Worm With Rootkit Package Loose On AIM

Only Chat room users affected? by BoldAndBusted · 2005-10-30 14:31 · Score: 5, Interesting

So, I use GAIM, and I never use the Chat rooms. Should I worry?

Re:Only Chat room users affected? by jZnat · 2005-10-30 14:33 · Score: 4, Funny

And I use Linux, so I'm assuming there's no need to worry. WINE isn't stable enough to support a virus/worm/trojan/etc.

--
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
Re:Only Chat room users affected? by AnamanFan · 2005-10-30 15:00 · Score: 5, Informative

Assuming you're on a Windows operating system.

Use of GAIM will only prevent propagation of this worm. There are more levels at play here.

The worm is actually installed from a link you would click on from an infected IM. Nothing fancy here, it's just a simple HTML link. Clicking on this link will call up your web browser. What happens here depends on both the browser, patches, browser settings, and you. In IE, it's likely that the executable will just run it. Or, ask you to download/run said file. The latter true for Firefox or Opera as well as IE.

In any case, if your computer runs this executable, the computer in infected and it's game over. BUT, you won't be spreading the worm to others since you're using GAIM. The spreading of the worm depends on the AIM (or AOL?) client running on the computer.

That is until the worm writers also write for GAIM.

--
AnamanFan - Trying to find the Truth, one post at a time.
Re:Only Chat room users affected? by EnronHaliburton2004 · 2005-10-30 15:23 · Score: 3, Funny

Come on over to the IRC chatrooms. We're friendly, and we'll help you to activate some "worm-like" programs on your system. You don't want to miss out now, do you?

--
94% of Repubs and 21% of Dems voted to renew the Patriot Act
Re:Only Chat room users affected? by Fordiman · 2005-10-30 16:01 · Score: 5, Interesting

Hmmm... Probably not. However, I would suggest not downloading and running any exe files from unknown sources. Unlike the idiots usin AIM who've been hit with this.

But you know what? I'm not going to be frightened by a worm or virus until someone writes one that works via bittorrent.

IE: The worm is a compact, surreptitious BT/Kademlia client. There are distributions of the nasty part built for Win32, OSX, and Linux, floating on the torrentstream. The nasty part can be any size, and has constantly updated exploit code for numerous pluggable targets (for example, you, as the virus writer, could add a torrented executable for exploiting a new bug in filezilla server, or in Apache, etc.) The virus core would download this and run it on the local machine. It could even be "smart", and detect the target machine's servers before getting and running the exploit. Once the exploit is run at the target machine, it uploads the BT client virus core for the appropriate architecture, and the process starts again.

One could use the usual tools for preventing detection and removal: polymorphic code, torrential code (code that is split on function barriers and resorted in random order on a per-spread basis), multiple copies, Knowing your Permissions (IE: run itself as user X, make user X root/admin, set permissions so that only user X can know the executable and process exist.) Persistent regression (IE: making sure that the executable is in the startup files of the OS) Trojaning, masking (encoding the executable and running itself via a decoder program) ...

Y'all should be happy I don't write virii. I've been fighting with them so long, I think I'd be pretty good at it...

--
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
Re:Only Chat room users affected? by Schemat1c · 2005-10-30 16:57 · Score: 4, Funny

'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'

Sure a woman can block pop ups, all she has to do is giggle.

--

"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
Re:Only Chat room users affected? by thesnarky1 · 2005-10-30 17:12 · Score: 5, Interesting

Yes.... your friends who don't can still send you the link. If you click it, boom. I've cleaned this off of 5 systems this moonth among my friends, Two GAIM, and 3 AIM. Its a nasty virus, I might add, and I don't think the article does it justice. Yes, it prerys upon P2P, but the worst part is, most users will click that link before thinking, so its free bait. This is social engineering at its worst, and the only way to stop it is to tell your friends and family right now. No, this is not a chain letter, this is a plea for help, I can only reach so many people on my own. For instance, my away message on AIM right now deals with this article, and the virus.
To answer the parent's question, as long as X person out there has this virus, you are affected, because they can send you the link.

