Friday, October 28, 2011

A Personal First: A Rootkitted 64 Bit Operating System And A Nice Boot Disc From Microsoft To Clean It

This week I encountered a 64 bit Windows machine infected with a rootkit.

It’s a Vista Home Premium SP2 system and it was doing some strange things.  The fake “hard drive is failing” warnings were the first I’ve seen of that variation but very much in the school of fake anti-virus pop-up windows.  Internet Explorer kept popping open unbidden and crashing, with mystery audio playing out of apparently nowhere (Vista’s Volume Mixer didn’t identify it as being from any particular application).  The audio included voices in conversation saying strange and partly intelligible things followed by strange laughter.  It also included something that sounded like what you’d find from Flash video from any number of major websites.

The usual anti-malware tools, Malwarebytes Anti-Malware and installed anti-virus (in this case Microsoft Security Essentials), cleaned up the fake warnings after I disabled them in Safe Mode and could actually run the tools.

The Internet Explorer issue and the strange audio didn’t resolve, and when I let Windows Update install some drivers that included an Intel Storage ICH9M-E/M SATA AHCI controller Vista had a complete BSOD freak out upon rebooting.  The blue screen was 0xED Unmountable Boot Volume, not really something you want to see, and only booting from the Vista setup disc and letting it System Restore got me back into Windows.

(The Startup Repair from the hard drive would only give me a welcome screen with "Other User" as the login account. At the bottom left corner was an "Ease of Access" blue button.  I had no password for Other User and when I clicked on it I had the option to enter a user name and password but none of the existing accounts would work.)

My suspicions were severely raised at this point so I thought I’d try out Microsoft’s Standalone System Sweeper Beta.  I downloaded the 64 bit version of the installer and chose to let it create an ISO image that I burned to one of my handy DVD+RW discs.  (They are great for exactly this sort of thing.  If I need the Sweeper with newer definitions I just create a new ISO and burn it to the same disc.)  The web site says the Sweeper needs to be the same architecture as the target machine.  I don’t think you can run the 64 bit version on a machine with a CPU that only is 32 bit compatible and in any case the Sweeper will not let you scan an operating system that is a different architecture than the one you are booting.   If you boot the 32 bit Sweeper you can’t scan a 64 bit operating system and vice versa.  You can make either the 32 or 64 bit Sweeper boot disc regardless of which operating system is installed on the computer on which you are creating the disc.

Anyway, the Sweeper found the Alureon\TDSS\TDL3 rootkit (info here, here and here) and removed it.  When I got back into Windows I used Kaspersky’s TDSSKiller to remove leftover bits.  It’s possible that TDSSKiller alone would have done the job but I like the idea that I scanned Windows from outside the operating system and any rootkit would be inactive.

The system seemed snappier and considerably less strange afterwards.  Internet Explorer stopped opening spontaneously and stopped crashing and there wasn’t the odd 50% CPU action I had seen from some Dell applications threads before the cleaning.

I was quite pleased to have the Microsoft Sweeper since I can’t run GMER in a 64 bit operating system.  The very measures (mandatory signed drivers, etc.) that make it hard to rootkit a 64 bit system also make it harder to build anti-rootkit software, and the reduced vulnerability makes going to that effort significantly less worthwhile.  The fact that 64 bit operating systems are harder to infect made the dearth of cleaner tools not matter for a time, but now that this 64 bit capable rootkit is in the wild the story has changed.

The Sweeper installer can burn a disc directly for you and it can also build or update a bootable USB flash drive.  You will need an Internet connection to download the latest files and you’ll need 250 MB of space on a CD, DVD or flash drive.  The first time it creates the flash drive it formats it, but you can still use the balance of its capacity for storage after that.  When the installer updates the flash drive it doesn’t format it again or mess with any other content.  It just updates the virus definition file (about 60 MB).  This is very, very handy.

If you have a live connection to the Internet on the target machine the Sweeper can update its virus definitions when it is booted.  You can also download the definitions manually on another computer and put them on removable media to import from when the Sweeper is run.  Browse to http://go.microsoft.com/fwlink/?LinkID=96776 and download either the 32 bit or 64 bit definitions for Microsoft Security Essentials.  The Sweeper seems to be a standalone version of Microsoft Security Essentials so they use the same definitions.

A note on system requirements:

Microsoft gives a single list of requirements for both the installer computer and the target computer.  They say the Sweeper needs Windows XP Service Pack 3 or newer, with at least a 500 MHz processor and 768 MB of RAM on XP, or at least a 1 GHz processor and 1 GB of RAM on Vista/Windows 7.  This is awfully fuzzy “information”.

I tested the 64 bit Sweeper in VirtualBox on a target Windows 7 64 bit operating system and set it to use varying amounts of RAM.  At 752 MB or less the Sweeper will boot but can’t load its virus definitions so it won’t let you scan.  That’s great if you want to show somebody a Windows 7 looking startup screen (the Sweeper boots what looks like a Windows 7 Preinstallation Environment) but for cleaning a system it is useless.  At 753 MB it will boot and load the definitions and scan but it can’t update its definitions.  Still, that’s usable and the scan will be as current as your boot disc’s virus definitions.  At 843 MB it will successfully download updates to its virus definitions.

Using Windows Virtual PC and the 32 bit version of Sweeper, I found at up to 633 MB it couldn’t load its definitions and therefore wouldn’t scan.  Starting at 634 MB it could load its definitions but not update.  Starting at 714 MB it could boot, scan and update its virus definitions properly.

To summarize, the 64 bit Sweeper is functional at 753 MB or higher and fully functional starting at 843 MB of RAM while the 32 bit version is functional at 634 MB and fully functional at 714 MB.

I also found that with sufficient RAM the Sweeper will boot and scan a Windows 2000 machine (although it failed to update with code 0x0072ee7 “server could not be resolved”, but a manual update from media worked) so it looks like the operating system requirement is more for the installer than the target computer.  That makes sense.

Windows 7 Forums has a nice tutorial on creating and using the Sweeper.

There are a couple more tutorials from Ask Leo! and Security Garden.  The latter also has a useful article called Solve Microsoft Standalone System Sweeper Errors.

Sunday, October 23, 2011

Making OS X Play Nicely (Read/Write) With The NTFS File System

Mac OS X 10.6 Snow Leopard is supposed to have native support for Read/Write access to NTFS formatted drives.  Word on the street is that this turned out to be unreliable and unstable, so it is disabled by default (it can be enabled from the command line by adding an /etc/fstab entry of the form LABEL=VOLUMENAME none ntfs rw,auto,nobrowse, but Apple does not support that configuration).  OS X still has stable native Read Only access to NTFS, so you can read such a drive but you can’t write to it.

At least you can’t without paying something for Paragon NTFS or paying nothing for the open source Catacombae NTFS-3G for Mac OS X and FUSE for OS X (OSXFUSE).  NTFS-3G is the NTFS Read/Write driver and FUSE is… well let’s just quote the relevant Wikipedia article:

Filesystem in Userspace (FUSE) is a loadable kernel module for Unix-like computer operating systems that lets non-privileged users create their own file systems without editing kernel code. This is achieved by running file system code in user space while the FUSE module provides only a "bridge" to the actual kernel interfaces.

There was an older FUSE that I had originally found called MacFUSE which is the project from which OSXFUSE is derived but I had trouble finding 64 bit support.  A lead from a blog called offTheHill brought me to OSXFUSE where I found 32 and 64 bit support ready to go in an easy to install DMG file.

I downloaded and installed the DMG files for NTFS-3G and OSXFUSE and unmounted and remounted the NTFS external drive and voila…. there was Read/Write access to the NTFS drive.

Obligatory warning: NTFS-3G is sometimes described as “experimental” given that there are no public specifications for the NTFS file system.  However, this project is mature enough that I would trust it with my data.

Saturday, October 22, 2011

An Amusing Hack To Fix A Broken AVG Free Updater

I was helping someone with their computer when I noticed that their AVG Free hadn’t updated since October 5th.  When I clicked Update Now it would hang when it got to the point where it was “Analyzing new updates”

Apparently this is now a known issue for AVG on XP 64 bit systems.

After a little browsing online I found that a workaround was available for users of the paid AVG version.  It involved changing the Advanced Settings so that AVG first looked to the secondary update server rather than the primary update server.

The catch for users of AVG Free is that there is no option to change the update servers or their priority.

It occurred to me that while I couldn’t change the name of the primary update server I could certainly change the IP number that Windows used to go find that server.  I added this entry to the C:\WINDOWS\system32\Drivers\etc\hosts file:

212.96.161.241    guru.avg.com

The IP number is actually the address of the secondary update server bguru.avg.cz, so when AVG does its normal update it thinks it is checking the primary server but is actually checking the secondary server.

But there’s a rub….  AVG protects the Hosts file in order to prevent exactly this sort of chicanery which can be used for very nefarious purposes.  It will block this change or perpetually alert about the change even if it has been ignored.

Fortunately I was able to add the Hosts file to AVG’s Resident Shield’s Exceptions list.  I couldn’t enter the file by choosing it from the Add File button but I could add the path to the Drivers folder and then use the Edit List button to change it to point specifically to the Hosts file within the etc folder.

AVG update works perfectly with this arrangement.  However, now the Resident Shield is not protecting against any other changes to the hosts file.  That should be fine if the machine is clean, since having updated definitions should block incoming infections.  If the machine gets infected and starts messing with the Hosts file then it could be a big problem, for example preventing the anti-virus program from updating or sending seemingly innocuous web links to very bad places.
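Pinning a server name to a hard-coded address has a second failure mode besides malware rewriting the Hosts file: if the vendor moves the secondary server, the pin goes stale and updates silently stop.  The following is an added example, not part of the original post, of a small check that parses a Hosts file, confirms the override is still present, and compares the pinned address with what DNS currently returns for the secondary server name.  The sample Hosts file text is constructed for the example; the resolver is injectable so the check can run offline against a fake, and the live resolver uses the standard library only.

```python
"""Added example (not from the original post): sanity-check a hosts-file
override that pins the primary AVG update server name to the IP address of
the secondary server, as described above.

Two things worth knowing before trusting such a pin:
  1. the hosts file still carries the entry (nothing has rewritten it), and
  2. the pinned IP still matches what DNS returns for the secondary server,
     since a hard-coded address silently breaks updates once that host moves.
"""
import socket

# Constructed sample of a hosts file carrying the override from the post.
# On XP the real file lives at C:\WINDOWS\system32\Drivers\etc\hosts.
SAMPLE_HOSTS = """\
# sample hosts file header comment
127.0.0.1       localhost
212.96.161.241    guru.avg.com   # AVG primary pinned to the secondary server
"""


def parse_hosts(text):
    """Return {hostname: ip} for every name in a hosts file body.

    '#' comments and blank lines are skipped, tabs and spaces both separate
    fields, and names are lower-cased because hosts lookups ignore case.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def dns_addresses(hostname):
    """Live IPv4 resolution of hostname (the unpinned secondary name, so the
    hosts override itself does not influence the answer)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}


def check_pin(hosts_text, pinned_name, real_name, resolve=dns_addresses):
    """Compare the hosts-file IP for pinned_name with DNS for real_name.

    Returns ("missing", None, set()) if the override is gone,
            ("ok", ip, addrs)       if the pinned IP is a current address,
            ("stale", ip, addrs)    otherwise.
    """
    pinned_ip = parse_hosts(hosts_text).get(pinned_name.lower())
    if pinned_ip is None:
        return ("missing", None, set())
    current = resolve(real_name)
    return ("ok" if pinned_ip in current else "stale", pinned_ip, current)


if __name__ == "__main__":
    # Offline demonstration with a fake resolver; drop resolve= to query DNS.
    fake = lambda name: {"212.96.161.241"} if name == "bguru.avg.cz" else set()
    print(check_pin(SAMPLE_HOSTS, "guru.avg.com", "bguru.avg.cz", resolve=fake))
```

Run it periodically (or before each manual update) while the workaround is in place; a "stale" or "missing" result means either the vendor moved the secondary server or something else has edited the Hosts file, and both deserve a look.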

I estimated that the benefits exceeded the risks in this case especially since it is for a limited time until I revert the changes when AVG issues their final fix.