24 August 2007

My brother's rootkit woes

My brother's wife's laptop had started redirecting IE to http://hp-desktop.aol.com/. Changing the Home Page to anything else failed in all attempts, and failed insidiously when he changed it manually through the registry: within a second, the old value was back. I was at first puzzled as to why a rootkit would redirect to an apparently innocuous site, but realized that redirecting to a spammy site would be too obvious.

Jeff Atwood over at Coding Horror had recently detailed his unfunny exploits with cleaning up a spyware infestation and his assessment of the state of Windows security re rootkits. Both, along with their discussion threads, are valuable reading. His three dictums on security:

  1. Stop Running As Administrator
  2. Traditional Anti-Virus Doesn't Work Any More
  3. The Mainstreaming of Virtual Machine Sandboxes

WRT rootkits, the standard recommendation is always RootkitRevealer from Sysinternals. It's a raw interface that merely points to possible problems and offers no recommendations, but it comes from a reputable source. Google should be enough to find follow-up info anyway. An Information Week article recommended the freeware tool RootKit-Unhooker. Despite its oddly inconsistent CamelCase, it looks like a good tool.

On the infected laptop, RootkitRevealer revealed one item of suspicion: HKLM\SOFTWARE\Microsoft\Window\CurrentVersion\MSSYCLM\Start. A search on "MSSYCLM" brought up the thread "Topic: ACEWSUWMB.EXE" at Sysinternals. It could be a false positive, but it could also be owned by the Winhound adware/malware.
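As an added illustration (not code from the original post), here is a PowerShell check for the two symptoms described above: a Start Page value that is silently restored within a second of being changed, and the registry key RootkitRevealer flagged. It assumes the IE home page lives at the standard `HKCU:\Software\Microsoft\Internet Explorer\Main` value `Start Page`, that the hijack value is the AOL URL named in the post, and that the flagged path is spelled the standard way (`...\Windows\CurrentVersion\MSSYCLM`); the probe value `about:blank` and the 2-second wait are my choices.

```powershell
# Added example, not from the original post. Run as the affected user on the
# affected machine. Assumptions: standard IE Start Page location; hijack URL and
# suspect key taken from the post (key path spelled with the usual "Windows").
$IeMain      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$HijackValue = 'http://hp-desktop.aol.com/'      # value the post reports
$ProbeValue  = 'about:blank'                     # harmless value we try to set
$SuspectKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM'  # flagged by RootkitRevealer

function Get-StartPage {
    (Get-ItemProperty -Path $IeMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
}

# 1. Is the current home page the reported hijack value?
$current = Get-StartPage
Write-Host "Current Start Page: $current"
if ($current -eq $HijackValue) {
    Write-Warning "Start Page matches the hijack value from the post"
}

# 2. Does a change stick? The post describes the old value reappearing within a
#    second, which is the signature of a resident process or driver re-writing it.
Set-ItemProperty -Path $IeMain -Name 'Start Page' -Value $ProbeValue
Start-Sleep -Seconds 2
$after = Get-StartPage
if ($after -ne $ProbeValue) {
    Write-Warning "Start Page was reverted to '$after' within 2 s: something is actively restoring it"
} else {
    Write-Host "Change persisted; no active re-write observed in 2 s"
    Set-ItemProperty -Path $IeMain -Name 'Start Page' -Value $current   # put the original back
}

# 3. Is the flagged key visible through the normal registry API? RootkitRevealer
#    reports keys present in the raw hive but hidden from the Win32 API, so a
#    "not found" here is consistent with its finding rather than contradicting it.
if (Test-Path $SuspectKey) {
    Write-Host "Suspect key visible via API:"
    Get-ItemProperty -Path $SuspectKey | Format-List
} else {
    Write-Host "Suspect key not visible via API (hidden keys are exactly what RootkitRevealer looks for)"
}
```

The useful signal is step 2: a value that reverts on its own within seconds points to something resident and watching the key, which is a different problem from a one-off bad setting and is the case where a reputable offline scan or re-image is the safer path.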

He's still deciding whether to try to remove it, re-image, or (god forbid) ignore it.

[ posted by sstrader on 24 August 2007 at 12:16:37 PM in Science & Technology ]