--
Want to find other gamers to play board and role playing game
Re:Only Chat room users affected? by Gojira+Shipi-Taro · 2005-10-30 17:15 · Score: 4, Insightful

Do YOU know an average windows user that doesn't regularly run with account with Admin priveledge? I sure don't, because most applications publishers in the windows world make it more than slightly inconvenient to run with other than Admin level privledges.

So yea it's likely to be granted Admin access, and it's likely to be a threat, on the scal of the whole "nasty shit that causes unnecessary network traffic" thing.

--
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
Re:Only Chat room users affected? by earthbound+kid · 2005-10-30 17:29 · Score: 4, Funny

Back in the days of CRTs, I was always waiting for someone to write a virus that sets your refresh rate so high that your monitor catches fire. That would have been a cool virus. It's probably too late for it now though.

duh by Anonymous Coward · 2005-10-30 14:32 · Score: 5, Insightful

"'The rootkit is designed to not be detected, and that is the scary part.'"

ummm isn't that the definition of a root-kit?

Re:duh by killa62 · 2005-10-30 15:03 · Score: 5, Informative

Actually, rootkits go out of their way to be undetected.
(Shamelessly stolen from grc.com)
"What happens is, they essentially modify the way the OS itself works. They're compromising the operating system kernel. You know, in operating system terminology we have the notion of a kernel, which is the OS core. And then you've got applications which run as sort of clients of that operating system. So a program you're running, you know, Corel Draw or Outlook or whatever, that's a client of the operating system. Well, so are the spyware scanners. So when you're running even a spyware scanner, it's saying to the operating system - in fact, for example, there are two API calls that's "find first file" and "find next file." So if you ever want to, like, do a directory listing, you'll say "find first file *.*," and it gives you the first file. And then you successively call "find next," "find next," "find next," until it returns no more files. That's all there is to it. So that's - so anything that's scanning your system is basically doing that.

Well, imagine if something altered the way the "find first" and "find next" operated, so that it was intercepting the response back to you, out of the operating system, back to any application that was asking, so that if it was about to report one of its own files, it would call - it would say, whoops, and call "find next" again on your behalf, skipping over that file. Suddenly any program running on the operating system will not see any of those stealthed, rootkitted files. They just disappear. "

link
http://www.grc.com/sn/SN-009.htm
Re:duh by Billly+Gates · 2005-10-30 16:22 · Score: 4, Interesting

Try explaining that to grandma? After all her antivirus software said nothing was installed right?

Explaining about api's only makes you look incompentant if your an It professional because your not speaking down to their language to build confidence.

I had a rootkit last month. Nothing could get rid of it but a full fdisk/mbr where I lost everything. It was MBR based and would append itself when running windows which made it nearly impossible to delete.

Watch as spyware makers do this in the future to prevent anyone from deleting their wares.

--
http://saveie6.com/

Who of us actually would click... by rkitchen · 2005-10-30 14:32 · Score: 4, Funny

"Check out these great new pics of us!! LoLz :)"

Re:Who of us actually would click... by Nuskrad · 2005-10-30 14:36 · Score: 4, Insightful

Probably very few of *us*, if you're referring to Slashdot readers, who we shall assume have some degree of computer literacy. However, the vast majority of internet users are idiots. Simple fact.
Re:Who of us actually would click... by karvind · 2005-10-30 14:36 · Score: 5, Funny

:(
You cheated, there was no link in your post. I have been clicking on the post for last 10 min, nothing happened.
Re:Who of us actually would click... by kakashiryo · 2005-10-30 14:44 · Score: 3, Funny

You want to know scary? My mother asked me where the Desktop was.
Re:Who of us actually would click... by macsox · 2005-10-30 14:52 · Score: 5, Insightful

i don't know why i'm engaging on this, but i will.

the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.

