Closed Bug 538099 Opened 15 years ago Closed 11 years ago

Spike in H8SRT*.dll rootkit crashes in late Dec 2009

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, user-doc-needed, Whiteboard: [crashkill])

rootkit .dll crashes are going crazy in the past few days.

zero dec 1-3
20091204-crashdata 1 H8SRT
--zero
20091214-crashdata 1 H8SRT
--zero
20091228-crashdata 24 H8SRT
20091229-crashdata 159 H8SRT
20091230-crashdata 117 H8SRT
20091231-crashdata 173 H8SRT
20100101-crashdata 240 H8SRT
20100102-crashdata 277 H8SRT
20100103-crashdata 1203 H8SRT
20100104-crashdata 1500 H8SRT

the rootkit randomly renames the .dll

signature distribution: 817
signature list
  21 H8SRTpmtpnugxww.dll@0x210b
  15 H8SRTqmkdviwuyu.dll@0x210b
  14 H8SRTipmkjyyrwk.dll@0x1626
  13 H8SRTeoawvipmnv.dll@0x210b
  11 H8SRTwkbwevpquf.dll@0x210b
  10 H8SRTntncdqjcyo.dll@0x210b
  10 H8SRTkcxuiymqpu.dll@0x210b
  10 H8SRTholtytyhrr.dll@0x210b
<and 700+ more .dll names>

checking --- 20100104-crashdata.csv H8SRT
release  total-crashes  H8SRT-crashes  pct.
all      226696         1500           0.00661679
3.0.15   2434           6              0.00246508
3.0.16   35495          354            0.00997324
3.5.5    6721           22             0.00327332
3.5.6    121957         900            0.00737965
3.6b5    23541          118            0.00501253
3.6b4    1853           1              0.000539665
3.6b3    657            7              0.0106545
3.6b2    664            0              0
3.6b1    2069           0              0

os breakdown
809     0.539333        Windows NT5.1.2600 Service Pack 3
412     0.274667        Windows NT5.1.2600 Service Pack 2
117     0.078   Windows NT6.0.6001 Service Pack 1
92      0.0613333       Windows NT6.0.6002 Service Pack 2
46      0.0306667       Windows NT6.0.6000
7       0.00466667      Windows NT5.1.2600 Service Pack 1
6       0.004   Windows NT5.1.2600
4       0.00266667      Windows NT5.1.2600 Service Pack 3, v.5857
4       0.00266667      Windows NT5.1.2600 Service Pack 3, v.3180
1       0.000666667     Windows NT5.2.3790
1       0.000666667     Windows NT5.1.2600 Service Pack 3, v.5755
1       0.000666667     Windows NT5.1.2600 Service Pack 3, v.3244

Google search has this link and many more that tell about the rootkit and how to remove it.

http://www.myantispyware.com/2009/12/22/how-to-remove-h8srt-trojan-remove-rootkit-tdss/

H8SRT trojan is a new version of the TDSS trojan, also known as Rootkit.TDSS. The trojan infects your computer through a vulnerability in already installed programs (mostly in Internet Explorer). It is a very dangerous trojan-rootkit; it uses rootkit-specific techniques designed to hide the software's presence in the system.

When installed, it will be configured to start automatically when Windows starts. H8SRT trojan may:
- display many popups and fake security alerts;
- hijack Internet Explorer;
- redirect search results in Google, Yahoo, MSN to non related sites;
- block access to security websites;
- disable Windows Task Manager, Windows Security Center and Registry editor.

What is more, H8SRT trojan blocks the ability to run a lot of antivirus and antispyware programs, including Malwarebytes Anti-Malware. Also it is usually installed in conjunction with rogue antispyware programs.

If your computer is infected with the trojan, then use these removal instructions below, which will remove H8SRT trojan and any associated malware for free.
I wish we could block stuff like this, but might only need user doc on sumo for now.

we could switch to only allowing signed libraries into our process's memory space...

pretty strong correlation to startup
1500 total crashes for H8SRT on 20100104-crashdata.csv
760 start up crashes inside 3 minutes

one recent comment:
Firefox crashes after about 10 seconds each time I try to open it. I have uninstalled it and installed it over and over but it doesn't work. please help me!

not much in the URLs that might help to indicate a high correlation of where the infection might be coming from

domains of sites
 340 //
 168 http://www.facebook.com
 136 \N//
  49 http://www.google.com
  38 about:blank//
  37 about:sessionrestore//
  34 http://login.live.com
  31 http://www.youtube.com
  22 http://www.tuenti.com
  20 http://www.google.es
  14 http://www.google.de
  14 http://m.www.yahoo.com
  12 http://home.myspace.com
  11 http://apps.facebook.com
   8 http://www.pornhub.com
   8 http://www.google.it
   7 http://www.comcast.net
   7 http://download.cnet.com
   6 http://www.google.se
   6 http://www.google.com.br
   6 http://h20000.www2.hp.com
   5 http://www.paidthefastest.com
mostly 10.0.32.18 is running when Flash is present at the time of the crash, but other versions are also showing up.

http://crash-stats.mozilla.com/report/index/fc50fea2-11a4-4e63-8c0b-d47bf2100105
	H8SRTxynxnpfpfu.dll	
NPSWF32.dll 10.0.32.18

http://crash-stats.mozilla.com/report/index/fcc2b7de-8db8-4381-a3f4-253fc2100105
http://crash-stats.mozilla.com/report/index/ef5a5965-d8ad-4b48-beb8-1b2ad2100105
	H8SRTubxsxnspcm.dll	
NPSWF32.dll 10.0.42.34

http://crash-stats.mozilla.com/report/index/f429aaa0-5040-4a66-934c-30ffe2100105
	H8SRTkwmahnejrf.dll	
NPSWF32.dll 10.0.22.87
looks like any one of these signatures is not high enough volume to show up in http://people.mozilla.com/crash_analysis/ so it's hard to get an idea about plugins that might have been exploited to get the rootkit installed.
Component: General → Blocklisting
Product: Firefox → addons.mozilla.org
QA Contact: general → blocklisting
Version: 3.5 Branch → unspecified
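The triage above (grouping crashes by the randomised H8SRT* DLL name, the per-release rate, and the startup-within-3-minutes correlation) can be reproduced from raw crash records. The following is an added example written for this page, not Socorro code or anything from the bug; the `CrashRecord` fields, the function names and the sample records are all constructed for illustration.

```cpp
// Added example (not from the bug or from Socorro): aggregating crash reports whose
// signature begins with a rootkit's DLL-name prefix, the way comment 0 and comment 3
// summarise the 20100104 data. Field names and sample records are hypothetical.
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct CrashRecord {
    std::string release;    // Firefox version string from the report
    std::string signature;  // e.g. "H8SRTpmtpnugxww.dll@0x210b"
    int uptimeSeconds;      // seconds between process start and the crash
};

struct ReleaseStat {
    int total = 0;     // all crashes seen for this release
    int matching = 0;  // crashes whose signature carries the prefix
};

struct TriageSummary {
    int total = 0;
    int matching = 0;
    int startupMatching = 0;                    // matching crashes with uptime < window
    std::map<std::string, int> signatures;      // distinct matching signatures and counts
    std::map<std::string, ReleaseStat> byRelease;
};

// Case-insensitive "starts with": the rootkit randomises only the suffix of the name.
static bool StartsWithNoCase(const std::string& s, const std::string& prefix) {
    if (s.size() < prefix.size()) return false;
    for (size_t i = 0; i < prefix.size(); ++i) {
        if (std::tolower((unsigned char)s[i]) != std::tolower((unsigned char)prefix[i]))
            return false;
    }
    return true;
}

// Walk the records once, counting totals per release and the prefix-matching subset.
TriageSummary Triage(const std::vector<CrashRecord>& records,
                     const std::string& prefix, int startupWindowSeconds) {
    TriageSummary out;
    for (const auto& r : records) {
        ++out.total;
        ++out.byRelease[r.release].total;
        if (!StartsWithNoCase(r.signature, prefix)) continue;
        ++out.matching;
        ++out.byRelease[r.release].matching;
        ++out.signatures[r.signature];
        if (r.uptimeSeconds < startupWindowSeconds) ++out.startupMatching;
    }
    return out;
}

// Fraction of a release's crashes attributable to the prefix (0 when it has no crashes).
double MatchFraction(const ReleaseStat& s) {
    return s.total == 0 ? 0.0 : static_cast<double>(s.matching) / s.total;
}

// Constructed sample input; signatures are invented, not copied from real reports.
const std::vector<CrashRecord> kSampleCrashes = {
    {"3.5.6",  "H8SRTaaaaaaaaaa.dll@0x210b", 12},
    {"3.5.6",  "H8SRTbbbbbbbbbb.dll@0x210b", 45},
    {"3.5.6",  "H8SRTaaaaaaaaaa.dll@0x210b", 600},
    {"3.5.6",  "NPSWF32.dll@0x1234", 3000},
    {"3.0.16", "H8SRTcccccccccc.dll@0x1626", 90},
    {"3.0.16", "nsAppShell::ProcessNextNativeEvent", 400},
    {"3.6b5",  "js_Interpret", 20},
};

int main() {
    TriageSummary s = Triage(kSampleCrashes, "H8SRT", 180);  // 3-minute startup window
    std::printf("%d of %d crashes match, %d within the startup window, %zu distinct signatures\n",
                s.matching, s.total, s.startupMatching, s.signatures.size());
    for (const auto& kv : s.byRelease)
        std::printf("%-8s %d/%d = %.4f\n", kv.first.c_str(),
                    kv.second.matching, kv.second.total, MatchFraction(kv.second));
    return 0;
}
```

Counting distinct signatures (rather than only the total) is what shows that a single family is hiding behind hundreds of names, which is the reason a per-signature dashboard never surfaces it.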
re comment 2, http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx has the code to do it. I just need to find the code where we were starting to veto stuff.
In http://hg.mozilla.org/mozilla-central/file/aa6337822028/toolkit/xre/nsWindowsDllBlocklist.cpp

While you're there, you could add support for * matching maybe, though that would be a bit of complex code there.  But would let us block h8srt*.dll
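The `*` matching asked for above, as an added example: this is illustrative code written for this page, not the contents of nsWindowsDllBlocklist.cpp, and the entry list and function names (`kDllBlocklist`, `IsDllBlocklisted`) are hypothetical. It shows a case-insensitive glob over the DLL's base name, so one entry covers every randomised H8SRT name.

```cpp
// Added example: a minimal case-insensitive DLL-name blocklist with '*' wildcard
// support. Not Firefox's own code; the entries and names here are hypothetical.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Windows file names are case-insensitive, so the match is too.
// "h8srt*.dll" covers the randomly generated names seen in the crash reports.
static const std::vector<std::string> kDllBlocklist = {
    "h8srt*.dll",        // hypothetical wildcard entry for the rootkit's renamed DLLs
    "example-bad.dll",   // hypothetical exact-name entry
};

// Glob match supporting only '*' (any run of characters, including none).
// Two-pointer scan that backtracks to the most recent '*' on a mismatch.
static bool GlobMatchNoCase(const std::string& pattern, const std::string& name) {
    size_t p = 0, n = 0;
    size_t starP = std::string::npos, starN = 0;
    while (n < name.size()) {
        if (p < pattern.size() && pattern[p] == '*') {
            starP = p++;          // remember the star and try matching nothing first
            starN = n;
        } else if (p < pattern.size() &&
                   std::tolower((unsigned char)pattern[p]) ==
                   std::tolower((unsigned char)name[n])) {
            ++p; ++n;             // literal character matched
        } else if (starP != std::string::npos) {
            p = starP + 1;        // let the star absorb one more character
            n = ++starN;
        } else {
            return false;         // mismatch with no star to fall back on
        }
    }
    while (p < pattern.size() && pattern[p] == '*') ++p;  // trailing stars match ""
    return p == pattern.size();
}

// Strip any directory prefix so a full path is matched on its file name alone.
static std::string BaseName(const std::string& path) {
    size_t pos = path.find_last_of("\\/");
    return pos == std::string::npos ? path : path.substr(pos + 1);
}

// Returns the matching blocklist pattern, or "" if the DLL is allowed.
std::string BlocklistMatch(const std::string& dllPath) {
    const std::string name = BaseName(dllPath);
    for (const auto& pattern : kDllBlocklist) {
        if (GlobMatchNoCase(pattern, name)) return pattern;
    }
    return "";
}

bool IsDllBlocklisted(const std::string& dllPath) {
    return !BlocklistMatch(dllPath).empty();
}

int main() {
    const char* samples[] = {"H8SRTxynxnpfpfu.dll", "C:\\WINDOWS\\system32\\h8srtABC.DLL",
                             "NPSWF32.dll", "H8SRTfoo.dll.bak"};
    for (const char* s : samples)
        std::printf("%-40s %s\n", s, IsDllBlocklisted(s) ? "BLOCKED" : "allowed");
    return 0;
}
```

Matching on the base name only and anchoring the pattern at both ends matters: a pattern that merely searched for the substring would also block an unrelated `myh8srt.dll` or a `.dll.bak` file, while the anchored glob blocks exactly the family the crash data shows.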
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → Toolkit