New Form of Spyware?

Spyware and viruses could start using an old Unix trick. Recent malicious applications let viruses and spyware apply the kernel rootkit concept to hide themselves from the Windows operating system and from the users who administer it. For more information, take a look at the following articles:

The Inquirer
Computer World

2 thoughts on “New Form of Spyware?”

  • We have recently seen something similar in the field and it isn’t pretty. While not as vicious as the variety discussed in the above articles, removal was long and difficult. Since the system was infested by a variety of viruses it is difficult to pinpoint how or when the system became infected with the particular rootkit virus. But the effects were both obvious and difficult to manage. The virus broke the system links to call control interfaces in explorer. This made the control panel, printer panel, and of course the APIs for Windows Update unusable. It also broke some of the features of Windows XP SP2 and left the system reporting that it was at Service Pack 1.

    Removal was onerous and unfortunately, having to use trial and error, not well documented. Two virus removal tools were used; one major brand that will be left un-named and AVG anti-virus. The un-named tool was already installed and had quarantined some viruses but missed a majority of them which is unfortunate considering it was fully up to date with a current subscription. As the control panel was not available to uninstall this insufficient product, it was disabled and AVG 7.0 free edition was installed. AVG then went on to discover over 100 infected files with 20+ virus variants.

    From here things get confusing and we will only paraphrase. During this process the system was in and out of safe mode constantly. SpyBot Search and Destroy and Ad-Aware SE were both run on the systems, and on each successive run they found new or previously hidden spyware tools. AVG was run again later and found yet another group of infected files, all with a date of a week or more in the past. System load went from 80% of available resources used to 20%, but the Control Panel was still non-functional. HijackThis was then run and a couple of possibly spurious registry entries were found. Backup copies of the entries were made and then they were removed. The control panel issue still existed but AVG immediately found 2 new viruses. HijackThis was run again and a new different suspicious entry was found. After this one was removed, the Control Panel was available again. After one last scan AVG found no more viruses. The system was patched and brought fully up to date.

    The virus(es) in question first broke the user’s normal path to system control, then, using the registry and other infected files, masked the main culprit from the system, users and anti-virus software.

    The technician doing this work has chosen to have virus removal be one of his specialties since 1999 and this removal still took him a total of 7 hours. His previous longest challenge took only 2 hours.

    We are very concerned about this new host of viruses and we will be keeping an active watch.

  • I wonder if something like RootKitRevealer would be useful in removing or at least detecting spyware like this? It looks like this utility specifically looks for files and registry entries that attempt to hide from the system.

    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

    That page also has some interesting information about root kits in general. Overall it looks like the anti-spyware packages are going to have to borrow a few tricks from anti-rootkit utils. Or, maybe that was already the difference between your “nameless” anti virus program and the one that actually worked.
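As an added illustration of the cross-view idea behind the utility named above (example code written for this page, not Sysinternals’ tool and not from either commenter): a rootkit that hooks the Windows API can filter its own files and registry keys out of the listings that Explorer and anti-virus scanners receive, so a cross-view scanner takes two listings of the same objects, one through the high-level API and one read straight from the raw volume or registry hive, and reports every entry that appears in only one of them. The two views here are constructed sample data, and `hidden_example.sys` and `hidden_example` are placeholder names; a real scanner would obtain the raw view by parsing NTFS and hive structures itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str    # "file" or "registry"
    path: str    # the entry as spelled in the view that listed it
    status: str  # "hidden": raw view only; "phantom": API view only


def _canonical(entries):
    # Windows file paths and registry keys are case-insensitive, so compare
    # them in canonical form but keep the original spelling for reporting.
    return {e.lower().rstrip("\\"): e for e in entries}


def cross_view(kind, api_view, raw_view):
    """Return every entry present in exactly one of the two views."""
    api, raw = _canonical(api_view), _canonical(raw_view)
    hidden = [Discrepancy(kind, raw[k], "hidden")
              for k in sorted(raw.keys() - api.keys())]
    phantom = [Discrepancy(kind, api[k], "phantom")
               for k in sorted(api.keys() - raw.keys())]
    return hidden + phantom


# CONSTRUCTED sample views; nothing here was read from a real system.
API_FILES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\Temp\scan_tmp.log",            # created between the two scans
]
RAW_FILES = [
    r"C:\WINDOWS\SYSTEM32\kernel32.dll",        # same file, different case
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\system32\hidden_example.sys",  # placeholder: filtered out of the API view
]
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
API_REGISTRY = [RUN_KEY + r"\AVG"]
RAW_REGISTRY = [RUN_KEY + r"\AVG", RUN_KEY + r"\hidden_example"]  # placeholder value


def scan_sample():
    """Run the cross-view comparison over both constructed object types."""
    return (cross_view("file", API_FILES, RAW_FILES)
            + cross_view("registry", API_REGISTRY, RAW_REGISTRY))


def hidden_entries(discrepancies):
    """Entries the raw view sees but the API view does not: the rootkit signal."""
    return [d.path for d in discrepancies if d.status == "hidden"]


if __name__ == "__main__":
    for d in scan_sample():
        print(f"{d.status:8} {d.kind:9} {d.path}")
```

When triaging the report, a "phantom" entry (API only) is usually a file created or deleted between the two listings and is worth re-scanning rather than alarming over, whereas a "hidden" entry under a Run key or in system32 is exactly the discrepancy an API-hooking rootkit produces and is the one to investigate.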