my nice response to your comment is that you should try to appreciate that not everyone has the time, energy or will to learn computers to the extent that you or i have.

my mean response is as follows: i have a theory. kids start out life talking about how they want to be astronauts, or the president, or teddy bruschi.* they see a vast world of limitless possibility and imagine themselves filling up an enormous space within it. as people age, they start to realize that they most likely won't be a michael jordan or a bill gates, and their response is not to be content being a small fish in a big pond -- it's to reduce the size of the pond that is 'important'. so, i, for example, work in politics. it's easy for me to see the political world i inhabit as the most important thing locally, or even in the world, and to feel very self-important as a result. many users on slashdot see the world of tech as the pond. or their own i.t. departments. people reduce the scope of the important world, until they are a big fish. i call this, uncleverly, 'resizing the pond'.

i posit that you are resizing the pond. and, further, that you shouldn't.

</self-righteousness>

* don't know who this is? there are people who would call you an idiot if you didn't.

--
go get it
Re:Who of us actually would click... by geminidomino · 2005-10-30 14:56 · Score: 4, Insightful

the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.

"Hey, you don't know me, but I just KNOW you'll love what I have in this box. Go ahead, take it home and open it."

Trusting complete strangers isn't a mark of techno-ignorance, it's a mark of idiocy.
Re:Who of us actually would click... by macsox · 2005-10-30 15:20 · Score: 3, Insightful

first of all, you seem to think that going to best buy is the same as buying things from people in alleys. which i have to say is a bit simplistic.

second, trusting complete strangers is a mark of being able to function in society. when you leave the house, do you need to ensure that everyone driving down the street is a friend or acquaintance? when you go to a restaurant, do you get background checks on the staff? from whom did you buy the aluminum foil to make your hat? mom?

--
go get it
Re:Who of us actually would click... by Toasty981 · 2005-10-30 15:29 · Score: 4, Insightful

"Hey, you don't know me, but I just KNOW you'll love what I have in this box. Go ahead, take it home and open it."

Trusting complete strangers isn't a mark of techno-ignorance, it's a mark of idiocy.

I think part of the problem--and nothing earth-shattering here--is that people still think of PCs as a regular appliance. I know people who think of websites the same way they would think of turning on a TV show. If a friend tells you to turn on a station, nothing bad could happen to the TV. They tend to think the same of a website.

Now, the question is whether people who get infected learn their lesson...that's what I'd like to see. Anyone know of any studies or such related to that? Do people take security more seriously once it happens? You'd think so, but we all know people who went back to using IE after we install Firefox/Opera/other because the Flash games wouldn't work.
Re:Who of us actually would click... by herriojr · 2005-10-30 15:49 · Score: 5, Insightful

You're not taking into consideration that it's a message from someone on your buddy list, not a perfect stranger.
Re:Who of us actually would click... by jlarocco · 2005-10-30 15:54 · Score: 3, Insightful

the vast majority of internet users are not idiots -- they are merely undereducated about computers and the internet.

my nice response to your comment is that you should try to appreciate that not everyone has the time, energy or will to learn computers to the extent that you or i have.

Maybe the vast majority of internet users should take the little bit of time to appropriately learn about computers and the internet. I'm not saying everyone who uses a computer should be system admins, but I don't think it's too much to ask that people who are going to use a computer every day have at least a basic understanding of what they're doing.

If someone were to get behind the wheel of a car and start driving, with no drivers license, having never driven before, they'd go to jail. It's the law that people have to have at least a basic knowledge about their car and how to drive. Yet, at the same time, any moron with $400 can bring home a new computer, hop on the interweb, and have their new computer pwned and DDOSing some random website in 2 minutes because they either don't understand or don't care to follow simple advice like "Use a virus checker and firewall". Obviously, computer and internet use shouldn't be regulated as heavily as driving, but if people can't be bothered to take a little time to learn how to use their computers, they deserve everything they get in my opinion.

