Apr 16

I spent half a day last weekend helping my friend battle a computer infected with trojans. Lots of them. They were persistent and difficult to remove. Malware like AntiVirus 2008 or AntiVirus 2009, as described in this post, was easier to remove compared with the ones I encountered last week. Basically, AntiVirus 2008 and AntiVirus 2009 are malware that use scare tactics to make users buy their own virus removal software. The ones I encountered at my friend’s house turned out to be a kind called a “rootkit.”

According to Wikipedia, “A rootkit is a software system that consists of a program, or combination of several programs, designed to hide or obscure the fact that a system has been compromised… An attacker may use a rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system.” This is a serious threat.

The computer in question has a good working McAfee VirusScan, and its On-Access Scan window keeps popping up saying that a trojan was found and deleted. That’s how my friend found out about their existence. The reason he asked for my help was that it looked like it was catching the same group of files again and again, even though the virus scan said it had deleted them. Some of the files were in windows\system32\drivers. They were systemntmi.sys, amd64si.sys, i386si.sys, amd64si.sys, and lots of others.

So, there I was, trying various other software. I tried Malwarebytes’ Anti-Malware. It found a bunch of infections. Like over 50. It said it had removed them. Reboot. Scanned again. Strange. It found them again. Removed. Reboot. I used Avast! Reboot. I used Trend Micro RootkitBuster. Reboot. As I said earlier, the trojans were persistent. I decided to take a break at that point to do more research on the issue.

What I will do this weekend is an OS reinstall. As the Wikipedia article says, “Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch.”

Oh well. I’m looking at two system restore projects within a week!
