A Very Sophisticated Rootkit?

A thought came to me as I was browsing the Web, just now -- about all these *many* "Medium Security attacks" on GHOST, in the NIS log, that I'd discussed in the prior post.

Maybe these showed up when I tried to run GHOST for an "incremental recovery point [RP] of recent changes" -- which it won't do, for the last week or so -- and, really, what started me off on "Why is this happening" -- which (along with a very suspicious computer "crash" last week) led to queries about a rootkit infection.

Well, I just tried to do an incremental RP in GHOST -- and, as usual, it hangs at "1%."  Then after waiting a few minutes, I cancel it.

And, sure enough, this showed up in the NIS log as "Medium Severity, Unauthorized Access blocked."

But, why is my trying to do an incremental RP "Unauthorized Access" and "blocked"?  That, I don't understand.

Even more curious -- I just now brought up GHOST (to check the terminology/specific words used on an incremental RP save) -- and I get *another* "Medium Severity, Unauthorized Access blocked" entry in the NIS log.

I'm thinking that maybe many (but not all) of these "Medium Severity" events in the NIS log (that I mentioned in the prior post) -- on NSW, LU, and esp. System Restore -- are when I try to access these systems.  There are other instances, though, where these "blocked" NIS logs appear when I have *not* accessed these systems at all.  So...?

That ain't right.  Something's wrong, here.  Or, if not, the NIS log terminology/warnings, etc., are *very* misleading.

Kind Regards,

Robby

Message Edited by Robby on 08-04-2009 10:04 PM

Robby:

When you see those entries, it means that something is scanning, or accessing, Norton files.  It has to do with your tamper protection.  Almost everything on your computer will access Norton files at some time or other.  If they push too hard, that is when you will see a block.  It doesn't usually cause any problems unless the scanning program gets stuck and refuses to quit.

You need to look at this logically.  Ghost scans for changes and writes to the disc.  System Restore scans and writes to the disc.  Neither program is working.  Therefore there is most likely something wrong with the hard drive.  The symptoms you are seeing are not rootkit related.

Since Quads is a professional, I would respect his suggestions and do what he recommends.  You are getting too many disc errors for it to be anything else.

Something to consider is heat.  SpeedFan is a nice utility that lets you compare your drive with others of the same make, as well as monitoring the temperature of the drive.

First though, disable as many of the scanning programs as possible and save your data.

Robby -

What happens if you tell GHOST not to back up the Norton files?  Do you still get the access errors in the logs?

Hi delphinium,

delphinium wrote:

Robby:

When you see those entries, it means that something is scanning, or accessing, Norton files.  It has to do with your tamper protection.  Almost everything on your computer will access Norton files at some time or other.  If they push too hard, that is when you will see a block.  It doesn't usually cause any problems unless the scanning program gets stuck and refuses to quit.

You need to look at this logically.  Ghost scans for changes and writes to the disc.  System Restore scans and writes to the disc.  Neither program is working.  Therefore there is most likely something wrong with the hard drive.  The symptoms you are seeing are not rootkit related.

Since Quads is a professional, I would respect his suggestions and do what he recommends.  You are getting too many disc errors for it to be anything else.

Something to consider is heat.  SpeedFan is a nice utility that lets you compare your drive with others of the same make, as well as monitoring the temperature of the drive.

First though, disable as many of the scanning programs as possible and save your data.

OK.

But... I ran another chkdsk /r C: today.  The log seems to think it's OK?

 

************************

Event Type:      Information
Event Source:    Winlogon
Event Category:  None
Event ID:        1001
Date:            8/5/2009
Time:            1:48:03 PM
User:            N/A
Computer:        TOSHIBA-USER
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 10 unused index entries from index $SII of file 0x9.
Cleaning up 10 unused index entries from index $SDH of file 0x9.
Cleaning up 10 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.

  78148160 KB total disk space.
  28129788 KB in 158656 files.
     59276 KB in 14226 indexes.
         0 KB in bad sectors.
    315312 KB in use by the system.
     65536 KB occupied by the log file.
  49643784 KB available on disk.

      4096 bytes in each allocation unit.
  19537040 total allocation units on disk.
  12410946 allocation units available on disk.

