• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1153

Root Kit on Domain Controller

I would like to know if these results allow us to safely conclude that the server has a rootkit, and whether or not there is a way to determine how it got there, how much access the rootkit allows for, and whether or not there is a way to tell if any of the data has been compromised. RealVNC has been on the server since 2004 and no one ever updated the software; there have been hundreds of people trying to log in to it from all over, and I know that there are some exploits for older versions. Also, I know that the server has not been patched for well over 2 years. The guy that took care of the IT at this company was mostly here for desktop support. Also, I would like to know about our legal obligations to inform customers of these findings. The first scan is from Virginity Verifier; RootkitRevealer results are in an attached file. gmer results are also in an attached file. SUPERAntiSpyware found Worm.evilbot-B.
Any help that you may provide will be greatly appreciated!!!
verifying module: [        ntoskrnl.exe]  0%... -
verifying module: [          ftdisk.sys]  9%... -
verifying module: [            disk.sys] 17%... -
verifying module: [            Ntfs.sys] 20%... \
verifying module: [            NDIS.sys] 21%... |
verifying module: [             TDI.SYS] 41%... /
verifying module: [           tcpip.sys] 62%... \
verifying module: [             afd.sys] 65%... \
verifying module: [           ntdll.dll] 92%... -
verifying module: [        kernel32.dll] 93%... \
verifying module: [        ADVAPI32.dll] 95%... \
verifying module: [           PSAPI.DLL] 97%... /
verifying module: [          WS2_32.dll] 97%... -
verifying module: [          USER32.dll] 99%... |
                                                           
ntoskrnl.exe         (80800000 - 80a75000)... suspected! (verdict = 5).
module ntoskrnl.exe [0x80800000 - 0x80a75000]:
 0x80834d38 (section .text)   5 byte(s):
  JMPing code (jmp to: 0xf71d8bab)
  address 0xf71d8bab is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :2b e1 c1 e9 02
  memory :e9 73 3e 9a 76
  verdict = 2

 0x80834e4c (section .text)   1 byte(s):  exclusion filter: KiSystemCallExitBranch() [05->06]
  file   :05
  memory :06
  verdict = 1

 0x8083ab62 (section .text)  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x8083ab7a (section .text)   1 byte(s):  exclusion filter: KeFlushCurrentTb() [c3->00]
  file   :c3
  memory :00
  verdict = 1

 0x8083b0e7 (section .text) [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
  file   :c3
  memory :90
  verdict = 1

 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  file   :78 3f 9a 80
  memory :48 d6 86 8a
  verdict = 5

 0x8083fcb4 [KiServiceTable[14]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8266a0 DOES NOT belong to ANY MODULE!
  file   :2d 93 91 80
  memory :a0 66 82 8a
  verdict = 5

 0x8083fcc4 [KiServiceTable[18]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c4468 DOES NOT belong to ANY MODULE!
  file   :2b 2d 85 80
  memory :68 44 7c 8a
  verdict = 5

 0x8083fce8 [KiServiceTable[27]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d818 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :ce ae 92 80
  memory :18 d8 44 f7
  verdict = 2

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :9f f6 93 80
  memory :30 d3 e6 b9
  verdict = 2

 0x8083fd30 [KiServiceTable[45]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d3f8 DOES NOT belong to ANY MODULE!
  file   :50 1b 94 80
  memory :f8 d3 86 8a
  verdict = 5

 0x8083fd38 [KiServiceTable[47]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf7441a20 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :73 c6 8c 80
  memory :20 1a 44 f7
  verdict = 2

 0x8083fd58 [KiServiceTable[55]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7e6648 DOES NOT belong to ANY MODULE!
  file   :51 58 91 80
  memory :48 66 7e 8a
  verdict = 5

 0x8083fda8 [KiServiceTable[75]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422a8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :5d fc 93 80
  memory :a8 22 44 f7
  verdict = 2

 0x8083fdb0 [KiServiceTable[77]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d910 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :20 00 94 80
  memory :10 d9 44 f7
  verdict = 2

 0x8083fdd8 [KiServiceTable[87]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824af0 DOES NOT belong to ANY MODULE!
  file   :10 41 85 80
  memory :f0 4a 82 8a
  verdict = 5

 0x8083fdf0 [KiServiceTable[93]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d4c8 DOES NOT belong to ANY MODULE!
  file   :5d d2 90 80
  memory :c8 d4 86 8a
  verdict = 5

 0x8083fdf8 [KiServiceTable[95]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d588 DOES NOT belong to ANY MODULE!
  file   :5f 0f 91 80
  memory :88 d5 86 8a
  verdict = 5

 0x8083fe40 [KiServiceTable[113]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a885828 DOES NOT belong to ANY MODULE!
  file   :76 16 93 80
  memory :28 58 88 8a
  verdict = 5

 0x8083fe5c [KiServiceTable[120]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d338 DOES NOT belong to ANY MODULE!
  file   :46 48 93 80
  memory :38 d3 86 8a
  verdict = 5

 0x8083fe70 [KiServiceTable[125]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d8c0 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
  file   :b7 e0 93 80
  memory :c0 d8 e6 b9
  verdict = 2

 0x8083fe80 [KiServiceTable[129]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a83da50 DOES NOT belong to ANY MODULE!
  file   :03 4b 93 80
  memory :50 da 83 8a
  verdict = 5

 0x8083fe98 [KiServiceTable[135]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a9634d8 DOES NOT belong to ANY MODULE!
  file   :5c d8 91 80
  memory :d8 34 96 8a
  verdict = 5

 0x8083feb8 [KiServiceTable[143]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xba26b280 is inside wpsdrvnt.sys module [0xba266000-0xba274000]
  target module path: \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
  file   :8c 10 94 80
  memory :80 b2 26 ba
  verdict = 2

 0x8083fed0 [KiServiceTable[149]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf71d77b0 is inside SysPlant.sys module [0xf71d3000-0xf71ef000]
  target module path: SysPlant.sys
  file   :34 0f 94 80
  memory :b0 77 1d f7
  verdict = 2

 0x8083ff18 [KiServiceTable[167]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf74422c8 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :21 f3 93 80
  memory :c8 22 44 f7
  verdict = 2

 0x8083ff60 [KiServiceTable[185]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d866 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :7e cb 93 80
  memory :66 d8 44 f7
  verdict = 2

 0x8083ffd4 [KiServiceTable[214]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a821820 DOES NOT belong to ANY MODULE!
  file   :6b 5e 91 80
  memory :20 18 82 8a
  verdict = 5

 0x8083fff0 [KiServiceTable[221]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a963418 DOES NOT belong to ANY MODULE!
  file   :1a 41 8f 80
  memory :18 34 96 8a
  verdict = 5

 0x80840030 [KiServiceTable[237]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a869860 DOES NOT belong to ANY MODULE!
  file   :39 b6 91 80
  memory :60 98 86 8a
  verdict = 5

 0x80840034 [KiServiceTable[238]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c1460 DOES NOT belong to ANY MODULE!
  file   :6a 73 92 80
  memory :60 14 7c 8a
  verdict = 5

 0x80840064 [KiServiceTable[250]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xf744d0b0 is inside d347bus.sys module [0xf7440000-0xf7466000]
  target module path: d347bus.sys
  file   :80 f3 9c 80
  memory :b0 d0 44 f7
  verdict = 2

 0x80840094 [KiServiceTable[262]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d278 DOES NOT belong to ANY MODULE!
  file   :bd 3e 9a 80
  memory :78 d2 86 8a
  verdict = 5

 0x80840098 [KiServiceTable[263]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a8267a8 DOES NOT belong to ANY MODULE!
  file   :8e 43 8f 80
  memory :a8 67 82 8a
  verdict = 5

 0x808400a4 [KiServiceTable[266]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e18f20 is inside SASKUTIL.sys module [0xb9e10000-0xb9e31000]
  target module path: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
  file   :8d 28 91 80
  memory :20 8f e1 b9
  verdict = 2

 0x808400a8 [KiServiceTable[267]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a7c13a0 DOES NOT belong to ANY MODULE!
  file   :6b 1b 92 80
  memory :a0 13 7c 8a
  verdict = 5

 0x808400d0 [KiServiceTable[277]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86a218 DOES NOT belong to ANY MODULE!
  file   :b2 36 93 80
  memory :18 a2 86 8a
  verdict = 5

 0x808400f8 [KiServiceTable[287]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a824bc0 DOES NOT belong to ANY MODULE!
  file   :89 a9 91 80
  memory :c0 4b 82 8a
  verdict = 5

module ntoskrnl.exe: end of details
ntdll.dll            (7c800000 - 7c8c0000)... innocent hooking (verdict = 2).
module ntdll.dll [0x7c800000 - 0x7c8c0000]:
 0x7c8211fd (section .text) [NtCreateFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617752cb)
  address 0x617752cb is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 ce 40 f5 e4
  verdict = 2

 0x7c82123d (section .text) [NtCreateKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775305)
  address 0x61775305 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 c8 40 f5 e4
  verdict = 2

 0x7c8212fd (section .text) [NtCreateThread()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177533f)
  address 0x6177533f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 42 40 f5 e4
  verdict = 2

 0x7c82139d (section .text) [NtDeleteFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775379)
  address 0x61775379 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 dc 3f f5 e4
  verdict = 2

 0x7c8213cd (section .text) [NtDeleteValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753b3)
  address 0x617753b3 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 e6 3f f5 e4
  verdict = 2

 0x7c82169d (section .text) [NtMapViewOfSection()+5]   5 byte(s):
  JMPing code (jmp to: 0x617753ed)
  address 0x617753ed is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 50 3d f5 e4
  verdict = 2

 0x7c82172d (section .text) [NtOpenFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775427)
  address 0x61775427 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 fa 3c f5 e4
  verdict = 2

 0x7c82175d (section .text) [NtOpenKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775461)
  address 0x61775461 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 04 3d f5 e4
  verdict = 2

 0x7c821c0d (section .text) [NtRenameKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177549b)
  address 0x6177549b is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 8e 38 f5 e4
  verdict = 2

 0x7c821e1d (section .text) [NtSetInformationFile()+5]   5 byte(s):
  JMPing code (jmp to: 0x617754d5)
  address 0x617754d5 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 b8 36 f5 e4
  verdict = 2

 0x7c821f8d (section .text) [NtSetValueKey()+5]   5 byte(s):
  JMPing code (jmp to: 0x6177550f)
  address 0x6177550f is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 82 35 f5 e4
  verdict = 2

 0x7c82202d (section .text) [NtTerminateProcess()+5]   5 byte(s):
  JMPing code (jmp to: 0x61775549)
  address 0x61775549 is inside SYSFER.DLL module [0x61750000-0x617b2000]
  target module path: C:\WINDOWS\SYSTEM32\SYSFER.DLL
  file   :ba 00 03 fe 7f
  memory :e9 1c 35 f5 e4
  verdict = 2

module ntdll.dll: end of details

SYSTEM INFECTION LEVEL: 5
    0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

rootkit-revealer.bmp
gmer.log
Asked by: Michaelgoff79
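The Virginity Verifier output quoted in the question is the core evidence in this thread, so an added worked example follows. It is not part of the original post and is not code from the tool or its author: a small Python parser for that report format, driven by a constructed sample that excerpts three of the ntoskrnl.exe findings above. It assumes the layout shown (a `module … [start - end]:` header, finding headers indented by one space, detail lines by two) and treats the tool's verdict scale as opaque. Beyond parsing, it decodes each KiServiceTable entry's `file` and `memory` dwords as little-endian pointers, checks that the on-disk value lands inside the ntoskrnl.exe range (the original handler) while the in-memory value equals the hook target the tool reported, and separates hooks whose target no loaded module owns from hooks owned by a named driver.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: three ntoskrnl.exe findings excerpted from the Virginity Verifier
# report posted in the question, kept in the tool's own layout.
SAMPLE_REPORT = """\
module ntoskrnl.exe [0x80800000 - 0x80a75000]:
 0x80834e4c (section .text)   1 byte(s):  exclusion filter: KiSystemCallExitBranch() [05->06]
  file   :05
  memory :06
  verdict = 1

 0x8083fcb0 [KiServiceTable[13]]   4 byte(s):
  KiServiceTable HOOK:
  address 0x8a86d648 DOES NOT belong to ANY MODULE!
  file   :78 3f 9a 80
  memory :48 d6 86 8a
  verdict = 5

 0x8083fd28 [KiServiceTable[43]]   4 byte(s):
  KiServiceTable HOOK:
  address 0xb9e6d330 is inside SYMEVENT.SYS module [0xb9e59000-0xb9e79000]
  target module path: \\??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS
  file   :9f f6 93 80
  memory :30 d3 e6 b9
  verdict = 2

"""

MODULE_RE = re.compile(r"^module (\S+) \[0x([0-9a-f]+) - 0x([0-9a-f]+)\]:$")
FINDING_RE = re.compile(r"^ 0x([0-9a-f]+) (.*?)\s+(\d+) byte\(s\):(.*)$")
INSIDE_RE = re.compile(r"address 0x([0-9a-f]+) is inside (\S+) module")
ORPHAN_RE = re.compile(r"address 0x([0-9a-f]+) DOES NOT belong to ANY MODULE")
BYTES_RE = re.compile(r"^\s+(file|memory)\s*:(.*)$")


@dataclass
class Finding:
    module: str        # image whose bytes differ on disk vs. in memory
    address: int       # first modified byte
    location: str      # e.g. "[KiServiceTable[13]]" or "(section .text)"
    excluded: bool     # an exclusion filter matched: the tool treats it as benign
    verdict: int = 0   # the tool's 0..5 score for this finding
    target: Optional[int] = None         # where the patched code / pointer now leads
    target_module: Optional[str] = None  # None with a target set: no loaded module owns it
    file_bytes: bytes = b""
    memory_bytes: bytes = b""

    @property
    def ssdt_index(self) -> Optional[int]:
        m = re.search(r"KiServiceTable\[(\d+)\]", self.location)
        return int(m.group(1)) if m else None


def parse_report(text: str) -> Tuple[Dict[str, Tuple[int, int]], List[Finding]]:
    """Return ({module: (start, end)}, [findings]) from the verifier's text output."""
    modules, findings, module, cur = {}, [], "", None
    for line in text.splitlines():
        if m := MODULE_RE.match(line):
            module = m.group(1)
            modules[module] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := FINDING_RE.match(line):
            cur = Finding(module, int(m.group(1), 16), m.group(2).strip(), "exclusion filter" in m.group(4))
            findings.append(cur)
        elif cur is None or not line.strip():
            cur = None  # a blank line closes the current finding block
        elif m := INSIDE_RE.search(line):
            cur.target, cur.target_module = int(m.group(1), 16), m.group(2)
        elif m := ORPHAN_RE.search(line):
            cur.target, cur.target_module = int(m.group(1), 16), None
        elif m := BYTES_RE.match(line):
            setattr(cur, m.group(1) + "_bytes", bytes.fromhex(m.group(2).replace(" ", "")))
        elif m := re.search(r"verdict = (\d+)", line):
            cur.verdict = int(m.group(1))
    return modules, findings


def ssdt_consistency(modules, findings) -> List[dict]:
    """Per KiServiceTable entry: on-disk dword should point into the kernel image,
    in-memory dword should equal the reported hook target (both little-endian)."""
    rows = []
    for f in findings:
        if (idx := f.ssdt_index) is None:
            continue
        lo, hi = modules[f.module]
        original, current = int.from_bytes(f.file_bytes, "little"), int.from_bytes(f.memory_bytes, "little")
        rows.append({"index": idx, "original": original, "current": current,
                     "original_in_image": lo <= original < hi,
                     "current_matches_target": current == f.target,
                     "owner": f.target_module or "<no module>"})
    return rows


def triage(findings) -> dict:
    """Worst verdict, hooks with no owning module (the verdict-5 pattern), hooks per driver."""
    by_module: Dict[str, int] = {}
    orphans = []
    for f in findings:
        if f.target is None or f.excluded:
            continue
        if f.target_module is None:
            orphans.append(f.ssdt_index if f.ssdt_index is not None else hex(f.address))
        else:
            by_module[f.target_module] = by_module.get(f.target_module, 0) + 1
    return {"max_verdict": max((f.verdict for f in findings), default=0), "orphan_hooks": orphans,
            "hooks_by_module": by_module, "excluded": sum(f.excluded for f in findings)}
```

Read against the full report above: entries the tool excluded (verdict 1) are on its own known-benign list; service-table entries owned by a named driver (SYMEVENT.SYS, SASKUTIL.sys, wpsdrvnt.sys and d347bus.sys in this report) are the kind that installed security and system software registers, and can be reconciled against the software known to be on the box; the twenty-one entries whose target `DOES NOT belong to ANY MODULE` have no owner to check against, which is why the tool gives them its top verdict and why they, not the hooks with a named owner, are the footprint to treat as the rootkit's.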
3 Solutions
 
H_Harry Commented:
Hi,
Yes, you 100% do have a root kit on your Domain Controller. You also have the Worm.evilbot virus - sometimes known as bolgi.worm.
As to how it got there, you have pretty much answered your own question; as a penetration tester I see it every day - you have not patched your server for over two years. There is a plethora of remote and local vulnerabilities for Windows that patches are available for - if you are two years behind then almost anyone could download public code and exploit you. I notice in your screenshot that you have Daemon Tools installed - there is a nasty off-by-one 0-day exploit circulating in certain circles that will allow a user system rights when exploiting this service.
The attack could have come from an external source or an internal one. If you are pretty sure it is a very recent attack then you could undertake some forensic examinations but if it is not a recent  occurrence then this will be fruitless.
To do:
I would recommend that you take this DC off line and treat all your domain admin accounts as compromised. Format the server and put it back up - personally I would not trust any root kit removal tool but I have no real grounds to say this, it is just my personal opinion.
You will need to check all other servers and workstations to see if they are infected too - I would do this before changing any sensitive passwords - once you are sure you have removed any viruses/worms/root kit/Trojans examine all AD user accounts - the attacker will have left himself another way in. Remove or disable anything that you think shouldn't be there.
Remove all unneeded software from all DC's - by unneeded I mean anything that is not needed to make the DC function as a DC.
If you can use RDP instead of VNC, I would advise this also. There is an authentication bypass exploit in the public domain for VNC.
Implement a patching policy for the domain and specifically the domain controllers - although I suspect your problems are far deeper rooted than out-of-date software.
You should consider hiring a security consulting firm or pen testing firm to provide a tailored, detailed report for remedial measures.
As for your customers, it really depends on your setup whether you need to tell them - if you have VPNs to other people's sites then you maybe should make them aware of it - however, there will be a serious business decision to be made for this as it could have a big impact on the business.
If you comply with PCI requirements and this particular server falls under the PCI scope then yes, you will have to tell people affected - but all this is very dependent on your particular setup.
 
Hugh Fraser (Consultant) Commented:
If you have not been authorized to perform these scans of the systems, you're already treading on thin ice by doing the vulnerability scans. However foolish they have been exposing an unpatched system to hundreds of users (hopefully we're not talking about being exposed to the Internet), that does not give you the right to exploit these vulnerabilities to test for weaknesses. If this is indeed the case, I'd caution against telling them to protect yourself, and refrain from doing unauthorized tests in the future.

Having said that, given the SANS time-to-live stats, any unpatched Windows system exposed to the wild is almost guaranteed to be infected with something. The alarm for ntoskrnl.exe is disturbing, and if I were responsible for the system, I'd be taking it offline immediately, even if it incurs downtime on the network, since users' credentials are now potentially compromised. I would not have any faith in the DC backup images, since it's difficult to tell how long it's been compromised.

I'd re-deploy the DCs from a virgin image, and force users to change passwords at next login.

If in fact the DCs are exposed to the Internet, I'd be suggesting a network re-design.

Clearly, system and patch management needs to be addressed as well, along with some education for the administrators of the system.

 
H_Harry Commented:
Sorry, I have referred to the server as a DC but just re-read your post and you don't say it is a DC - the above still mostly applies though.
 
Michaelgoff79 (Author) Commented:
I should have specified earlier that I am the new sys admin for this company, and am willing to do whatever it takes to renew the integrity of their systems. Problem is that we are looking at basically reformatting the DC and all of the workstations. Then there is the question of what was compromised, the level of access for the rootkit(s) and whether any of their data has been compromised.
 
Hugh Fraser (Consultant) Commented:
I also read it as a Domain Controller from the subject line. And definitely, an engagement with a security consulting firm to do a thorough audit should be done.

You should also consider installing an IPS, or at the least an IDS, at appropriate points to identify any unusual traffic.
 
Michaelgoff79 (Author) Commented:
I have run some tests on the workstations and it appears as though the workstations have rootkits as well, considering that I am getting the same returns from the same scans on various machines. RootkitRevealer won't run, gmer has some reports of infected files and Virginity Verifier shows DEEPRED on ntoskrnl.exe, so the plan is to rebuild the domain controller with a fresh image, and all of the workstations as well. All port forwarding has been stopped, a Snort box will be put in place, all passwords will be changed, the wireless router will be replaced (WEP -> WPA2 AES), and some user education is due in the near future.
 
H_Harry Commented:
Sounds like you are going in the right direction.
Don't forget to check your network infrastructure devices too - attackers often create user accounts on these to provide a backdoor to the domain at a later date. Getting 'enable' on a switch/router/firewall will lead to domain admin in a very short space of time regardless of patch level or secure working practices; however, they are often overlooked by incident response teams, domain admins etc.
Good luck with your cleanup - sounds like you have a horrendous task on your hands :-\
 
Hugh Fraser (Consultant) Commented:
Excellent steps. Sorry about your luck inheriting this.

Note that Snort can be run in an inline mode with 2 NICs. An IPS installed in a working network almost always disrupts traffic, which generally attracts the wrong kind of attention to the security group.

You're in the fortunate (?) position of having a network that's already disrupted, making it an ideal time to install an IPS. If you have the time, I'd jump at the opportunity.

And while you're at it, throw a network profiling tool like NTOP into the mix so that you can see trends in the network.