--
Maybe not
Re:Who of us actually would click... by Deathanatos · 2005-10-30 16:34 · Score: 3, Interesting

Who of us actually would click... "Check out these great new pics of us!! LoLz :)"

The sad thing is, people do! And not only do they click the link pointing at some odd site, they download a file, and execute it!

There was an AIM trojan similar (but not the same, I believe) that got circulated to me (by a few of my 'friends') this last week. It's text was something like, "check out these kewl pics of me!" Now, if anyone I know said "kewl" that'd instantly throw red flags. (And still, I got that same IM _6_ times that one night.) So, I take a look. The link points at some odd site, with a .php file. Now, none of the people who IM'd me that night were smart enough to set up a websever w/ PHP. The PHP file, I find, hands you a .com file (With the oh so cliché name img552.com). (Which I think was actually a full Win32 app...) At any rate, through some research, it seems you needed run it in a root user account.

And that's just the thing. Many of these AIM virus/trojan/etc. need not just one, but several lapses of logic to work. They still manage to spread, however. When you click a link, download a virus, and then run it in a root account (although half the world runs as root...)... that's three (usually) fairly obvious lapses in your thinking.

This isn't a hole in the computer, it's the user. Users are..., uneducated. Many /.ers know this, people don't understand how the technology they live with works. Until they do, things like this will continue to work, and people who fix computers will continue to make a living, and we'll keep having to listen to journalism repeat the same words: Don't open executables you don't recognize. (Then again, don't these stupid Windows computers hide extentions by default? We keep telling users not to open things that end in .com, .exe, etc., but all they see is cool_pic(.com!))

But this is /., and I'm preaching to the choir.

*yawn* by patio11 · 2005-10-30 14:33 · Score: 3, Interesting

Summary of TFA: "You might have seen this trick before. A friend points you to a link to an .exe file. You click on it and, ignoring the security message which pops up, attempt to run it. Bad stuff happens. BUT WAIT! Now bad stuff includes a 'root kit', too! Doesn't that sound scary and hacker-y?"

--
Help poke pirates in the eyepatch, arr.

Designed not to be detected - as compared to...? by Telcontar · 2005-10-30 14:34 · Score: 4, Insightful

"The rootkit is designed to not be detected, and that is the scary part."

You can often judge the quality of the articles linked to by /. by their summaries. Check the definition of root kit before writing such a summary. One would hope that at least story submitters are more competent than the average journalist - but then again, this is /. :-)

Um... by Anonymous Coward · 2005-10-30 14:34 · Score: 4, Insightful

The rootkit is designed to not be detected

So ... most rootkits are designed to be detected?

Noteworthy tools by nmb3000 · 2005-10-30 14:35 · Score: 5, Informative

I suppose that anyone in the computer tech/repair shop industry might appreciate tools like Rootkit Revealer right now.

Hopefully Microsoft's project that hasn't been released yet will show up soon. They also have a few hints to detect rootkits installed on a system including two Slashdot links.

Hooray for AOL.

--
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)

Re:Noteworthy tools by chris_eineke · 2005-10-30 14:51 · Score: 4, Funny

I suppose that anyone in the computer tech/repair shop industry might appreciate tools like Rootkit Revealer right now.
I 'spose that anyone in the computer tech/repair shop industry appreciates worms like these.

--
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke

Old.. by Chickenofbristol55 · 2005-10-30 14:36 · Score: 5, Informative

This is actually pretty old news, one of my friends got this a few weeks ago (he's not a geek, and he called me because I build this custom pc for him). It's quite easy to fix though, a good Ol' system restore fixes it, and there are many programs that can search for, and delete rootkit and other trojans (i'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers). The trojan was called directX.exe, found in windows/system32 folder. My suggestion: don't click on a link from a friend before 1) you know what it is 2) and make sure that it doesn't say that your downloading a video file, when it's obviously a batch or exe file. This virus is not really a big deal, you just have to have half a brain to deal with it.

