probably everyone has had experience with more or less sophisticated malware.
usually removal is quite easy and straightforward. the sysinternals tools are big helpers here – although in many cases even the plain old task manager helps to locate the unwanted stuff and remove it manually through the registry and so on.
yesterday i had a much more curious case.
a customer reported issues with his pc – many apps were randomly crashing without any special pattern.
nothing special so far – i dug into the pc and checked the logs. just some application crashes from nvstream (seems to be related to nvidia's driver and some kind of media streaming capability). not required on this machine. so i uninstalled the driver with all of its components and just reinstalled the current video driver.
during the uninstall i noticed only one curious thing: we're using teamviewer for remote management of client machines (that's not yet the curious part :-)).
when the machine came up it popped up online in my teamviewer contacts, shortly afterwards went offline and then online again. kind of weird?
before i completed cleaning up some other parts of the machine i saw another app crash.
okay – something seems to be causing trouble in this system. as it happened randomly in almost any application, a system component like a driver or the filesystem may be involved.
i went to sysinternals and got the latest version of process explorer. i turned on verify signatures and check virustotal (thanks @markrussinovich) to get a good overview of most things running on the system.
here comes the funny part: process explorer showed that the server is unknown or cannot be resolved
(there was a delay of 2 or 3 seconds until this timeout occurred)
what? virustotal gone? no way.
i popped up the command line and did a quick nslookup on virustotal. no record found.
using nslookup with an explicitly set dns server – not working either.
are you kidding me?
i tried to ping virustotal. working.
i opened IE and chrome to get to virustotal. working.
are you really kidding me?
Digging more into it
okay – somebody doesn't want to let process explorer talk to virustotal.
simple tricks like renaming the application didn't work – maybe some kind of hash or originator check.
(perhaps these bad guys have also implemented some kind of database lookup for blocked applications and/or protocols or whatever)
next step? digging a little deeper. getting wireshark.
so wireshark is running with a filter on dns. i get into the console, do a quick ipconfig /flushdns and ping virustotal.com – there is a dns request sent.
restarting wireshark, same settings. popping up process explorer (after another flushdns) -> check virustotal. no dns request sent.
conclusion at this step: nice idea – i haven't seen such a sophisticated interception yet.
but where is this thing sitting?
a quick search for rootkits didn't show up anything malicious so far.
using autoruns showed up the common services and – it even did a check on virustotal. requests weren't blocked from there.
scrolling through i saw an unnamed service that pointed to a .sys file in the user's temp dir. the file didn't exist anymore. but yep – that has been the entry point.
much more interesting: another component had 2/57 hits – so not recognized that much.
much, much more interesting: this component was a winsock driver – even with an invalid signature.
and seriously, who programs a winsock driver but doesn't sign it? i wouldn't expect anything good behind this.
the location was:
But – the file wasn't there. No way to open or see the file at this location. Somebody is hiding.
Only a config file GambaliOff was there – written in chinese.
Then i tried another path to this dll
And there was the file – of course i took a copy to check the contents of this file later on.
long story short
hitting google with "gambali64.dll" showed up many entries with hijackthis logs where this file was involved, and nothing that indicated this file could be trustworthy.
so i chose to delete the driver (via autoruns) and reboot the machine – everything works fine.
and here’s the funny part:
– teamviewer now comes online just once after a reboot (no more short disconnect, which may have been related to the winsock integration)
– windows update had issues before – working again
– before switching from kaspersky to ESET antivirus, kaspersky had issues contacting the update servers (while navigating to them manually had been possible)
by the way:
date of infection was 17.04.2015 – 2 months ago. and still only two hits on virustotal. seems like some polymorphic code has been used here.
i already dug into the contents of gambali – there's an export for WSPStartup, which is what a dll uses when integrating into winsock as an LSP (layered service provider).
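as an added example (not part of the original post, and not from any tool mentioned in it), here's a small powershell audit of the winsock catalog that would have flagged exactly this kind of LSP: a provider dll that is unsigned, not visible at its registered path, or living under the user's profile/temp directory. it assumes the english output format of `netsh winsock show catalog`, where each entry has a "Description:" and a "Provider Path:" line.

```powershell
# Added example: audit Winsock catalog providers (LSPs) for the warning signs
# described above. Assumes English "netsh winsock show catalog" output.

function Get-WinsockProviders {
    $entries = @()
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s*(.+?)\s*$') {
            $current = [ordered]@{ Description = $Matches[1]; Path = $null }
        }
        elseif ($current -and $line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            # netsh prints paths with %SystemRoot% etc.; expand before checking
            $current.Path = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $entries += [pscustomobject]$current
            $current = $null
        }
    }
    return $entries
}

function Test-WinsockProvider {
    param([pscustomobject]$Provider)
    $flags = @()
    $userRoots = @(@($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ })

    # A path that does not resolve may be a deleted file -- or, as with
    # gambali64.dll above, a file hidden along one path but present along another.
    if (-not (Test-Path -LiteralPath $Provider.Path)) {
        $flags += 'file not visible at registered path'
    }
    else {
        $sig = Get-AuthenticodeSignature -LiteralPath $Provider.Path
        if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
    }
    foreach ($root in $userRoots) {
        if ($Provider.Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'loaded from user profile / temp directory'
            break
        }
    }
    [pscustomobject]@{
        Description = $Provider.Description
        Path        = $Provider.Path
        Flags       = ($flags -join '; ')
    }
}

Get-WinsockProviders | ForEach-Object { Test-WinsockProvider $_ } |
    Where-Object { $_.Flags } | Format-Table -AutoSize
```

keep in mind that an LSP is loaded into every process that uses winsock, powershell included, so a clean result from a box you already distrust is not proof of a clean catalog – compare against a known-good machine or an offline copy of the registry where possible.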
perhaps i'll check more into the details, as it's quite interesting to see how it works. and maybe i'll even write another post on this – but i can't make a promise so far.