Golden Hacker Defender Game Over ?

Hi ,

What i have found with SVV is if you are running PG free or paid you cant run SVV, but if you uninstall it you get a rating of yellow. Also if you install Spyware doctor you get a rating of deepred in SVV due to the Kernel being Modified?,

Just thought i would let people know,

T

 

Longboard, Are you running Kaspersky's Suite?

controler

 

are any of these rootkits?

http://img387.imageshack.us/img387/6559/root6ti.jpg

 

Assuming you have Process Guard (procguard.sys), RegDefend (ghostsec.sys) and PrevX (pxfsf.sys) installed, no.

 

@Controler: No

Regards.

 

Hello,
I tried these little tools on a machine I personally formatted and installed from a scratch. Installed all updates blah blah etc ... tons of security etc ... I get the deep red code using svv. Among others:
ntoskrnl.exe code 4
kernel32.dll code 5
Well, what can I say? Not everything must be bad...
I believe these results, but I do not think the findings are bad. I would suggest all of us who cannot instantly traslate A4F into decimal to let these fear rest aside. Rootkit tools, the entire army of them (svv, is, blacklight, unhackme etc) are too ambigious to use everyday. And playing with these tools is dangerous. Deleting kernel modules is not a healthy thing. It's not like removing a simple file from some folder you think might be infected.
To all guys who have gotten "bad" results:
Ask yourself what you do with your computers? Do you really think you're infected? Does it sound logical that you would be infected with rootkit and nothing else at all? With all the security precautions and software you use, only a tiny tiny rootkit somewhere in there? Don't let paranoia haunt you.
One more thing:
If someone really wants to test these tools:
Format a machine, set it up from a cd-rom with burned software, including all your favorites. Update windows only and all other security applications to the max. Don't surf at all except the single visit to microsoft update. Then run these tools. It could be interesting.
Mrk

 

Don't all those security apps work at a kernel hooking level?

Now you have 3 hooking the kernel. I wonder how stable that is?

If you are going to run these new rootkit tests, you need to disable PG, prevex & regdefend. You need to disable any other apps working at the kernel level.

controler

 

Hi,

Just a few informations about how to use IceSword to detect a rootkit:

-launch it from external drives (floppy disk, CDRom and so on);

-launch MSCONFIG and check the last box (any unnecessary service and program will be disabled), and rebbot the PC;

-take a look firstly at Win32Services (see the image attached) and processes.
Then it can be suited to investigate the registry (HKLM\SYSTEM\ControlSet001\Services) and kernel modules (to detect a suspect or unknown driver).

Longboard and 23rwef are concentrated only in SSDT, but many legitimate softwares operate at a low level and use kernel drivers.
Consequently, this is not the most important.
If we use for instance a tool like SDTRestore ( http://www.security.org.sg/code/sdtrestore.html ), we can fix SSDT entries for most programs (then will not be shown in red by IceSword).

For the Longboard problem, perhaps there's an uncomplete uninstallation of an ISS Scanner (the driver has the same name).
SDTRestore can also be used in this case.
But with SVV, the most important result concerns EnumServiceStatus, which can be a sign of an hidden service.

The best defense against rootkits is PREVENTION.
Once one is detected, it's often too late: bad things are probably already done...

I've finished an article about "Rootkit free countearmesures" with examples of detection and prevention that i 'll link here if members are interested.

Regards

 

Perhaps with this link

http://idata.over-blog.com/0/03/91/26/septembre/artrtkt/hdserv.jpg

regards

 

kareldjag's

Nice read but ur second link don't work for some reason.

controler

 

http://www.rsjones.net/img/guard1.jpg​

Please do!

regards,

-rich
________________
~~Be ALERT!!! ~~​

 

Oh yes I am excited to read your article as always
would be good for the readers here.

controler

 

Hi kareldjag,

Yes i'm really looking forward to your Rootkit free countermeasures article too.

I value your research and website highly.

I DL the 2 SDTRestore Apps from the link you gave, but Version 0.2 made my AV kick in ? I uploaded to Jottis and here's a combo Screen Shot of both results.

http://img482.imageshack.us/img482/568/sdttrojan0oc.png

I wonder if you know whether it's an FP ? as i'm presuming it is !


StevieO

 

This thread gets more and more interesting.
Looking forward to K'djags article/review

Forgive my ignorance...

To use the SSDT patch utility do all other apps need to be switched off?
What if the app "repairs" a legitimate hook.
Will that not disrupt the other app which would have required that particular hook?

Regards

 

Umm;
What is an ISS scanner?

Regards

 

Hi Longboard,

Re your - What is an ISS scanner?

It might have been a typo and meant IS = IceSword

Or IDS = Intrusion Detection System


StevieO

 

Hi,
ISS - internet sharing server.
Mrk

 

No internet sharing enabled AFAIK

Ice Sword enabled and scanner run prior to SVV.

Regards

 

ISS is not ICS.
Internet Connection Sharing - home network.
Internet Sharing Server - you run server on your machine ...
Mrk

 

Hi,

Sorry for the vagueness about ISS.
This a well known security firm ( http://www.iss.net/ ) which provides products mostly intented to be used in a corporate environment (IPS/IDS, vulnerability scanner etc).
But this society is also well known by home users for BlackIce firewall.
Then perhaps (never try BlackIce) the ISS driver shown by IceSword is due to an uncomplete uninstall of this product.

It is quite strange that IceSword does not locate the file.

Longboard can try some Windows commands such as:

-start + execute + "devmgmt.msc " + enter
Then enable the option "show hidden peripherals" on the "view" menu, and on the list of peripherals, click on non Plug and Play devices.

-start + execute + "verifier", then next + next to check for unsigned devices.

The first goal is to locate this driver on your system.
And if it can be found by Windows, this probably not a rootkit.

For SDTRestore, this not a malware or even a riskware.
If we check a leaktest like "leaktest" from GRC, it will also be detected by AVs.
It's just important to know exactly what this file do or not.

Controler, here again an attached image.

regards

 

How do you get this to work? Is there a list of cmd lines published somewhere?

 

Me thinks some posters don't understand alot of younger people have no clue over DOS commands.

I just love to see alot of old timers are still using batch files LOL

here is an ATABOY.......

 

Can I be an "older people" that's new to computers?

 

You sure can

I am guessing you spent more of your life living life then the rest of us who sit night and day in front of a computer. Well except during fishing season or deer hunting anyway.

 

In my younger life, I thought all that was important was,,, eating great food, Sex, Fishing and hunting, then something threw a new link in the chain. that was the damn internet.

So now all things revolve around, eating, sex, hunting , fishing and the internet.