Detecting RootKits

[Curt]

I ran 3 rootkit detectors and got 3 very different results. I could choose to write a long story here about this and tell the details, but in the end the one thing this post really is about, is How on earth dumm users like me are supposed to handle such results? If I (by accident) haven't known any better these scannings would have made me remove several perfectly harmless programs!

Resplendence RootKit Hook Analyzer 3.00's result:

Detecting RootKits


SysInternals RootkitRevealer 1.71 was no better:

Detecting RootKits


F-Secure Blacklight Rootkit Eliminator (expire 1'st October 2007) gave the only trustworthy result: "0 files found":

Detecting RootKits


It would be very interesting to see if security tools like Process Guard 3.4 or Anti Hook 3.0 (or the older but free 2.6) would have prevented any of these false-positive-programs from installing! ???

You can read about the rootkit problem at Gizmo's page.

[Lashiec]

HIPS programs you're talking about... I don't know if they would go so down in the stack. They're quite capable of detecting software trying to launch other apps, code injection and such, but with rootkits it would be another story. Who knows? If Gizmo says they would prevent them, then take his word for granted. The guy lives of that.

Besides, actual rootkits are much more sophisticated than this. I think Altiris would be something like in the league of Norton's Antivirus Recycle Bin, which intercepted the files going to the bin, and rerouted them to his own directory.

Sysinternals tool is quite capable, but in the end, you're alone, unless you post your log in their forums. It's not easy to understand, and you've got to remove possible rootkits by yourself. I wouldn't count too much on Resplendece tool as well, this is not their field of action. F-Secure on the other hand, was (I think) one of the first scanners, but according to an article f0dder linked:

btw it's not just a coincidence that the Ad-Aware engine uses another PR crap firm F-Secure in their products for fighting with spyware. Nice simbiotic

... who knows, it could be true, or it could be some guy crying because he can't bypass F-Secure detection algorithms. Another search showed me that rootkit authors are in a rat race with security software writers, as always. WinHex could be also a helpful tool, but it's also difficult to use.

Enough senseless chit-chat. Where is f0dder?

[SKA]

You could try this one : Rootkit Unhooker 3.3 (dont try version 3.7):
http://rkunhooker1.n.../RkU3.30.150.400.rar

For interpreting scan results : you need to ask in Sysinternals /CastleCops /Wilders Security forums where
many experts hang out, including EP_XOff (apparent co-author of RKU).

SKA

[Curt]

You could try this one : Rootkit Unhooker 3.3 (dont try version 3.7):
http://rkunhooker1.n.../RkU3.30.150.400.rar ...

-SKA (July 07, 2007, 01:20 AM)

Thanks a lot for pointing to RkUnhook (RkU), SKA 
This Russian program (exe name: 7lSQusUji) is by far the most advanced in this group! The first scanning result is literally ready in a second (!), but the final Report took more than a hour to produce. I would like to show a screenshot of the scrolled report window, but the RkU window is not a standard GUI object that my FastStone Capture can recognize, so I will insert a fraction of the 546 KB Report text file (I have deleted 99%). Here is first a screenshot:

Detecting RootKits

Fraction of 546KB Report

RkUnhooker report generator v0.6
==============================================
Rootkit Unhooker kernel version: 3.30.150.400
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xF4D490B0
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtClose
Actual Address 0xF4C814FC
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateFile
Actual Address 0xF4D36460
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtCreateKey
Actual Address 0xF4C80E56
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateProcess

(part deleted)

==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x845C9660

Process: C:\PROGRA~1\Webshots\Webshots.scr
Process Id: 200
EPROCESS Address: 0x83D34B70

Process: C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
Process Id: 248
EPROCESS Address: 0x82BDA6D8

Process: C:\Programmer\Agnitum\Outpost Firewall\outpost.exe
Process Id: 340
EPROCESS Address: 0x82BB68C8

Process: C:\Programmer\WiredPlane\WireKeys\WireKeys.exe
Process Id: 460
EPROCESS Address: 0x83F34688

Process: C:\Programmer\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
Process Id: 480
EPROCESS Address: 0x83D55440

Process: C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
Process Id: 500
EPROCESS Address: 0x83433020

