Friday, November 14, 2008

Spyware Malware Infestation - Smitfraud TDSS

Wow. I've been pretty careful to prevent myself from being infected by viruses or spyware, but this time it takes the cake. It seems one of my free webhosts had their server compromised. This caused a site that was hosted on them (my site, in fact) to install malware on my computer. I was stupid not to heed the warning in Firefox saying my site was reported as an attack site ("What?!" was my first reaction), so I went to Internet Explorer to check it out, for some insane reason.

Almost immediately my Avast 4 antivirus spat out a warning, which I closed (stupidly, instead of trying to clean it), which I can only assume let it install on my computer. Another warning popped up to remove the malware file, which I did, causing my computer to freeze up. A reboot later it had already installed c.exe (with a.exe, b.exe and d.exe in the temp folder) for startup, along with a ~temp process masquerading as a "Microsoft virus scanner not installed" icon in the system tray near the clock. It's amazing because the popups ask if you want to install a virus scanner, and right-clicking on the virus tray icon automatically opens a spam link.

Avast/ClamWin couldn't detect it as a running process, but fortunately I was able to remove it by killing two processes, removing the startup entry for c.exe and finally deleting the file in my temp directory.

**Updated -
It was actually much worse than I thought. My DNS was completely taken over and I could not figure out what process was causing it. Windows Defender (now I'm starting to think it's completely useless) detected nothing on a full scan. I could not open Spybot at all. The Hijack installer could not install. Accessing Windows Update was redirected to local (the Trend Micro website was set to localhost); even majorgeeks resolved back to 127.0.0.1. What an incredibly awesome program, despite it obviously being malware: it blocked access to a lot of sites, which was not a simple edit of the hosts file (that was not touched), and it prevented opening the programs that could fix it. It's focused on sending you to a virus scanner too, which is hilariously evil.
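A check for the symptom described above (security sites answering with 127.0.0.1 while the hosts file is untouched), added here as an example and not part of the original post. The watched hostnames are illustrative placeholders, the hosts-file path is the standard Windows location, and the labels are my own: a loopback answer that no hosts entry explains means the redirection is happening below the hosts file, in the resolver or a driver.

```python
import ipaddress
import socket

# Standard Windows hosts-file location (the file the post says was left untouched).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed watch list: these vendor/update hostnames are illustrative placeholders.
WATCHED_HOSTS = ["windowsupdate.microsoft.com", "www.trendmicro.com", "www.majorgeeks.com"]


def parse_hosts(text):
    """Map hostname -> IP from hosts-file text; comments and blank lines are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        for name in parts[1:]:
            mapping[name.lower()] = parts[0]
    return mapping


def classify(host, resolved_ips, hosts_map):
    """Label one lookup: no_answer / ok / hosts_override / resolver_hijack."""
    if not resolved_ips:
        return "no_answer"
    sink = [ip for ip in resolved_ips
            if ipaddress.ip_address(ip).is_loopback or ipaddress.ip_address(ip).is_unspecified]
    if not sink:
        return "ok"
    if host.lower() in hosts_map:
        return "hosts_override"   # a local hosts entry explains the loopback answer
    return "resolver_hijack"      # loopback answer with no hosts entry: tampering below the hosts file


def audit(lookups, hosts_text):
    """lookups: {host: [ip, ...]} as returned by the resolver; returns {host: label}."""
    hosts_map = parse_hosts(hosts_text)
    return {h: classify(h, ips, hosts_map) for h, ips in lookups.items()}


def live_lookups(hosts=WATCHED_HOSTS):
    """Resolve each name with the system resolver (needs network access)."""
    out = {}
    for h in hosts:
        try:
            out[h] = socket.gethostbyname_ex(h)[2]
        except socket.gaierror:
            out[h] = []
    return out
```

On a live machine, pass the output of live_lookups() and the contents of HOSTS_PATH to audit(); any host labelled resolver_hijack is being redirected somewhere other than the hosts file.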

Finally I went into Safe Mode and fortunately got Spybot to work, but only after editing the filename (still working in Safe Mode!) to just spybot.exe. It was able to find Smitfraud-C.gp, Smitfraud-C and Win32.TDSS.rtk, along with an a.exe file in windows/system32/. It took a fix and a rescan, which detected it again, to solve the problem...

**Final Update
Absolutely premature again. Much more serious than I thought. A trojan rootkit(?) was installed, and symptoms included freezing the system (the mouse would still work) and reacquiring DNS whenever an internet connection was established. This was the work of TDSS. I tried running a SmitFraud fix, which did nothing to TDSS of course, but combofix.exe was able to remove the following:

c:\windows\system32\drivers\TDSSmxwe.sys
c:\windows\system32\Drivers\TDSSypaa.sys
c:\windows\system32\TDSSaoli.dat
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSgurc.log
c:\windows\system32\TDSSjont.dll
c:\windows\system32\TDSSkkao.log
c:\windows\system32\TDSSmcfp.dll
c:\windows\system32\TDSSmrxq.dll
c:\windows\system32\TDSSmtpe.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnpur.dll
c:\windows\system32\TDSSoitu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSshyf.log
c:\windows\system32\TDSSuxrr.dll
c:\windows\system32\TDSSvcce.dll
c:\windows\system32\TDSSvoqm.dll
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_NPF

and gave me full access to the internet without it taking control of the DNS. If I did not have a computer, it would make one suicidal trying to download the tools or access the web to figure out how to remove this. It pretty much meant having to run Spybot to reset the virus so you could access the internet for less than a minute before it retook some entries. I acquired Malwarebytes' Anti-Malware, which detected 20 objects (mostly corrected files from ComboFix with the added extension .vir, and a few restore points) and took over 5 hours to run on my computer. The online Trend Micro virus scan took even longer...

I guess this is karma for my recent posts. I have been overly grumpy lately... Not that these events can make anyone better.
