Solved

Create an Undeleteable File

Posted on 2006-06-09
335 Views
Last Modified: 2013-12-04
I have this Aurora variant that I keep running into.  My thought is if I could create an executable of the same name that couldn't be deleted, that would put a stop to it.  I tried setting deny -> everyone permissions on the file, but somehow it got around that.

Anyone know a good trick for this?

Thanks.

NV
0
Question by:NoahVail
20 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16871005
0
 
LVL 10

Expert Comment

by:GuruGary
ID: 16871116
A very simple trick to try:  Instead of creating a file (aurora.exe or whatever) try creating a directory with the same name (folder name = aurora.exe or whatever).  I have used that before in other scenarios, and often the programs are smart enough to remove a file, but aren't smart enough to try to remove a folder.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16871145
Frankly, that is a "band-aid on a cancer" solution. To be sure, Security isn't a Product, it is a Process, and all the AV and Anti-Spyware in the world can't help you as much as the simple things like the account of least privilege can.
-rich
0
 
LVL 10

Expert Comment

by:GuruGary
ID: 16871393
Rich is right.  Even if you can prevent the file from being created, there are still problems with the system.  You should find the root cause of the problem, fix the problem, and put something in place to prevent it from occurring in the future.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 16872626
Agreeing that it is not good time for a bandaid. It is also not good time in a public forum to identify how malware can create a directory on your system that you cannot delete. So,

I also recommend shoring up procedures. SuperUser Admin IDs are for installing and maintaining applications and setting up security. They are not for surfing out suspect websites or for clicking on strange emails. Ensure that the people have the proper authority levels. Admins should have a second ID with less privilege to hijack or piggyback. Regular users do not need to install, maintain, and upgrade.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16873160
AdAware and its VX2 plugin will get rid of it.

1. Download AdAware SE if you haven't yet.
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html

 And the VX2 Cleaner Plug-in
 http://www.lavasoft.de/software/addons/vx2cleaner.shtml
 Install Ad-Aware using the default options, then install "vx2cleaner_inst.exe", taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on "Add-ons" in the lefthand column.  Select "VX2 Cleaner V2.0" and click "Run Tool".  Click "OK", then, if something is found, click "Clean" as in the directions given.  Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again.  This time, click on the "Start" button in Ad-Aware, select "Perform smart system scan" and click "Next".  Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects").  Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK".  Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next".  Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.


2.  If problem persists, let us look at your hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16874755
Instead of trying to "deny" permissions, you can "remove" all permissions as follows:

(1) Right click on the file in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

Of course I agree with the others that this is not a long-term fix, but it gives you a chance to clean up the virus.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 16875161
Actually, without identifying a few exceptions, I think that is the better idea.

Major difference between MS and alternatives is that they are easier. Easier to run, easier to hack.

One way to define this is that you have a choice of starting with everything initially denied, then opening a little for some rights here and there as needed. The other way is to start with everything always available, then run around looking for doors to shut. Most of us prefer the former, then we best know who is doing what.

A similar situation is for use of ports. My preference is close them all first. Then open them one at a time as needed. The system takes longer to get going, but the method beats the alternative of starting with all open and then trying to close one at a time as you find them getting abused. My IMO anyway
0
 

Author Comment

by:NoahVail
ID: 16917569
Sorry for the delay.
With respect, rpggamergirl, Adaware and VX2 will not clean several different variants of Aurora.  Neither will CWShredder, MSAntispy, Spybot, Webroot or any other antispyware package as far as I know.  Some variants are rootkit installed and uncleanable.

I'm sorry, an alternative browser is not an alternative for the several users I am seeking to protect.

HiJackthis logs are useful after the fact, I am trying to prevent the fact.

Often these are sites where I am an on-call tech, and I do not have access to the routers.  Setting up multiple permission levels on sites that I am called to infrequently is impractical.   I usually have administrative access to the computers, but that may be all.

I haven't found a TSR antispyware program that is truly effective.

In fact I have quite a few uses for an undeleteable file.  Can someone tell me how to make one?

Thanks.
NV

0
 
LVL 32

Expert Comment

by:r-k
ID: 16917682
Did you try my suggestion above?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16917686
>>With respect, rpggamergirl, Adaware and VX2 will not clean several different variants of Aurora.  Neither will CWShredder, MSAntispy, Spybot, Webroot or any other antispyware package as far as I know.  Some variants are rootkit installed and uncleanable.<<

That is not true! Aurora/nail infection is a very old infection, in fact there haven't been any new variants of aurora since mid last year. There is no aurora variant with rootkit-like capabilities, maybe you are confusing it with the epolvy trojan (a trojan that comes with the aurora/nail infection that changes its name at shutdown; it changes name every time you look at it).
Malware experts have stopped updating nailfix since Lavasoft updated their Ad-Aware VX2 cleaner plugin to address the entire bundled Nail/epolvy/dsr infection. And it does a great job!

Even the real rootkits are cleanable!
Aurora is nothing compared to Haxdoor and it's nowhere near as bad as the smitfraud infection, which malware experts manage to clean.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16919113
Disable System restore if using Xp Pro or winME http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
Then run ad-aware or other to clean. Once clean, migrate your account to a lesser privileged one, install an alternate browser, and be free from spy-ware.
-rich
0
 
LVL 10

Accepted Solution

by:GuruGary earned 500 total points
ID: 16921376
If you have tried the suggestions that are a direct answer to your question (by r-k and GuruGary) please post the results.  If you have not tried them, see if they give you the solution you want, or combine the 2 suggestions and use them both at the same time.

There is no 100% way to create an undeleteable file.  The best way I can think of is to open a handle to the file before anything else gets a chance to get to the file ... that way it would be in use and could not be deleted.  But then something could always come along after that and load something that deletes the file before you get to open the file ... or something could kill the process that has the open handle to the file.

The best approach is to fix the root cause of the file being created.  But as far as creating an "undeleteable" file, try combining multiple methods.  Create the file as a directory, set the file permissions, set the file attributes, set ownership, open a handle to the file.  And making a directory with the file name has additional advantages, as you can put files in the directory and do some additional tricks, like create a file with an invalid file name inside the directory.  The directory will not be able to be deleted until all the files in the directory are deleted.  One way to create an invalid filename is to use the "\\?\" access to create a file named "LPT1" or some other reserved name that is very difficult to delete.  To do this, open a command prompt and use a command like:
copy con "\\?\c:\windows\aurora.exe\lpt1"
then type in some text followed by [Ctrl]+Z and [Enter] to create the file (this assumes the "undeleteable" file you want to create is "C:\Windows\aurora.exe" and you have created a directory with that name).  This will create a file named LPT1 in the directory "aurora.exe" which cannot be deleted by Windows.  
0
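As an added example, not code from the thread or from any of its participants, the following Windows PowerShell combines the two suggestions that directly answer the question: r-k's "remove rather than deny" ACL steps (comment ID 16874755) and GuruGary's directory plus reserved-name file (the accepted solution above). It assumes an elevated session on a Windows box and a target path without spaces; `C:\Windows\aurora.exe` is the name used in the thread, and the function names are mine. The open-handle step is not included. The second function undoes the placeholder and makes the defender's caveat concrete: a reserved-name file created through the `\\?\` prefix can be removed through the same prefix, so this blocks tools that do not use it, not anyone who knows the trick. The same removal sequence cleans up a reserved-name file that malware has planted.

```powershell
# Added example, not code from the thread. Assumes an elevated Windows
# PowerShell session and a target path without spaces; the path
# 'C:\Windows\aurora.exe' used below is the name from the thread.

function New-PlaceholderDirectory {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Occupy the name with a directory (GuruGary's first suggestion):
    #    a dropper that expects to overwrite a file usually fails on a folder.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # 2. Keep the directory non-empty with a reserved-name file. The \\?\
    #    prefix turns off Win32 name parsing, so "LPT1" is stored as an
    #    ordinary name that tools without the prefix cannot open or delete.
    #    cmd.exe is used because the PowerShell file provider rejects \\?\ paths.
    cmd.exe /c "echo placeholder > \\?\$Path\LPT1"

    # 3. Read-only, system and hidden attributes: a speed bump only, since
    #    any administrator can clear them again with attrib.
    attrib +r +s +h "$Path"

    # 4. Hand ownership to SYSTEM while the inherited ACEs still grant
    #    WRITE_OWNER, then strip the inherited ACEs (r-k's "remove" instead
    #    of "deny"). An empty DACL grants nobody access, so even an
    #    administrator must take ownership before changing anything.
    icacls "$Path" /setowner "NT AUTHORITY\SYSTEM" | Out-Null
    icacls "$Path" /inheritance:r | Out-Null
}

function Remove-PlaceholderDirectory {
    param([Parameter(Mandatory)][string]$Path)

    # Undo in reverse order: take ownership back (needs the admin's
    # SeTakeOwnershipPrivilege), restore access as the new owner, clear the
    # attributes, delete the reserved-name file through the same \\?\
    # prefix that created it, and finally remove the directory.
    takeown /F "$Path" | Out-Null
    icacls "$Path" /grant "Administrators:F" | Out-Null
    attrib -r -s -h "$Path"
    cmd.exe /c "del \\?\$Path\LPT1"
    Remove-Item -LiteralPath $Path -Force
}

# Usage with the assumed path from the thread:
# New-PlaceholderDirectory -Path 'C:\Windows\aurora.exe'
# Remove-PlaceholderDirectory -Path 'C:\Windows\aurora.exe'
```

Ownership is changed before the inherited ACEs are removed because the calling administrator needs WRITE_OWNER for the first step and WRITE_DAC for the second; both come from the inherited Full Control entry, which is gone after `/inheritance:r`. For cleanup, `takeown` and `icacls /grant` restore exactly those rights, which is also the order to use on a directory that malware has locked the same way.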
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17293148
I suggest a

Delete - No Refund
0
 

Author Comment

by:NoahVail
ID: 17293390
rpggamergirl - FYI - I did run across a variant of Aurora that contained a rootkit component.  
It was an Aurora infection.
It contained the Nail.exe hook.
It was the first rootkit I ever saw, in fact at the time, rootkits were still somewhat obscure.  I was able to locate it using the sysinternals rootkit detector (I think, the only time it ever worked for me).  I had a system with a recurring infection.  I took it everywhere with me and benched it every opportunity to try to figure out how this system kept reinfecting itself.  
The scan for rootkit was a shot in the dark after 40 hours of everything else.  I had never heard of rootkits before.

What an awakening.

Anyhoo, if I could get everyone to stop debating why I shouldn't have an undeleteable file and just offer the best option for creating such a beast, I would be grateful.  Just forget why I want it anymore and let my reasons be my own.

Which it looks like GuruGary tried the hardest to do on my behalf.  Very nice solution, I'll try it next time 'round.
Thanks GG!

FYI - II
One problem-ware I was battling stripped my permissions from my file after I set it to EVERYONE - DENY and then overwrote it with its own stuff.

Some of the stuff I battle isn't malware, the coders and I have different ideas on what should happen in my systems.

I had lots of input here.  Thanks to all who took the time to respond.
You guys keep EE from being a dismal disappointment (which it sometimes is).

NV
0
 

Author Comment

by:NoahVail
ID: 17293393
It was the Sony DRM fiasco that alerted me to rootkits and prompted me to first scan for one.

NV
0
 

Author Comment

by:NoahVail
ID: 17293413
rpggamergirl - Your post deserves more than the cursory reading I gave it.  I'd be interested in hearing more about what you know about rootkits.  If you ever expound or have a recommended reading I'd like to learn more; I've had a time trying to stay ahead.

Thanks.
NV
noahvail
at
hotmail.com
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17293853
There are many articles about rootkits around, just google it. I help at other forums and I've seen a few. When rootkits are present, it's more sensible to format the drive than take the risk of compromising the system security.
A few rootkits now target Blacklight and Rootkit Revealer, even the pe386 rootkit targets hijackthis as well. So that means those kinds of rootkits are able to hide from those scans, luckily not all of them can and there is one recent rootkit scanner that hasn't been targeted yet.

Haven't seen a new variant of nail around for a long while. Some variants of Vundo also have rootkit capabilities. Recently there are more rootkits showing up in logs than any variant of aurora/nail. Also new variants of HackerDefender/SDBot have surfaced very recently.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17295324
The principle of least privilege will keep 99.99999% of these root kits, spyware, and issues off your PC's. To be certain, there are tasks, and even programs, that don't run unless they have admin rights; however, there are a few built-in tools to help you do this, as well as dozens of 3rd parties. The transition is easy, the commitment is the hardest part. However, not having to scan for viri/rootkits and not worrying about your personal information is well worth it.
http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html
http://xinn.org/win_bestpractices.html
http://www.xinn.org/annoyance_spy-ware.html
http://nonadmin.editme.com/WhyNonAdmin
-rich
0
