Thursday, November 12, 2009

Rootkit Removal (Part 4: Reenabling Autoupdate)

It seemed like the hard part was over -- I disabled the rootkit from starting at boot, got rid of the scheduled task, and cleaned up the rootkit files that I knew about. All I needed to do was enable auto-update... that should be simple, right?

The rootkit was disabling the Windows Update service as soon as I could start it. The service startup type is stored in the registry but also has a live value in the service control manager. The rootkit could in theory set either one, which made things a bit more complex. The fact that the change happened immediately pointed to the service control manager, which is a higher level API. As far as I know the SCM doesn't have a notification system, so the rootkit must be polling every few seconds to make sure it still hadn't started.

But how to catch it? How do you know which process is shutting down the service? The first thing I looked at was the event log, which tells you that the service stopped but not who stopped it. Next, I tried Process Monitor, the tool from Sysinternals. I'd never used it before, and found it to be fantastic. To catch the rootkit in the act, I set a filter to only show RegSetValue calls, reenabled the Windows Update service, and waited for the rootkit to shut it down. Sure enough, a couple of seconds later, somebody writes to the Windows Update service key ... and it was services.exe. Wait -- that is a Windows service container process. It is only supposed to run a predefined set of services. Conveniently, Process Monitor also lets you look at the loaded DLLs in a process, which turned up another odd name that I didn't recognize (again, it looked like a randomly generated name to avoid detection). I was able to prevent the DLL from loading via the now familiar mechanism -- changing the ACL on the file.
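The two places a startup type lives (the registry Start value and the live SCM view) and the "reenable, then watch who flips it back" approach described above can be scripted rather than done by hand. The following PowerShell is an added example written for this post, not the author's own tooling: it restores wuauserv to Automatic, polls both views and logs any change with a timestamp that can be lined up against a Process Monitor capture filtered on RegSetValue, and finally shows the ACL step. The service name, polling interval, log path, watch duration and the SUSPECT-DLL-NAME.dll path are assumptions; the DLL path in particular is a placeholder to be replaced with whatever Process Monitor actually names.

```powershell
# Added example (not from the original post). Assumptions: service name wuauserv,
# a 2-second poll, a 60-second watch window, a log file under %TEMP%, and a
# placeholder DLL path. Run from an elevated PowerShell prompt.

$ServiceName  = 'wuauserv'
$RegKey       = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$LogPath      = Join-Path $env:TEMP 'wuauserv-watch.log'
$PollSeconds  = 2
$WatchSeconds = 60

# Meaning of the registry Start value (what the service does at next boot).
$StartNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartState {
    # Read both views the post describes: the on-disk registry value and the
    # live SCM view (StartMode/State via WMI). A rootkit may change either one.
    $reg = (Get-ItemProperty -Path $RegKey -Name Start).Start
    $scm = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    [pscustomobject]@{
        Time          = Get-Date -Format o
        RegistryStart = $StartNames[[int]$reg]
        ScmStartMode  = $scm.StartMode
        ScmState      = $scm.State
    }
}

function Restore-Service {
    # Put both views back to Automatic and start the service, so that any
    # later change to either one is the thing we are trying to catch.
    Set-ItemProperty -Path $RegKey -Name Start -Value 2
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
}

function Watch-ServiceTampering {
    # Poll both views and append a line to the log whenever one of them changes.
    # The SCM event log entry (event 7036) only says the service stopped; the
    # timestamp written here is what you correlate with the Process Monitor
    # trace (filter: Operation is RegSetValue) to find the writing process.
    Restore-Service
    $last     = Get-ServiceStartState
    $deadline = (Get-Date).AddSeconds($WatchSeconds)
    "$($last.Time) baseline registry=$($last.RegistryStart) scm=$($last.ScmStartMode) state=$($last.ScmState)" |
        Add-Content -Path $LogPath
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $now = Get-ServiceStartState
        if ($now.RegistryStart -ne $last.RegistryStart -or
            $now.ScmStartMode  -ne $last.ScmStartMode  -or
            $now.ScmState      -ne $last.ScmState) {
            "$($now.Time) CHANGED registry=$($now.RegistryStart) scm=$($now.ScmStartMode) state=$($now.ScmState)" |
                Add-Content -Path $LogPath
            $last = $now
        }
    }
    Get-Content -Path $LogPath
}

function Block-SuspectDll {
    param([string]$Path)
    # The ACL step from the post: deny read/execute to Everyone (SID S-1-1-0)
    # so the file can no longer be mapped into a process. The caller supplies
    # the path that Process Monitor's loaded-module view identified.
    if (-not (Test-Path -Path $Path)) { throw "No such file: $Path" }
    icacls $Path /deny "*S-1-1-0:(RX)"
}

Watch-ServiceTampering
# Placeholder path; replace with the DLL Process Monitor showed inside services.exe.
# Block-SuspectDll -Path 'C:\Windows\System32\SUSPECT-DLL-NAME.dll'
```

The watcher only reports that one of the two views changed; it does not itself identify the writer. That is the job of Process Monitor, and the log's timestamps are there so the RegSetValue line in the trace can be matched to the change. The Block-SuspectDll call is left commented out because the path is unknown until that match has been made.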

And that was it ... with this last change, Windows Update was able to run, a whole bunch of new updates were installed, and hopefully whatever vulnerability was exploited to install the rootkit has now been patched. The machine has been up and running fine with no symptoms for several days now, and my wife reports that performance is much better.

However, rootkits are like horror movie villains -- every time you think you've gotten rid of them completely, they come up with an even more elaborate way of coming back. I still don't know how the latest DLL was getting loaded into services.exe. My guess is that it was loaded through DLL injection, although that raises the question of who loaded it and how it was spawning new DLLs for the different components. Sounds like a setup to a sequel....
