Re: Rogue Kernel Driver ierk8243.sys may be novel Trojan
From: Matt Scarborough (vexversa@VERIZON.NET)
Date: 01/27/03
Date: Mon, 27 Jan 2003 10:27:09 +0000
From: Matt Scarborough <vexversa@VERIZON.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
This "ierk8243.sys" rootkit sounds a lot like "Hacker Defender." It
could have been installed for example by using the following INI file
CMD /K C:\WINNT\SYSTEM32\DRIVERS\ierk8243.sys ierk8243.ini
=====ierk8243.ini=====
[Hidden Table]
ierk8243*
RPCRDR.EXE
[Root Processes]
hxdef*
ierk8243*
[Hidden Services]
ierk8243*
[Hidden RegKeys]
ierk8243
LEGACY_IERK8243
[Hidden RegValues]
[Startup Run]
[Settings]
Password=ierk8243
BackdoorShell=RPCRDR.EXE
ServiceName=ierk8243
DisplayName=ierk8243
ServiceDescription=ierk8243
[Comments]
======
Similar symptoms of some similar kind of rogue driver have been reported
in the microsoft.public.* NNTP groups.
If it is Hacker Defender, Handle v2.01 will detect it.
Copyright (C) 1997-2001 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
<Non-existant Process> pid: 488 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
80: Section \BaseNamedObjects\_.-=[Hacker Defender]=-._
------------------------------------------------------------------------------
The backdoor is slick. It listens on mapped ports already opened on the
victim (such as IIS or Exchange) for a unique 32 byte value containing
the password as in,
0000
0010
0020 00 00 04 05 00 50 8f 49 24 fa 00 2c 3d 79 50 18 .....P.I$..,=yP.
0030 44 70 f8 c5 00 00 01 fe 3c 6c 6a ff 99 a8 34 83 Dp......<lj...4.
0040 38 24 a1 a4 f2 11 5a d3 18 8d bc c4 3e 40 07 a4 8$....Z.....>@..
0050 28 d4 18 48 fe 00 (..H..
Hacker Defender is available for download at ZDNet and CNet or
http://rootkit.host.sk/
and runs on NT4, XP, and Win2k. Source code for a similar nasty is
available at
http://www.rootkit.com/projects/he4hook/
(which might explain the masquerading VERSION_INFO).
Versions released on January 10, 2003 will also run in Safe Mode (and
thus hide processes in Safe Mode.) As you mention, if the Service Name
can be determined, importing something (Regedit.exe /S) will change the
startup to disabled.
====
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ierk8243]
"Start"=dword:00000004
=====
The rootkit's kernel mode driver will need to be disabled and the box
rebooted before these entries are visible. (Again reminding about hidden
tables and processes in the INI file.) Registry clean up requires taking
ownership of keys similarly named as those below also created in
ControlSet001 and ControlSet002.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IERK8243]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IERK8243\0000]
"Service"="ierk8243"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="ierk8243"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ierk8243]
"Type"=dword:00000010
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,\
00,72,00,73,00,5c,00,69,00,65,00,72,00,6b,00,38,00,32,00,34,00,33,00,2e,00,\
73,00,79,00,73,00,20,00,69,00,65,00,72,00,6b,00,38,00,32,00,34,00,33,00,2e,\
00,69,00,6e,00,69,00,00,00
"DisplayName"="ierk8243"
"ObjectName"="LocalSystem"
"Description"="ierk8243"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ierk8243\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
<snip>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ierk8243]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ierk8243]
@="Service"
I'd consider a box like this pretty much owned and in need of a good
nuking. But that's just me.
Matt Scarborough 2003-01-27
On Sun, 26 Jan 2003 17:29:38 -0500, "Barron Mertens" wrote
<000001c2c58a$69ae1410$792a6481@edu.uwo.ca>
> Approximately around Jan 10 2003 our main database cluster began
> experiencing random unexplained "blue screen of death" crashes. The blue
> screen claimed that the component that had failed was called
> ierk8243.sys and this was the cause on both machines (Win2Ksp3 and
> SQL2000sp2). Inspection of those machines and even google returned no
> matches for that file or anything close (other than someone's email
> address in Iceland I think). I bit the bullet (credit card?) and called
> in Microsoft Premium Support Services after I ran out of ideas and had
> suffered through too many crashes. After a week of analyzing dump files
> we had a breakthrough when someone else showed up with the same problem,
> that person discovered that if you reboot into safe mode and search the
> registry that there is a kernel level (like a hardware device driver)
> driver called ierk8243.sys installed and you can also then find the file
> on the hard drive in the %systemroot%\system32\drivers folder. While the
> driver is running you cannot find it in the registry or on the file
> system or on a list of running processes, booting into safe mode
> prevents the driver from loading. The file's properties read as a
> standard MS file belonging to the original OS install, including the
> timestamp info. To kill the driver just change the startup value to 4
> (disabled) in the registry and rename the file. MS and NAI and
> TrendMicro are analyzing the file to see what it was doing and hopefully
> they can figure out how it got in. The only info to come out of the
> analysis so far is it might have been using port 961 and this MAY be a
> Trojan horse related to "Backdoor/Alley" which is quite obscure. We have
> found this code on four machines altogether, all administered by myself
> and all running SQL Server (not sure who is guilty), two machines were
> Win2k Advanced Server and two were XP Pro.
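A triage helper, added here and not part of Matt's post or of Hacker Defender's own tooling, that parses a REGEDIT4 export like the one above: it undoes the line wrapping, decodes the hex(2) ImagePath (REG_EXPAND_SZ stored as UTF-16LE) back into a readable path plus argument, and reports whether the service is set to disabled and what it is launched with. The sample export is constructed from the values quoted in the post; the function names are my own.

```python
# Constructed sample: the Services key and ImagePath bytes quoted in the post.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ierk8243]
"Type"=dword:00000010
"Start"=dword:00000004
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,\
  00,72,00,73,00,5c,00,69,00,65,00,72,00,6b,00,38,00,32,00,34,00,33,00,2e,00,\
  73,00,79,00,73,00,20,00,69,00,65,00,72,00,6b,00,38,00,32,00,34,00,33,00,2e,\
  00,69,00,6e,00,69,00,00,00
"""
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver",
                 0x10: "win32 own process", 0x20: "win32 share process"}

def _logical_lines(text):
    """Undo .reg line wrapping: a trailing backslash continues the value."""
    return [l.strip() for l in text.replace("\\\n", "").splitlines()]

def decode_value(raw):
    """Decode one REGEDIT4 value: "string", dword:, or hex(N): byte list."""
    if raw.startswith('"'):
        return raw.strip('"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    kind, _, hexlist = raw.partition(":")          # e.g. "hex(2)" = REG_EXPAND_SZ
    data = bytes(int(b, 16) for b in hexlist.split(",") if b.strip())
    if kind in ("hex(1)", "hex(2)", "hex(7)"):     # string types are UTF-16LE
        return data.decode("utf-16-le").rstrip("\0")
    return data

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith(('"', "@")):
            name, raw = line.split("=", 1)
            current["@" if name == "@" else name.strip('"')] = decode_value(raw)
    return keys

def triage_service(keys, name):
    """Summarise a Services\\<name> key: type, load state and launch arguments."""
    svc = next((v for k, v in keys.items()
                if k.lower().endswith("\\services\\" + name.lower())), None)
    if svc is None:
        return None
    image, _, args = svc.get("ImagePath", "").partition(" ")
    return {"image": image, "args": args,
            "type": SERVICE_TYPES.get(svc.get("Type"), "unknown"),
            "disabled": svc.get("Start") == 4,             # SERVICE_DISABLED
            "ini_argument": args.lower().endswith(".ini")}  # started with its INI
```

Run it against a real export taken from Safe Mode (or after the driver is stopped), since, as the post notes, the key is hidden while the rootkit is active.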