Process: C:\Programmer\StudioLine\NMSAccess.exe
Process Id: 504
EPROCESS Address: 0x83D2DA48

Process: C:\Programmer\Oront Burning Kit 2\nmsaccess.exe
Process Id: 524
EPROCESS Address: 0x83DCB930

Process: C:\WINDOWS\system32\smss.exe
Process Id: 584
EPROCESS Address: 0x8419F4E8

Process: C:\Programmer\ESET\nod32krn.exe
Process Id: 612
EPROCESS Address: 0x82BB8460

Process: C:\Programmer\Backup4all\IoctlSvc.exe
Process Id: 640
EPROCESS Address: 0x82BB18B0


(part deleted)


==============================================
>Drivers
Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF5FFF000
Size: 3645440 bytes

Driver: C:\WINDOWS\System32\vtdisp.dll
Address: 0xBF012000
Size: 3493888 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2060160 bytes

(part deleted)


==============================================
>Files

Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS005A8.log Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ci Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir Status: Hidden


Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Status: Hidden


Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\3CTNUGG3\indexCAAQZJGR.htm Status: Hidden


Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\LI5FD9A2\indexCA7AFT75.htm Status: Hidden


Suspect File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf Status: Hidden

==============================================
>Hooks

IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF7891B4C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF7891B1C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF7891B3C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF7891B28 hook handler located in [FILTNT.SYS]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x7C802367 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [wl_hook.dll]

(part deleted)

Find the program at this all Russian forum:
http://rkunhooker1.n.../RkU3.30.150.400.rar
[Edit: or at http://rkunhooker1.narod.ru/index.html in English] 
- the program is in English. I think RkU by far is the best of these four apps I have named, but the full report may be useless as it will list every DLL and EXE file on your computer, because they are handling hooks...

---

SKA; what do you hold against version 3.7 ??

[justice]

F-secure blacklight is part of my F-secure Anti-Virus for WorkStations 7 installation and probably more version 2007 and v7 of their software. The performance is better than version 5 and it even reports and corrects incorrect windows security settings which was quite a surprise.

[Curt]

F-secure blacklight is part of my F-secure Anti-Virus for WorkStations 7 installation ..

-justice (July 07, 2007, 07:07 AM)

http://www.f-secure.com/home_user/ - but pricey, isn't it:

Detecting RootKits
---

BTW:

Today justice is a thousand posts behind Darwin...(??):

#300

-Curt (July 07, 2007, 07:16 AM)

  more justice!

[Lashiec]

Curt, that's the Internet Security suite, which includes lots of things like a firewall or a antispam filter. The one justice is using costs 39.95 € for a one year license.

[Grorgy]

The internet suite seems fairly well priced for one of the top line ones to.

[f0dder]

...and just remember that nothing will be 100% proof in detecting rootkits. There's so many ways you can hide yourself, and after that it becomes a cat-and-mouse game where anti-rootkit software jumps through massive hoops to try and detect specific rootkits.

[laughinglizard]

I use IceSword myself.

There's a good site with information and discussion about rootkits here:
http://www.antirootkit.com/index.htm

They have a pretty good roundup of Rootkit Detection & Removal Software software, including the name, publisher, OS, the Cost/Rating and the Version.

http://www.antirootk...m/software/index.htm

They have a similar list for Rootkit Prevention Software at the bottom of the page.

I've used Cyberhawk since early beta and think its a good product but recently started using NOD32. They added several security features I like, and, are Gizmo's number one (not free) choice.

[Curt]

http://www.antirootk...m/software/index.htm : wow! Thanks, laughinglizard ! 

Rootkit Detection & Removal Software

Detecting RootKits


Detecting RootKits


But more important:

Rootkit Prevention Software:

AntiHook AppDefend Cyberhawk DefenseWall HIPS Dynamic Security Agent Exe LockDown
GeSWall Personal Edition Neoava Guard ProcessGuard SocketShield ThreatMon

SocketShield is now $30 for 1 year LinkScanner Pro!; or 1 year FREE: http://www.trialpay....b594&tid=6rGU5--

[Plasma Man]

I love the maverick attitude in the RkUnhook help file.

[Curt]

Talking about PREVENTION of rootkits one should of course mention today's GAOTD:

For those who have been looking at returnil, it is todays giveaway, at http://www.giveawayoftheday.com/ for the next 23 and a bit hours

-Grorgy (July 09, 2007, 02:16 AM)

- even though it is strange that Returnil is free today when it was FREE only a week ago!

