Antirootkits - List of ARK's for x64

Discussion in 'other anti-malware software' started by StevieO, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I've noticed frequent requests enquiring about the availability of ARKs for x64 systems.

    So here's a bunch of ARKs that I've put together that will work on x64, mostly on Vista too.



    Avast anti-rootkit Edition, based upon the powerful GMER engine - http://files.avast.com/files/beta/aswar.exe

    RootKit Hook Analyzer now = SanityCheck - www.resplendence.com/sanity

    Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

    UnHackMe - http://www.greatis.com/unhackme

    F-Secure BlackLight - http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/help.html



    For your information -


    " Arbitrary code can be injected into Vista x64 kernel despite code signing requirement, and in really any other operating system " http://209.85.229.132/search?q=cach...t detection for x64&cd=22&hl=en&ct=clnk&gl=uk

    http://www.task.to/events/presentations/Hidden_RootKits_in_Windows_2006.ppt


    Have fun,

    S
     
  2. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So in spite of driver signing and PatchGuard, malicious code can still get kernel access?
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Dregg Heda

    Err, looks like it !

    Also it's not just Ring 0 and Ring 3 stealth anymore, soon it'll be Ring 1 and Ring 2, according to various different reliable sources I've read.

    The baddies just won't give up, as there's so much $ to be made.

    A lot of these newer coders are top class Zeros & Ones writers, even more talented in some respects than people who work for big name companies. Not that working for big name companies automatically makes them " all that " of course, and as we know, often doesn't !!!
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Even with UAC on x64, by design (not by error) objects and processes with the same or lower rights have access to each other.

    That is why it is so important to use UAC and Sully's PGS (to implement SRP). Throw Iron into the set (with a policy sandbox which is much more strictly implemented than in Vista/Win7 itself) and you have decent x64 OS security.

    MSE also works splendidly on x64, it is as fast as x64 BitDefender and Comodo's CIS. Advantage of MSE over BitDefender is, it is free. Advantage over CIS is that it probably ranks better as an AV. Advantage of MSE in general = the AV uses the IDS agents of Windows Defender, probably in the most effective way due to the inner circle knowledge.

    Regards Kees
     
    Last edited: Sep 11, 2009
  5. JohnnyDollar

    JohnnyDollar Guest

    I am glad to see a thread like this, thanks for posting it StevieO. I had wondered if there were any antirootkit products in existence for x64, but have not done the homework like you have. As of right now IMO I would say that x64 users still have the advantage over x86 users when it comes to being infected with rootkits or malware in general. Unfortunately with the rise of the x64 OS, these good days are winding down.
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    JohnnyDollar

    Pleasure.

    On the face of it, it might appear that x64 should be more resistant, but the bad guys won't give in just like that. So I imagine even x64 stuff will be targeted more and more as time goes on !
     
  7. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Did you read that properly ?

    That bit was talking about a hardware based "Blue Pill", AFAIK really dependent on hardware type and rather theoretical. Never heard of any of these ITW.

    Can you (or anyone) tell us about one single verifiable ITW rootkit that can load an unsigned driver into the x64 kernel ??
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    peteck

    They don't need to be unsigned !


    Example of just one previous method -

    Loading unsigned drivers on Vista - http://www.rootkit.com/newsread.php?newsid=759

    Example of a current method -

    Unsigned drivers - http://www.vistax64.com/drivers/9351-unsigned-drivers-2.html

    Conficker Worm Targets Microsoft Windows Systems - http://www.doecirc.energy.gov/bulletins/t-091.shtml

    Vulnerability in Server Service Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    SYSTEMS AFFECTED
    -------------------------
    Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC. - http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

    Plus the baddies don't seem to have problems getting some things signed -

    Comodo continues to issue certificates to known Malware - http://www.broadbandreports.com/forum/remark,22400172

    Comodo Continues to Damage It's Reputation - http://www.broadbandreports.com/forum/remark,22689347

    Also -

    Kernel Patch Protection does not prevent all viruses, rootkits, or other malware from attacking the operating system - http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Yes, but LUA does fully protect the kernel... With LUA, no FU, no hacker defender, no blue pill, ...
    Left are the ring3 (userland) rootkits. These ones are handled in two ways:
    - the use of KAFU or similar method will prevent them from surviving a reboot if ever run (if run, it is very bad as your private data may be stolen).
    - SRP will prevent them from running in the first place.
     
  10. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Hi StevieO, thanks for the links.

    Hadn't seen that one, didn't last long tho. Bit sus that letting a signed component load an unsigned one.

