UnHackMe Version 4.0

Discussion in 'other anti-malware software' started by JerryM, Dec 20, 2006.

Thread Status:
Not open for further replies.
  1. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I had emailed the author of Unhackme about the findings in this thread. Hopefully he can respond and explain how Unhackme + Partizan work to detect rootkits.
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ controler

    I can confirm that BOClean does detect 3 out of the 4 versions of the RkUnhooker test rootkit I have.

    http://img237.imageshack.us/img237/2320/rkdtrkry0.png

    These were dropped into BOClean for quick definition awareness proof, rather than actually running them. I'm presuming you have RKdemo12.sys which is RkUnhooker test rootkit 1.2. I thought I'd sent this to nsclean, will do now though.


    StevieO
     
  3. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    RkDemo is not malware. Adding such signatures to the database is not a good decision.
     
  4. controler

    controler Guest

    StevieO

    Yup, that is the one I have, RKdemo12.sys. I didn't drag it, I ran it.
    I found about a month ago that dragging doesn't always work with BOClean if he has not created a sig for it, but the heuristics might detect it, per Kevin.
    That happened to me on that trojan codec.

    EP_X0FF

    Don't you think it is a good idea to detect all rootkits even if some are for test only? I don't see any reason someone would use rootkits for any legit application in this day and age.

    controler
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    controler

    Why? For further enlarging the huge AV base? RkDemo can't live on a computer; after reboot it disappears from memory. And it doesn't take any malicious actions on the computer. The same with Phide_ex, which is detected by DrWeb as Trojan.Phide.
    What, is the EICAR file not enough for antiviruses anymore?
     
  6. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Hi All,

    I need to add some comments to the discussion.

    You said that Partizan starts after the rootkit drivers.
    That's not true.
    Partizan uses the BootExecute registry key to start at an early stage of the Windows boot process.
    What's the stage?
    This is the moment when Windows has loaded Ntoskrnl.exe, NTDLL
    - Device drivers.
    These are the drivers for devices required to boot the machine (non PnP).
    If a device is required to boot the machine, the drivers for the device
    should have a start type of SERVICE_BOOT_START (0x0).
    Microsoft tells:
    "On system boot, the operating system loader loads drivers of type
    SERVICE_BOOT_START before it transfers control to the kernel.
    These drivers are in memory when the kernel gets control.
    Boot-start drivers can use INF LoadOrderGroup entries to order their loading.
    (Boot-start drivers are loaded before most of the devices are configured,
    so their load order cannot be determined by device hierarchy.)
    The operating system ignores INF Dependencies entries for boot-start drivers."

    The rootkit driver needs to hook the registry to hide its presence from Partizan.
    But the driver can do it only during its initialization procedure.
    I can tell you that hooking at the boot stage is very dangerous and it will immediately cause a BSOD.

    Partizan can see the System registry hive (other hives are not loaded at this moment),
    and all files on the hard drives.
    Partizan can see the real state and can save this information for a future use.
    It can load any registry hive and check its contents, but unfortunately it can't change the registry
    files required for the latest boot (changes are skipped).
    Partizan can delete a registry key in the System hive, any file or a stream.
    Yes, Partizan can delete NTFS streams as well as a file.
    If you want to check it you can do it :) (Hi Rustock!)

    Partizan is a Native API application similar to SMSS.exe, chkdsk.exe, autocheck.
    It doesn't use the Windows API, only the API exported by NTOSKRNL and NTDLL.DLL.
    It will not work under Windows mode.
    It works under Vista too.
    Microsoft changed the file naming rules for Native applications in Vista.
    The latest version of Partizan (UnHackMe 4, Partizan 5) is adapted for use in Vista.

    First Partizan checks the floppy drive for a command.rri file.
    If command.rri is found, it saves information to the floppy to avoid it being changed by viruses later.
    (Paranoia option :) )

    Partizan doesn't detect user mode rootkits.

    Partizan is a great tool but it requires that the last step be done by the user.
    If you understand what you are doing - great!
    If not, contact our support center and we will help you.
    http://greatis.com/support

    Don't forget that we offer the UnHackMe Pro.
    It's only for professionals.
    But it allows you to use additional detection methods:
    1) Using Bootlog XP.
    The WMI logger is included in Windows XP and higher versions.
    Bootlog XP converts the binary information to a bootlog file convenient for testing.
    Bootlog XP determines all files loaded during the Windows boot process (the boot drivers too :))
    2) Using Registry/Files drivers.
    For usermode rootkits.
    3) Greatis Linux.
    It's the 9 Mb image of a boot CD.
    It has the MC interface and can work with NTFS drives as well.

    If you have a rootkit for testing, please, contact me directly to
    dimasokolov@gmail.com

    Thank you for your time!
    Merry Christmas and Happy New Year!
    Dmitry
     
  7. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    Thanks for the detailed reply - I looked but could not see how it loaded
     
  8. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    Rootkits CAN use SERVICE_BOOT_START with the "Boot Bus Extender" group to load themselves (it is processed by the system before the BootExecute key, by your words), and can hook any registry services WITHOUT care to easily bypass any detector

    edit: error in Group name
     
    Last edited: Dec 24, 2006
  9. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Yeah? Depends on what rootkits you have for testing =)))
    So huge post from you and so little sense inside it.
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Well, I sent a courteous email to support (SokolovDmitry) asking about these very issues and was called 'catty' (?) Now unless it means something different there, I presume it was meant as in I was making catty remarks. I've had no explanation.
     
  11. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Hi,

    > Yeah? Depends on what rootkits you have for testing =)))
    > So huge post from you and so little sense inside it.

    Do you have a real rootkit for testing or not?

    Dmitry
     
  12. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Catty is our support specialist :)
    She answers the users' questions.

    You can contact me directly:
    dimasokolov@gmail.com
     
  13. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    Funny that everywhere it is very easy to decide whether it was our comrade or not. They always think that they are very smart. And this is everywhere. Even if I wanted to, I would not give you any samples, just because they are firstly technology, and only after this malware. Catch Rustock.C with your "Partisan", :eek: :ninja:
     
  14. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    So much arrogance...

    This would not be allowed in this forum...
     
  15. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Two suggestions for all participants:

    1. Stick to technical matters
    2. Leave personal comments of all types aside - and my personal suggestion is to do that in all venues.

    This thread will be closed without further comment if these suggestions are not followed.

    Blue
     
  16. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    OK, no problem
     
  17. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    I do not think that UnHackMe can deal with a boot time rootkit, for obvious reasons. Any boot time kernel driver in the Boot Bus Extender group will be loaded before Partizan. And the king is whoever is loaded first. BootExecute is not a king :)
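    As an added example, not code from the thread or from UnHackMe/Partizan, this PowerShell script lets a defender inspect the ordering that posts 6, 8 and 17 argue about: it lists the SERVICE_BOOT_START drivers with their load-order group and that group's rank in ServiceGroupOrder, then prints the BootExecute list that Session Manager runs only after those drivers are already in memory. It assumes the standard registry locations under HKLM\SYSTEM\CurrentControlSet and an elevated prompt; the on-disk check is a heuristic, not a verdict.

```powershell
# Added example (not part of the thread or of UnHackMe/Partizan): audit the Windows boot load order.
# Boot-start drivers (Start = 0) load in ServiceGroupOrder before smss.exe runs BootExecute,
# so anything in an early group such as "Boot Bus Extender" is in memory before a BootExecute tool.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ctl     = 'HKLM:\SYSTEM\CurrentControlSet\Control'

# Group names in boot order (REG_MULTI_SZ); lower index = loaded earlier
$groupOrder = @((Get-ItemProperty "$ctl\ServiceGroupOrder").List)

function Resolve-ImagePath([string]$name, [string]$imagePath) {
    # Boot drivers may omit ImagePath; the default is system32\drivers\<name>.sys
    if ([string]::IsNullOrEmpty($imagePath)) { $imagePath = "system32\drivers\$name.sys" }
    if ($imagePath -like '\SystemRoot\*') { return Join-Path $env:SystemRoot $imagePath.Substring(12) }
    if ($imagePath -like '\??\*')         { return $imagePath.Substring(4) }
    if ($imagePath -notmatch '^[A-Za-z]:' -and $imagePath -notlike '\*') {
        return Join-Path $env:SystemRoot $imagePath   # relative to the Windows directory
    }
    return $imagePath
}

$bootDrivers = foreach ($key in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty $key.PSPath
    # Type 1 = kernel driver, 2 = file system driver; Start 0 = SERVICE_BOOT_START
    if ($p.Start -ne 0 -or $p.Type -notin 1, 2) { continue }
    $rank = [array]::IndexOf($groupOrder, [string]$p.Group)
    if ($rank -lt 0) { $rank = [int]::MaxValue }          # ungrouped drivers load after all groups
    $file = Resolve-ImagePath $key.PSChildName $p.ImagePath
    [pscustomobject]@{
        Driver    = $key.PSChildName
        Group     = $p.Group
        GroupRank = $rank
        ImagePath = $file
        # Heuristic: a boot-start driver whose image is not visible from Win32 merits a closer look
        OnDisk    = Test-Path -LiteralPath $file
    }
}

$bootDrivers | Sort-Object GroupRank, Driver |
    Format-Table Driver, Group, GroupRank, OnDisk, ImagePath -AutoSize

# BootExecute (REG_MULTI_SZ under Session Manager) runs after every driver listed above is loaded
"`nBootExecute entries (run after the boot-start drivers above):"
(Get-ItemProperty "$ctl\Session Manager").BootExecute | ForEach-Object { "  $_" }
```

    Compare the GroupRank of any unfamiliar driver with the position of "Boot Bus Extender" in the output to see which code gets control before a BootExecute-stage scanner.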
     
  18. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Folks,

    A few posts dancing around the request above removed. The next step is thread closure (this one and others that may pop up, if they attempt to pursue the same lines in an effort to circumvent the closure) without notice.

    Regards,

    Blue
     
  19. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Yesterday I used your tool against separate Rustock A and B infections and your tool did not *see* either in any way, shape or form when they were installed. It gave my computer a clean bill of health with a *no trojan present* message and nothing was detected during the boottime check.

    I will forward you some Rustock droppers so you can check for yourself in your lab, to the contact address you have supplied previously (files zipped and password = infected).

    HTH:)
     
  20. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    That would be the best proof and right way to solve some incomprehension here :)
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Then all is well, but your email to me was addressed "Dear Catty" and that is why I was wondering.
    Dmitry, what is your comment on fcukdat's test on Rustock?
     
  22. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Hi,

    Great!
    I think it's the best way to resolve the problem!
    Welcome!
    I'm waiting for your files...
    I promise to answer you here independently of the test results.

    Best wishes,
    Dmitry
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I have tried forwarding samples as email attachments but they keep bouncing back, service unavailable.

    Dmitry do you have another address that will accept zipped files attached to email ?
     
  24. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Hi Meriadoc,
    I understand you.
    She forwarded me your e-mail :)
    I'm waiting for a work... :)

    Dmitry
     
  25. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39