
W32/agony.exe-1 Rootkit

Yeah, that's right, I'm a security professional. I am so good I managed to infect myself with a rootkit this afternoon. Okay. I'll wait while you laugh.

Finished? Alright, I can continue. So, whatever it was that this trojan was trying to masquerade as, it did a really crappy job. Didn't make much of an effort to hide itself at all. First, as expected, it attempted to phone home. My firewall immediately pitched a fit when "mswinup.exe" attempted to get network access. I refused it access and pulled out the network cable. After refusing it network access, my machine promptly rebooted on its own.

As Windows came back up, I saw a very brief window popup saying something about creating directories. It came and went too fast for me to read it, but I knew that wasn't right. At this point, it was pretty clear something was wrong.

ProcessExplorer did not indicate anything unusual running; however, TCPView showed outbound connection attempts even though I didn't have anything running, and they weren't to the usual suspects (i.e. Google, Symantec, etc.). AutoRuns, on the other hand, showed several new additions to both services and autorun startup.

A new, hidden service called "Agony" was in place, and a hidden entry in startup called "c:\windows\system32\winsecurity\mswinup.exe". Sitting in my home directory was a file called "agony.sys", with a duplicate in c:\windows\system32, both of which were clearly part of this given their name and time stamp.

Rootkit Unhooker (which I had never heard of before) showed me several hooks into the kernel originating with agony.sys. Additionally, a new registry key had been created:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

that read:

%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer

Also bogus. I removed everything related to it and rebooted. Upon reboot, none of the services and files noted above had returned, and Rootkit Unhooker did not show any unknown hooks. To be on the safe side, I am imaging the system to run it through FTK and get a filesystem timeline, to see if anything else changed that I might have missed. It looks, though, like I got it all.
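As an added example (not code from the original post), here is a PowerShell script that audits the AuthorizedApplications list described above. It parses each entry's path:scope:state:label value and flags the traits the rootkit's entry showed: an "Enabled" entry whose binary is gone after cleanup, a value name that disagrees with the path, or a well-known label ("Internet Explorer") attached to the wrong executable. The %SystemDir% mapping and the label table are my assumptions, not something the post states.

```powershell
# Added example: audit the XP-era Windows Firewall AuthorizedApplications list.
$ListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Labels that belong to one specific binary (assumption: small table of our own, extend as needed).
$KnownLabels = @{ 'Internet Explorer' = 'iexplore.exe' }

function ConvertFrom-FirewallAppEntry {
    param([string]$ValueName, [string]$ValueData)
    # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>.
    # The path contains "C:", so anchor on the last three fields instead of splitting on every colon.
    if ($ValueData -notmatch '^(?<path>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<label>.*)$') {
        return [pscustomobject]@{ ValueName = $ValueName; Path = $null; Scope = $null; State = $null; Label = $null; Findings = @('UnparseableValue') }
    }
    $path = $Matches.path
    # %SystemDir% is not a standard environment variable; map it to system32 (assumption based on the quoted entry), then expand the rest.
    $real = [Environment]::ExpandEnvironmentVariables(($path -replace '%SystemDir%', "$env:SystemRoot\system32"))
    $findings = @()
    if ($ValueName -ne $path) { $findings += 'ValueNameMismatch' }
    if ($Matches.state -eq 'Enabled' -and -not (Test-Path -LiteralPath $real)) { $findings += 'EnabledButBinaryMissing' }
    $expected = $KnownLabels[$Matches.label]
    if ($expected -and (Split-Path $real -Leaf) -ne $expected) { $findings += "LabelMismatch(expected $expected)" }
    [pscustomobject]@{ ValueName = $ValueName; Path = $real; Scope = $Matches.scope; State = $Matches.state; Label = $Matches.label; Findings = $findings }
}

function Get-SuspiciousFirewallApps {
    if (-not (Test-Path -LiteralPath $ListKey)) { Write-Warning "No AuthorizedApplications list at $ListKey"; return }
    $item = Get-Item -LiteralPath $ListKey
    foreach ($name in $item.GetValueNames()) {
        $entry = ConvertFrom-FirewallAppEntry -ValueName $name -ValueData ([string]$item.GetValue($name))
        if ($entry.Findings.Count -gt 0) { $entry }
    }
}

# Constructed sample modelled on the entry quoted in the post; on a cleaned machine it
# should report EnabledButBinaryMissing and LabelMismatch(expected iexplore.exe).
$sample = '%SystemDir%\winsecurityxp\mswinup.exe'
ConvertFrom-FirewallAppEntry -ValueName $sample -ValueData "${sample}:*:Enabled:Internet Explorer" | Format-List

# Live scan of this machine's list, printing only entries with findings.
Get-SuspiciousFirewallApps | Format-List
```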

I am a little annoyed that Symantec didn't even bat an eye when this thing loaded into memory. The agony part appears to be what is used to hide everything from the general user space. On the other hand, the detection signatures I am seeing for other AV vendors for this particular threat are dated on or about 12/26/06, so it's rather recent. If I don't see a signature in Symantec for it soon, it might be time to change AV vendors.

If the FTK timeline shows any missing dangly bits, I'll update.

This page contains a single entry from the blog posted on January 16, 2007 8:30 PM.