Free rootkit detector from Sysinternals

Well, that version surely took all the guesswork out of it. The screenshot shows the results here when I have Javacool's ID-Blaster Plus running with all four options checked.

When I turned it off and re-scanned with RootkitRevealer, I had a blank results area that said "No discrepancies found" in the bottom left-hand corner of the screen.

Nice work. Pete

 

Why is the "system"-timestamp put to 1-1-1601?
Is this normal? I find it kind of funny...

 

Hello all...
I'm new and was in the message above talking about a strange timestamp in the system reg. can anybody tell me if this is normal?!? Should I be bothered?
Here's my rootkitreveal list:

HKLM\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 19-3-2005 20:07 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf41 22-2-2005 22:55 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf42 22-2-2005 22:55 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf43 19-12-2004 22:53 0 bytes Hidden from Windows API.
SYSTEM 1-1-1601 1:00 0 bytes Error dumping hive: Internal error.
E:\Download\Stardownloader\Temp\328SM88Q.0 19-3-2005 21:40 0 bytes Hidden from Windows API.


Thank you in advance!
Bye,
Jan

 

I get exactly the same result from the same version of Rootkit revealer, except for the last line of yours (i.e. about that file on E-drive).

I am running Windows XP sp2 (Swedish version). Two hard drives of 160 mb that are raided (raid 0 I think it is called - they are raided to make the computer faster, not for backup/restore reasons).

 

I search in google for "d347prt" and found some hits. "d347prt.sys" seems to be the name of a valid Microsoft SCSI controller (something like that). I found some hits about Deamon Tools and "d347prt", could it be because I use Deamon Tools?
http://www.daemon-tools.cc/dtcc/portal/portal.php

I don't know if it can cause any of these but anyway I am running Windows XP sp2 (Swedish version). Two hard drives of 160 mb that are raided (raid 0 I think it is called - they are raided to make the computer faster, not for backup/restore reasons). The raiding makes these hard drives look like one big drive and that is done at bios level so not even Partition Magic can see anything but one big drive when you boot from the boot diskettes of Partition Magic.

...
And now I found something that seems to be likely to be correct for my problem, first the link to the whole page and then a qoute from that page (it seems my guess about Deamon Tools above might be right):

http://www.antivirus-forum.net/forum/New_rootkit_detection_technology_86245.html

" Anti-virus software has matured to where most users can let it blindly
disinfect the file. Anti-spyware is nowhere near that point. All the
time you hear about a user that didn't check what action the
anti-spyware program was going to commit in eradicating a detected
spyware product (or the anti-spyware program doesn't tell the user
anything which is even worse), they blindy let the anti-spyware program
do its thing, and now TCP doesn't work because an LSP got removed or an
application no longer functions. Rootkit removal tools are even more
risky than using anti-spyware tools, especially because the typical user
that gets their hands on this tool won't know how to use it. It
involves understanding the operating system, components, and
applications beyond the typical user's expertise.

For example, I ran SysInternal's RootKitRevealer. It listed about 4
hidden registry items. Reading the help that comes with the program
might trigger the typical user into eradicating what is not a rootkit.
In my case, it was the free Virtual Daemon Manager (Daemon Tools) used
to run a driver-level CD-ROM drive emulator that lets you have up to 4
virtual CD drives. I create an ISO image of my Windows, Office, and
Bookshelf CDs, save them on the hard drive, and use Daemon Tools to make
it look like I have 3 CD drives with these CDs in them. I can run
Windows and Office updates without having to search for the real CDs, I
can add the Recovery Console at-will, I can recover files, and I can run
the program without having to load the CD (since many CD-based
applications still don't copy everything onto the hard drive). Because
it has some copy-protection bypass abilities, I even have an ISO file of
a copy-protected game that I can play without having to hunt down the
physical CD. Because I know the device ID of d347prt listed in the
hidden registry keys is for the Daemon Tools virtual CD tool, I know
this is a false alert. Actually there are no false alerts by
SysInternals RootKitRevealer as you are assumed to have the expertise to
know which hidden registry keys are good and which might be suspicious
or bad. "

 

Hopefully, everyone's now using the latest version (1.32)

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml . Pete

 

Unfortunately, the latest "advertised" private builds of Hacker Defender are undetected by RootkitRevealer, F-Secure BlackLight, UnHackMe, Kernel SC, Kernel PS, and Find Hidden Services (FHS).

