rannala, posted August 25, 2010

Hi,

There may be a vulnerability in uTorrent 2.0.3 that allows the TDSS/TDL3/Alureon rootkit to infect the machine. I have now had three consecutive infections with this rootkit and am getting a little tired of removing them. Each time I had started uTorrent just ~5 minutes earlier, so it's not likely a coincidence. Here's what happens:

1. I start uTorrent, everything runs normally.
2. I get a warning from F-Secure that a suspicious program is trying to run from the Windows temp folder.
3. A simultaneous warning indicates that a new program is trying to create a network connection.
4. I deny all and remove the files.
5. Spoolv.exe (printer spooler) connects to a server abroad, notifying it that my machine is now a bot.
6. The hard disk driver is replaced with a version hiding the rootkit from most virus scanners.

Earlier versions of this rootkit are known to have used a Kademlia vulnerability to spread, so this is not so far-fetched. This may very well be a second, more sophisticated attempt, not necessarily limited to uTorrent.

I saw two other recent posts with a similar topic, but they were quickly dismissed with "no no, there's no malware in uTorrent, blah blah". Could someone at uTorrent please at least take a quick look at the subject? I for one don't have the courage to use uTorrent anymore, even though I absolutely love the software.

Here's an analysis of the rootkit: http://www.f-secure.com/weblog/archives/The_Case_of_TDL3.pdf

Now, if anyone else has managed to get this bugger, here are some tips:
- Most online and local virus/malware scanners can't detect the rootkit, because of the replaced disk driver.
- Hitman Pro 3.5.6 sees the malicious driver, but can't do anything about it.
- TDSSKiller from Kaspersky seems to be the only one to actually remove the rootkit (but who knows if something is left behind).
moogly, posted August 25, 2010

Use GMER, it's a very good program to detect and remove rootkits. http://www.gmer.net/
paintball9, posted August 25, 2010

I'm wondering if it's possible that the uTorrent executable has been infected. Try downloading the file again and comparing a checksum.

If it's clean, then I'm wondering if this is related (I'm still not sold on the whole remote execute vulnerability, but this hasn't been listed as fixed yet; it's pretty old too): http://www.securityfocus.com/bid/30653
Firon, posted August 26, 2010

You're probably running an infected EXE. It's entirely likely that many executables on your system now have payloads. I suggest wiping your machine and starting fresh.
arvid, posted August 26, 2010

It does sound like your theory that uTorrent is causing this is a bit weak. You're probably running tens of other processes (behind the scenes, perhaps) right before becoming infected as well.

I would suggest comparing your uTorrent.exe with a clean download.

Also, you might want to see if TDLwsp.dll is injected in uTorrent (or any other process) as well.

I would imagine that the most reliable way to get rid of the rootkit is to wipe the machine, though.
rannala (author), posted August 26, 2010

Guys,

I downloaded the exe again from utorrent.com (2.0.3 build 20664). The MD5 hash is identical to the one I already have installed, so the exe is not infected.

Also, according to Process Explorer, I don't have TDLwsp.dll (or TDLcmd.dll) in any running process.

Additionally, after removing the rootkit with TDSSKiller, my computer was running fine for two weeks, until I started uTorrent, when it got infected again. That's obviously no proof, but as this has now happened three times it gives me a valid reason to suspect.

Exceptional claims need exceptional proof; what else should I try?
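The two checks suggested above (compare the installed uTorrent.exe with a fresh download; look for TDLwsp.dll / TDLcmd.dll inside running processes) can be scripted so they are repeatable after each clean-up. The script below is an added example written for this page; it is not from the thread, from uTorrent or from any of the tools named here. The install and download paths are assumptions, and the DLL names are simply the ones mentioned in the thread. It uses SHA-256 rather than MD5 and adds a third check the posters did not mention: the file's Authenticode signature, which a patched binary cannot keep valid (assuming the vendor signs the binary at all).

```powershell
# Added example, not part of the thread. Hypothetical assumptions: the
# installed binary lives at $Installed, a freshly downloaded copy at $Fresh,
# and the DLLs to hunt for are the two names mentioned in the thread.
$Installed = "$env:ProgramFiles\uTorrent\uTorrent.exe"   # assumed install path
$Fresh     = "$env:USERPROFILE\Downloads\uTorrent.exe"   # assumed download path
$Suspect   = @('TDLwsp.dll', 'TDLcmd.dll')

# 1. Compare the two copies by SHA-256 (MD5 is no longer fit for integrity checks).
$h1 = (Get-FileHash -Path $Installed -Algorithm SHA256).Hash
$h2 = (Get-FileHash -Path $Fresh     -Algorithm SHA256).Hash
if ($h1 -eq $h2) {
    "SHA-256 match: $h1"
} else {
    "SHA-256 MISMATCH`n  installed: $h1`n  fresh:     $h2"
}

# 2. Check the Authenticode signature of both copies. A binary modified after
#    signing reports Status = HashMismatch; an unsigned one reports NotSigned.
foreach ($f in $Installed, $Fresh) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    "{0}: {1} ({2})" -f $f, $sig.Status, $sig.SignerCertificate.Subject
}

# 3. Walk every process we are allowed to open and report any module whose
#    name matches $Suspect. Processes whose module list cannot be read
#    (protected processes, bitness mismatch) are collected and listed so the
#    blind spot is visible instead of silent.
$unreadable = @()
$hits = foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($Suspect -contains $m.ModuleName) {
                [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Module = $m.FileName }
            }
        }
    } catch {
        $unreadable += $p.ProcessName
    }
}
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    "No $($Suspect -join ' / ') loaded in any readable process"
}
if ($unreadable) {
    "Could not enumerate modules of: " + (($unreadable | Sort-Object -Unique) -join ', ')
}
```

Two caveats on reading the output. A hash match only shows the two copies are identical; it says nothing if both were read through a kernel rootkit that filters disk I/O, which is exactly what the F-Secure write-up describes TDL3 doing for the file it infects, so a hash taken after booting from clean media is worth more than one taken from inside the suspect system, and the signature check is the stronger of the two because it is tied to the vendor's key rather than to a second download. For the module scan, run it from a PowerShell whose bitness matches uTorrent (32-bit uTorrent on 64-bit Windows needs the PowerShell under SysWOW64), otherwise that process shows only a handful of system DLLs and the check proves nothing.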
moogly, posted August 26, 2010

Did you read this guide and follow the steps? How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
rannala (author), posted August 26, 2010

> Did you read this guide and follow the steps? How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

Yes, I couldn't find any other way to get rid of it. (And I'm still going to do a full reinstall as soon as my new hard drive arrives.)

I did use Hitman Pro to detect the kit, though, so I'm running GMER now for the fun of it.
GTHK, posted August 26, 2010

Alureon is real nasty.
madhur_ahuja, posted December 10, 2010

I am having the same problem: a rootkit while running uTorrent. No antivirus detects utorrent.exe as infected.
DreadWingKnight, posted December 10, 2010

While running which version of uTorrent?
madhur_ahuja, posted December 10, 2010

I am running uTorrent 2.2, build 23235.
DreadWingKnight, posted December 10, 2010

Then chances are you got it from something you downloaded.
Archived: this topic is closed to further replies.