Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

Re:You're infected! Not me.

[Master+Bait]

In the old pre OS X days, most Mac viruses were INITs (AKA Extensions) which are rewritten system calls. I remember a virus from the olden days which was an INIT that spread through a DiskInsertionEvent.

Happened to me 2 days ago.

[LePrince]

I was at work, and I'm the only person in our helpdesk to "de-spywarise" the company's PC (I'm the only 2nd level tech analyst). I got a laptop yesterday that was infected with numerous spywares. After removing most of them with HijackThis, Spybot, CWShredder, there was a rogue entry to a file named "elitegfk.exe" in the registry that, as soon as I removed it, came back.

Easy enough I thought, I'll just remove physically the file and the process. But no; the file wasn't ANYWHERE. Yes, I unchecked the "Hide protected system files" checkbox and I was on SHOW HIDDEN FILES, so ALL files were displayed. Heck, a dir /s on the root of the filesystem didn't even work... I thought that it would be possible that the file has another name, renamed itself to that, made its dirty business then renamed itself. I fired up Filemon (from Sysinternal) and sure enough, I see plenty of activity from a process named elitegfk.exe but STILL no sign of the file and/or process. I scanned the registry, and regedit.exe took 2 seconds to complete the scan... !

I was on the verge of reformatting the system when I thought about something: I accessed the laptop through the admin share (\\computer\c$); sure enough, the file was there, sitting quietly sitting in c:\winnt\system32 (Win2k system)...

The spyware prevented its own display through taskmgr, explorer and regedit. Regedt32 didn'T work, I got a virtual memory low error when I tried to scan the registry. The ONLY way I could see the file was through Filemon AND through the file sharing...

I'm guessing next one will palliate to those things by attaching themselves to the most common troubleshootings tools like regmon and attach themselves to the SMB protocol to make sure they can't be displayed through the shares...

This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PC and non-tech-savyy users, and tons of internal apps that were developped either with .Net or massive ACtiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.

Anyway.

Already in the wild?

[kilocomp]

One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
1. The process would not show up in task manager
2. The related files would not show up in Explorer
3. The related registry keys did not show up in regedit
4. It some how was being called by Winlogin, so it ran even in safe mode.

The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.

Re:Unpossible to Clean SpyWare?

[Werrismys]

"Honestly, VMWare is the best way to use Windows :-)" You could not be more right. I have been advocating VMware before, but for a reason.

I have set up 98SE, 2000Pro, XP environments (clean) under VMware and can easily create a 'clean' environment to test stuff. The snapshot feature is excellent, just snapshot the VM in question and if/when the software fucks up, restore.

The virtual hardware is the same every time. No driver issues. In fact, the current desktop PC's are so fast that it would make sense to run Winblows in them exclusively under VMware.. just store the user dirs on server. Get a new PC? Just copy the virtual disks and configuration.

I've been using VMware since its introduction and am currently using the 4 (and 5beta) versions for desktop use. I've had no use for the expensive server version yet since most of the servers are already running Linux.. but for those legacy Win32 apps VMware is really a blessing. Even been testing BSD's and SuSE distros with it.