December 22, 2009

Removing a Windows Rootkit Using RootkitRevealer and The Avenger

After posting about how to remove a rootkit using SystemRescueCd, I encountered a rootkit that I could not eradicate using my method.  Fortunately, I was able to discover a different method using Windows tools.  SysInternals (aka Microsoft) developed a tool called RootkitRevealer that is very useful in determining the symptoms, thus the identity, of a rootkit.  After determining the identity of the rootkit and its associated files, I was able to use The Avenger to remove the offending files/drivers.  Please visit these websites to learn more about them and their ability to remove malware.

Additionally, here is a great site that educates on rootkits: http://www.raulsiles.com/resources/rootkit.html

December 21, 2009

Removing a Windows Rootkit Using SystemRescueCd

The past few weeks have taught me a lot about rootkits:

  1. They are insanely difficult to remove from a Windows installation
  2. This is because they disable all the best anti-malware tools
  3. They hide themselves from even the most diligent searching

Instead of spending hours trying to trick a rootkit into letting anti-malware software run, I prefer to use a different approach.  I discovered SystemRescueCd during a painful search to remove a virus that I could not seem to identify.  I knew the symptoms of this evil malware, but could not find a cure.  After long hours searching for that elusive cure, I landed on the SystemRescueCd home page.  I was eventually able to use this tool to remove the rootkit and rescue the Windows machine.  Unfortunately, learning to use this simple tool presented me, a capable Windows systems administrator, with a separate challenge: familiarizing myself with (Gentoo) Linux.  I had dabbled with various flavors of Linux throughout the years, but this would be my first attempt at a productive use of Linux.  Below are the steps to successfully using SystemRescueCd to eradicate a rootkit from a Windows installation (commands to type are shown on their own lines; user-specific information is specified in all caps):

Boot to SystemRescueCd

Set root password
passwd
TYPE YOUR PASSWORD TWICE

Set up networking
dhcpcd eth0
(make sure your network card or WIFI is plugged in or turned on)
Update DNS if DHCP does not provide it
vim /etc/resolv.conf
Type in “nameserver NAME.SERVER.IP.ADDRESS” on the last line of the file (edit the file by typing “R”; when finished, press the escape key)
Save the file using “:wq”

Mount the Windows partition
mount -t ntfs-3g /dev/SDA1 /mnt/windows
(or /dev/sda2 - this will take some trial and error if you are not used to Linux)

Update ClamAV
emerge clamav (this will take a while - not frozen)
freshclam

Run ClamAV, sit back, and relax for 2 hours or more
clamscan -r -i /mnt/windows

When the scan is finished, reboot the machine by typing “reboot” and then run one of those great anti-malware killers.
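The mount and scan steps above, wrapped in a small helper I am adding here as an example (this is not code from the original post or from the SystemRescueCd project). It mounts the Windows partition read-only so the inspection pass cannot alter the suspect volume, has clamscan write a log, and parses that log into a summary, flagging any hits under system32\drivers since that is where a rootkit's kernel driver usually lives. The device, mount point and log path are hypothetical arguments the operator supplies; the sample log at the top is constructed in clamscan's output format so the parser can be exercised without a scan.

```python
"""Offline ClamAV scan helper for SystemRescueCd.

Added example, not code from the original post. It wraps the mount and
clamscan steps described above: the Windows partition is mounted read-only
so the scan cannot modify the suspect volume, clamscan writes a log file,
and the log is parsed into a short summary. The device, mount point and
log path are hypothetical arguments supplied by the operator.
"""
import os
import re
import subprocess
import sys

# One line per detection, e.g. "/mnt/windows/foo.exe: Some.Signature FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Lines from the "SCAN SUMMARY" block that we care about.
SUMMARY_RE = re.compile(r"^(Scanned files|Infected files): (\d+)$")

# Constructed sample log in clamscan's output format (not a real scan result;
# the signature names and paths are invented for this example).
SAMPLE_LOG = """\
/mnt/windows/WINDOWS/system32/drivers/example.sys: Example.Constructed.Sig-1 FOUND
/mnt/windows/Documents and Settings/user/temp/setup.exe: Example.Constructed.Sig-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Scanned directories: 12
Scanned files: 3250
Infected files: 2
"""


def parse_clamscan_log(text):
    """Return {'found': {path: signature}, 'scanned': int, 'infected': int}."""
    summary = {"found": {}, "scanned": 0, "infected": 0}
    for line in text.splitlines():
        line = line.rstrip()
        hit = FOUND_RE.match(line)
        if hit:
            summary["found"][hit.group("path")] = hit.group("sig")
            continue
        stat = SUMMARY_RE.match(line)
        if stat:
            key = "scanned" if stat.group(1) == "Scanned files" else "infected"
            summary[key] = int(stat.group(2))
    return summary


def driver_hits(summary, mountpoint="/mnt/windows"):
    """Detections under system32\\drivers, the usual home of a rootkit's kernel driver."""
    prefix = mountpoint.rstrip("/").lower() + "/windows/system32/drivers/"
    return sorted(p for p in summary["found"] if p.lower().startswith(prefix))


def offline_scan(device, mountpoint, logpath):
    """Mount read-only, scan recursively, unmount.

    Returns clamscan's exit status: 0 clean, 1 infections found, 2 error.
    Must run as root on the rescue system.
    """
    os.makedirs(mountpoint, exist_ok=True)
    # "-o ro": the scan is an inspection step; removal is a separate step
    # taken only after the findings have been reviewed.
    subprocess.run(["mount", "-t", "ntfs-3g", "-o", "ro", device, mountpoint],
                   check=True)
    try:
        proc = subprocess.run(["clamscan", "-r", "-i", "--log=" + logpath,
                               mountpoint])
    finally:
        subprocess.run(["umount", mountpoint])
    return proc.returncode


if __name__ == "__main__":
    if len(sys.argv) == 4:
        device, mountpoint, logpath = sys.argv[1:]
        offline_scan(device, mountpoint, logpath)
        with open(logpath, encoding="utf-8", errors="replace") as fh:
            result = parse_clamscan_log(fh.read())
    else:
        # No arguments: show the parser on the constructed sample instead.
        mountpoint, result = "/mnt/windows", parse_clamscan_log(SAMPLE_LOG)
    print(f"scanned={result['scanned']} infected={result['infected']}")
    for path, sig in sorted(result["found"].items()):
        print(f"  {sig}\t{path}")
    print("driver hits:", driver_hits(result, mountpoint))
```

Run it with no arguments to see the parser on the sample, or as root on the rescue system with `python offline_scan.py /dev/sda1 /mnt/windows /root/clamscan.log` (device name assumed). Keeping the mount read-only also means a volume left dirty or hibernated by Windows can still be inspected, which ntfs-3g otherwise refuses to do read-write.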

May 18, 2009

Publish a BlackBerry App

This writeup is more of an afterthought than a planned event, so if there are missing details, I apologize beforehand.

A little more than four weeks ago, an ad agency owner/friend approached me about writing apps for BlackBerrys (BB) and iPhones.  I told him I’d look into it to see how much dev this would take.  I am not by nature or choice a programmer, although I have accomplished some pretty involved programming projects for my current employer.  I knew BBs were deep in Java, but I decided to find out how much Java I would need to know to program a BB app.

I got to the BB developers site and discovered that BB programming could be done almost entirely in a web browser, which is something I mostly rock at.

A little Java “scripting” is required to package a launcher, a small Java app used to create a browser call that the end-user actually runs to get to the app webpage.  Fortunately for me, the good people over at CrackBerry.com had put together a step by step instruction set detailing the entire process.  There were a few quirks in their instruction set, but there’s nothing like a flawed manual to help you learn the process more intimately.

After creating the launcher, we simply had to be approved as a BB vendor, which is easy when you own a web marketing firm.

I am now waiting to get the logins for the vendor portion of the site, where I can seemingly submit the app to the world!

Let’s see what happens…

UPDATE: I got the logins and submitted the app.  Unfortunately, I submitted the app before requesting Java Code Signing Keys from RIM using their webform.  After getting the form filled out and submitted, I was forwarded an email outlining the key receipt policy:

“…should receive your keys within the next two business days as three(3) emails with the respective .CSI attachments…”

::sigh:: So now I have to wait until I receive the keys, rebuild the code, and resubmit the app.

UPDATE2: I received the keys last night.  The signing process was a lot less complicated than I thought it could have been, considering what I had already gone through.  The email states that each .CSI attachment must be run on the same computer, so I double clicked the first attachment I received and, behold, it workéd.  Since this was the first time a .CSI file had been run, it asked me to create a password and confirm.  It then requested the 10 digit PIN that was created when I registered for the keys and the password I just created.  After getting the PIN from my partner (who actually registered for the keys), I was able to successfully finish “installing” that file and the other two, which just asked for the PIN and the password.  Each file told me that I had over 2.1 BILLION code signings remaining.  Guess I will not run out any time soon.

So, the process is finished (after I uploaded the .cod file to the vendor portal app management site).  I am awaiting approval, then I will confirm that the app is available for download.

April 10, 2009

Find Duplicates From Separate Tables using SQL

This might seem obvious to veterans, but was a HUGE help to me when I figured it out.  The key to finding duplicates using SQL is to change the join key in two tables to the column(s) you want to find duplicates on.  For instance, if I want to find all records from two tables that have duplicate addresses, I would script the following:

SELECT  *
FROM    Customer1 INNER JOIN
        Customer2 ON Customer1.Address = Customer2.Address

This will, of course, give you all the records that have the same addresses…basic join information, but good to know in reference to removing duplicates from separate tables using SQL!
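As an added example (not from the original post), the join above run against two small constructed tables in an in-memory SQLite database, which makes two things visible that the bare join hides: an address repeated within one table produces one joined row per pairing, so the row count is not the number of duplicate addresses, and exact comparison misses addresses that differ only in case or surrounding whitespace. The table and column names follow the post; the rows are invented.

```python
"""Finding addresses that appear in both customer tables.

Added example, not from the original post. Two constructed tables are loaded
into an in-memory SQLite database; the post's join is run as written, then a
second query returns one normalised address per match, which is what a
de-duplication pass actually needs.
"""
import sqlite3

# Constructed sample data (invented names and addresses).
CUSTOMER1 = [
    (1, "Alice", "12 Main St"),
    (2, "Bob", "7 Oak Ave"),
    (3, "Carol", "12 Main St"),    # same address as Alice, within one table
    (4, "Dan", "99 Elm Rd "),      # trailing space
]
CUSTOMER2 = [
    (10, "Eve", "12 Main St"),
    (11, "Frank", "99 elm rd"),    # differs from Dan's only in case and space
    (12, "Grace", "1 Pine Ln"),
]


def build_db():
    """Create the two tables in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    # Table names come from a fixed constant, never from user input, so the
    # f-string only substitutes identifiers; row values go through parameters.
    for table, rows in (("Customer1", CUSTOMER1), ("Customer2", CUSTOMER2)):
        conn.execute(
            f"CREATE TABLE {table} (Id INTEGER PRIMARY KEY, Name TEXT, Address TEXT)"
        )
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    return conn


def duplicate_pairs(conn):
    """The post's query: every pairing of rows whose Address matches exactly."""
    return conn.execute(
        """SELECT Customer1.Name, Customer2.Name, Customer1.Address
           FROM Customer1 INNER JOIN Customer2
                ON Customer1.Address = Customer2.Address
           ORDER BY Customer1.Name, Customer2.Name"""
    ).fetchall()


def duplicate_addresses(conn):
    """One row per address present in both tables, compared after trimming
    whitespace and folding case."""
    rows = conn.execute(
        """SELECT DISTINCT lower(trim(Customer1.Address)) AS addr
           FROM Customer1 INNER JOIN Customer2
                ON lower(trim(Customer1.Address)) = lower(trim(Customer2.Address))
           ORDER BY addr"""
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    # Two joined rows (Alice/Eve and Carol/Eve) but only one distinct address.
    print("exact-match pairs:", duplicate_pairs(db))
    # Normalising catches Dan/Frank as well: two addresses in both tables.
    print("normalised addresses:", duplicate_addresses(db))
```

The same normalisation (lower/trim, or an equivalent on your database) belongs in the join condition of any script that goes on to delete rows, otherwise the near-duplicates survive the cleanup.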

April 9, 2009

Excel VBA Script

This is a 14 line script (not including declarations) that will take a single column of first and last names and move the last name to an adjacent column:

Public Sub getLastName()

Dim i As Integer
Dim b As Integer
Dim sLetter As String
Dim sLNAme As String

  For i = 2 To 10741 '*Comment 1
    If ActiveSheet.Cells(i, 2).Value <> "" Then '*Comment 2
      sLNAme = ActiveSheet.Cells(i, 2).Value
      For b = -1 To Len(sLNAme) - 1
        sLetter = Mid(sLNAme, Len(sLNAme) - b, 1)
        If sLetter = " " Then
          ActiveSheet.Cells(i, 3).Value = Mid(sLNAme, Len(sLNAme) - b + 1, b) '*Comment 3
          ActiveSheet.Cells(i, 2).Value = Left(sLNAme, Len(sLNAme) - (b + 1)) '*Comment 4
          sLetter = ""
          Exit For
        End If
      Next
    End If
  Next
End Sub

Comment 1: type in your range here; this script will affect the first 10741 cells, not including a header cell
Comment 2: the “2” on this line means “B” column…just an excelism
Comment 3: the “3” on this line means “C” column in excel
Comment 4: again, “2” on this line means “B” column