KBeast (Kernel Beast) 2012 is a Linux rootkit that hides the loadable kernel module, hides files and directories, hides processes, hides sockets and connections, performs keystroke logging, has anti-kill functionality and more.

Here is a PHP script that tracks IPs in log files and executes shell commands per each IP. It was created as a sort of reverse fail2ban or cheap VPN-firewall: a machine with a closed firewall can be told, by a foreign machine, to accept connections from a specific IP.

Intro

It is a rootkit-type infection.

This malware steals confidential information, particularly passwords and bank details.
It will be necessary to change passwords after disinfection and check with your bank that nothing unusual happened.

Method: Gmer

• Download HERE
• Turn off your antivirus and cut the connection.
• Double-click mbr.exe.
• A report will be generated: mbr.log
• In cases of infection, this message MBR rootkit code detected will appear in the report.
• In the Start Menu> Run, type:

"%userprofile%Bureaumbr" -f

• In mbr.log this line appears: the original MBR restored successfully!
• You can post the report to get some help on the Forum.

Restart mbr.exe to check that the infection is no longer present and the new report should no longer find rootkit.

Example report uninfected:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net      

device: opened successfully      
user: MBR read successfully      
kernel: MBR read successfully      
user & kernel MBR OK 

Under Vista and Seven, do not forget to start mbr.exe right-click and Run as administrator.

Method: Recovery Console and fixmbr

• You need to have in your possession the Windows CD.
• Start on the Windows CD.
• Start the Recovery Console as explained here.
• Once the Recovery Console, type the following command:

fixmbr deviceharddisk0

• And validate by [Enter] key on your keyboard.

Method: Combofix

To all readers:

- This software is used as prescribed by a qualified and trained helper to the tool.
- Do not use outside of this scenario: dangerous!

• Right click here.
• Choose: Save target as
• Choose the Desktop as the destination.
• In the "File Name", rename ComboFix.exe to pctipsbyanu.exe example, then save.
• Warning! The renaming stage is mandatory under penalty ofdisplaying the message "ComboFix.exe is not a valid win32 application"and thus make it completely unnecessary and inefficient.
• Disconnect from the Internet and close all applications and programs running.
• Double-click pctipsbyanu.exe to start the fix (Vista and Seven: right-click and choose "Run as administrator").
• Accept the warning message and accept the installation of the Recovery Console (in XP).
• The report will be created under the root: C:Combofix.txt

Example of infection found by Combofix:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net      

device: opened successfully      
user: MBR read successfully      
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys spzt.sys >>UNKNOWN [0x86F80938]<<      
kernel: MBR read successfully      
detected MBR rootkit hooks:      
DriverDisk -> CLASSPNP.SYS @ 0xf7749f28      
DriverACPI -> ACPI.sys @ 0xf7422cb8      
Driveratapi -> atapi.sys @ 0xf739fb40      
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8      
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8      
DeviceHarddisk0DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8      
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8      
NDIS: Broadcom NetLink (TM) Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf72b5bb0      
PacketIndicateHandler -> NDIS.sys @ 0xf72a4a0d      
SendHandler -> NDIS.sys @ 0xf72b8b40      
user & kernel MBR OK

• Or

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net      
device: opened successfully      
user: MBR read successfully      
kernel: MBR read successfully      
MBR rootkit code detected !      
malicious code @ sector 0x12a14c0 size 0x1ad !      
copy of MBR has been found in sector 62 !      
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Sample of disinfection report:

(((((((((((((((((((((((((((((((((( PC Tips by Anu
Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))
\ \. \ PhysicalDrive0 - bootkit Sinowal WAS found and disinfected
\ \. \ PhysicalDrive0 - bootkit Sinowal WAS found and disinfected
.
(((((((((((((((((((( PC Tips by Anu 2010-11-18 to 2010-12-18
Files created between 2010-11-18 and 2010-12-18 ))))))))))))))))))))))))))))))

Method: Bootkit Remover

• Download and unzip Bootkit Remover to the desktop.
• Download BTKR_Runbox on the desktop.
  • Note that: You must have the remover.exe and BTKR_Runbox.exe on the desktop for tool works correctly.
• Start BTKR_Runbox then select option 3
• Confirm by pressing "1" then [Enter]
• The PC will restart. After reboot, restart BTKR_Runbox by selecting option 1
• If the procedure worked well, it should be written " OK [DOS/Win32 Boot code found] "

Method: MBRCheck

• Download MBRCheck on the desktop.
• Close all applications.
• Follow the instructions, you'll be prompted to restart the PC.
• If you get this:
  • Found non-standard or infected MBR.
• Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Press the Y key and validate using the [Enter] key
• You should get this:

Options:     

[1] Dump the MBR of a physical disk to file.     

[2] Restore the MBR of a physical disk with a standard boot code.     

[3] Exit.     

Choose option [2]

• You will get this:
  • Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel):
  • The disk number to use is 0
• From now on you will have to chose between several MBR codes:
  • Available MBR codes:

[ 0] Default (Windows XP)     

[ 1] Windows XP     

[ 2] Windows Server 2003     

[ 3] Windows Vista     

[ 4] Windows 2008     

[ 5] Windows 7     

[-1] Cancel 

• Type the number corresponding to your operating system and confirm with [Enter]
• Then you will have this:
• Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:
• You should have this message:
• Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

..followed by "Please reboot your computer to complete the fix."

• Restart your PC and post the report generated on the appropriate forum.
• Following this, restart MBRCheck that would normally tell you "Windows XX (XX is your version of Windows) MBR code detected".

Method: ZhpFix

If you used ZHPDiag and infection of this type is detected, as shown in the following report:

---\\ Search infection Master Boot Record (O80)    
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net    
Run by Sabrina at 28/06/2010 18:29:00    
device: opened successfully    
user: MBR read successfully    
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8410A328]<<    
kernel: MBR read successfully    
detected MBR rootkit hooks:    
\Driver\atapi -> 0x8410a328    
Warning: possible MBR rootkit infection !    
copy of MBR has been found in sector 0x05D267C0    
malicious code @ sector 0x05D267C3 !    
PE file found in sector at 0x05D267D9 !    
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.    
Use "ZHPFix" command "MBRFix" to clear infection !

• Start ZHPFix from the desktop shortcut ( under Vista and 7: runas administrator mode) or from ZHPDiag that contains the shortcut toZhpFix (an icon located at the top)
• Click MBRfix located on the right side of the screen ,
• Click 'No' to the message that appears on the screen,
• Leave the tool work
• At the end of treatment, a report is displayed
• You can post the report on the appropriate forum.
• Restart the PC for the modifications to be taken in consideration and check with ZHPDiag that the infection is no more.

Method: Antiboot from Kaspersky

The whole procedure is described here.

Other methods

• MacAfee antirootkit
• Sophos Anti-Rootkit Sophos Anti rootkit
• Rootkit F Secure Black Light
• http://www.f-secure.com/ Eliminator
• Avira AntiRootkit
• AVG Anti-Rootkit
• G Data Remover
• Panda Anti-Rootkit
• Vba32 AntiRootkit

Online Scan

To verify that nothing remains, it is better to do an online scan of your computer:

• Online scan BitDefender
• Online scan TrendMicro
• Online scan Computer Associates
• Online scan F-Secure
• Online scan Kapersky

Thanks...