mike (Guest)
Posted: Mon Aug 23, 2004 6:53 am    Post subject: rootkit detection
i ran into a couple of interesting tools that could be used to detect some rootkits: klister and VICE.
mike
ntl (Site Admin)    Joined: 27 Jun 2004    Posts: 60
Posted: Mon Aug 23, 2004 7:29 pm
That's true. There are even two more tools which are not mentioned in our rootkit article: the tools are called Kernel PS and Patchfinder2. Kernel PS is driver-based and can, for example, detect and terminate an active Hacker Defender rootkit.
We have not mentioned these tools because they must be downloaded from malware/underground websites. But everyone should make up his/her own mind:
See http://www.rootkit.com/ for Klister, Patchfinder2 and VICE.
See http://www.xfocus.net/tools/8.html for Kernel PS (file name is knlps).
Spanner intheWorks (Guest)
Posted: Sat Mar 19, 2005 7:08 pm    Post subject: RootKit Detection Treasure Trove
For those of you who are interested in RKs etc., I thought you might like to know that I've got a thread going over at Wilders called "RootKit Detection Treasure Trove", which you may like to take a look at and follow, and/or even better, hopefully contribute to if you wish.
Regards,
Spanner
http://www.wilderssecurity.com/showthread.php?s=95908884f62ac79cc539f5af10599a2a&t=69658
Guest
Posted: Sun Mar 20, 2005 9:15 am
@Spanner
Good work. How about testing a recent rootkit (like Aphex Rootkit 2005) against all these tools? I understand that, for example, F-Secure BlackLight can be bypassed by certain rootkits.
If you need help with testing, please let me know.
Guest
Posted: Mon Mar 21, 2005 7:31 am
To Mystery Guest!
Hi there. Thanks, glad you appreciate it, because a lot of work has gone into it, but I think it's a worthwhile project.
Yes, I heard that it's possible for some anti-RKs to be compromised, but I suppose that's to be expected as of right now. It's sort of early days in a way: even though RKs have been around for a while, anti-RKs haven't!
As for me testing RKs, lol, well, as I mentioned in my thread on Wilders, I'm NO expert on this at ALL! I do though take a keen interest in it, as I think it's a fascinating concept/subject.
So all I'm doing is providing what research/info/tools/links etc. I am able to, to enable others who are more skilled in the art to attack this threat with as much ammunition as possible.
If you feel that you are able to help in testing etc., then that'd be great, and if you can contribute in some way to my thread on Wilders, I'm sure we'd all love to hear from you.
Regards,
Spanner
Guest
Posted: Sat Apr 02, 2005 8:19 am
ProAgent 2 (spy software, keylogger, password stealer)
"ABILITIES:
- No processes are visible in any task manager or Process Explorer (Sysinternals).
- Hidden from Sysinternals RootkitRevealer (RootkitRevealer is an advanced rootkit detection utility).
- Hidden from F-Secure BlackLight Rootkit Elimination Technology!
- Does not open a port on the system.
- No connection ports are visible while sending mail in any TCP viewer (netstat, fport, CurrPorts, TCPView etc.).
- No files are visible in any explorer.
- No registry keys and values are visible in any registry editor like regedit.exe, msconfig, autorun.exe (Sysinternals).
- Firewall bypassing by injecting a DLL into the default web browser and sending mail.
- New injection technique for new-generation firewalls like ZoneAlarm's latest version, etc.
- No need for your own SMTP server. It sends directly to the MX.
- Automatic uninstall."
Guest
Posted: Thu Jun 09, 2005 10:28 pm
Not at the moment:
modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through the whole kernel memory (0x80000000 – 0xffffffff) in order to find structures which look like valid module description objects. Currently the two most important object types are recognized: the well-known _DRIVER_OBJECT and _MODULE_DESCRIPTION. GREPER has some sort of artificial intelligence built in, which allows it to recognize whether the given bytes actually describe a module-specific object. The term AI for this algorithm is probably a little bit exaggerated, since it is just a few bunches of logical rules which should be satisfied by the potential fields of the structure in question...
http://invisiblethings.org/tools.html#modgreper
I have tested modGREPER with Hacker Defender only. In respect of this rootkit it works fine.
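The "few bunches of logical rules" approach described in the quoted modGREPER text, as an added example that is not modGREPER's code and not part of the original post. It scans a constructed in-memory image for windows that satisfy the field constraints of a 32-bit Windows _DRIVER_OBJECT (Type 4, Size 0xA8, the XP x86 field offsets, pointer fields in the 0x80000000-0xffffffff range), then cross-checks every candidate's DriverStart against a constructed loaded-module list, so a driver that has unlinked itself from that list but whose object still sits in pool memory is reported. The layout, the sample objects, the decoys and the module list are all assumptions built into the example; on a real system the image would come from reading kernel memory, which this example does not do.

```c
/* Added example (not modGREPER's code): rule-based scan of a constructed kernel-memory
 * image for 32-bit Windows DRIVER_OBJECTs, then a cross-check against a constructed
 * loaded-module list. Assumed layout: Type==4 (IO_TYPE_DRIVER), Size==0xA8, XP x86 offsets. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KERNEL_BASE      0x80000000u          /* scan range 0x80000000-0xffffffff */
#define DRVOBJ_SIZE      0xA8u                /* sizeof(DRIVER_OBJECT) on x86 */
#define IO_TYPE_DRIVER   4
#define NUM_MAJOR        28                   /* MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1] */
#define MAX_DRIVER_IMAGE (64u * 1024 * 1024)  /* sanity bound on DriverSize */
#define IMG_BASE         0x80400000u          /* assumed virtual address of the sample image */
#define IMG_LEN          0x1000u
#define MAX_HITS         16

/* Field offsets of the 32-bit DRIVER_OBJECT (assumed XP layout). */
enum { OFF_TYPE = 0x00, OFF_SIZE = 0x02, OFF_DEVOBJ = 0x04, OFF_START = 0x0C, OFF_DRVSIZE = 0x10,
       OFF_NAME_LEN = 0x1C, OFF_NAME_MAX = 0x1E, OFF_NAME_BUF = 0x20, OFF_INIT = 0x2C, OFF_MAJOR = 0x38 };

static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | (p[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, size_t o) { return rd16(p, o) | ((uint32_t)rd16(p, o + 2) << 16); }
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { wr16(p, o, (uint16_t)v); wr16(p, o + 2, (uint16_t)(v >> 16)); }
static int in_kernel(uint32_t va) { return va >= KERNEL_BASE; }

/* The rule set: does the 0xA8-byte window at p look like a live DRIVER_OBJECT? */
int looks_like_driver_object(const uint8_t *p)
{
    if (rd16(p, OFF_TYPE) != IO_TYPE_DRIVER || rd16(p, OFF_SIZE) != DRVOBJ_SIZE) return 0;
    uint32_t devobj = rd32(p, OFF_DEVOBJ);
    if (devobj != 0 && !in_kernel(devobj)) return 0;             /* DeviceObject: NULL or kernel pointer */
    uint32_t start = rd32(p, OFF_START), size = rd32(p, OFF_DRVSIZE);
    if (!in_kernel(start) || size == 0 || size > MAX_DRIVER_IMAGE) return 0;  /* image mapped in kernel space */
    uint16_t len = rd16(p, OFF_NAME_LEN), max = rd16(p, OFF_NAME_MAX);
    if (len > max || (len & 1) || (len && !in_kernel(rd32(p, OFF_NAME_BUF)))) return 0;  /* DriverName sanity */
    if (!in_kernel(rd32(p, OFF_INIT))) return 0;                 /* DriverEntry address */
    for (int i = 0; i < NUM_MAJOR; i++)                          /* every IRP_MJ slot points into the kernel */
        if (!in_kernel(rd32(p, OFF_MAJOR + 4u * i))) return 0;
    return 1;
}

/* Walk the image at 8-byte (pool) alignment; return the candidate count and store their VAs. */
int scan_for_driver_objects(const uint8_t *img, size_t len, uint32_t base, uint32_t *hits, int max_hits)
{
    int n = 0;
    for (size_t off = 0; off + DRVOBJ_SIZE <= len; off += 8)
        if (looks_like_driver_object(img + off)) { if (n < max_hits) hits[n] = base + (uint32_t)off; n++; }
    return n;
}

/* Cross-view: a candidate whose DriverStart is absent from the loaded-module list is a hidden module. */
int find_hidden_drivers(const uint8_t *img, uint32_t base, const uint32_t *hits, int nhits,
                        const uint32_t *known, int nknown, uint32_t *hidden, int max_hidden)
{
    int h = 0;
    for (int i = 0; i < nhits; i++) {
        uint32_t start = rd32(img + (hits[i] - base), OFF_START);
        int seen = 0;
        for (int k = 0; k < nknown; k++) seen |= (known[k] == start);
        if (!seen) { if (h < max_hidden) hidden[h] = hits[i]; h++; }
    }
    return h;
}

/* ---- constructed sample: one listed driver, two decoys, one unlinked rootkit driver ---- */
static void emit_driver_object(uint8_t *p, uint32_t start, uint32_t size, uint32_t namebuf, uint16_t namelen)
{
    memset(p, 0, DRVOBJ_SIZE);
    wr16(p, OFF_TYPE, IO_TYPE_DRIVER);  wr16(p, OFF_SIZE, (uint16_t)DRVOBJ_SIZE);
    wr32(p, OFF_START, start);          wr32(p, OFF_DRVSIZE, size);
    wr16(p, OFF_NAME_LEN, namelen);     wr16(p, OFF_NAME_MAX, (uint16_t)(namelen + 2));
    wr32(p, OFF_NAME_BUF, namebuf);     wr32(p, OFF_INIT, start + 0x1000);
    for (int i = 0; i < NUM_MAJOR; i++) wr32(p, OFF_MAJOR + 4u * i, 0x804E0000u + 4u * i); /* dispatch stubs */
}
static void build_sample_image(uint8_t *img)
{
    memset(img, 0xCC, IMG_LEN);                                               /* pool filler, not an object */
    emit_driver_object(img + 0x100, 0x80500000u, 0x20000u, 0x80600000u, 22);  /* driver that is in the list */
    emit_driver_object(img + 0x400, 0x00400000u, 0x20000u, 0x80600100u, 22);  /* decoy: user-mode DriverStart */
    emit_driver_object(img + 0x600, 0x80700000u, 0x08000u, 0x80600200u, 22);  /* decoy: one NULL IRP_MJ slot */
    wr32(img + 0x600, OFF_MAJOR + 4u * 3, 0);
    emit_driver_object(img + 0x800, 0xF8A00000u, 0x06000u, 0x80600300u, 16);  /* rootkit: unlinked from list */
}
static const uint32_t known_module_starts[] = { 0x80500000u, 0x80700000u };   /* constructed module-list view */

/* Run the whole pipeline on the sample image; the accessors expose the results to a caller or test. */
static uint8_t  g_img[IMG_LEN];
static uint32_t g_hits[MAX_HITS], g_hidden[MAX_HITS];
static int      g_nhits, g_nhidden;
void demo_run(void)
{
    build_sample_image(g_img);
    g_nhits = scan_for_driver_objects(g_img, IMG_LEN, IMG_BASE, g_hits, MAX_HITS);
    g_nhidden = find_hidden_drivers(g_img, IMG_BASE, g_hits, g_nhits, known_module_starts, 2, g_hidden, MAX_HITS);
}
int demo_candidate_count(void) { demo_run(); return g_nhits; }
uint32_t demo_candidate(int i) { demo_run(); return i < g_nhits ? g_hits[i] : 0; }
int demo_hidden_count(void) { demo_run(); return g_nhidden; }
uint32_t demo_hidden(int i) { demo_run(); return i < g_nhidden ? g_hidden[i] : 0; }

int main(void)
{
    demo_run();
    printf("%d candidate DRIVER_OBJECTs in image, %d absent from the module list\n", g_nhits, g_nhidden);
    for (int i = 0; i < g_nhidden; i++) printf("  hidden driver object at 0x%08x\n", (unsigned)g_hidden[i]);
    return 0;
}
```

The two decoys show why the rule set has to check more than the Type/Size header: a window with the right header but a user-mode DriverStart, or with an unpopulated MajorFunction slot, is rejected, while both real objects are accepted. The scan alone only enumerates; the detection comes from the second step, where the object at 0x80400800 is reported because its DriverStart is not in the module list the system would hand a list-walking tool.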