[GLLUG] Server Infection Question
STeve Andre'
andres at msu.edu
Tue May 5 19:48:55 EDT 2009
On Tuesday 05 May 2009 19:14:54 Stanley C. Mortel wrote:
> I have a client with a compromised server. Not unusual for MS, but this
> one I find interesting. Here are some details:
>
> 40 GB hard drive, single partition. Windows 2000 server, fully
> patched. History of out of date AV software. Has Norton on it. System
> getting slower and slower, locking up, blue screen......yada, yada,
> yada. Entire network crawling. History of getting blacklisted for spam.
>
> Would not let me copy the partition using Acronis. Said Not enough
> space on drive even though I was copying from a 40 GB partition to a 120
> GB drive. When Acronis starts, it shows the infected drive at about 30+
> GB, then after analyzing the drives before the copy it shows it
> completely full.
I love malware smart enough to stop disk copies. I've seen this twice
now this year.
>
> Could not copy files from within Win2K to a newly formatted drive.
> Tells me access denied. I tried it on two different drives to be sure
> the one receiving data wasn't bad.
Never use Windows to copy a suspect disk to something. I always
use OpenBSD, which gets rid of the possibility of infecting the source
system that's copying.
Your pristine system when it booted talked to the other disk. You
don't have to have autorun enabled to get infected, as you just
saw. Isn't Windows nice? This is why I always use a non-Windows
system to copy stuff.
>
> The really interesting thing is that when I put it in an XP box to copy
> to another drive it infected XP during the boot/logon process. At the
> first logon, the windows alert popped up telling me that the anti-virus
> was not working. It was turned off and real-time scanning could not be
> turned on. I tried this twice, with "pristine" installs of XP Pro with
> Computer Associates Internet Security Suite installed and everything
> completely up to date. I find this of note because I didn't think that
> could happen. Least I've never seen it. I never accessed the infected
> drive at all. The only way it was accessed is by the Windows O.S.
> during the boot/logon process. As far as I know, the autorun feature is
> now turned off by default in XP, though that shouldn't come into play
> anyway, given that I never accessed the drive.
>
> Ran the CA anti-virus, which worked even though the real-time was
> disabled. Found several email/spam related worms: Win32/Sobig.B,
> Sobig.E!Zip, Klez.H. Also found Win32/Magistr.29188 that I think is
> more problematic. I'm guessing that the real culprit went undetected.
>
> Any ideas? Mainly I want to know if this is something that warrants
> further forensics before I wipe the drive, i.e., is this something new?
No, I've heard of this happening before. There are simply so many
pieces of malware out there that it's next to impossible to remember
them all.
> I can probably dd the partition, the boot sector, and the partition
> table. If it stops Linux from doing that, then I'll really be
> surprised. I plan to put the drive in a Linux box tomorrow and run
> ClamAV on it. But, before I do that, I thought I'd see if anyone else
> finds this case unique or interesting enough to save the evidence. If
> anyone has some idea how a "data" drive can infect the OS drive without
> anything running, I'd like to hear that too.
>
> As always, thanks for your input.
>
> Stan
What I'm now doing when I get an infected sheep is to
- copy the entire disk to another disk from a non-Windows system:
gtar cf - . | (cd /cleandisk ; tar xvf - )
- make a complete copy of the newly copied directory which contains
the entire disk and call it whatever.orig
- go into the cleandisk directory and use find to blast all .com, .exe
.dll, .inf, .pif, .msi, .scr files (and their UC versions):
find . -name "*.dll" -exec rm {} \;
I then have a copy of the disk which *probably* has the infected
dreck off it, but I also have the .orig version, so if I find that I need
something that find killed, I have a backup.
Note that the gtar example doesn't handle sparse files. I think
that's the S option? I use gtar instead of my native tar because
files can be longer than 100 characters, which is the POSIX
standard.
This is all evolving. I do so love Windows.
--STeve Andre'
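The copy-and-quarantine routine STeve describes, together with the dd imaging step Stan planned, scripted in POSIX shell as an added example that is not part of either post. It images a source with dd (in the test a constructed file stands in for the disk), keeps an untouched .orig copy, and then moves every file with one of the listed extensions into a quarantine tree with a manifest instead of deleting it; find -iname matches case-insensitively, so the uppercase variants are covered in a single pass. The directory layout, file names and the quarantine/MANIFEST convention are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a POSIX sh with a
# find that supports -iname (GNU and BSD find both do), plus dd, cp and tar.

# Image a raw device or file with dd. conv=noerror,sync keeps going past read
# errors and pads bad blocks so offsets in the image stay aligned with the source.
image_disk() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
}

# Build a constructed sample tree that stands in for the copied Windows disk.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cleandisk/WINNT/system32" "$dir/cleandisk/Documents"
    : > "$dir/cleandisk/WINNT/system32/kernel32.dll"
    : > "$dir/cleandisk/WINNT/NOTEPAD.EXE"
    : > "$dir/cleandisk/Documents/report.doc"
    : > "$dir/cleandisk/Documents/photo.scr"
    : > "$dir/cleandisk/Documents/Setup.Inf"
    echo "$dir"
}

# Keep an untouched copy (the whatever.orig step) before anything is removed.
snapshot_orig() {
    cp -a "$1" "$1.orig"
}

# Move, rather than delete, every file whose extension is on the list, matching
# case-insensitively so NOTEPAD.EXE and Setup.Inf are caught in one pass.
# Each moved file keeps its relative path inside the quarantine tree and is
# recorded in MANIFEST, so an analyst can still pull a sample or restore one.
quarantine_executables() {
    root=$1; quarantine=$2
    mkdir -p "$quarantine"
    : > "$quarantine/MANIFEST"
    find "$root" -type f \( -iname '*.com' -o -iname '*.exe' -o -iname '*.dll' \
        -o -iname '*.inf' -o -iname '*.pif' -o -iname '*.msi' -o -iname '*.scr' \) \
        -print | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$f" "$quarantine/$rel"
        printf '%s\n' "$rel" >> "$quarantine/MANIFEST"
    done
}

# Number of quarantined files, read back from the manifest.
quarantined_count() {
    wc -l < "$1/MANIFEST" | tr -d ' '
}

# Typical run on a tree already copied from a non-Windows system:
#   d=$(make_sample_tree); snapshot_orig "$d/cleandisk"
#   quarantine_executables "$d/cleandisk" "$d/quarantine"
#   cat "$d/quarantine/MANIFEST"
```

Quarantining instead of removing costs nothing extra over the .orig copy STeve already keeps, but it leaves a manifest of exactly which files were pulled, which is what you want if the question "is this something new?" is ever answered by looking at the samples later.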