Rootkits headed for BIOS

Discussion in 'malware problems & news' started by lotuseclat79, Jan 28, 2006.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    #81 is what you would expect of a folder with the hidden attribute set and typing attrib NextSecurity.NET should list this folder with the H attribute (and is most likely one of the 6,001 security utilities SJ has installed just to see how many conflicts he can create on his system...).

    #82 simply shows an odd folder name - no conclusion can be drawn from this. The only things that SJ has shown good proof of are faulty memory (despite his subsequent refusal to test it properly) and an adware (Claria) install which no-one would consider a rootkit.
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    A rootkit needs to patch the place where it needs to hide.
    Tools exist to find a trace of this "patch": System Virginity Verifier is one of them.
    On the hard drive, it hides objects (registry keys, drivers, processes) and also needs these objects to work.
    And in the same way, tools exist to find these hidden objects: RootkitRevealer, BlackLight and so on.

    Currently, only the new version of FU is difficult to detect (bypasses many tools like SVV, BlackLight, KprocCheck etc).

    If there is a trace of rootkit or rootkit technology, SVV will report the event:

    -example with EyeeBootRoot Rootkit/Backdoor: http://idata.over-blog.com//0/22/17/61/lastfile/eyeebootrootvssvv1.jpg

    The patch of an important driver (network connection) is suspect, even if reported as a level 2/innocent hooking.

    -example with HaxSpy which hooks ntdll:
    http://idata.over-blog.com/0/22/17/61/lastfile/haxspyvssvv.jpg

    The level 5 for a module is very suspect, and can be considered as rootkit presence.
    If a driver and a service are hidden, SVV reports level 5 hooking of some API functions like EnumServicesStatus, NTDeviceIoControlfile, NTReadVirtualMemory, NTQuerySystemInformation and so on (case for HackerDefender for instance).

    Since a driver is hidden, it can be found: this is the case for the latest IRCRootkit (KFtpServ driver), currently undetected by AV (Mister NOD32 and Ewido should open an eye to this thread and another one to Greg Hoglund's site :) ).

    I give an example on the attached image of FU that can be found via device/driver utilities (DeviceTree and NTDevices).


    So if I've not missed a rootkit (I've experimented with them all), I can suppose, SystemJunkie, that your system is not infected by a known rootkit or a malware which uses this technology.

    NB. Controler, if you're interested in auditing your host/network, you can choose open-source tools like Nessus or Attack Tool Kit (SSS is paid).

    Regards
     

    Attached Files:

  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The only thing which really annoys me to hell is the fact that csrss.exe kills my selected exe files. This is the collection of exe files csrss.exe wants to kill, even in restricted user accounts! Restricted user or guest accounts have no chance against: csrss.exe kills: switchsniffer.exe, spybro.exe, peid.exe, portexplorer.exe, apt.exe; hardtcp.exe (this was tried to be killed by firefox.exe).

    No matter how often I reinstall XP, changing HDs, both computers I own are affected, no matter if restricted accounts or admin accounts.

    Once I removed all HDs from the newer computer, but the Linux OS BootCD still showed Unknown Device under device manager Disks on both computers.

    The 4 KB is no shortcut, it was a copy of another system file called actmovie.exe which transformed to explorer.exe. Concerning superhidden and no mistakes: every individual makes mistakes, even the most sophisticated intruder.

    Kareldjag, I also discovered the msdirectx.sys but with procexp.exe! The new FU hides itself from IceSword and anything else but not from procexp! (what a fun... go into system and look.. you will discover msdirectx, the rootkit.com guys did not think about that, haha, simple antidote procexp.)

    Hopefully I am not infected, but why does csrss.exe kill all these processes without any reason?

    What about that? (is definitely admin account)
    http://i2.tinypic.com/v8pwds.png

    and that? (address area of win32k.sys I guess)
    http://i2.tinypic.com/v8q07q.png

    Look how adinf becomes ill after a while...
    http://i2.tinypic.com/v8q2rq.png

    Ntdll.dll root problem.

    http://i2.tinypic.com/v8q6tz.png

    The Unknown again.
    http://i2.tinypic.com/vcq4g9.png

    I randomly post event pics that happened during the last weeks, maybe someone is interested and may find something more or less suspicious.
     
    Last edited: Apr 12, 2006
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  5. controler

    controler Guest

    SJ? and you ran SVV without any of your other security programs running?

    controler
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No, procguard.sys is the one with level 3 infection, but level 5 is true, sh*t.
    BlackICE sys is level 2 but there is a changed fragment with level 5. I have known already for 2 years that a persistent rootkit is on my system, but I never was totally sure.

    I am wondering where all those loud guys are now who told me I wouldn´t be infected? It

    http://i2.tinypic.com/veccjb.png

    Look what Linux tells me about the date of HDs and floppy.
    http://i2.tinypic.com/veljsg.jpg

    Look how it infected the memory of vmware according to adinf.

    http://i2.tinypic.com/velngo.png

    Tiny searching the o_Oo_O
     

    Attached Files:

    Last edited by a moderator: Apr 13, 2006
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Last edited: Apr 13, 2006
  8. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    I told you to run svv a while ago.
    You told me it could not open ntoskernel.
    Now it works? Nice.
    Please do three steps:


    1) uninstall known hooker software (pg...gss...zonealarm)
    2) run svv check /m
    3) Post the complete result for our analysis.

    (a screenshot of a popup saying Achtung You are infected is not very useful for analysis)

    ** step 1 is very important.
    There is only one hook in a kernel function.
    So if there are multiple programs wanting to implement the same hook,
    each of the programs creates its own stack system.
    The result of this is that you'll only see the last one who hooked the function.


    4) Please ... for the fourth time ...
    Are the folders your rootkit hides (those that contain a dot) hidden from
    other file managers?
    This question IS VERY IMPORTANT

    ----------------------------------------------
    Now about your other questions.
    Time for a computer is an integer.
    It's a number of days since January 1st 1970.
    If that integer is 0 then it's normal that it shows that date.
    You have an unmounted floppy drive, so it's normal that it has no time information or (0).



    @ all the other guys.
    Can anyone with ZoneAlarm and "advanced protection" run an svv test?
    I wonder if it's a very nasty firewall hook in tcpip.sys
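f3x's point about stacked hooks, as an added example that is not code from the thread or from SVV: a simulated dispatch table in which two products hook the same entry, each saving the previous pointer. A checker that only reads the table entry attributes the hook to the last installer; the product names and handlers are constructed placeholders.

```python
# Added example (not from the thread): a simulated dispatch table showing why a
# checker that inspects only the table entry sees just the *last* hooker.
# All names and handlers are constructed for illustration.

def original_nt_query_system_information(request):
    """Stand-in for the real kernel routine (constructed)."""
    return {"processes": ["smss.exe", "csrss.exe", "explorer.exe"]}

def make_pass_through(previous):
    """A well-behaved hook: saves the previous pointer and calls down the chain."""
    def hook(request):
        return previous(request)
    return hook

def install_hook(table, name, owner):
    """Install a hook the way layered products do: remember the old pointer,
    put our handler in the table, and tag it so a checker can attribute it."""
    handler = make_pass_through(table[name])
    handler.owner = owner
    table[name] = handler

def check_table(table, known_good):
    """What a table-only checker sees: entries that no longer point at the
    known-good handler, attributed to the outermost (visible) owner only."""
    return {name: getattr(handler, "owner", "unknown")
            for name, handler in table.items()
            if handler is not known_good[name]}

def hook_chain(table, name):
    """Walk the saved-pointer chain to list every hooker, outermost first.
    A checker that only reads the table entry cannot see the inner ones."""
    owners, handler = [], table[name]
    while hasattr(handler, "owner"):
        owners.append(handler.owner)
        handler = handler.__closure__[0].cell_contents  # the saved 'previous'
    return owners

def build_demo():
    """Constructed scenario: two products hook the same entry, one after the other."""
    table = {"NtQuerySystemInformation": original_nt_query_system_information}
    known_good = dict(table)
    install_hook(table, "NtQuerySystemInformation", "PG")
    install_hook(table, "NtQuerySystemInformation", "ZoneAlarm")
    return table, known_good

if __name__ == "__main__":
    table, good = build_demo()
    print("table-only view:", check_table(table, good))   # only ZoneAlarm visible
    print("full chain:     ", hook_chain(table, "NtQuerySystemInformation"))
```

Uninstalling the outer product (step 1 above) is what exposes the inner hook to a table-only check, which is why the result changes between runs.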
     
  9. controler

    controler Guest

    I only get level 3 with Zonealarm or Jetico.

    I get level 5 with PG.

    Did SJ try Autoruns while looking at drivers? Without any security software running?

    con
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @f3x: svv still does not work on my new computer and also sdtrestore doesn´t, probably someone managed to redirect the pointer to ntoskrnl on my 64 bit cpu, isn´t it?

    Svv works well on my old 32bit cpu and therefore also on this computer.

    So you think I should uninstall all security software.

    I think I made a mistake with the DOS thing: I used the command dir *. instead of simply dir. Dir *. only lists directories but doesn´t list directories with a ., did not know that until now.

    I made svv fix, seems that it fixed the tcpip.sys, but I am not sure.

    http://i2.tinypic.com/vg05jp.png
     
    Last edited: Apr 15, 2006
  11. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    No. 64-bit CPUs are very different than 32-bit CPUs.
    I almost consider it normal for svv not to work.

    Controler tested that svv will report a level 5 on a computer with PG.
    So you are not necessarily infected... just very well hooked by PG.


    Overall you show no sign of infection.
    What has hooked tcpip.sys?
    Another security software?

    ----------------------

    Why do you show me BlackIce configuration files?
    It's not a sign of infection ... only a configuration file lol.


    Now that we know it's possible your CPU is clean, would you run a memtest...
    Just to make other users of wildersecurity happy. Anyways it's never bad to do a hardware test just to know we have it in perfect shape.
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi f3x,

    Just to clarify things, SVV runs with no problems on my 64-bit CPUs (FX53, FX55, FX60) as long as the OS is 32-bit. SVV does not, and should not, work on my x64 systems (dual-boot). On another point, SVV's ntoskrnl.exe "error" is common and shows up consistently on clean machines. Even so, it's a good tool to have around.

    Nick
     
    Last edited: Apr 15, 2006
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Great to hear that, Nick, these are the things I want to know. It´s very important to get feedback from users of such software, so it´s usual that ntoskrnl is not found. I use a 64 bit cpu with 32 bit windows and a 32 bit cpu with 32 bit windows.

    I made svv fix some days before, it would have been better to do this after the svv check.

    Now I disabled all security software and restarted, I even closed nearly all exes (incl. explorer), except the essentials, then ran svv, this is the result:

    http://i2.tinypic.com/vhqqtd.png

    Is someone able to explain the results, what do they mean?

    svv all check

    http://i2.tinypic.com/vhrcp4.png

    pci? hm.
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    The results likely mean that when you choose to use tools/utilities such as those you have employed in the last 3 pages of this thread, you need to step back, relax for a moment, and take some time to train yourself on their usage.

    Blue
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The idea is not bad, but what about this:

     
    Last edited: Apr 15, 2006
  16. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Please read on the site how svv works.
    It compares "passive" code in exe files on the hard drive with memory.
    However it's normal to have it somehow changed during the windows load.

    I have the same result on the clean system. It's the only explanation I can give.
    Even after "fixing", svv will show these. The result of the story is that svv shows no sign of infection.

    As I told you, csrss is responsible for closing programs.
    Why it closes them is a complex subject and it can be anything from program conflict to rootkit. However ... as svv detected nothing special, it has a low chance of being a rootkit.
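The disk-versus-memory comparison f3x describes, as an added example that is not SVV's code or anything from the thread: a tiny constructed x86 code section is "loaded" with a base-relocation delta, and the verifier separates byte changes explained by relocation (expected after load) from changes that are not (a candidate inline patch). The section bytes, relocation offset and delta are all constructed.

```python
# Added example (not from the thread or SVV itself): an SVV-style comparison of
# a code section on disk with its in-memory copy. Differences explained by base
# relocation are expected after loading; anything else is a candidate patch.
import struct

def make_disk_section():
    """Constructed 11-byte x86 'code section': push ebp; mov ebp,esp; nop; nop;
    mov eax,[0x00401000]; ret. The absolute address at offset 6 is relocatable."""
    code = b"\x55\x8b\xec\x90\x90\xa1" + struct.pack("<I", 0x00401000) + b"\xc3"
    return code, [6]  # (bytes, list of 32-bit relocation field offsets)

def relocated_image(disk, relocs, delta):
    """Model what the loader does: add the base delta to each relocated field."""
    mem = bytearray(disk)
    for off in relocs:
        val = struct.unpack_from("<I", mem, off)[0]
        struct.pack_into("<I", mem, off, (val + delta) & 0xFFFFFFFF)
    return bytes(mem)

def verify_section(disk, mem, relocs, delta):
    """Compare disk vs memory. Returns the naive byte-diff count (what a tool
    that ignores relocations would complain about) and the offsets that are
    NOT explained by relocation."""
    if len(disk) != len(mem):
        raise ValueError("section sizes differ")
    reloc_bytes = {off + i for off in relocs for i in range(4)}
    naive = sum(1 for a, b in zip(disk, mem) if a != b)
    suspicious = {i for i in range(len(disk))
                  if disk[i] != mem[i] and i not in reloc_bytes}
    for off in relocs:  # relocated fields must equal disk value + delta exactly
        expected = (struct.unpack_from("<I", disk, off)[0] + delta) & 0xFFFFFFFF
        if struct.unpack_from("<I", mem, off)[0] != expected:
            suspicious.update(range(off, off + 4))
    return {"naive_diff": naive, "suspicious": sorted(suspicious)}

def demo():
    """Clean loaded image vs. the same image with its first 5 bytes replaced by
    a jmp rel32 (constructed inline patch, the kind SVV reports as a hook)."""
    disk, relocs = make_disk_section()
    delta = 0x10000                # image loaded 0x10000 above its preferred base
    clean = relocated_image(disk, relocs, delta)
    patched = b"\xe9" + struct.pack("<i", 0x1000) + clean[5:]
    return (verify_section(disk, clean, relocs, delta),
            verify_section(disk, patched, relocs, delta))

if __name__ == "__main__":
    for label, result in zip(("clean", "patched"), demo()):
        print(label, result)
```

The clean image still shows one differing byte to a naive diff, which is the "somehow changed during the windows load" case; only the patched image leaves offsets that relocation cannot explain.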
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hardware conflict is not possible, because I use two totally different computers and they kill exactly the same files, and Miss Rutkowska also wrote that it is by far not impossible to circumvent svv.
    Look at all anomalies above, it was a real chance to get Windows Defender running (once gss could protect it but only for a short time), normally it is killed by csrss.exe, actually I don´t manage to get it working.

    Adinf is still sure that there is a memory and boot virus.

    Besides, csrss.exe wants to kill adsched.exe; if blocked with gss, the system got 100% CPU.

    So this is also usual behaviour.. ;-)
     
    Last edited: Apr 16, 2006
  18. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    Systemjunkie,

    I think someone should pull your pants down, bend you over their knee, and spank your bare bottom until it's raw because of your great stubbornness.

    You have refused to perform simple troubleshooting steps that members have asked you to do to get rid of possible causes to your elusive "rootkit". Instead you have run around yelling, "FIRE! FIRE!", about things happening on your computer that knowledgeable people here have kept telling you over and over again is normal program/OS behavior or has been caused by your own actions of installing so many kernel level apps. Even I, who am not so knowledgeable about such things, can clearly see that some, if not all, of what you think is suspicious is really normal behavior by OS components. You should really learn more about how the different Windows components interact with each other before you go off half-cocked about how some security app is alerting you to "suspicious" behavior that's really harmless. This is why it's better for people who don't know what the hell they're doing to just be behind a router/XP firewall and have a good AV because 20 or 30 security apps WILL NOT protect them from themselves.

    Why did you even bother asking for help on this if all you're going to do is argue with those you have asked for help from and tell them they are wrong when some of those who have posted in this thread are some of the most kernel level app "experts" there are?

    I suggest that nobody give you any more help or advice until you at least show that you are willing to listen to others and show them courtesy since they have taken time out of their lives to offer assistance. You could do this by following some of the suggestions such as running a memory checker on your RAM that you claim there's no chance that it's bad. It would be a step in the right direction instead of all this running around and yelling, "THE [ROOTKIT] IS FALLING!"
     
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That's normal mode: http://i3.tinypic.com/vp94ck.png
    (reuploaded)

    and that's in safe mode

    Everything works in safe mode, nothing of the special security related apps in normal mode.

    Mr.Cha.. you have 11 posts, you shouldn´t try to post unnecessary comments in here.
     

    Attached Files:

    Last edited: Apr 16, 2006
  20. controler

    controler Guest

    I guess I gave some hints before on this person SJ.

    Seems to have an agenda. Eventually the mods will step in.

    Or the real experts. LOL

    And they will ask: Dear SJ, do you have some special proof of concept you want to share without all the BS?

    If SJ's answer is no, they will remove the thread.

    con
     
  21. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi, SystemJunkie

    I see nothing that is unnecessary in his advice.

    If you had tried to fix [and had fixed] your so called problem, you would not have made so many posts either.

    Take Care.
    TheQuest :cool:
     
  22. controler

    controler Guest

    OH I do not think it is a matter of fixing at all. That is obvious.

    This person just wants to be heard.

    Con
     
  23. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    SystemJunkie

    I really hope that you don't have a rootkit in there !

    The thing that puzzles me though is, if you can afford All those apps and hardware, why don't you just go out and buy 100% fresh parts and build yourself a brand new clean PC from scratch ?

    Or is it that you like to TRY and get to the bottom of things, if Possible ?

    If it were me, I would at least Fully test All the Ram, as it can be done for Free and won't take up hardly any time ! That way there would be one more thing you could eliminate, which surely must be very welcome I would have thought ! Also people would be more willing to assist you further, and more often, which is what you seek, isn't it ?


    StevieO
     
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Controler your friend Devil´s Advocate sent me strange PMs that I would do great work with my discoveries here and that he would know what I am doing, where´s the problem?

    Fresh parts? This computer is one year old. I could do that but I want to find myself the dark core of this problem. (probably it´s my unbending mind who becomes more and more curious the harder things come)

    In the Sysinternals forum someone said the thing I want to know may be even too hard for a Microsoft programmer to answer. :cool: I consider this as a compliment.

    My core mentality is to dig as deep as possible to shift boundaries. But to not lose the thread's theme: I have a bootscreen, I wonder why the only line without description is the one with ACPI. I never paid attention until now.

    http://i3.tinypic.com/vp9mpi.png
     
    Last edited: Apr 16, 2006
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I think he was being sarcastic - in any case, it's high time I unsubscribed from this thread...
     