Rootkits and PE

Discussion in 'Port Explorer' started by Rilla927, Dec 15, 2005.

Thread Status:
Not open for further replies.
  1. Rilla927 (Registered Member)

    Hi everyone! I was thinking, since Rootkits can hide themselves so well from detection, would you be able to spot it through PE in any way? Rilla927
  2. Pilli (Registered Member)

    Hi Rilla, when the rootkit phones home PE should show a hidden process (in red) at work, but I think it would be too late by then, though it might give you a clue as to what it is and from that there MAY be a way of fixing it.

    Pilli
  3. Rilla927 (Registered Member)

    Hi Pilli! Happy Holidays to You! When you say "there may be a way of fixing it"; does that mean PE can lead you to the brain of the Rootkit so you 1) know file path 2) run a Rootkit Removal Tool to get rid of it?
  4. Gavin - DiamondCS (Former DCS Moderator)

    Not something I've tested, but some usermode rootkits would likely be fooled and show up connections in PE.

    Kernel rootkits should be able to hide, although some poorer implementations again could be fooled by the LSP. I'll test PE out against Hacker Defender 1.00
  5. Gavin - DiamondCS (Former DCS Moderator)

    I'd suggest rootkit revealer etc... PE might show there is something wrong, but if a rootkit like Hacker Defender is installed then it will probably show unknown traffic - maybe as SYSTEM. At least if it does show, it would be a hint at infection.
  6. Rilla927 (Registered Member)

    Hi Gavin,

    I think that would be a great idea about testing Hacker Defender with PE. If you come up with something that shows infection you could give a screen shot. That may give folks some insight as to what they would see/look for in PE with a Rootkit.

    If you get a Rootkit that you couldn't remove, will a simple reformat take care of the problem? Or should you wipe the disk with something like KillDisk also?
  7. Gavin - DiamondCS (Former DCS Moderator)

    Well it was supposed to be hiding a port, but PE could see it. Will have to confirm in a live environment and will also test connecting to the backdoor.

    Good news if it works though :)

    Formatting is enough, just do it right, FDISK /mbr as well, and DON'T install anything from infected backups ;) that's the hard part. The best thing to do first is try to isolate a sample and send it to all AV's and AT's :)
  8. Rilla927 (Registered Member)

    Yes I agree!
    Are you saying after reformatting, you would need to re-write a standard MBR or before, to be safe? Just trying to understand a little about it.
    As far as I know I can't use fdisk with the Imaging/Partitioning Software (Bundle of Boot-It NG, Image From Windows, Image From Dos from Terabyte Unlimited) that I bought, but he has a couple of free add-ons for the MBR that do many different things.

    What if you had an image when the system is totally clean, before ever connected to the internet or any software installed except imaging of course, would that be acceptable in this case?

    Truthfully Gavin, if I got a Rootkit I wouldn't know how to isolate it? I'm assuming zip it and send it off.

    I'm anxious to see the outcome of your testing.

    Merry Xmas and Happy New Year!
  9. indi majjanno (Guest)

    **********************************************************

    Only if it is communicating back to its creator will Port Explorer be able to show it up.

    Try Unhackme at http://www.greatis.com/unhackme/ and it not only stonewalls the rootkits but also roots them out. If it says there is no rootkit, that's it.

    Its word is final.

    Process Guard full version damns any rootkit from playing hide and seek games.

    Also use Antihook Pro from http://www.infoprocess.com.au/ as a further disabling measure and locate the rootkit fingerprints in the registry.

    To completely paralyse the rootkit, take back ownership of your boot drive, folders and files by changing the access permissions from the Security Tab of File Properties.

    You can use File Security Manager from http://www.ungsoft.com/

    Block all NetBios and RPC Locator ports with wwdc.exe from http://www.firewallleaktester.com/tools/wwdc.exe.

    Step up intrusion prevention with the world's best firewalls Look 'n' Stop or ZoneAlarm Pro.

    Have Trend Micro OfficeScan as your virus fighting shield and buzz off in the bed with your PC wide open to everyone.

    Wake up fresh everyday morning and you will remain the owner of your PC for lifetime.

    No one can take back what is yours !

    I had enough of the rootkit rut for six months and built up defense by hard work to stop for ever these rootkit nightmares.

    Mind me guys ! Even kernel-mode rootkits are not invincible.

    If my ideas turn out well, say thank you without scrubbing your disks.

    **********************************************************
  10. Gavin - DiamondCS (Former DCS Moderator)

    Yes in the end if you are UNSURE then you can BECOME sure by using such measures. Scrubbing disks is fine for the paranoid, but they just need a 2nd level (called lowlevel) format. Even just a format is going to be OK. If you're paranoid scrub it from a different clean machine.

    Or just buy a new drive :) thankfully they are cheap and plentiful and large these days. New OS install is painful and unwanted but this is for the UNSURE after all.

    I prefer different products, but the key points are the same. Be sure you're clean, set up perimeters and keep updated OS. Block intrusions and lock down as much as you can. PG blocks memory interaction, injection, PhysicalMemory access (probably THE attack of 2006) and lots more.

    PE is a tool, not intended to block or detect rootkits but will detect stealth code which doesn't hide sockets at the lowest level. Hacker Defender for example has port hiding, and PE can see the open port because HXDEF doesn't hide from the LSP, only netstat.

    My apologies for the size of the image :)

  11. Rilla927 (Registered Member)

    @indi majjano

    Very nice informative post. Thank you! :D
  12. Wayne - DiamondCS (Security Expert)

    Gavin's post demonstrates a good example of using an 'unconventional' tool to detect rootkits, including some of the most advanced rootkits in the world such as Hacker Defender as seen in Gavin's example. :) By unconventional I mean using a program that isn't an anti-rootkit program - it has unique analysis capabilities that allow it to detect the presence of some rootkits even though they weren't specifically designed for that purpose.

    The art of hiding a rootkit is in many ways just as hard as the art of detecting rootkits (it's a classic cat-and-mouse game - an extension of the ongoing virus vs anti-virus battle), so rootkit authors have a lot of areas to cover in order to make themselves truly stealthy, even though they have the advantage of being offensive (whereas anti-rootkit systems are generally reactive/defensive by nature).
  13. Rilla927 (Registered Member)

    Gavin, can you explain what a low level format is and scrubbing from a different machine and what the procedures would be to do it?


    The testing you did is much appreciated, and the image was perfect, not so you have to squint ;)

    Happy Holidays!
  14. Dreamcatcher (Guest)

    Hi,

    I've been reading this thread > 'Rootkits headed for BIOS'

    http://www.wilderssecurity.com/showthread.php?p=673794#post673794

    I was wondering if PE is capable of detecting a hidden connection originating from the system BIOS like it was when detecting Hxdef, even though it may be installed through some kind of firmware or system driver?

    Thanks

    DC
  15. Gavin - DiamondCS (Former DCS Moderator)

    Actually, a "low level" format is misinterpreted most of the time; the real low level format is a factory format. This doesn't need to be done more than once on modern drives. A second level (aka low level) format can be done from most BIOSes or may need special tools from the drive manufacturer. Low level format is a physical wiping of the disk. No shortcuts, it wipes every sector. Much more detailed and accurate information around if you search the web.

    Wiping the drive will take out a rootkit or suspected rootkit. The only way to be reinfected is to have malicious code alive in memory somehow. Reinstalling Windows XP allows a format which is also enough when you have booted from the CD.

    It's really easy to change boot drives with today's BIOS with no need for changing jumpers, so booting off OTHER drives can be a great way to check your OS or even destroy a drive's data with a sector overwriting tool. I personally don't ever feel the need. :) Perhaps something for the other forum sections though.
  16. Gavin - DiamondCS (Former DCS Moderator)

    The BIOS is a storage area for boot ROM code. This is used to start the machine and also theoretically allows for hiding a small trojan in there. Worry about it when proof of concept appears. This one is a low risk issue which is often talked about. The paper referred to is about Intel "circuit breaker" technology which may well prove my points below - hardware will be way ahead of the advances by attackers in software. They would have to make some bad design decisions to mess it up.

    Edit - found the ACPI stuff. Disabling ACPI should be enough to take care of that. We'll see when/if code comes out.


    The main problems now for attackers are, BIOSes can be flashed, destroying the current BIOS. Also it will be hard to have a program running under Windows XP first access the BIOS, what by loading a driver (how is this different to any rootkit?) or magically ask the system to run it as Ring0 code. You'd need PhysicalMemory WRITE access I believe. Physical Memory access is the rootkit of 2006 and where I believe many hardcore attackers will look for answers.

    Further, I also believe any rootkit-in-the-BIOS working sample would mean hardware protection was quickly built into all boards - if it isn't already by then, Intel are also working on the abovementioned feature which is basically really fast integrity checking. It has to be fast.

    As for seeing data coming from the BIOS, that's not what would happen. The BIOS isn't a program, and when you are running Windows it's little more than a tiny floppy disk stuck to your PC's board. The information in the BIOS can be read by programs and even written to, depending on the OS.

    If a rootkit was stored in the BIOS and loaded when the filesystem driver loaded, its traffic would likely be seen just like Hacker Defender. Sure it could hide some day - if it took complex steps to also hide itself from other port enumeration methods (making it much bigger and increasingly complex and buggy)... Port Explorer uses up to 7 methods if my memory serves me well.. :)
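    The point Gavin makes twice in this thread (Hacker Defender hides port listings from netstat but not from the LSP; a BIOS-resident rootkit would likewise have to hide from every enumeration method, not just one) is the "cross-view diff" idea behind tools like PE and RootkitRevealer. The script below is an added illustration, not code from DiamondCS or from Port Explorer: it parses constructed `netstat -ano` style output as the "reported" view, takes a second, independent view (here a bind probe that asks the OS directly whether each port is already held), and flags ports that one view admits to and the other does not. The constructed sample and the ports it contains are made up for the example; `bind_probe` only probes the loopback address, so a listener bound exclusively to another interface would not be noticed, and on Unix-like systems ports below 1024 need root to bind (those failures are ignored rather than reported).

```python
"""Cross-view diff of listening ports (added example, not Port Explorer's code).

View 1: the table a port-listing tool prints (what a hooked netstat admits to).
View 2: an independent bind probe that never goes through that table.
A port present in view 2 but absent from view 1 is a hidden listener candidate.
"""
import errno
import socket

# Constructed sample of 'netstat -ano' output. Note that nothing here lists
# TCP 12345; in the scenario this is the port the rootkit filtered out.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     2200
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:123            *:*                                    1040
"""

# Constructed sample of what an independent probe found on the same box:
# the three listeners netstat showed, plus TCP 12345 that it did not.
SAMPLE_PROBE = {("TCP", 135), ("TCP", 445), ("UDP", 123), ("TCP", 12345)}


def parse_netstat(text):
    """Return the set of (proto, port) listeners the netstat-style table reports."""
    reported = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto = fields[0]
        # rsplit copes with IPv6 locals such as [::]:135
        port = int(fields[1].rsplit(":", 1)[1])
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # only listeners matter for the cross-check
        reported.add((proto, port))
    return reported


def bind_probe(candidates, host="127.0.0.1"):
    """Independent view: try to bind each candidate (proto, port) ourselves.

    EADDRINUSE means something already holds the port, whatever the listing
    tool says. Permission errors (privileged ports without root) are ignored
    so they do not masquerade as hidden listeners.
    """
    held = set()
    for proto, port in candidates:
        kind = socket.SOCK_STREAM if proto == "TCP" else socket.SOCK_DGRAM
        with socket.socket(socket.AF_INET, kind) as sock:
            try:
                sock.bind((host, port))
            except OSError as exc:
                if exc.errno == errno.EADDRINUSE:
                    held.add((proto, port))
    return held


def diff_views(reported, independent):
    """Split the disagreement between the two views into the two interesting cases."""
    hidden = independent - reported   # held on the box, missing from the listing
    phantom = reported - independent  # listed, but nothing answers the probe
    return hidden, phantom


def cross_check(netstat_text, independent):
    """Convenience wrapper: parse the listing, then diff it against the other view."""
    return diff_views(parse_netstat(netstat_text), independent)


if __name__ == "__main__":
    # Offline demo on the constructed data.
    hidden, phantom = cross_check(SAMPLE_NETSTAT, SAMPLE_PROBE)
    print("hidden listeners:", sorted(hidden))    # [('TCP', 12345)]
    print("phantom entries:", sorted(phantom))    # []

    # Live variant: probe a port range on this machine and compare it with the
    # listing you pasted into SAMPLE_NETSTAT (replace with real netstat output).
    live = bind_probe([("TCP", p) for p in range(1024, 65536)])
    print("live hidden listeners:", sorted(diff_views(parse_netstat(SAMPLE_NETSTAT), live)[0]))
```

    In use you would paste the real `netstat -ano` output into `SAMPLE_NETSTAT` (or read it from a file) and let `bind_probe` sweep the whole range; anything in `hidden` deserves a closer look with a proper anti-rootkit tool, while `phantom` entries usually just mean the listener is bound to a non-loopback interface. The probe is deliberately dumb: its value is precisely that it does not share code paths with the listing that a usermode hook can filter.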
  17. DreamCatcher (Guest)

    Hi,

    Thanks Gavin for taking the time to answer my question and really explain it.

    Cheers mate,

    DreamCatcher
  18. MEGAFREAK (Registered Member)

    fdisk /mbr?

    I see no fdisk.exe in Windows XP, and
    
    fixmbr does not really work. I tested it several times, and after I retried fixmbr the console still told me that something is not right with the MBR.