How to get a 'root' to kill itself

Started by vanjast, June 03, 2011, 05:25:20 PM

vanjast

Somewhere I mentioned that I got that little invasion piece of code from my kid's USB stick.
...anyway, it ended up on my laptop, as I do a lot of dev on this and transfer files from my desktop.

I got to toying with it... and found it changes most of the security settings to prevent you from getting to it.
On my desktop I easily got rid of it by changing the security settings back to me, but on my laptop this was not doing too well.
It got around any changes, deletions, rootkit killers, etc. by preventing completion/shutdown of tasks.

I have Visual C installed on my laptop, and this has a debugger that always pops up when a piece of code goes haywire, so I thought... let me debug it for fun.
The debugger got into it and produced the same code as IDA and Olly... OK, a quick browse and shut it down. Msoft C complained at shutdown (as mentioned earlier), and on closing the error message the BugCode shut itself down... I just ROFLed.

I quickly disabled it in the registry and deleted the files... Hasta la vista, baby... I'll be baaack!!
:bdg :bg

baltoro

Interesting.
In retrospect, do you have any idea how it initially got the code to execute???
...On my development machine (which is my only one), I always run with administrative privileges enabled. And I NEVER connect it to the Internet (my wireless adapter is ALWAYS disabled).
I can't imagine that some USB malware would run its own process. You could easily write a user-mode program that could hook CreateProcess (using Microsoft Detours)... and alert you to every process on your system. Also, SysInternals Process Explorer would display information about all processes, wouldn't it???
Baltoro

jj2007


baltoro

Baltoro

vanjast

I must be suffering from 'oldtimers'... I knew this existed but couldn't remember how to disable it... :bg

hutch--

Van,

It also means you don't keep a disk image of your boot drive, that absolutely ROOTS a root kit.  :bg
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

baltoro

Quote from: HUTCH...It also means you don't keep a disk image of your boot drive, that absolutely ROOTS a root kit. :bg...

Hutch,...could you elaborate a little on this topic ??? I'm embarrassed to admit that I know absolutely NOTHING about it.
Baltoro

hutch--

Which, the disk image or the OZ idiom on how to fully PHUK something?

A disk image is something like Acronis or Norton Ghost. It saves an entire partition as a file somewhere, preferably on another HDD, and if you have a stuff-up you re-write it back to the original partition and it is identical to what you backed up in the first place.

The historical OZ idiom of something being ROOTED refers to a target of desire that someone has had their wicked way with, and that the target is no longer of any value. :P

dedndave

I have had good results with...
http://www.ultimatebootcd.com/
freebie, of course :bg

vanjast

Quote from: hutch-- on June 07, 2011, 06:57:35 AM
The historical OZ idiom of something being ROOTED refers to a target of desire that someone has had their wicked way with and that the target is no longer of any value.  :P
happens every couple of days or so... whoops!!