Rootkit \\?\globalroot\Device\__max++>\ paths?

xer0syk0
Posted: Fri Oct 02, 2009 3:21 am    Post subject: Rootkit \\?\globalroot\Device\__max++>\ paths?

Hi everyone,

I work on and fix lots of computers with varying degrees of infection by malware/viruses/trojans/rootkits etc.

Lately many rootkit infections on the computers I have been looking at share a common characteristic of being referenced as libraries with this particular path structure:

Quote:

\\?\globalroot\Device\__max++>\XXXXXXXX.x86.dll


where XXXXXXX refers to a hex address (I suppose in memory) where the file lies (I guess?) and injects itself into core processes like svchost/alg/lsass/etc. An example of this kind of infection can be found here: http://trusteer.com/ffsearcher-internals-or-defrauding-google-one-click-time

My question is what exactly is this globalroot path?

From what I have searched online, it appears to be called a "mount point" (which Wikipedia describes as a convenient way for an OS to reference files from arbitrary locations in memory or on the hard disk). The only reason I know this is that there is a program called Win32kDiag that seems to reveal these mount points and reveal the location of the actual file on the hard drive. It would be nice if anyone could confirm this information.

Is this path indeed a mount point, or something else? In what ways can you derive the original path of such a path and delete the perpetrating library?

I am well aware that tools such as GMER and other rootkit detection tools can detect the presence of such a globalroot path/rootkit, but they cannot remove them. I have tried to use Kaspersky AVZ scripts to remove such infections with BC_DeleteFile() and DeleteFile(), but they do not work. They are however able to quarantine the file and produce a copy of it.

I have produced such a copy of the file quarantined file and uploaded it to VirusTotal (http://www.virustotal.com/analisis/37ecc048cc7c01ca4b4e840742f736c40e8974d8f0158d67255974aa0d56643c-1254444923). Perhaps there is a tool that can search for copies of a specific file, like the one I have found? Well, the premise doesn't seem that complicated so I guess I could code one myself.

So in the case that something like Win32kDiag would fail me, what other ways would there be to combat something like this? (I have not yet had a chance to test the capabilities of Win32kDiag on a machine, I have only seen logs online of people who have this very problem). I am aware that it is possible to simply slave the said hard drive to another computer and scan that hard drive with MBAM or another anti-virus program, but I find that the hardware required to do so may not always be convenient or accessible at the given time.

Thanks for taking the time to read this,
Eric
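The "tool that can search for copies of a specific file" the post above wonders about is essentially a hash sweep: hash every file under a root and report those matching the SHA-256 of the quarantined sample (the value a VirusTotal report shows). This is an added example, not code from the thread or from any of the tools it names; the sample bytes and directory layout in `demo()` are constructed stand-ins, and files the OS refuses to open are reported separately because on a live infected host that refusal is itself a lead.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, known_hashes):
    """Walk `root` and return (matches, unreadable).

    matches:    paths whose SHA-256 is in `known_hashes`
    unreadable: paths that could not be opened (locked, hidden, ACL-denied);
                worth a manual look rather than silently skipped
    """
    wanted = {h.lower() for h in known_hashes}
    matches, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if sha256_of_file(p) in wanted:
                    matches.append(p)
            except OSError:
                unreadable.append(p)
    return matches, unreadable


def demo():
    """Constructed scenario: two copies of a 'known-bad' blob plus one benign
    file in a temporary tree. The blob is arbitrary bytes, not real malware."""
    bad = b"MZ constructed sample bytes - stands in for the quarantined DLL"
    with tempfile.TemporaryDirectory() as base:
        sys32 = Path(base, "WINDOWS", "system32")
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "7A3F1C20.x86.dll").write_bytes(bad)       # the original
        (sys32 / "drivers" / "copy.sys").write_bytes(bad)   # a renamed copy
        (sys32 / "notepad.exe").write_bytes(b"benign content")
        matches, unreadable = find_copies(base, {hashlib.sha256(bad).hexdigest()})
        return sorted(os.path.basename(m) for m in matches), len(unreadable)
```

Run the sweep from a clean boot environment or with the drive slaved, as the post notes: on the rooted host itself the file system view the hashing relies on is exactly what the rootkit filters.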
xer0syk0
Posted: Sun Oct 04, 2009 5:57 am    Post subject: solution

Well, it turns out you can only use Win32kDiag to diagnose and remove the problem files.

This is a set of instructions I have written pertaining to the use of Win32k Diag:

Win32kDiag detects mount points or hidden rootkits which inject themselves
into kernel processes via the \\?\globalroot\device\__max++\XXXXXXXX.x86.dll method.
This can be discovered by GMER/DarkSpy/other rootkit detectors which detect ADS's/SSDT.

The program is command line and will produce a log of all of the mount points it finds.
The files shown are not necessarily all malicious; warning flags or entries will usually
be denoted by the message "could not open/access file". These files are worth
investigating. If you happen upon a file that cannot be FileAlyzed, cannot be copied,
moved, deleted, or renamed (or cannot be handled by Unlocker) and does not show information
about its manufacturer, chances are you have found the malicious library/program.

Search for "DLL" in your Win32kDiag log if you have the XXXXXXXX.x86.dll infection.
If you have a different kind of globalroot path infection, simply look for executables
that match the above criteria.

You can then manually seek out these files and delete/replace them using Unlocker or
by other methods (slaving the hard drive to another computer, or accessing the hard drive
outside of Windows (boot disc/recovery console)). It is often a wise idea to replace files with versions on other
working computers (for example, replacing an infected shell or critical component).

-eric
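The triage rules in the instructions above (flag "could not open/access file" entries, search the log for the XXXXXXXX.x86.dll name pattern, treat globalroot paths that do not resolve to a normal volume as suspect) can be scripted so a long log is reduced to the handful of lines worth investigating. This is an added example, not part of the post and not Win32kDiag's own code; the sample log is constructed in a format of my own (the real Win32kDiag output format is not reproduced), and the "normal device looks like HarddiskVolumeN" rule is an assumed heuristic.

```python
import re

# Constructed sample log (added example). The real Win32kDiag format is NOT
# reproduced: each line carries an index, a path and, for some entries, an
# access error, which is all the triage rules below look at.
SAMPLE_LOG = r"""
[1] \\?\globalroot\Device\HarddiskVolume1\WINDOWS\system32\kernel32.dll
[2] \\?\globalroot\Device\__max++>\7A3F1C20.x86.dll - could not open file
[3] \\?\globalroot\Device\HarddiskVolume1\WINDOWS\system32\drivers\atapi.sys
[4] \\?\globalroot\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe - could not access file
[5] C:\Program Files\Common Files\setup.exe
"""

LINE = re.compile(r"^\[\d+\]\s+(.*?)(?:\s+-\s+(.*))?$")
ACCESS_ERROR = re.compile(r"could not (open|access) file", re.IGNORECASE)
SUSPECT_NAME = re.compile(r"^[0-9a-f]{8}\.x86\.dll$", re.IGNORECASE)  # XXXXXXXX.x86.dll
GLOBALROOT = re.compile(r"^\\\\\?\\globalroot\\device\\", re.IGNORECASE)
NORMAL_DEVICE = re.compile(r"^harddiskvolume\d+$", re.IGNORECASE)      # assumed heuristic


def triage(log_text):
    """Return [(path, [reason, ...])] for log entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        path, note = m.group(1), m.group(2) or ""
        reasons = []
        if ACCESS_ERROR.search(note):
            reasons.append("access error")
        if SUSPECT_NAME.match(path.rsplit("\\", 1)[-1]):
            reasons.append("8-hex .x86.dll name")
        g = GLOBALROOT.match(path)
        if g:
            # First path component after \\?\globalroot\Device\ is the device name
            device = path[g.end():].split("\\", 1)[0]
            if not NORMAL_DEVICE.match(device):
                reasons.append("unusual device name: " + device)
        if reasons:
            findings.append((path, reasons))
    return findings
```

A flagged entry is a lead, not a verdict: the post's own advice still applies, so confirm with a second tool (GMER, Unlocker, an offline scan) before deleting anything, since a locked system file can be legitimate.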
RoboGeek
Posted: Sun Oct 04, 2009 8:58 pm

What you have found is the 2 ways rootkits infect systems. The first is normally a user mode infection that hooks files. The one that hides much better uses DKOM to infect and hide itself.

Rootkits come in two forms: user mode and kernel mode, and rootkits hide by either hooking files, or DCOM (Direct Kernel Object Manipulation).

That's a big reason why, if your PC is rooted, you can't trust the output from ANY software - HJT, MalwareBytes, Spybot, etc.

Win32kDiag can be tricked too.

Hooked files like in your post are fairly easy since they show themselves to programs like Icesword and RKU.
xer0syk0
Posted: Sun Oct 04, 2009 10:06 pm    Post subject: hmmm

That's what I would expect as well...

But in that case, what are some methods to remove rootkits that don't rely on traditional scanning programs or diagnostic outputs?

Or would you simply employ all of those tools on the system in question from outside the operating system so the rootkit never intercepts the kernel messages?

Your advice is greatly appreciated.

-eric
Gundamrx793
Posted: Sat Nov 07, 2009 11:02 pm

Hey,

I'm just wondering, but what exactly does Win32kDiag do? Because I currently have a Trojan Zlob.Kh virus... and the path is the same as what you entered...

And how hard is it to remove the Trojan with Win32kDiag?

-nick