--
public class null extends java applet { System.out.print ("Tabula Rasa"); }

Re:Old.. by Anonymous Coward · 2005-10-30 16:32 · Score: 5, Insightful

It's quite easy to fix though, a good Ol' system restore fixes it, and there are many programs that can search for, and delete rootkit and other trojans (i'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers).

Rule #1 when dealing with rootkits (or other break-ins)... The system can no longer be trusted. That means any and all executables on the system are suspect (including System Restore functionality) and may have been tampered with.

On a unix/linux box, that means shutting the system down and booting from read-only media that cannot be tampered with. Then you use tools that are only on the CD/DVD to investigate the system and find out what files have been changed / corrupted / hijacked. This is where tools like Tripwire come into play (or simply using fingerprinting tools like md5sum and doing a diff between two sets of signature files).

On a Windows box, you're better off with a format and re-install from CDs. Or, if you thought ahead and created a disk image using Knoppix, you could restore using that image. (Be sure that it's an image that you know is clean.)

Luckily for you, it sounds like the worm that you dealt with was apparently not very sophisticated. But how can you be sure that you've removed that rootkit from the system? And who's to say that the next one won't interfere with System Restore?

Never assume that worm writers are stupid. Don't assume you can outsmart them. However, most of the time (unless you are a specific target), worm writers are looking for the biggest return for least effort. So a worm that infects the majority of hosts is enough and they will not bother writing the code to infect the rest.

IOW, if System Restore functionality begins to have a significant impact on infection rates, you should plan on System Restore functionality being broken by future worms.

In summary:

- Backup your data files regularly.
- Boot a Knoppix CD/DVD and fingerprint your system regularly for a baseline to compare against at a future date.
- Use that Knoppix CD/DVD to create snapshot images of your currently working (and uninfected) system.
- If you're infected / invaded, assume that you haven't found everything and will need to rebuild the system from scratch.

(Yes, I've fought off a rootkit once. It was a real pain.)

Root kits by Rufus211 · 2005-10-30 14:45 · Score: 4, Funny

"The rootkit is designed to not be detected, and that is the scary part."

As opposed to those root kits that are designed *to* be detected? Damn it, thinking again instead of being scared into buying something. Really need to work on that...

Re:hah by saskboy · 2005-10-30 14:48 · Score: 3, Insightful

Frequently Messenger type programs get worms that do NOT require the user to click, thus making the virus that much more worm-like since it doesn't require user intervention. Windows XP had several of these vulnerabilities, and so did MSN Messenger 6. Did you ever wonder why Microsoft forced upgrades sometimes? It's because a critical bug was found in their JPG processing code for instance, and the mere presence of MSN 6 and an infected buddy messaging you automatically, because they got infected automatically, meant you got infected too. It came through a malformed .jpg or .png Avatar picture that on most Messengers is set to download and display upon arrival of any message from that person, even a message sent by a virus.

--
Saskboy's blog is good. 9 out of 10 dentists agree.

Well... by slavemowgli · 2005-10-30 14:54 · Score: 4, Funny

It delivers a brutal root-kit [...]

As opposed to the usual kind and gentle root kits, I suppose?

The rootkit is designed to not be detected, and that is the scary part.

Isn't that part of what makes a root kit?

--
quidquid latine dictum sit altum videtur.

How to remove it. The answer. by TheGSRGuy · 2005-10-30 14:58 · Score: 3, Informative

http://www.jayloden.com/VirusClean.htm

This tool is updated almost daily. 100% effective, I can vouch for it. You can become infected if you click the link on non-AIM clients, but it won't spread to everyone else on your buddylist.

Re:How to remove it. The answer. by rhizome · 2005-10-30 15:26 · Score: 5, Interesting

I can vouch for it.

And who are you?

--
When I was a kid, we only had one Darth.
Re:How to remove it. The answer. by Atragon · 2005-10-30 15:32 · Score: 4, Funny

And who are you?
He's TheGSRGuy of course.

