Caught a virus? Trinity to the rescue!

Last week we detected some PC’s in the network behaving badly. The were sending a massive amount of ping packets to one host on the Internet, so some sort of DoS (Denial of Service) attack. When we investigated the problem there was nog sign of the culprit at first, also McAfee which was installed and running had not detected anything abnormal going on.
What most people do next is load lots of tools on the PC and try to discover the hidden programs responsible for all this havoc. But actually there is a much simpler approach.

Today there is a lot of money to be earned by sending SPAM. But since sending SPAM is illegal in a lot of countries, the challange is to keep sending out these giant amounts of SPAM e-mail without being caught. The way to do this is by “owning” a lot of computers of unaware home users and send the e-mails through these systems. So if a recipient traces back the SPAM e-mail, he only sees the home computer as the source.

To be able to control these computers, the hacker needs to infect them with something that installs a backdoor. The backdoor is the way in for the hacker to control the computer and the program which installs the backdoor is often a trojan named after the trojan horse strategy of the greek.
Such an trojan might be an e-mail with the message that you received a postcard from a friend, neighbor or worshipper. To see the postcard you need to click on a link, and that link contains postcard.exe. Since you are curious by nature, you of course click on the link and execute the postcard program.
You might even see a postcard, but meanwhile a program is covertly installed on your computer and your system becomes a marionette to the hacker.

It is important for the hacker to keep his program hidden, because the longer it stays on your computer, the longer he can make money out of it. A way to hide programs from other programs (like you antivirus) is by using rootkit technology. A rootkit installs itself inside or just above the operating system. If you start the taskmanager to look at all the programs that are running, the taskmanager requests this information from the operating system. But instead of communicating with the OS, it really communicates through the rootkit, and the rootkit filters out it’s own existence when sending back the response from the OS to the taskmanager. So effectively the rootkit is a cloaking device which makes it own existence and the existence of the backdoor invisible.

The simple approach i mentioned to finding this kind of software is by eliminating the Operating System when you look for this kind of hidden software. The way we do that is by booting a different Operating System (known to be clean of rootkits) and from there start our search for the culprits. We even assure that the booted OS can not be infected with malware by running it from a read-only medium (i.e. a cdrom).

Trinity Rescue Kit

There are some other bootable cdrom’s out there with antivirus products on it, but TRK is different in that it supports 4 (four!) different antivirus products and they are all legal versions for you to use. Apart from the antivirus bit, TRK also has these (and more) features:

  • easily reset windows passwords
  • 4 different virusscan products integrated in a single uniform commandline with online update capability
  • full ntfs write support thanks to ntfs-3g (all other drivers included as well)
  • clone NTFS filesystems over the network
  • wide range of hardware support (kernel 2.6.19.2 and recent kudzu hwdata)
  • easy script to find all local filesystems
  • self update capability to include and update all virusscanners
  • full proxyserver support.
  • run a samba fileserver (windows like filesharing)
  • run a ssh server
  • recovery and undeletion of files with utilities and procedures
  • recovery of lost partitions
  • evacuation of dying disks

Start with downloading the TRK iso from: here and burn it on a cdrom, for instance with Nero (here is a good tutorial on how to burn iso’s with Nero).
Put the cdrom in your computer and reboot, when the BIOS kicks in you might need to press a key to get a boot menu and select the cdrom to boot from (on Dell computer, press F12). When you see the TRK boot screen (click on the image for a larger version):

press enter to continue booting the default option. After a lot of text scrolling over your screen you will end up with a prompt, indicating that trinity as ready to obey your commands. To start scanning your computer for viruses, all you have to do is type in:
virusscan -a avg

This will mount all the Windows disks, update the virusscanner to the latest signatures and start scanning. Apart from selecting the AVG virusscanner, you can also choose to use: ClamAV by specifying “clam”, Bitdefender (bde) and F-Prot (fprot). But we had very good results with AVG. Of course if you are really paranoid, you can run them all four sequentially.

For the update to be successfull you will need an Internet connection on the computer. If the computer is detached from the network, you can first boot TRK on a different computer with Internet and then give the command:
updatetrk, this will update all four virusscanners and generate a new iso image from which you can burn a new updated cdrom.

When one of the virusscanners has found something fishy and has deleted of renamed the file, you can reboot Windows and be sure that the rootkit is not operational anymore. It is wise (now you know the name of the malware) to run a targeted removal tool for the malware, because they will clean up the registry as well.

Some other neat thing TRK can do is copy itself to an USB stick so you can boot it from there with trk2usb or start a fileserver so you can access all the disks from an other computer on the same network with: fileserver.
For a complete overview of it’s capabilities, type trkhelp or have a look: here.

Have fun & stay clean…