Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Belated "deja vu" - IR for rootkits that run in safe mode

Published: 2005-10-12
Last Updated: 2005-10-12 20:05:57 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
I was a little busy last August 1st and didn't notice that there was a new glitch in the Matrix, a haxdoor variant that's a real problem for first tier IR folks because "It also ......, drops rootkits that run in safe mode." So a number of weeks later when the second haxdoor variant that "drops rootkits that run in safe mode" was being analyzed by Handlers Tom Liston and Lorna Hutcheson, my jaw was dropping as I read Symantec's August 1st recommendations for "cleaning". To say the least, Symantec's documented recovery instructions are onerous, and first responders should at least read their instructions and compare them to an alternative mentioned below.

Since I then knew of only 2 haxdoor versions which create the SAFEMODE cleaning issue (flattening is still preferred here), and since this cleaning issue doesn't seem to have created any significant AV Vendor issues in the middle of this years malware fe$tival, I dropped a line to some AV acquaintences about IR response problems these two variants create.

To make a long story short, F-Secure took a look at the second "safe mode" variant and said  "Yes, this variant uses the similair registry keys/values. Haxdoor indeed does run in safemode. Symantec's recommendation about recovery console is probably the easiest way to delete haxdoor without any special tools. F-secure Blacklight also can identify and rename haxdoor's files. So I'd recommend users to try that first. It is far easier to use than recovery console."

And if your AV vendor does or does not address this issue, please drop me a line. Thanks!

Also, thanks very much Lorna, Tom and Jarkko!.

F-Secure BlackLight Beta

Symantec Backdoor.Haxdoor.E, "Discovered on: August 01, 2005"

Tom's analysis mentioning the second variant is in the Handler's Diary September 22nd 2005, see Follow the Bouncing Malware IX: eGOLDFINGER
Keywords:
0 comment(s)
Diary Archives