Yahoo.com and Google.com by tepples · 2005-10-30 15:05 · Score: 4, Informative

How many people still use .com files anyway?

Yahoo.com, Google.com, Fark.com, News.com.com... Windows stores Internet shortcuts in files with the .url suffix, but even when you have "hide file extensions" turned off, Windows still hides the .url suffix, making it nearly impossible to distinguish Google.com from Google.com.url in icon view and difficult in any other view. The little arrow in the corner doesn't mean much, as the Google.com file could contain an icon with the arrow already drawn inside.

Re:Yahoo.com and Google.com by wx327 · 2005-10-30 17:16 · Score: 4, Informative

You can change these settings in explorer by going to (using the URL internet shortcut as an example):
Tools/Folder Options/File Types/URL/Advanced/Always show extension

Alternatively, you can edit the registry and create the following key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShort cut] (slashcode will probably insert a space somewhere in there)
"AlwaysShowExt"=""

Re:As compared to the one with the alert box? by Entropius · 2005-10-30 15:05 · Score: 3, Funny

This's work especially well in Australia, when the root-kit *could* be the carrot...

Re:AIM client, or AIM protocol? by Kadin2048 · 2005-10-30 15:11 · Score: 4, Interesting

Well this is true, it could just as easily be spread via email or something, but the relation to AIM is that once the virus (trojan, whatever you want to call it) gets into your system, I believe that it sends out messages to all of your contacts with the link, propagating itself.

At least this is how several other IM viruses have been spread. I noticed that just this weekend I got several IMs from people that I haven't talked to in years (but who apparently still have me on their lists) which were nothing but links to .COM or .EXE files.

One of them was being hosted at this address:
http://home.earthlink.net/~two4tea/mc-110-12-00000 80.exe (It has since been removed -- the link is dead)

And I didn't get the other URL that was going around. I downloaded the file and opened it up in a hex editor just out of curiosity (I'm on a Mac so it wasn't possible to execute anyway), but there didn't seem to be any obvious text strings or anything.

What I wonder is how the file got up on that web site to begin with; it seems rather farfetched to believe that a virus could find out that someone has a Earthlink web page and upload itself, then send out that link, which makes me think that the person spreading the virus probably planted it there after somehow gaining access to the account, and then letting the version of the virus which points to that URL out. When the linked file is removed the virus stops propagating, but by then has already spread and nabbed a few unwary users. Unless the program has the capability of 'phoning home' to get the URL of the latest location to send out to everyone, that is. The file was a few hundred KB, so I suppose it's entirely possible that it has that capability; you could fit quite a bit of code into something like that.

Not really my area of expertise, but perhaps someone who knows something more can elaborate on how these things work?

--
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."

Re:When everyone runs as root already by Mantus · 2005-10-30 15:11 · Score: 3, Informative

Due to poor software design, it's difficult to not run ad admin. Most programs run no problem, be some, like WinAMP, need to have their directory permissions changed to run and a non-admin. While this isn't a problem for power users, most users won't even know how to change the permissions (in XP Home you need to boot into safe mode to get the security tab to appear in the file properties windows)

Despite the fact that the \Documents and Settings\username folder exists, some developers choose not to use it, and that causes problems.

Hey kid, want some candy? by Kadin2048 · 2005-10-30 15:20 · Score: 4, Insightful

Actually it's more like the old adage about taking candy from strangers. "Here, eat this! You'll like it!"

Most people just don't make the mental connection that they could click on a link -- something they do pretty often and usually without incident -- and cause serious harm to their computer.

I vote that it's more ignorance (to a certain degree self-imposed, because a lot of people could understand a lot more about their computers if they wanted to, but simply choose not to) than a lack of ability or mental capacity.

--
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."

Re:A couple of hours? by mindstrm · 2005-10-30 15:49 · Score: 3, Informative

Right then, well, "System Restore" is a feature of Windows XP that snapshots the status of a whole bucketload of system settings, DLLS, etc... each time you update software, and at other times determined by the system, these snapshots are taken. You can go into system restore and revert to your system status from yesterday, last week, or just before oyu installed something, and it generally works very well (meaning quickly, reliably, and doesn't erase your data.) It doens't make a mess, either.

