I’ve been looking at a bunch of rootkits that seem to be doing the rounds at the moment. Fortunately for our customers, we detect all this malware (and components they drop) as Mal/EncPk-EQ but googling around suggests that this is not an uncommon infection (google for “TDSS rootkit”). To make matters worse, this particular rootkit breaks several of the most common anti-rootkit tools out there which will be a pain if you want to verify you are infected.
One of the slightly unusual things about this series of rootkits though is that the author has left debug output in the code. A handy way therefore to check for it’s presence is to run DebugView from this Microsoft Sysinternals page.
After downloading and running the dbgview executable (make sure you select “Capture Kernel” from the “Capture” menu) you might be unfortunate enough to see something like this: (you may need to leave DbgView running for a few minutes)
This is a pretty good sign you are infected and you’ll now be faced with the joy of cleaning up the infection. Note that I wouldn’t recommend visiting any sites that appear.
Clearly the malware authors are going to remember to remove the debugging output at some point (they may have already) so another and probably easier way to check for this malware is to open up a command prompt and type:
If the malware is present, the output should look similar to this (note the time and size are zero).
We are currently working on several different cleanup techniques for these threats but as always, prevention is better than the cure so make sure your Anti-Virus solution is up to date. If you do find yourself infected though, you might want to try booting from a live CD option such as Knoppix or BartPE. These will allow you to remove the offending files (search for TDSS*).
If you happen to find any samples we’d be interested in taking a look. Please submit them via the web link.