Nick

 

Really? You tested it against all of those yourself?

 

By "advertised", I meant for sale at some steep prices. The "freeware" version of Hacker Defender is still detected by the apps I listed.

Nick

 

Hi,

Spy, for more information; take a look at the interview of Holy Father:
https://www.wilderssecurity.com/showpost.php?p=411339

https://www.wilderssecurity.com/showpost.php?p=411447

The gold version of Hacker Defender is not detected by all softs and tools mentioned by NickS.
More informations on: hxdef.czweb.org/antidetection.php

Regards

 

kareldjag - Isn't it only reasonable to expect that this "gold version of Hacker Defender" will be modified shortly once again to avoid detection by UnHackMe?

<g> How many copies of the "gold version" do you reckon the government's bought? After all, if it's for sale, it's "commercially available", right? Pete

 

Hi,

***UnHackMe has a behaviour detection of HKDef. and it may bypassed by the golden version.
In a PM technical discussion with Dimitry, he said that they (Greatis team) testing all rootkits and are developing new features to increase UnHackMe (like detection of hidden process, see the image).

***Rootkits are really a big problem only if we don't know how they work.
It's the same for Hacker Defender.

-The next page explains how it works (hidden service/registry...):
http://desigeek.com/weblog/amit/archive/2004/05/04/219.aspx

-The next one is more interesting and show the sign of an infection and how to remove the rootkit ( the first link provides analysis and 2 clean up files).

http://www.dshield.org/pipermail/unisog/2004-October/023770.html

But i can't certified that it works at 100%.

***For the rest, Spy, i think that criminals gangs are more interested in the golden version than Government agencies.
But as usuals, nobody knows...

Regards

 

I like Dimitry's style, and I will purchase UnHackMe when my trial expires ... because I like his style. It's my way of supporting the good guys. It is going to sit right next to ProcessGuard and RegDefend on my system. Thanks for the product!

Rich

 

LOL, the government methinks does not need to "purchase" anything from some second rate hacker. They have their guys to come up with stuff easily more advanced than this godfather.

 

gold version of Hacker Defender that by passess

here is a list of currently supported modern detectors

Detector name version
F-Secure BlackLight ≤ 1.2.1003.0
F-Secure BlackLight Console ≤ 1.28.1006.0
RootkitRevealer ≤ 1.32
Find Hidden Service (aka FHS) ≤ 1.1
UnHackMe ≤ 1. and 2.0
Kernel SC (aka knlsc) ≤ 1.3
Kernel PS (aka knlps) ≤ 1.0
Klister ≤ 0.4
Process Magic by WinEggDrop 1.0
icesword 1.6


ch0pper

hacker defender team

 

That's all well-and-good there, ch0pper - however, I fail to see where it's actually a realistic threat on any level to the average, everyday user. (Especially considering the price of the program! <g> Or, do you guys steal each others' stuff, too? Re-distribute it to your buddies for free once a paid-for copy is obtained?)

On a computer that's "clean", you still have to (1) get your payload "delivered" somehow and (2) have it be missed by any number of combinations of "resident", "on-access" scanners (either signature-based and/or heuristic).

Of course, I suppose it does all that, too? (Yawn). Pete

 

Pete

It is funny butb they can't do sh-t about a reformat

Not even Holly father


here them whining now?

Bruce

 

Let me respecify for the tough guys out there

They don't control hardware yet

And even if they could we would switch but yea dat isn't something the normal computer user can do.
Video card LOL see me laughing?

Bruce

 

Mr Holly Father did say those deepfreeze were cool
But I must say my usual REFORMAT EVERY WEEK. for now

I hate Linux

Never had anything good come of it just like Mc affee

Even the black hats know the feeling of nature. we all want the same thing unless
Fing money is envolved.
Then you soul goes to HELL
accept it. If that is what you want for tempory graditude go for it but
in the end You won't win !!!!!! end of story

Bruce

 

Hi Spanner,

I suspected it was you who wrote that . Good post.

Nick

 

eg >It is funny butb they can't do sh-t about a reformat

read this and weep!

A Buffer-Overflow the first time your NEW system is in place caused by SOMETHING remote, that knows the payload is STORED in those so called BAD sectors worse in EEPROM say on your Router, Wireless or otherwise, or someplace in EEPROM on your system, or other devices.