    This requires considerable deliberate user involvement, with UAC disabled, etc

    Does this load an unsigned driver ? Is it a rootkit ? Will it even work with UAC enabled ?

    I don't know what this has to do with driver signing, it appears to be concerned with site certificates. Did I miss something ?

    Sure, sure, but this thread (by inference) is about x64 rootkits. So I ask again - can you name a single ITW rootkit that works on x64 ?

    Freebies are fun why not ? But anyone trying to sell you an ARK for x64 is selling Snake Oil IMO.
     
    Last edited: Sep 14, 2009
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    peteck

    Hi there,

    As for the certs, not drivers I know, but I posted those links to show what kinds of circumventions the baddies are prepared to take. And fake certs have already materialised. I wouldn't be surprised if fake driver signing happens either at some point.

    I can't point to an ITW rootkit that works on x64, just yet. But have to say that I have been reliably informed some time ago by an infamous ARK coder, that it is indeed possible. Not only that, but there are some Very clever people who code either directly and/or indirectly for the baddies. As there is so much money to be made out of Malware, I don't see them throwing in the towel over x64. I believe sooner rather than later there will be some kind of RK for x64 attached to Malware. If they're not working on something right now, I'd be very surprised, as they are always ahead of the Anti's ! Plus as more people take up x64 the baddies will concentrate more and more on it.

    -

    Understanding Stealth Malware

    " This course is focused on Windows systems (and Vista x64 specifically) "

    " Attendees will have a chance to run, analyze and experiment with several previously unpublished samples of proof-of-concept rootkits "

    -

    Another thing to consider is, if everyone thought that x64 was 100% impenetrable, there would be no need for ARKs etc in x64. I take note of your " Snake Oil " comments, and it does make me wonder ! Apart from the dedicated stand alone ARKs I've already listed above, more and more AntiMalware companies are including AntiRootkit tech into their products. Here's just one for eg -


    Avira AntiVir Premium x32 + x64

    AntiRootkit against hidden rootkit threats - http://www.avira.de/en/products/avira_antivir_premium.html

    So is it a precaution against the unknown or ?

    -

    nProtect GameGuard - http://global.nprotect.com/product/ggp.php - is well known for using Rootkit tech in their software. I can't say whether it's used in their products for x64, but they do sell it for x64. It'd be interesting to find out if they do, or not ?


    System Requirements

    Windows XP, Windows Vista
    (32bit/64bit)

    -

    GameGuard


    Because of its method of actuation (very similar to a rootkit) - http://en.wikipedia.org/wiki/NProtect_GameGuard


    *

    For those interested in some more background info, and " possible " bypasses that could/might use in some way/s -

    Already mentioned, but not available anymore -

    Download Tool to Bypass Driver Signing on 32-bit and 64-bit Windows Vista - Atsiv, a tool created by Linchpin Labs & OSR
    -
    http://news.softpedia.com/news/Down...n-32-bit-and-64-bit-Windows-Vista-61405.shtml

    Permanently Turn Off and Disable 64-bit (x64) Windows Vista Forced Driver Signature Signing with ReadyDriver Plus -

    http://www.tipandtrick.net/2008/per...iver-signature-signing-with-readydriver-plus/

    Update on Driver Signing Bypass - http://www.alex-ionescu.com/?p=24

    Driver Signature Enforcement Overrider - http://www.ngohq.com/home.php?page=dseo

    ATT Vista 64 loader - http://forums.guru3d.com/showthread.php?t=275261
     
  12. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    131
    Two silly questions:

    1. What is MSE?

    2. Does Avira Free contain anti-rootkit detection?
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Luxeon

    MSE ? I didn't see it mentioned in this thread, but it probably means Microsoft Security Essentials - http://www.microsoft.com/security_essentials/market.aspx

    Avira Free does contain anti-rootkit detection, see my screenies -


    [Attached screenshots: avr3.jpg, avr1.jpg, avr2.jpg]


    I just did a scan and this small extract shows the RK search listed.

    -

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: high
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,
    Expanded search settings............: 0x00001000

    Start of the scan: Wednesday, September 16, 2009 12:41

    Starting search for hidden objects.
    '19716' objects were checked, '0' hidden objects were found.
     
  14. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    131
    Excellent, thanks for the info.

    Bob
     
  15. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    634
    Location:
    United States
    Hey StevieO, I just read that Comodo certificate thing and now I'm all freaked out lol. Can I just delete the Comodo certificates? Or should I just uncheck them all?
     