Should I still be concerned?



ThrowawayDay
2012-08-14, 11:20
So apologies in advance if this isn't quite the correct place to post this. I'm not necessarily looking for help removing any malware; I have already removed some malware myself but I'm feeling really paranoid about it. I'm not experiencing any symptoms but I'd like some thoughts from someone experienced in this field as to whether I'm overreacting.

Okay so, I accidentally stumbled into a website that I believe was compromised (IE9 on Win7 x64 SP1, fully up to date, UAC always ON). Microsoft Security Essentials popped up a notification saying that it had removed a threat of some description at which point I thought, "okay, that's still alarming". I closed the entire IE Window and then tried to open MSE.

MSE had mysteriously disappeared. From the whole system.

"Weird", says I, "and also alarming".

I opened IE again and everything seemed to be working so I went to download MSE again and very mysteriously got one of Google's 404 pages (even though it's a Microsoft site).

At first I thought this could be a screwup with the stupid redirect system Google uses on their search engine nowadays but when I put in the URL directly I got the same error. I could get to other pages but not MSE related pages.

I opened Fiddler2 (http://www.fiddler2.com/fiddler2/) so I could see, exactly, where the requests were going irrespective of the URL. But as soon as I started Fiddler, the pages worked again (if I turned Fiddler back off, I got the error, and so forth). I figure what's happening here is there's something plugged into IE that is taking control of certain requests but the plugin that Fiddler uses overrides it when it is enabled (either that, or the malware spots Fiddler and then stops interfering; I'd be interested in thoughts on this).

So anyway, with Fiddler still running so I could watch my HTTP requests and actually get the page I wanted, I downloaded and reinstalled Security Essentials. After running a scan, MSE claims to have found and removed what it identifies as

pws:Win64/Sinowal.gen!B http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin64%2FSinowal.gen!B

I thought, "okay", and I turned off Fiddler to see if IE was working correctly again, which it seemed to be. I then double checked that there wasn't anything hiding in its addons/plugins (which there wasn't).

Next I ran Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) to check for any entries that were suspicious or otherwise unidentifiable. The only thing I found was an exe with a meaningless 5-6 letter name that seemed to be a randomly generated series of characters (when I searched it on google, I found nothing of substance) stored in my AppData folder. I'd never seen it before and couldn't think what legitimate use it could possibly have so I removed it from Autoruns (it was sitting in the HKCU run key) and deleted it from the folder.

At this point, I'm no longer experiencing symptoms of any kind but I decided to look up Sinowal to get some information about it. Apparently, it's an alternative name for Torpig (http://en.wikipedia.org/wiki/Torpig) which is a rather notorious trojan/botnet that was discovered many years ago and researched heavily by various people in the IT security field. I'm not sure if I should be feeling better or worse at this point; on the one hand it has been heavily researched (and one team of researchers even took over the entire botnet for a period of 10 days) but on the other hand, it seems to be fairly complex and competently written (as far as most malware goes).

I decided to download the new Spybot beta, temporarily turn off MSE and do a full scan in Spybot. Spybot found nothing in its scan so I uninstalled it and turned MSE back on. So everything is telling me the system is clean now and I'm experiencing no symptoms, but I'm just not feeling good about things.

I read that Torpig is spread by a rootkit that hides in the MBR; I ran aswMBR as listed in one of the stickies of this forum (which apparently detects the rootkit that delivers Torpig, among other things) and it found nothing.

I'm a fairly security conscious person, and I don't get malware as a rule. Over the years I've never been really convinced that anti-malware applications should be fully trusted to remove malware in its entirety (I mean, the stuff just changes so often, how can you keep up with it?) so I guess I'm looking for reassurance that this thing is gone.

Am I overreacting? Or are there other things I should look at? For instance, I know that Torpig phones home every two hours or twenty minutes or something to that effect; should I find a way to log outbound traffic and look for that?
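
The last question in the post above, logging outbound traffic and looking for a fixed call-home schedule, is something a defender can check mechanically. The following is an added example and not code from the original post or from any of the tools it mentions: it groups outbound connections by process and destination and flags any pair whose inter-connection intervals are nearly constant, which is the signature of a beacon. The log format (ISO timestamp, process name, destination host:port) and the sample lines, including the process name `zqkvx.exe` and the documentation-range addresses, are constructed for the example; a real capture from a firewall log or a periodic `netstat` export would need its own parser.

```python
"""Beacon (periodic call-home) detection over outbound-connection log lines.

Constructed example: the log layout below (ISO timestamp, process name,
destination host:port) is an assumption, not a real Windows log format.
Sinowal/Torpig is documented as contacting its controllers on a fixed
schedule; near-constant inter-connection intervals to one destination are
what this script looks for.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: a browser with irregular traffic and a process
# that contacts the same host every 20 minutes (+/- a few seconds).
SAMPLE_LOG = """\
2012-08-14T10:00:03 iexplore.exe 192.0.2.10:443
2012-08-14T10:00:05 iexplore.exe 192.0.2.10:443
2012-08-14T10:00:11 zqkvx.exe 198.51.100.7:80
2012-08-14T10:02:40 iexplore.exe 203.0.113.9:80
2012-08-14T10:20:09 zqkvx.exe 198.51.100.7:80
2012-08-14T10:31:55 iexplore.exe 192.0.2.10:443
2012-08-14T10:40:12 zqkvx.exe 198.51.100.7:80
2012-08-14T11:00:08 zqkvx.exe 198.51.100.7:80
2012-08-14T11:05:30 iexplore.exe 203.0.113.9:80
2012-08-14T11:20:10 zqkvx.exe 198.51.100.7:80
"""


def parse_log(text):
    """Return a list of (timestamp, process, destination) tuples.

    Blank or malformed lines are skipped rather than aborting the run.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((when, parts[1], parts[2]))
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Flag (process, destination) pairs that connect on a regular schedule.

    A pair is reported when it has at least `min_hits` connections and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    connections is below `max_cv`. Human-driven traffic is bursty and has a
    high CV; a timer-driven beacon has a CV close to zero.
    """
    by_key = defaultdict(list)
    for when, proc, dest in records:
        by_key[(proc, dest)].append(when)

    beacons = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()  # tolerate out-of-order log lines
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            beacons[key] = {"hits": len(times), "interval_s": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (proc, dest), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{proc} -> {dest}: {info['hits']} hits, "
              f"every ~{info['interval_s']:.0f}s (cv={info['cv']:.3f})")
```

On the constructed sample only `zqkvx.exe -> 198.51.100.7:80` is reported, with five hits roughly 1200 seconds apart; the browser traffic is either too infrequent or too irregular to pass. The thresholds are deliberately loose so that jitter of a few seconds, which real timers and network latency introduce, does not hide a beacon; tighten `max_cv` or raise `min_hits` if a long capture produces too many candidates.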

tashi
2012-08-14, 16:06
Hello ThrowawayDay,

For someone to offer advice they'd need to take a look at the system.

If this is a personal computer please refer to the forum sticky and the instructions in post #2 on how to provide preliminary DDS and aswMBR logs used for analysis.

http://forums.spybot.info/showthread.php?t=288

Then start a new topic providing the logs as shown in that FAQ with a link back to this thread and a volunteer analyst will advise when available.

Best regards.