Wednesday, July 18, 2012

Virus Created Its Own Partition

I ran into a first yesterday. As seems to happen on a somewhat regular basis, a client had a virus-infected computer. One of the tools I normally rely on is TDSSKiller.exe from Kaspersky. It removes most rootkits that infect the boot sector of a hard drive, and it is one of the few that checks the boot sector of non-boot drives, so you can use it when a drive is externally attached.

In this case, TDSSKiller.exe identified Rootkit.boot.SST.b. When the software attempted to clean it, it didn't display any errors, but the log indicated that it couldn't be cleaned.

Some web sites suggested downloading Kaspersky Rescue Disk to remove it. This is a bootable Linux CD/USB image. Basically, it accomplishes the same thing as placing the drive in an external case: it prevents any malware on the drive from loading during the boot process. This tool also found the rootkit, but couldn't remove it.

I also tried booting up in the XP recovery console and using FixMBR, which appeared to work, but the rootkit was still there.

The final fix was referenced by a few web sites. This rootkit created its own partition and inserted it into the boot process. None of the repair tools understood this altered boot process and therefore could not repair it.

On this computer, the OS partition was 40 GB and a 100 MB partition had been created after it. The 100 MB partition was marked active and therefore was used to start the boot process. When viewed from within Disk Management, the partition type was unknown. The fix was to remove the extra 100 MB partition and then mark the OS partition as active. After this, the rootkit was gone.
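The layout described above (a small active partition of unknown type sitting after the OS partition) can be spotted by reading the four MBR partition entries directly. The following is an added example, not a tool from the post or from Kaspersky; the "known" type-ID set and the sample MBR are constructed here, and the remediation only rewrites an in-memory copy, which is what Disk Management or GParted does on the real disk when you delete the extra partition and set the OS partition active.

```python
import struct

MBR_SIZE, TABLE_OFFSET, ENTRY_SIZE, BOOT_FLAG, SECTOR = 512, 446, 16, 0x80, 512
# Partition type IDs a repair tool expects on an XP/7-era disk (assumption:
# anything outside this small set is treated as "unknown", as Disk Management did).
KNOWN_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x05: "Extended",
               0x0F: "Extended LBA", 0x27: "Windows RE", 0x82: "Linux swap",
               0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(mbr):
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i, "active": status == BOOT_FLAG, "type": ptype,
                          "start": start, "sectors": count, "mb": count * SECTOR // 2**20})
    return parts

def find_rogue_active(parts):
    """Flag an active partition with an unknown type ID that lies after the largest
    (OS) partition. A legitimate Win7 system partition is NTFS and precedes the OS."""
    if not parts:
        return None
    os_part = max(parts, key=lambda p: p["sectors"])
    for p in parts:
        if p["active"] and p["type"] not in KNOWN_TYPES and p["start"] > os_part["start"]:
            return p
    return None

def remediate(mbr, rogue, os_index):
    """Copy of the MBR with the rogue entry zeroed and only the OS entry marked active."""
    out = bytearray(mbr)
    roff = TABLE_OFFSET + rogue["index"] * ENTRY_SIZE
    out[roff:roff + ENTRY_SIZE] = bytes(ENTRY_SIZE)
    for i in range(4):
        out[TABLE_OFFSET + i * ENTRY_SIZE] = BOOT_FLAG if i == os_index else 0
    return bytes(out)

def sample_mbr():
    """Constructed MBR: 40 GB NTFS OS partition, then a 100 MB active unknown-type one."""
    os_sectors = 40 * 2**30 // SECTOR
    rogue_sectors = 100 * 2**20 // SECTOR
    entries = struct.pack("<B3xB3xII", 0x00, 0x07, 2048, os_sectors)
    # 0x7A is a constructed type ID outside KNOWN_TYPES, not the real rootkit's value
    entries += struct.pack("<B3xB3xII", BOOT_FLAG, 0x7A, 2048 + os_sectors, rogue_sectors)
    return bytes(TABLE_OFFSET) + entries + bytes(32) + b"\x55\xAA"
```

On a real machine the 512-byte sector would come from an offline read of the drive (e.g. from a rescue CD), never from inside the infected OS, for the reason given in the comments below.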

Based on reading other web sites, the size of this partition may vary. I saw references to a small partition that is only a few MB. I'm guessing the virus authors changed it to 100 MB so that it is easily confused with the 100 MB partition used by Windows Vista and Windows 7. Also, I can only assume that a larger partition provides more space to hide malware that is introduced during the boot process.

After removing the rootkit, there was still a bunch of other malware that I removed with MalwareBytes and SuperAntiSpyware. In the end, the only thing lost was some Start Menu shortcuts.

Realistically, I should have just wiped it and rebuilt it, but after putting in an hour or so, it became competitive and I just wanted to win.


8 comments:

  1. Excellent post. I am dealing with rootkit.boot.sst.b problem and did notice due to your post that I have a 10mb partition active over my 298GB Windows 7 Partition. I was ready to delete the small active portion and set the other active, but my small partition is labeled: Healthy (Active, Primary Partition). Is this safe to delete? Not the problem?

  2. Mine was also labeled Healthy (Active, Primary). For mine the partition type was labeled as unknown. That was the big tip off it was not legitimate.

    So, while I can't guarantee yours is hosting the rootkit, I think it's likely.

    Replies
    1. Thank you for such a prompt response. My last question before I do it: if I delete it and there is no rootkit, will I be deleting something important or crucial that I will regret?

    2. That's the million dollar question!

      Generally, for Windows 7, there is a 100 MB system partition that the OS starts from and then a large boot partition that contains the OS. The 100 MB partition is the one that should be active.

      I am unaware of any 10MB partition created after the OS partition that has any usefulness. However, I can't guarantee it. If the 10MB partition is used for anything, it would be utilities from your computer vendor. Not critical stuff.

      You also have the option afterwards to boot from the Windows 7 DVD and let it do a startup repair. They did a very nice job with that tool in Win 7.

  3. I should also note that I was changing the partition by using the Ultimate Boot CD that I keep on hand, not live within the OS. If you do it live within the OS, I'm guessing that the rootkit may see it and put itself back.

    I saw that others used the GParted live CD to do the partitioning work.

  4. Byron,
    On your recommendation, I looked deeper into the partition. Luckily, I am three weeks into working with my company and a few coworkers that started with me have the exact same programs downloaded and computers. So identical that our main partitions were 298.01 and 298.02 respectively. This gave me the luxury of seeing the differences between our partitions. Sure enough, he did not have the 10MB partition and I GParted in and took out the 10MB partition (which was labeled as contaminated).
    While I was doing so, there was an unlabeled partition that showed up but brought no warning. I left it so as to take it one step at a time. I'm proud to say I have scanned with TDSSKiller, ESET NOD32, and the Kaspersky Rescue Disc again. No detection of the virus. I left the unwritten untouched as to not spoil a good thing.
    Thank you so much for your comments on the virus and suggestions. They directed me to the correct resources instead of installing a plethora of random, unordered, and potentially dangerous programs. Our IT guy is busy with so many things, it's difficult to get him to understand the urgency of trying to work while dealing with the infection's behavior.
    For anyone else dealing with the same problem and looking for a detailed way of using GParted, I recommend http://community.norton.com/t5/Tech-Outpost/Rootkit-Boot-SST-b-is-NOT-coming-off-PLEASE-help/td-p/588858 (scroll halfway down for a detailed step-by-step process)

  5. After all of the searching I did on this little bugger, your blog tipped me off to the extra partition. Mine was 10 MB and I was able to delete it using the disk manager in Windows. I should note, only after removing a ton of malware from the system first. Scanned again with Kaspersky Rescue Disk and now no more trojan. Thanks for the tip.

  6. Thanks for the post. I had a client PC that I spent hours on today! Then I saw this. I had a 10MB partition in Windows set aside for this thing. I just made the C: partition active and deleted the other.
