На техническом форуме forum.esetnod32.ru в последнее время привлекли две темы, связанные с активностью руткита Sirefef/ZAccess/Maxplus.
Антивирус обнаруживает в памяти
Цитата:
|
13.05.2014 2:27:32 Модуль сканирования файлов, исполняемых при запуске системы оперативная память Оперативная память Win32/Sirefef троянская программа
|
проверка в tdsskiller v 3.0.0.34 результат не дала.
Цитата:
14:21:49.0812 0x0d44 TDSS rootkit removing tool 3.0.0.34 Apr 29 2014 18:20:10
14:21:53.0781 0x0d44 ================================================== ==========
14:21:53.0781 0x0d44 Current date / time: 2014/05/13 14:21:53.0781
...
14:22:32.0125 0x0ab8 ================ Scan MBR ==================================
14:22:32.0125 0x0ab8 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
14:22:32.0312 0x0ab8 \Device\Harddisk0\DR0 - ok
14:22:32.0312 0x0ab8 ================ Scan VBR ==================================
14:22:32.0312 0x0ab8 [ E91BDD0F11AA316ADA62DF0B6B91B358 ] \Device\Harddisk0\DR0\Partition1
14:22:32.0343 0x0ab8 \Device\Harddisk0\DR0\Partition1 - ok
14:22:32.0343 0x0ab8 [ F29821165B66421AB26D25C5B4A6D09D ] \Device\Harddisk0\DR0\Partition2
14:22:32.0375 0x0ab8 \Device\Harddisk0\DR0\Partition2 - ok
14:22:32.0375 0x0ab8 Waiting for KSN requests completion. In queue: 266
14:22:33.0375 0x0ab8 Waiting for KSN requests completion. In queue: 266
14:22:34.0375 0x0ab8 Waiting for KSN requests completion. In queue: 266
14:22:35.0421 0x0ab8 AV detected via SS1: ESET Smart Security 7.0, 7.0, enabled, updated
14:22:35.0421 0x0ab8 FW detected via SS1: Персональный файервол ESET, 7.0.302.26, enabled
14:22:37.0687 0x0ab8 ================================================== ==========
14:22:37.0687 0x0ab8 Scan finished
14:22:37.0687 0x0ab8 ================================================== ==========
14:22:37.0687 0x09a4 Detected object count: 0
14:22:37.0687 0x09a4 Actual detected object count: 0
14:22:53.0859 0x0fcc Deinitialize success
|
проверка другими методами и программами: метод поиска скрытых объектов по файлу сверки в uVS, cureit, eset_syrescue, malwarebytes, pchunter_free, gmer также не дали результат, хотя ESET sysinspector показывает наличие руткита в памяти: SysInspector: "Руткит" = "@Trojan.Win32/Sirefef" ( 9: Высокий риск ) ;
проверка специализированной утилитой очистки Sirefef результат не дает
Цитата:
[2014.05.14 20:38:18.781] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Sirefef
[2014.05.14 20:38:18.781] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.1.0.18
[2014.05.14 20:38:18.781] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Feb 27 2014
[2014.05.14 20:38:18.781] - .::EE:::::::::::::SS:.EE..........TT......
[2014.05.14 20:38:18.781] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
[2014.05.14 20:38:18.781] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2014.05.14 20:38:18.812] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.14 20:38:18.875] - INFO: Default settings of system services restored successfully.
[2014.05.14 20:38:18.875] -
[2014.05.14 20:38:18.890] - INFO: Win32/Sirefef was successfully scheduled to after reboot
|
после перезагрузки вредоносный объект по прежнему висит в памяти.
в связи с этим компанией ESET была выпущена (в срочном порядке) новая версия утилиты
ESETSirefefCleaner 1.1.0.19
и вот обновленная утилитка находит на диске компоненты Sirefef
Цитата:
[2014.05.15 13:06:47.253] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Sirefef
[2014.05.15 13:06:47.254] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 1.1.0.19
[2014.05.15 13:06:47.255] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: May 14 2014
[2014.05.15 13:06:47.256] - .::EE:::::::::::::SS:.EE..........TT......
[2014.05.15 13:06:47.256] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
[2014.05.15 13:06:47.257] - ..::::::::::::::::::.................... 1992-2013. All rights reserved.
[2014.05.15 13:06:47.312] - INFO: Removing remnants of Win32/Sirefef threat...
[2014.05.15 13:06:47.887] - INFO: Directory scheduled to after reboot cleaning 1 - \??\C:\Windows\$NtUninstallKB3296$
....
[2014.05.15 13:06:49.712] - INFO: Win32/Sirefef was successfully scheduled to after reboot cleaning.
[2014.05.15 13:07:08.592] -
[2014.05.15 13:07:08.592] - --------------------------------------------------------------------------------
[2014.05.15 13:07:08.592] - INFO: System is rebooting...
[2014.05.15 13:07:09.614] - --------------------------------------------------------------------------------
[2014.05.15 13:07:09.614] - INFO: Logging finished successfully...
[2014.05.15 13:07:09.614] - ----------------------------------------------
|
после перезагрузки ESET более не детектирует Sirefef в памяти.
15.05.2014 13:37:23 Оперативная память 275 0 0 Зaвepшeнo
заметим, что и
антируткит от malwarebytes так же обнаружил и удалил часть скрытых объектов от Sirefef.
Цитата:
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
Malwarebytes | Free Anti-Malware & Internet Security Software
Database version: v2014.05.14.02
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.17107
Computer :: GIN [administrator]
14.05.2014 12:54:18
mbar-log-2014-05-14 (12-54-18).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 286246
Time elapsed: 29 minute(s), 53 second(s)
Folders Detected: 4
c:\windows\$ntuninstallkb3296$\1644588774 (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\l (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\194118127 (Backdoor.0Access) -> Delete on reboot.
Files Detected: 13
c:\windows\$ntuninstallkb3296$\1644588774\l\xadqgn nk (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\000000 01.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\000000 02.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\000000 04.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\800000 00.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\800000 04.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\u\800000 32.@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\@ (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\bckfg.tm p (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\cfg.ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\desktop. ini (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\keywords (Backdoor.0Access) -> Delete on reboot.
c:\windows\$ntuninstallkb3296$\1644588774\kwrd.dll (Backdoor.0Access) -> Delete on reboot.
Physical Sectors Detected: 0
(No malicious items detected)
|
(c), chklst.ru
15.05.2014, 20:07
Мы мирные люди, но наш бронепоезд...
Линейный вид
