rootkit H8 Friday, January 29 2010
Yesterday Gretchen's computer was plagued by an insidious invader that was manipulating the links in pages of search engine results so that when the links were clicked, the result pages were a variety of crappy off-brand sites selling the sorts of cheesy wares currently popular among spammers and browser hijackers. Such a situation isn't tolerable (and should certainly never be tolerated), so I'd been called in to set things right. I'd waded through the registry and had searched the file system for recently-altered files. But I hadn't been able to find all that much that was wrong. After my efforts, the search engine results had seemed to be good once more, so I'd figured I'd fixed the problem.
But then today Gretchen showed me that the problem had returned. So again I poked around looking to see where it was coming from. I even booted up into safe mode, but even there the search engine results were being hijacked. I could tell the problem was happening at a low level, because both Internet Explorer and Firefox were affected. And Google Chrome wouldn't even start. HijackThis, my favorite crapware detector, wasn't reporting anything suspicious, so I tried downloading a variety of reputable crapware scanners, but none of these could be run. Some kind of application blacklist was in effect.
So eventually I downloaded a rootkit detector that does its work during a reboot. It detected something hidden away in C:\WINDOWS\SYSTEM32\DRIVERS beginning with the two letters H8. But once the computer booted, whatever it had found had hidden itself. And by hidden, I don't mean that it had turned on its hidden attribute. It had disappeared beneath the reach of the operating system. To remove that fucker, I had to pull the hard drive out of the computer, attach it to another computer, and look at it from there. Having done that, I found a nasty mess of files, all beginning with the letters H8. I deleted them all, along with anything else that was slightly suspicious with a recent modified date. This sounds like a big job, but it was less than 10% of the work that reformatting the computer and reinstalling everything would have been. Once I was done, Gretchen's computer seemed completely healthy. It also seemed to run a little faster, indicating that perhaps it had been serving in someone's zombie army. What's unnerving about this experience, though, is that the infection would never have been detected had Gretchen not noticed that her search engine results were being hijacked. Someone somewhere had a good thing going with that computer, but he overplayed his hand. This must indicate that a hacker can get away with gross manipulation of browser behavior and a sizable fraction of users either don't notice or don't care.
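The trick that finally worked here, listing the drivers directory from a clean machine and comparing it with what the infected Windows install reports about itself, is a cross-view diff: a kernel-mode hider can filter what the running OS returns, but it cannot touch a listing taken from the disk mounted elsewhere. The script below is an added illustration of that comparison, not something from the original post or from any tool named in it. The two listings, the `H8x1.*` file names, and the `ndis.sys` timestamp are constructed sample data; the only thing taken from the post is the `H8` prefix and the idea of also flagging recently modified files.

```python
"""Cross-view diff of a driver directory: live (possibly rootkit-filtered) view
versus an offline listing taken from the same disk attached to a clean machine.
Added example; all file names, sizes and dates below are constructed."""
import os
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    name: str    # original-case file name
    size: int    # bytes
    mtime: str   # ISO date (YYYY-MM-DD)


def parse_listing(text: str) -> dict[str, Entry]:
    """Parse 'name size mtime' lines into a dict keyed by lowercased name
    (NTFS names are case-insensitive, so compare them that way)."""
    entries: dict[str, Entry] = {}
    for line in text.strip().splitlines():
        name, size, mtime = line.split()
        entries[name.lower()] = Entry(name, int(size), mtime)
    return entries


def listing_from_dir(path: str) -> dict[str, Entry]:
    """Build the same structure from a real directory, e.g. the offline-mounted
    drive's Windows\\System32\\drivers, so the diff works outside this demo."""
    out: dict[str, Entry] = {}
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False):
                st = d.stat(follow_symlinks=False)
                day = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).strftime("%Y-%m-%d")
                out[d.name.lower()] = Entry(d.name, st.st_size, day)
    return out


def cross_view_diff(live: dict[str, Entry], offline: dict[str, Entry]) -> dict[str, list[str]]:
    """Files on disk that the running OS does not report are 'hidden' (the
    rootkit signature); files the OS reports that are not on disk are
    'phantom'; files whose size or mtime disagree are 'changed' (a patched
    or swapped driver is the usual reason)."""
    hidden = sorted(offline[k].name for k in offline.keys() - live.keys())
    phantom = sorted(live[k].name for k in live.keys() - offline.keys())
    changed = sorted(
        offline[k].name for k in live.keys() & offline.keys()
        if (live[k].size, live[k].mtime) != (offline[k].size, offline[k].mtime)
    )
    return {"hidden": hidden, "phantom": phantom, "changed": changed}


def recent_entries(entries: dict[str, Entry], since: str) -> list[str]:
    """Names modified on or after the given ISO date; a system driver directory
    should be almost entirely older than the last service pack or update."""
    return sorted(e.name for e in entries.values() if e.mtime >= since)


# Constructed sample: what the infected system reports while running ...
LIVE_LISTING = """
acpi.sys  187776 2008-04-14
ntfs.sys  574976 2008-04-14
ndis.sys  182656 2008-04-14
tcpip.sys 361344 2008-06-20
"""

# ... and what the same directory looks like from a clean machine.
OFFLINE_LISTING = """
acpi.sys  187776 2008-04-14
ntfs.sys  574976 2008-04-14
ndis.sys  182656 2010-01-27
tcpip.sys 361344 2008-06-20
H8x1.sys   41984 2010-01-27
H8x1.dat    8192 2010-01-28
"""


def report() -> dict[str, list[str]]:
    live = parse_listing(LIVE_LISTING)
    offline = parse_listing(OFFLINE_LISTING)
    result = cross_view_diff(live, offline)
    result["recent"] = recent_entries(offline, "2010-01-01")
    return result


if __name__ == "__main__":
    for kind, names in report().items():
        print(f"{kind:8s} {', '.join(names) or '-'}")
```

Run against a real case, the live side comes from the infected machine (a plain `dir` redirected to a file is enough, since the point is to capture what its own kernel admits to) and the offline side from `listing_from_dir()` on the mounted drive. Anything in `hidden` is the rootkit's payload; `changed` entries with a fresh date are worth comparing against a known-good copy before trusting them.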
After winning that skirmish against the forces of darkness, I spent most of the day working on first one web development project and then the other. The frustrating thing was that one of those projects was supposed to be finished, but suddenly there were a bunch of new issues, some of them verging on scope creep. The cats always seem to want to climb on me when I'm really frustrated, and I could feel them drawing in as I rolled my chair up closer to the computer to change my posture. I usually look for cats, and this one time I didn't. Poor Sylvia, I must have run over a paw or a tail, because she let out a distinctly uncatlike scream. But seconds later she seemed completely fine.
Ray and Nancy came up from the city today to spend the weekend. The four of us went out to the Kingston Indian Restaurant and Grill in Uptown, meeting up with our mutual friend Sarah the vegan (who is renting a room in a house out in Lake Hill). Later all of those people went to see a local stage production of Jesus Christ Superstar, and I returned home on my own to continue my work. Hours later Ray, Nancy, and Gretchen came back from the show totally amped up about how completely awesome it had been. "If I could get a ticket, I'd go see it tomorrow," Ray said. They were also singing some of the musical's many songs, some of which Ray also played from the tinny little speakers of his Droid (an open source iPhone knockoff).
For linking purposes this article's URL is: http://asecular.com/blog.php?100129