It is much easier to bring back to life using a Trigger based on a buffer-overflow, than to re-install it AGAIN.

Once a 'rootkit' can find a Happy Home on a Drive, that survives a format, or EEPROM somewhere on your network, or system. You will find there is little you can do to make it go-away forever.

Every Kiddie in the world, will just cause Buffer-Overflows, and test for payloads, when found, on CLEAN newly formatted drives or in EEPROM, based on some Keys, it's OMG How did that get back, I removed it time!

I think it will be known as RootKitEEPROM

The folks at rootkitDotCom are working on projects to hide 'rootkits' in EEPROM
... and 2) we are back to basics on an old concept of BIOS kills & Eprom




The folks at rootkitDotCom are working on projects to hide 'rootkits' in EEPROM on motherboards, as well as hide payloads by creating bad sectors on drives and so on.

Also, the concept of loading/unloading 'rootkits' on the fly in memory is going to be used as one example shows here:

http://www.eeye.com/html/resources/whitepapers/index.html



Cheers

ch0ppe

 

Hi,

Just a few points:

***perhaps ChOpper wanted to link this page:
http://www.eeye.com/html/resources/newsletters/vice/VI20050301.html#toolkit


***Klister was updated yesterday (available on rootkit.com)

***RepScan is an anti-rootkit scaner for workers on ORACLE Databes:
http://red-database-security.com/repscan.html

***Holy Father has written Hack.Def. just for fun.
And i understand that bypassing the security provided by the giants of the Soft security business could be very exciting for him and his team.

Since i've heard that Vladimir Levin has stolen the CityBank by using internet, i'm still really impressed by the computer guys from eastern Europe in general, and Russia (ST-Petersbourg) in particular.

If the web was only "Peace and Love" and attackers like Ghandi, the industry of security business would be a desert.
And it will not be good for the employment.

Attackers are legally and morally reprehensible if only they break the LAW.
Not if they increase the advancement of the software technology with their exploits.
As i've said it once time, the fight between Attack and Defense is really a funny "catch me if you can game".

And against new rootkits exploits mentioned by ChOpper, i've found a radical solution: by learnig how to smell and sniff a rootkit to our dog!

Regards

 

Yes chopper

I have looked over rootkit dot com long ago.

I also know it is tough to go after ALL graphics cards memory with only one rootkit. You still have to take into account all mobos, graphics cards ect.
now about router bios? don't you reflash your mobo bios and router bios on every reformat?
Also there is now way a rootkit can survive a LOW level format.
You see I have not used computers since the old Sinclair and commador
but have been doing electronics as long. I remember the foot breaks during the flintstones days LOL.
So you see I really do know hardware and that ALL code is bacicly binary code of ones and zeros. A large magnet held over your hard drive with do a good job on it. I mean a good sized electro magnet, not one of those cheap ones you get in a scetch-all pad. LOL

Bruce

 

Think about it for a moment. Why would any legal organisation deal with some shadowy unknown person when they can have their pick of the best brains around? How can they be sure that there isn't some hidden backdoor in what they purchase or that it really works?

Lastly, even if we are talking about some limited power authorthy, being caught committing such an act, is likely to end the career of whoever who authorthised it. Not that they wouldnt commit such iffy actions, but All in all, it's much safer to use your own stuff.

If you really think any legal authorthority will borther to actually buy such stuff, I can tell you ,you don't know much about how they work.

And do explain to me why it is very wise to go collect every peice of junkware out there. The authorthies have better things to do.

That's not the point. He might be good, but he's not the best, just the most well known for selling stuff.

Believe you me, to fool a well known public detection kit is not that tough. And to beat a released malware is not that tough either. That's why you see a dingdong cycle between the good guys and the bad guys software.

I really wonder at your logic. Being able to come up with rootkits as good or better than what GD produces does not mean they can catch the guy. That's a totally different matter.

Besides, there is little point in getting such people, everytime you catch one, another invariably surfaces.

I rely on something not so public if I were you

 

http://forums.net-integration.net/index.php?showtopic=26897&hl=

If you use a really loose interpretation of the phrase "commercially available key loggers", that may be what Spanner intheWorks is referring to.

I know that's (the post I linked to above) what made me think about that in my earlier post. Pete