
Detecting RootKits


Curt:
I ran 3 rootkit detectors and got 3 very different results. I could choose to write a long story here about this and tell the details, but in the end the one thing this post really is about is: how on earth are dumb users like me supposed to handle such results? If I hadn't (by accident) known any better, these scans would have made me remove several perfectly harmless programs!

Resplendence RootKit Hook Analyzer 3.00's result:

[screenshot: Detecting RootKits]


SysInternals RootkitRevealer 1.71 was no better:

[screenshot: Detecting RootKits]


F-Secure BlackLight Rootkit Eliminator (expires 1st October 2007) gave the only trustworthy result: "0 files found":

[screenshot: Detecting RootKits]


It would be very interesting to see if security tools like Process Guard 3.4 or Anti Hook 3.0 (or the older but free 2.6) would have prevented any of these false-positive programs from installing! ???

You can read about the rootkit problem at Gizmo's page.

Lashiec:
The HIPS programs you're talking about... I don't know if they would go that far down in the stack. They're quite capable of detecting software trying to launch other apps, code injection and such, but with rootkits it would be another story. Who knows? If Gizmo says they would prevent them, then take his word for it. The guy lives off that.

Besides, actual rootkits are much more sophisticated than this. I think Altiris would be something in the league of Norton's Antivirus Recycle Bin, which intercepted the files going to the bin and rerouted them to its own directory.

The Sysinternals tool is quite capable, but in the end you're alone, unless you post your log in their forums. It's not easy to understand, and you've got to remove possible rootkits by yourself. I wouldn't count too much on the Resplendence tool either; this is not their field of action. F-Secure, on the other hand, was (I think) one of the first scanners, but according to an article f0dder linked:

btw it's not just a coincidence that the Ad-Aware engine uses another PR crap firm, F-Secure, in their products for fighting with spyware. Nice symbiotic

--- End quote ---

... who knows, it could be true, or it could be some guy crying because he can't bypass F-Secure's detection algorithms. Another search showed me that rootkit authors are in a rat race with security software writers, as always. WinHex could also be a helpful tool, but it's also difficult to use.

Enough senseless chit-chat. Where is f0dder? ;)

SKA:
You could try this one: Rootkit Unhooker 3.3 (don't try version 3.7):
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar

For interpreting scan results, you need to ask in the Sysinternals / CastleCops / Wilders Security forums, where
many experts hang out, including EP_XOff (apparent co-author of RKU).

SKA

Curt:
You could try this one: Rootkit Unhooker 3.3 (don't try version 3.7):
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar ...-SKA (July 07, 2007, 01:20 AM)
--- End quote ---

Thanks a lot for pointing to RkUnhook (RkU), SKA  :up:
This Russian program (exe name: 7lSQusUji) is by far the most advanced in this group! The first scanning result is literally ready in a second (!), but the final Report took more than an hour to produce. I would like to show a screenshot of the scrolled report window, but the RkU window is not a standard GUI object that my FastStone Capture can recognize, so I will insert a fraction of the 546 KB Report text file (I have deleted 99%). First, here is a screenshot:

[screenshot: Detecting RootKits]


Fraction of 546KB Report:

RkUnhooker report generator v0.6
==============================================
Rootkit Unhooker kernel version: 3.30.150.400
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xF4D490B0
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtClose
Actual Address 0xF4C814FC
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateFile
Actual Address 0xF4D36460
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtCreateKey
Actual Address 0xF4C80E56
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
NtCreateProcess

(part deleted)

==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x845C9660

Process: C:\PROGRA~1\Webshots\Webshots.scr
Process Id: 200
EPROCESS Address: 0x83D34B70

Process: C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
Process Id: 248
EPROCESS Address: 0x82BDA6D8

Process: C:\Programmer\Agnitum\Outpost Firewall\outpost.exe
Process Id: 340
EPROCESS Address: 0x82BB68C8

Process: C:\Programmer\WiredPlane\WireKeys\WireKeys.exe
Process Id: 460
EPROCESS Address: 0x83F34688

Process: C:\Programmer\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
Process Id: 480
EPROCESS Address: 0x83D55440

Process: C:\Programmer\Microsoft Office\OFFICE11\OUTLOOK.EXE
Process Id: 500
EPROCESS Address: 0x83433020

Process: C:\Programmer\StudioLine\NMSAccess.exe
Process Id: 504
EPROCESS Address: 0x83D2DA48

Process: C:\Programmer\Oront Burning Kit 2\nmsaccess.exe
Process Id: 524
EPROCESS Address: 0x83DCB930

Process: C:\WINDOWS\system32\smss.exe
Process Id: 584
EPROCESS Address: 0x8419F4E8

Process: C:\Programmer\ESET\nod32krn.exe
Process Id: 612
EPROCESS Address: 0x82BB8460

Process: C:\Programmer\Backup4all\IoctlSvc.exe
Process Id: 640
EPROCESS Address: 0x82BB18B0


(part deleted)


==============================================
>Drivers
Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF5FFF000
Size: 3645440 bytes

Driver: C:\WINDOWS\System32\vtdisp.dll
Address: 0xBF012000
Size: 3493888 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2060160 bytes

(part deleted)


==============================================
>Files

Suspect File: C:\$Extend\$UsnJrnl:$J:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: C:\$Extend\$UsnJrnl:$Max:$DATA Status: Opened for exclusive access by other app or by System
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS005A8.log Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ci Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir Status: Hidden
Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Status: Hidden
Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\3CTNUGG3\indexCAAQZJGR.htm Status: Hidden
Suspect File: C:\Documents and Settings\karar\Lokale indstillinger\Temporary Internet Files\Content.IE5\LI5FD9A2\indexCA7AFT75.htm Status: Hidden
Suspect File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf Status: Hidden

==============================================
>Hooks

IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF7891B4C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF7891B1C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF7891B3C hook handler located in [FILTNT.SYS]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF7891B28 hook handler located in [FILTNT.SYS]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x7C802367 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->CreateRemoteThread, Type: Inline - RelativeJump at address 0x7C81042C hook handler located in [wl_hook.dll]
[1156]sqlwriter.exe-->kernel32.dll-->DebugActiveProcess, Type: Inline - RelativeJump at address 0x7C85A123 hook handler located in [wl_hook.dll]

(part deleted)



Find the program on this all-Russian forum:
http://rkunhooker1.narod.ru/rkunhooker_v3/RkU3.30.150.400.rar
[Edit: or at http://rkunhooker1.narod.ru/index.html in English]
- the program is in English. I think RkU is by far the best of the four apps I have named, but the full report may be useless, as it will list every DLL and EXE file on your computer, because they are handling hooks...

---

SKA, what do you hold against version 3.7?
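An added example, not from the thread and not part of the RkU tool: a small Python script that parses the ">SSDT State" and ">Hooks" sections in the report layout quoted above, groups every hook by the module that installed it, and keeps only hooks whose handler module is not in an inventory of knowingly installed products. That is the triage step the report itself does not do for you: hooks from the firewall's Sandbox.SYS or an antivirus driver are expected, while the IDT entry handled in "[?_unknown_code_page_?]" is what still needs a look. The sample report text and the inventory set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the RkU report quoted in the thread (not a real scan)
SAMPLE_REPORT = r""">SSDT State
NtCreateFile
Actual Address 0xF4D36460
Hooked by: C:\Programmer\Agnitum\Outpost Firewall\kernel\Sandbox.SYS
NtCreateKey
Actual Address 0xF4C80E56
Hooked by: C:\WINDOWS\system32\drivers\fslx.sys
==============================================
>Hooks

IDT-->Int 0x000000B1, Type: IDT modification hook handler located in [?_unknown_code_page_?]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF7891B4C hook handler located in [FILTNT.SYS]
[1156]sqlwriter.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x7C802367 hook handler located in [wl_hook.dll]
"""

# ">SSDT State" entries span three lines; ">Hooks" entries are one line each
SSDT_RE = re.compile(r"^(Nt\w+)\nActual Address (0x[0-9A-Fa-f]+)\nHooked by: (.+)$", re.M)
HOOK_RE = re.compile(r"^(.+?), Type: (.+?)(?: at address (0x[0-9A-Fa-f]+))?"
                     r" hook handler located in \[(.+?)\]$", re.M)

def parse_hooks(report):
    """One dict per reported hook: hooked target, hook type, address, handler module file name."""
    hooks = []
    for target, addr, path in SSDT_RE.findall(report):
        hooks.append({"target": target, "type": "SSDT", "address": addr,
                      "handler": path.strip().split("\\")[-1]})
    for target, kind, addr, handler in HOOK_RE.findall(report):
        hooks.append({"target": target, "type": kind, "address": addr or None,
                      "handler": handler})
    return hooks

def triage(hooks, known_modules):
    """Group hooks by handler module; return (groups, hooks whose handler is not in the inventory)."""
    # known_modules: lower-case driver/DLL file names of products the user knowingly installed.
    # '?_unknown_code_page_?' can never be in it, so hooks handled in unmapped code always remain.
    by_handler = defaultdict(list)
    for h in hooks:
        by_handler[h["handler"].lower()].append(h["target"])
    unexplained = [h for h in hooks if h["handler"].lower() not in known_modules]
    return dict(by_handler), unexplained

if __name__ == "__main__":
    inventory = {"sandbox.sys", "fslx.sys", "filtnt.sys", "wl_hook.dll"}  # assumed inventory
    grouped, todo = triage(parse_hooks(SAMPLE_REPORT), inventory)
    for mod, targets in sorted(grouped.items()):
        print(f"{mod}: {len(targets)} hook(s): {', '.join(targets)}")
    for h in todo:
        print(f"INVESTIGATE {h['target']} ({h['type']}) -> handler in {h['handler']}")
```

On a real report the inventory should be built from the full paths the SSDT section prints and from the machine's installed-program list, so that only handlers nobody can account for are left over.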

justice:
F-Secure BlackLight is part of my F-Secure Anti-Virus for Workstations 7 installation, and probably also of version 2007 and v7 of their software. The performance is better than version 5, and it even reports and corrects incorrect Windows security settings, which was quite a surprise.
