Rootkit Agent EZ

Hi,

This is quite a nasty rootkit that bypassed a lot HIPS, but I discovered something very disturbing! It seems like this rootkit can unhook the SSDT succesfully even in non admin mode? Is this true? I thought LUA is supposed to protect you against this stuff?

http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

 

Unless I'm missing something very important, this is what the tester himself says :

 

Yes, and that´s what makes it so strange, I would like to ask Aigle and other folks who have this rootkit sample if they can check if this rootkit is able to bypass LUA. And perhaps you all can also test if it can install the rootkit driver, this is something that I can´t seem to figure out.

Btw, does anyone have samples of the other rootkits from nicM´s tests? They all seem to make use of interesting technique´s, and if they can even bypass LUA (perhaps only on unpatched machines) then it´s kind of scary.

 

The tester clearly said that none of these samples work under limited account.

 

I can PM u the sample link, testing is upto U. It,s already done by nicM so I don,t think we need to test it again esp for me I can,t test it like him.

 

Yes I know, but this is not what I´m seeing! So can someone please check it out? In order to make it work, it´s probably needed to test it on an unpatched XP Home/Pro SP1-SP2 system.

What do you mean, do you have samples from the other rootkits used in the test? Also, I think nicM might have tested it on a fully patched system, and isn´t aware of the fact that it perhaps exploits some serious bug, so it´s worth looking at, no?

 

Only two ATM.

 

OK perhaps you can put them on Rapidshare and PM me the link. Also, if I may ask, do you have a virtual machine? How do you test all these apps?

 

Ur PM box is full.

 

Aigle, you can PM me again. And if someone is able to test this rootkit inside an unpatched VM, let me know. Actually, I´m a bit surprised that no one has bothered to do this yet, because if it´s true what I said, it means that even LUA could be bypassed by nasty rootkits.

 

Hi,

Did you test it with all security tools turned off? And was the OS not fully patched? I almost know it for sure now, that this rootkit can do the unhooking even when in LUA, because everything else is stopped by LUA on my VM´s, except for this. So it´s a damned good idea to always keep your system patched.

 

While the best prevention against any data loss or file system corruption that can render a working system disabled beyond repair, it's always going to fall to backup programs and their images for nearly 100% safeguard in event of such disaster. That's a given.

But i relate and take up the same torch as many countless of other users do in that at some point there must come a time that there will rise an impegnetrable shield of repelling against and and/or all possible malicious intrusion on the front lines itself.

And all of these topics and security apps work feverishly to accomplish what is never before or yet been realized, A security app or combo of just the right security apps that absolutely cannot be disobeyed or bypassed, but that requires quite an intense effort to chart every single point of instruction built into Windows Core system and a safe way to more or less take up residence in those areas with powerful enough self-protection that should one be dispatched from position, another can on an instant replace or even terminate the offending file code entirely.

Untill or if that ever happens, image back up programs will continue to have to serve the purpose of emergency recovery IMO.

 

OK thanks for letting me know. Btw, my VM´s haven´t been patched for about 1.5 years, so that could explain it. But perhaps it´s not even a bad idea to leave certain machines unpatched (for testing purposes), because otherwise I would´t even have discovered that this rootkit is able to bypass LUA.

 

I seriously doubt this. I'd rather think that your system is misconfigured. Just in case that you changed your old admin account to a limited account you should read what I wrote here - there might be some holes that should be fixed if you chose that approach. These holes might explain why this rootkit got through. Otherwise I deem this impossible, particularly if you created the limited account anew. I'm sure that nicm would have discovered that problem if it existed.

 

OK, now we´re getting somewhere. I will test it again, but I think I´ve already tested it on a freshly created admin account. Also, I don´t see why this would be impossible, because if I´m correct, once in a while there are serious privilige elevation bugs in the OS, so maybe this rootkit tries to exploit it.

 

Your post here confirms that your system is heavily misconfigured. Please follow the advice I gave in that thread. After this is done I'm sure that the rootkit will fail.

 

Nope, it´s my VM´s that I´m talking about, not my "real" machine. I will test it again, but I´m pretty sure that (except for this) my non-admin account is functioning just fine inside VM, with or without SuRun.

 

Rasheed, now I'm really confused. In this post you are saying that on your "real" system you use DropMyRights but not a limited account. But you use LUA in your VM, and you performed that rootkit test in that VM, didn't you? If that's true that doesn't answer my assumption that it is misconfigured. Have you tried what I suggested?