cancer -- there is really no way to tell if you've got it all except to wait and hope. 

2 comments:

  1. SILENCE!

    I am the ancient Aztec Lord YSLkaSQX and I will not tolerate this insolence!!!!

  2. sounds like a lot of the conversations I have at home...i say something's broken, and hubby fixes it...