It was a very surprisingly well done feature, I can't actually believe it came from MS

Some viruses DO run on WINE by killa62 · 2005-10-30 15:57 · Score: 3, Informative

Some windows viruses do run under WINE. However, they do not affect the system to the extent that windows viruses affect windows systems. They RUN, but mostly nothing else happens other than wasting CPU cycles.

I think this was posted on /. before.
http://os.newsforge.com/article.pl?sid=05/01/25/14 30222&from=rss

Re:Some viruses DO run on WINE by Psykosys · 2005-10-30 16:04 · Score: 5, Funny

When are they going to get around to full virus support? (I'm sticking with Windows 'til then.)

been here before by jordan · 2005-10-30 17:34 · Score: 3, Interesting

we warned them once , we warned them twice .

silly AOL, will they ever listen?

FDisk in 2005? by Anonymous Coward · 2005-10-30 17:38 · Score: 3, Informative

I had a rootkit last month. Nothing could get rid of it but a full fdisk/mbr where I lost everything. It was MBR based and would append itself when running windows which made it nearly impossible to delete.

It's 2005 and you only tried FDisk? There's a number of free boot record editors that could have fixed anything. There is no rootkit that I know of that is based out of the MBR the way the old Pakistani virus did to Apples. If I have a customer who needs data recovered off a rootkit infected computer I put it in as a slave in a WXP or W2K system.

Re:FDisk in 2005? by clymere · 2005-10-30 22:07 · Score: 3, Informative

Using a clean windows machine to fix an infected windows drive isn't all that smart in the first place. This is an area where live disks excel, Knoppix being the obvious first choice...not to mention the many variants with more specialized tools added on. You're running a different OS, its running off of read-only media, and you're risking essentially nothing.

--
once you go slack, you never go back

About the rootkit by nightcrawler77 · 2005-10-30 18:20 · Score: 4, Informative

This looks like the same worm a friend of mine got a few weeks ago. I loaded it up in VMWare and discovered that it installed, among other things, the "FU" rootkit.

I took a rootkit class at this year's Black Hat Training from the guy who wrote FU. He pointed out that it's more of a proof-of-concept rootkit. It does allow you to hide files, registry keys and drivers from both user-mode and kernel-mode processes, but, it really doesn't go out of its way to hide itself from every possible angle, so detection (and thankfully, removal) wasn't that bad.

I was able to whip up a little app to fix it from within Windows. But had the worm's author actually expanded on FU's techniques and done a better job of hiding the rootkit, recovery would not have been as nearly as easy. (Just imagine how much fun would it be to talk a novice through Windows XP's Recovery Console!)

Once the worm authors start to get better at exploiting the potential of rootkits, we've definitely got a much better problem on our hands. The old "1. get infected, 2. run anti-virus to disinfect, 3. repeat" cycle just won't work anymore. Good luck even finding a well-implemented rootkit once it's in your kernel, let alone trying to clean it up while it's effectively able to veto every action you take.

(Yet another reason why no Windows user should run as an Administrator.)

--

"Power corrupts, and absolute power corrupts absolutely." -- Lord Acton

IE and i.e. by stonedonkey · 2005-10-30 19:01 · Score: 5, Informative

IE: The worm is a compact, surreptitious BT/Kademlia client.

Took me a second to realize that "IE" meant "id est" and not Internet Explorer. And "id est" means "that is," not "for example," also known as e.g. (exempli gratia).

Handy cheat sheet:

i.e. = id est = that is (not commonly captitalized, or puncuated as an acronym like IE)

e.g. = exempli gratia = for example

There's your pendantic lesson of the day :p

Slashdot Mirror

Worm With Rootkit Package Loose On AIM

50 of 438 comments (clear)