DonationCoder.com Forum

Main Area and Open Discussion => General Software Discussion => Topic started by: Curt on July 06, 2007, 06:59 PM

Title: Detecting RootKits
Post by: Curt on July 06, 2007, 06:59 PM
I ran 3 rootkit detectors and got 3 very different results. I could choose to write a long story here about this and tell the details, but in the end the one thing this post really is about is: how on earth are dumb users like me supposed to handle such results? If I (by accident) hadn't known any better, these scans would have made me remove several perfectly harmless programs!

Resplendence RootKit Hook Analyzer 3.00 (http://www.resplendence.com/hookanalyzer)'s result:

[attachment: screenshot]


SysInternals RootkitRevealer 1.71 (http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx) was no better:

[attachment: screenshot]


F-Secure Blacklight Rootkit Eliminator (http://www.f-secure.com/blacklight/try_blacklight.html) (expires 1st October 2007) gave the only trustworthy result: "0 files found":

[attachment: screenshot]


It would be very interesting to see if security tools like Process Guard 3.4 (http://www.diamondcs.com.au/processguard/) or Anti Hook 3.0 (http://www.infoprocess.com.au/AntiHook.php) (or the older but free 2.6) would have prevented any of these false-positive-programs from installing! ???

You can read about the rootkit problem at Gizmo's page (http://www.pcsupportadvisor.com/rootkits.htm).
Title: Re: Detecting RootKits
Post by: Lashiec on July 06, 2007, 07:41 PM
HIPS programs you're talking about... I don't know if they would go that far down in the stack. They're quite capable of detecting software trying to launch other apps, code injection and such, but with rootkits it would be another story. Who knows? If Gizmo says they would prevent them, then take his word for it. The guy lives off that.

Besides, actual rootkits are much more sophisticated than this. I think Altiris would be something like in the league of Norton's Antivirus Recycle Bin, which intercepted the files going to the bin and rerouted them to its own directory.

The Sysinternals tool is quite capable, but in the end you're alone, unless you post your log in their forums. It's not easy to understand, and you've got to remove possible rootkits by yourself. I wouldn't count too much on the Resplendence tool either; this is not their field of action. F-Secure, on the other hand, was (I think) one of the first scanners, but according to an article f0dder linked:

btw it's not just a coincidence that the Ad-Aware engine uses another PR crap firm F-Secure in their products for fighting with spyware. Nice symbiotic

... who knows, it could be true, or it could be some guy crying because he can't bypass F-Secure's detection algorithms. Another search showed me that rootkit authors are in a rat race with security software writers, as always. WinHex could also be a helpful tool, but it's also difficult to use.

Enough senseless chit-chat. Where is f0dder? ;)
Title: Re: Detecting RootKits
Post by: SKA on July 07, 2007, 01:20 AM
You could try this one: Rootkit Unhooker 3.3 (don't try version 3.7):
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar

For interpreting scan results : you need to ask in Sysinternals /CastleCops /Wilders Security forums where
many experts hang out, including EP_XOff (apparent co-author of RKU).

SKA
Title: Re: Detecting RootKits
Post by: Curt on July 07, 2007, 06:06 AM
You could try this one: Rootkit Unhooker 3.3 (don't try version 3.7):
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar ...

Thanks a lot for pointing to RkUnhook (http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar) (RkU), SKA  :up:
This Russian program (exe name: 7lSQusUji) is by far the most advanced in this group! The first scanning result is literally ready in a second (!), but the final Report took more than an hour to produce. I would like to show a screenshot of the scrolled report window, but the RkU window is not a standard GUI object that my FastStone Capture can recognize, so I will insert a fraction of the 546 KB Report text file (I have deleted 99%). Here is a screenshot first:

[attachment: screenshot]


Fraction of 546KB Report
RkUnhooker report generator v0.6
==============================================
Rootkit Unhooker kernel version: 3.30.150.400
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xF4D490B0
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtClose
Actual Address 0xF4C814FC
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateFile
Actual Address 0xF4D36460
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtCreateKey
Actual Address 0xF4C80E56
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateProcess

(part deleted)

==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x845C9660

Process: C:\PROGRA~1\Webshots\Webshots.scr
Process Id: 200
EPROCESS Address: 0x83D34B70

Process: C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
Process Id: 248
EPROCESS Address: 0x82BDA6D8

Process: C:\Programmer\Agnitum\Outpost Firewall\outpost.exe
Process Id: 340
EPROCESS Address: 0x82BB68C8

Process: C:\Programmer\WiredPlane\WireKeys\WireKeys.exe
Process Id: 460
EPROCESS Address: 0x83F34688

Process: C:\Programmer\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
Process Id: 480
EPROCESS Address: 0x83D55440

Process: C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
Process Id: 500
EPROCESS Address: 0x83433020

Process: C:\Programmer\StudioLine\NMSAccess.exe
Process Id: 504
EPROCESS Address: 0x83D2DA48

Process: C:\Programmer\Oront Burning Kit 2\nmsaccess.exe
Process Id: 524
EPROCESS Address: 0x83DCB930

Process: C:\WINDOWS\system32\smss.exe
Process Id: 584
EPROCESS Address: 0x8419F4E8

Process: C:\Programmer\ESET\nod32krn.exe
Process Id: 612
EPROCESS Address: 0x82BB8460

Process: C:\Programmer\Backup4all\IoctlSvc.exe
Process Id: 640
EPROCESS Address: 0x82BB18B0


(part deleted)


==============================================
>Drivers
Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF5FFF000
Size: 3645440 bytes

Driver: C:\WINDOWS\System32\vtdisp.dll
Address: 0xBF012000
Size: 3493888 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2060160 bytes

(part deleted)


==============================================
>Files

Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS005A8.log Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ci Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Status: Hidden


Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\3CTNUGG3\indexCAAQZJGR.htm Status: Hidden


Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\LI5FD9A2\indexCA7AFT75.htm Status: Hidden


Suspect File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf Status: Hidden

==============================================
>Hooks

IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF7891B4C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF7891B1C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF7891B3C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF7891B28 hook handler located in [FILTNT.SYS]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x7C802367 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [wl_hook.dll]

(part deleted)



Find the program at this all Russian forum:
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar
[Edit: or at http://rkunhooker1.narod.ru/index.html in English] 
- the program is in English. I think RkU by far is the best of these four apps I have named, but the full report may be useless as it will list every DLL and EXE file on your computer, because they are handling hooks...

---

SKA, what do you hold against version 3.7?
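As an added example (not from the post, and not RkU's own code), here is a small Python triage helper for the report layout shown above: it groups SSDT hooks by the hooking driver, lists the Suspect File entries with their status, counts Hooks entries per handler module while flagging handlers RkU could not attribute to any module, and then splits the hooking drivers by whether they are on a list of products the user knows they installed. The sample report excerpt and the known-module list are constructed for the example; a module missing from that list only means "look it up", not "malicious".

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt laid out like the RkUnhooker report quoted in the post above.
SAMPLE_REPORT = r"""
==============================================
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xF4D490B0
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtClose
Actual Address 0xF4C814FC
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateFile
Actual Address 0xF4D36460
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
==============================================
>Files
Suspect File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf Status: Hidden
Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System
==============================================
>Hooks
IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF7891B4C hook handler located in [FILTNT.SYS]
"""
FILE_RE = re.compile(r"^Suspect File: (?P<path>.+?) Status: (?P<status>.+)$")
HOOK_RE = re.compile(r"^(?P<target>.+?), Type: .+? hook handler located in \[(?P<handler>.+)\]$")

def parse_sections(text):
    """Split the report into {section name: [non-blank lines]} on its '>Name' headers."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(">"):
            current = line[1:].strip()
        elif current and line.strip() and not line.startswith("="):
            sections[current].append(line.rstrip())
    return sections

def ssdt_hooks(sections):
    """Return {hooking module path: [hooked Nt* calls]}; an SSDT entry is the call
    name, its 'Actual Address' line, then its 'Hooked by:' line."""
    hooks, pending = defaultdict(list), None
    for line in sections.get("SSDT State", []):
        if line.startswith("Hooked by: ") and pending:
            hooks[line[len("Hooked by: "):]].append(pending)
            pending = None
        elif not line.startswith(("Actual Address", "Hooked by: ")):
            pending = line  # a call name; truncated entries simply never get attached
    return dict(hooks)

def suspect_files(sections):
    """Return [(path, status)] for every 'Suspect File:' line in the 'Files' section."""
    matches = (FILE_RE.match(line) for line in sections.get("Files", []))
    return [(m.group("path"), m.group("status")) for m in matches if m]

def hook_handlers(sections):
    """Count 'Hooks' entries per handler module and list the targets whose handler
    RkU could not attribute to any module (the '?_unknown_code_page_?' case)."""
    counts, unresolved = Counter(), []
    for m in filter(None, map(HOOK_RE.match, sections.get("Hooks", []))):
        counts[m.group("handler")] += 1
        if m.group("handler").startswith("?"):
            unresolved.append(m.group("target"))
    return counts, unresolved

def triage(hooks, known_modules):
    """Split SSDT hookers by whether their file name (lower-cased) is on the user's
    own list of installed security products; off the list means 'look it up'."""
    recognised, lookup = {}, {}
    for module, calls in hooks.items():
        name = module.rsplit("\\", 1)[-1].lower()
        (recognised if name in known_modules else lookup)[module] = calls
    return recognised, lookup
```

Calling `triage(ssdt_hooks(parse_sections(SAMPLE_REPORT)), {"sandbox.sys"})` puts the Outpost driver (named in the report path) under recognised and leaves fslx.sys as the one entry still to look up.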
Title: Re: Detecting RootKits
Post by: justice on July 07, 2007, 07:07 AM
F-Secure BlackLight is part of my F-Secure Anti-Virus for WorkStations 7 installation and probably more version 2007 and v7 of their software. The performance is better than version 5, and it even reports and corrects incorrect Windows security settings, which was quite a surprise.
Title: Re: Detecting RootKits
Post by: Curt on July 07, 2007, 07:26 AM
F-Secure BlackLight is part of my F-Secure Anti-Virus for WorkStations 7 installation ..

http://www.f-secure.com/home_user/ - but pricey, isn't it:

[attachment: screenshot]
---

BTW:

Today justice is a thousand posts behind Darwin...(??):

#300

 :Thmbsup: more justice!
Title: Re: Detecting RootKits
Post by: Lashiec on July 07, 2007, 01:44 PM
Curt, that's the Internet Security suite, which includes lots of things like a firewall or an antispam filter. The one justice is using costs 39.95 € for a one year license.
Title: Re: Detecting RootKits
Post by: Grorgy on July 07, 2007, 04:13 PM
The Internet suite seems fairly well priced for one of the top line ones too.
Title: Re: Detecting RootKits
Post by: f0dder on July 07, 2007, 04:51 PM
...and just remember that nothing will be 100% proof in detecting rootkits. There are so many ways you can hide yourself, and after that it becomes a cat-and-mouse game where anti-rootkit software jumps through massive hoops to try and detect specific rootkits.
Title: Re: Detecting RootKits
Post by: laughinglizard on July 08, 2007, 04:05 PM
I use IceSword myself.

There's a good site with information and discussion about rootkits here:
http://www.antirootkit.com/index.htm

They have a pretty good roundup of Rootkit Detection & Removal Software, including the name, publisher, OS, the Cost/Rating and the Version.

http://www.antirootkit.com/software/index.htm

They have a similar list for Rootkit Prevention Software at the bottom of the page.

I've used Cyberhawk since early beta and think it's a good product, but recently started using NOD32. They added several security features I like, and are Gizmo's number one (not free) choice.

Title: Re: Detecting RootKits
Post by: Curt on July 08, 2007, 04:59 PM
http://www.antirootkit.com/software/index.htm : wow! Thanks, laughinglizard !  :up:

Rootkit Detection & Removal Software

[attachment: screenshot]


[attachment: screenshot]


But more important:

Rootkit Prevention Software:

AntiHook (http://www.antirootkit.com/software/Antihook.htm) AppDefend (http://www.antirootkit.com/software/AppDefend.htm) Cyberhawk (http://www.antirootkit.com/software/Cyberhawk.htm) DefenseWall HIPS (http://www.antirootkit.com/software/DefenseWall-HIPS.htm) Dynamic Security Agent (http://www.antirootkit.com/software/DynamicSecurityAgent.htm) Exe LockDown (http://www.antirootkit.com/software/Exelockdown.htm)
GeSWall Personal Edition (http://www.antirootkit.com/software/GeSWall-Personal-Edition.htm) Neoava Guard (http://www.antirootkit.com/software/NeoavaGuard.htm) ProcessGuard (http://www.antirootkit.com/software/ProcessGuard.htm) SocketShield (http://www.antirootkit.com/software/SocketShield.htm) ThreatMon (http://www.antirootkit.com/software/ThreatMon.htm)
[attachment: screenshot]

SocketShield is now $30 for 1 year LinkScanner Pro! (http://www.explabs.com/products/socketshield_lspro_trial.asp); or 1 year FREE: http://www.trialpay.com/productpage/?c=dbab594&tid=6rGU5--
Title: Re: Detecting RootKits
Post by: Plasma Man on July 08, 2007, 10:34 PM
I love the maverick attitude in the RkUnhook help file. ;)
Title: Re: Detecting RootKits
Post by: Curt on July 09, 2007, 03:05 AM
Talking about PREVENTION of rootkits one should of course mention today's GAOTD:

For those who have been looking at Returnil, it is today's giveaway, at http://www.giveawayoftheday.com/ for the next 23 and a bit hours
- even though it is strange that Returnil is free today when it was FREE only a week ago!

Hello everyone,
Thank you for your interest in Returnil. I am the official US rep for the company and look forward to helping answer your questions about the software.

For those concerned over cost of licensing, please be aware that Returnil is now FREE for personal home use on a single computer.

Home page: http://www.returnilvirtualsystem.com/index.htm
Personal Edition (FREE): http://www.returnilvirtualsystem.com/index_files/rvspersonal.htm
___
With Kind Regards
Mike

But prevent rootkits it will.
Title: Re: Detecting RootKits
Post by: Nod5 on July 10, 2007, 07:03 AM
Curt,
Security tools like these always tend to be a bit hard to grasp I would say. I've only tried RootkitRevealer and it was a while ago. But as far as I remember, one quick way to sort out the results was to google on each match (and if needed restrict the search to sysinternals forum). I remember that that showed all my results to be false positives.

For example, your match containing "ControlSet001\Services\sptd\Cfg" is Daemon Tools:
http://www.google.com/search?q=ControlSet001%5CServices%5Csptd%5CCfg
Title: Re: Detecting RootKits
Post by: Curt on July 10, 2007, 07:26 AM
Thanks for sharing, Nod5  :up:

(.. hmm, that didn't come out all right; somehow it sounded familiar wrong
- anyone who has been at an AAA meeting will understand what I mean..)

speaking of it: in my setup it was Alcohol 52%... 
 
- not Daemon Tools.

 :D
Title: Re: Detecting RootKits
Post by: ssoundman on July 11, 2007, 02:42 PM
I found this rather odd...

I just downloaded Returnil's free application from their website and AVG informed me that the SHeur.FA trojan was attached to the download.

Hmm... Has anyone else seen this?
Title: Re: Detecting RootKits
Post by: Curt on July 11, 2007, 05:23 PM
You don't have to trust AVG too much on this; I am confident it was a false positive!

[attachment: screenshot]

Download from: http://www.returnilvirtualsystem.com/index_files/rvspersonal.htm
- or from:
http://www.download.com/Returnil-Virtual-System-Personal-Edition/3000-2144-10704691.html?part=dl-ReturnilV&subj=uo&tag=button
Title: Re: Detecting RootKits
Post by: jgpaiva on July 11, 2007, 05:27 PM
I just downloaded Returnil's free application from their website and AVG informed me that the SHeur.FA trojan was attached to the download.
Just make a search for "avg false positive" here on the forum... Curiously it isn't the first time AVG fools people saying good software has trojans.
Title: Re: Detecting RootKits
Post by: ssoundman on July 12, 2007, 12:16 PM
Thanks, Curt & jgpaiva.

I downloaded it from the second of the two links Curt provided and it went just fine.
Title: Re: Detecting RootKits
Post by: jimfarrington on July 13, 2007, 02:21 PM
My wife opened an e-postcard this morning from an unknown source and AVG notified it had intercepted the SHeur.AFJ virus. Doing a scan indicated it had attached to QuickBooks. Searching the normal sources for virus information reveals no information on such a virus, although Google lists it as the number 13 search term posted today. Anyone know anything about the virus itself?
Title: Re: Detecting RootKits
Post by: Lashiec on July 13, 2007, 02:57 PM
Well, I encountered a Brazilian blog (http://www.jonnyken.com/infoblog/2007/07/13/virus-novo-na-praca-trojan-horse-sheurafj/) that seems to shed some light onto the situation. I'll try to translate it.

2 employees working in the USA recently got infected with that virus, a Trojan Horse called SHeur.AFJ. Both of them found the infection using AVG.

And then, after some more chitchat (basically saying what you have commented), he posts this link (http://hundreddollar.blogspot.com/2007/07/great-america-drowning.html) to another blog. Pretty strange this one, if you ask me...

Another of the Google links is also quite creepy (http://iphonehelp.blogspot.com/2007/07/user-review-solid-media-phone.html). Is this a tech meme? A joke? A real trojan? And AVG doesn't list anything on its page...

P.S.: João, if my translation is wrong, feel free to correct ;)

EDIT1: Forget about those two last links. It's a bunch of bastards playing with Google Trends results during a given time... Good thing to redirect traffic to your pathetic site. <paranoid mode>Maybe they created the virus to do that</paranoid mode>

EDIT2: Some corrections
Title: Re: Detecting RootKits
Post by: jgpaiva on July 13, 2007, 04:02 PM
Lashiec is right with his translation.

Apparently, there are diverging positions on that blog post. The guy writes bad as hell, he shouldn't be allowed to have a blog!!!
Truth is that I couldn't figure out if there is a virus or not. Apparently, only AVG is finding it. (I'm starting to find AVG a paranoia-maker; these posts about false positives are becoming WAY too annoying.)
Well.. But his conclusion is "maybe this is just a giant false-positive".

Really sorry for not being more helpful, but I really can't understand what that guy is trying to communicate.
Title: Re: Detecting RootKits
Post by: Curt on July 13, 2007, 05:45 PM
I do not understand how anyone will dare to settle with the FREE AVG!!  :down:
Title: Re: Detecting RootKits
Post by: Lashiec on July 13, 2007, 06:21 PM
Because it's free, and it doesn't suffer from the update problems that are plaguing AntiVir. I personally use avast!, but AVG is also a good option, a bit heavy on resources, but it's not Norton (thank God).

And it's not exactly the king of positives.
Title: Re: Detecting RootKits
Post by: jimfarrington on July 13, 2007, 07:51 PM
Thanks for the input, folks.
Title: Re: Detecting RootKits
Post by: sajman99 on June 28, 2009, 03:37 PM
Lots can change in two years, particularly in a security-related field like anti-rootkits (ARKs). I readily admit I'm not an "expert" in this security area, but I've searched in the effort to find some newer ARKs.

One of the most recommended ARKs out there is GMER at http://www.gmer.net . It's been updated several times lately and is well regarded.

In addition, I really like this ARK I had not previously heard about: GamingMaster's Kernel Detective (latest version 1.30). It runs fast and stable, and provides a wealth of information.

The development details and Kernel Detective download link are available here: http://www.at4re.com/f/showthread.php?p=51875#post51875
The relevant Sysinternals forum thread for those interested can be found here: http://forum.sysinternals.com/forum_posts.asp?TID=19056&PN=1

If somebody has some more ARK recommendations, I am definitely interested.  :)
Title: Re: Detecting RootKits
Post by: cmpm on June 28, 2009, 08:48 PM
A paragraph from wikipedia on rootkits.
Which seems to make good sense.
It's not up to date as it could be.

The best, and most reliable, method for operating system-level rootkit detection is to shut down the computer suspected of infection, and then to check its storage by booting from an alternative trusted medium (e.g. a rescue CD-ROM or USB flash drive)[citation needed]. A non-running rootkit cannot actively hide its presence, and most established antivirus programs will identify rootkits armed via standard OS calls (which are often tampered with by the rootkit) and lower level queries, which ought to remain reliable. If there is a difference, the presence of a rootkit infection should be assumed. Running rootkits attempt to protect themselves by monitoring running processes and suspending their activity until the scanning has finished; this is more difficult if the rootkit is not allowed to run.[citation needed]

Just to complicate my sense of secure computing, I read up on it a little.
:)

Title: Re: Detecting RootKits
Post by: Steven Avery on June 29, 2009, 12:05 PM
Hi Folks,

That makes a lot of sense, looking at the root from the outside. 

Any other rootkit attempts generate concerns. They tend to have to work at a low level on your system, and the less low-level manipulation you have (even if in a "good cause") the more stable your system.

Also, the small group of Russian anti-rootkit technophiles seem to be at war with one another; reading the history of the field does not give me confidence. I wonder how many of these guys might be "highest bidder" oriented, Microsoft affiliates one month, Thin Line Associates the next.

I like the occasional external view thing, probably using whatever is available in UBCD4.  And if more is needed there, letting UBCD4 know.

Shalom,
Steven
Title: Re: Detecting RootKits
Post by: sajman99 on July 01, 2009, 01:27 PM
Thanks for the ARK information, folks.

I checked out the ARK RootRepeal at http://rootrepeal.googlepages.com, and it's a nice tool which can quickly display stealth objects, hidden services, etc.
I'll be keeping it in my ARK collection FWIW. But that's all I've been able to find so far.

Surely somebody has some specific ARK tools which they use and recommend? Maybe some ARKS that are newer and not well-known to the average user?
As suggested by Curt, I've read Gizmo's page at http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm , but (as noted by one of the first comments on that page) some of those ARK recommendations haven't changed in a long time while rootkits have continued development.

Look forward to any suggestions, sajman99