Hello everyone,
Thank you for your interest in Returnil. I am the official US rep for the company and look forward to help answering your questions about the software.

For those concerned over cost of licensing, please be aware that Returnil is now FREE for personal home use on a single computer.

Home page: http://www.returnilv...system.com/index.htm
Personal Edition (FREE): http://www.returnilv...iles/rvspersonal.htm
___
With Kind Regards
Mike

-Coldmoon (June 28, 2007, 12:05 PM)

But prevent rootkits it will.

[Nod5]

Curt,
Security tools like these always tend to be a bit hard to grasp I would say. I've only tried RootkitRevealer and it was a while ago. But as far as I remember, one quick way to sort out the results was to google on each match (and if needed restrict the search to sysinternals forum). I remember that that showed all my results to be false positives.

For example, your match containing "ControlSet001\Services\sptd\Cfg" is Daemon Tools:
http://www.google.co...ervices%5Csptd%5CCfg

[Curt]

Thanks for sharing, Nod5 

(.. hmm, that didn't come out all right; somehow it sounded familiar wrong
- anyone who have been at a AAA meeting will understand what I mean..)   

speaking of it: in my setup it was Alcohol 52%... 
 
- not Daemon Tools.

 

[ssoundman]

I found this rather odd...

I just doanloaded returnil's free application from their website and AVG informed me that the SHeur.FA trojan was attached to the download.

Hmm... Has anyone else seen this?

[Curt]

You don't have to trust AVG too much on this; I am confident it was a false positive!



Download from: http://www.returnilv...iles/rvspersonal.htm
- or from:
http://www.download....bj=uo&tag=button

[jgpaiva]

I just doanloaded returnil's free application from their website and AVG informed me that the SHeur.FA trojan was attached to the download.

-ssoundman (July 11, 2007, 02:42 PM)

Just make a search for "avg false positive" here on the forum... Curiously it isn't the first time AVG fools people saying good software has trojans.

[ssoundman]

Thanks, Curt & jgpaiva.

I downloaded it from the second of the two links Curt provided and it went just fine.

[jimfarrington]

My wife opened an e-postcard this morning from an unknown source and AVG notified it had intercepted the SHeur.AFJ virus. Doing a scan indicated it had attached to QuikBooks. Searching the normal sources for virus information reveals no information on such a virus although Google lists it as the number 13 search term posted today. Anyone know anything about the virus itself?

[Lashiec]

Well, I encountered a brazilian blog that seems to shed some light onto the situation. I'll try to translate it

2 employees working at the USA got recently infected with that virus, a Trojan Horse called SHeur.AFJ. Both of them found the infection using AVG.

And then, after some more chitchat (basically saying what you have commented), he posts this link to other blog. Pretty strange this one if you ask me...

Other of the links of Google it's also quite creepy. Is this a tech meme? A joke? A real trojan? And AVG doesn't list anything in its page...

P.S.: João, if my translation is wrong, feel free to correct

EDIT1: Forget about those two last links. It's a bunch of bastards playing with Google Trends results during a given time... Good thing to redirect traffic to your pathetic site. <paranoid mode>Maybe they created the virus to do that</paranoid mode>

EDIT2: Some corrections

[jgpaiva]

Lashiec is right with his translation.

Apparently, there are diverging positions on that blog post. The guy writes bad as hell, he shouldn't be allowed to have a blog!!!
Truth is that i couldn't figure out if there is a virus or not. Apparently, only AVG is finding it. (I'm stating to find AVG a paranoid-maker, these posts about false positives are becoming WAY too anoying)
Well.. But his conclusion is "maybe this is just a giant false-positive".

Really sorry for not being more helpful, but i really can't understand what that guy is trying to comunicate.

[Curt]

I do not understand how anyone will dare to settle with the FREE AVG!! 

[Lashiec]

Because it's free, and it doesn't suffer from the update problems that are plaguing AntiVir. I personally use avast!, but AVG is also a good option, a bit heavy on resources, but it's not Norton (thank God).

And it's not exactly the king of positives.

[jimfarrington]

Thanks for the input, folks.