Internal Info:
d0 ba 03 00 5d a3 02 00 8b eb 03 00 00 00 00 00  ....]...........
9e 07 00 00 01 00 00 00 b3 01 00 00 00 00 00 00  ................
fc da ce 0e 00 00 00 00 36 1d f7 b4 00 00 00 00  ........6.......
36 8f 39 15 00 00 00 00 bc 48 ee 1b 05 00 00 00  6.9......H......
a2 f7 64 a7 04 00 00 00 32 cd 33 a4 0a 00 00 00  ..d.....2.3.....
40 aa 42 be 00 00 00 00 90 38 07 00 c0 6b 02 00  @.B......8...k..
00 00 00 00 00 f0 e7 b4 06 00 00 00 92 37 00 00  .............7..

Windows has finished checking your disk.
Please wait while your computer restarts.

************************

Also, I did an "fsutil dirty query C:" -- it says "NOT dirty."

So... you still think I should NOT uninstall/reinstall GHOST and NSW?  What about NIS 2009?

************************

And, in the Windows Event Viewer/Security tab:  You don't think those many "Anonymous Logon" things are significant?  What about the "Failed Audits"?

Again, tks for the help.

Kind Regards,

Robby

Failed audits can be caused by several things other than an attack.  There have been instances of power fluctuations causing them, scheduled programs trying to run and failing to start, and the XP logon screen is apparently vulnerable.

You could also check your power source for fluctuations, and get either a surge protector or a new surge protector.  I split the wiring on my system so that half of it was plugged into a surge protector in one outlet on one electrical circuit, and the other half into a surge protector that was plugged into a different circuit.

If you don't have so many programs all trying to scan at the same time, with one or the other prevented from running, that may make a difference as well.

Hi db,

I'm not sure what you mean when you say, "tell GHOST to not backup the Norton Files."   You mean don't include any Norton files in the designated backup/recovery point?  If so, I'm not quite sure how to do that.

But... you still may be on to something here.

I found another thread on the Norton Forums (April 2008) that seems to be somewhat similar to the problem I'm having with GHOST (won't do incremental recovery points -- just gets to 1% progress and hangs there).

http://community.norton.com/norton/board/message?board.id=other&thread.id=9467&view=by_date_ascending&page=1

In that thread, the poster and the respondent (Erik Carlstrom, Technical Product Manager, Symantec Corporation) talk about the role that NIS 2009 "Tamper Protection for Norton Products" is playing in the problem.

The poster tried turning OFF that Protection, and GHOST worked.   The conclusion I got out of that thread is that NIS 2009 and GHOST have some sort of conflict here.

I did a History check on NIS, for "Tamper Protection," and -- sure enough -- *every* one of the GHOST "blocks" I get is related to that.  The other "Medium Security" events that invoke the Tamper Protection (Live Update, System Restore, etc.) are simply "logged," or "detected" -- but not "blocked."

Another thing.... the GHOST listings on these blocks always show (under Action) "Duplicate Object."  Wonder what that means?  No other processes with these "Medium Security" alerts show this.  And, those are *not* blocked.

Here's an attachment of my History log on this, if you'd care to look at it.

[I've included a .txt file (hard to read).  (The .mcf file, favoured by NIS for output of their History log, doesn't seem to be allowed as an attachment on this forum.)]

[BTW, your initial thoughts, expressed to me earlier, about a "rootkit" issue on my GHOST problem -- may also be on the mind of Erik.  He says, in this thread:

"It's likely that another program is hooking into services.exe and trying to indirectly manage our service."  ]

Appreciate all your help, db.

Kind Regards,

Robby

 

Nope, turning NIS 2009 "Tamper Protection" OFF didn't help with the GHOST problem.

A curious thing, though, on all these failed GHOST attempts:

Whenever I click cancel, the progress jumps past "1%" to around 4-5% (where it should be).  Then, the "blue pop-up" comes up telling me it's doing an incremental RP.  But, by then it's too late.  The job has been canceled.

Guess tomorrow I'll try an uninstall (no save)/reinstall of GHOST, and see if that works.

Kind Regards,

Robby

For further information Robby, spend some time on the forum where Ghost issues are dealt with. Most of us on this forum don’t use it.  You will get more help there.

OK, tks, delphinium.

Kind Regards,

Robby