UnHackMe Version 4.0

Discussion in 'other anti-malware software' started by JerryM, Dec 20, 2006.

Thread Status:
Not open for further replies.
  1. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Dmitry

    Files (x3) have been sent to support@greatis.com. Password = infected

    Merry Christmas!!!
     
  2. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Hi,

    I received the samples.
    Here it is the promised report.
    UnHackMe detects (using Partizan) a lot of rootkits keys.
    Screenshot:
    http://greatis.com/unhackme/UnHackme4.gif
    It's not the useful keys.
    I think they are used to confuse a user.
    RegRun Reanimator displays the driver:
    c:\windows\system32:lzx32.sys
    I can see the contents of the driver in Windows using the sample command:
    more <system32:lzx32.sys
    But it could be deleted by Partizan.
    Partizan returns "not exist" result.

    I tried UnHackMe Pro:
    http://greatis.com/unhackme/UnHackMePro.gif
    It correctly identified the real driver PE386.
    The same thing I can see using RegRun Trojan Analyzer (included in the Platinum):
    http://greatis.com/unhackme/TroJanAnlyser.gif

    I think detection is good? :)

    Unfortunately removal does not work now.
    The lzx32.sys driver hooked the registry/files and doesn't allow the Partizan to delete it.
    I can use the boot CD to do it but I think I have a good solution using regrunrm.sys driver.
    It can work as the device driver and it can decline the loading of the specified boot drivers.
    Now I'm going to play some melodies on my guitar and sleep for some hours. Tomorrow I hope I will send more news.

    Thank you!
    Dmitry
     
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Dmitry

    Thank you for returning your findings. I reran my test model for the following sample that was sent to you in order to recheck I was not mistaken or in error etc.
    http://www.castlecops.com/t175142-MD5_b67c2117c39846ac1380c84f229b9a9e_winsyst32_exe.html

    Here is my test methodology & results.
    1) Install UnHackMe 4 free trial.
    2) Enabled resident scan & boot time scan and then rebooted.
    3) Nothing detected at boot time or "check me now" scan :)
    4) Executed Winsys32.exe. No alert from resident scan or "check me now".
    5) Executed Rootkit Unhooker (my resident ARK/ADS tool) to confirm Lzx32.sys had loaded into ADS, inline hook was dropped and hidden driver visible.
    http://img72.imageshack.us/img72/6366/rkucodehookdetectorrepojq4.jpg
    http://img81.imageshack.us/img81/2289/rkuhiddenfilesdetectorrzh7.jpg
    http://img155.imageshack.us/img155/1807/rkuhiddendriverreportnb2.jpg

    Rustock B (Lzx32.sys) is native & live :thumb:

    6) Reboot for boot time check = UnHackMe warning box :)

    http://img413.imageshack.us/img413/4531/unhfo7.jpg

    * Warning dialogue box moved so the report box behind it is visible.
    A quick check of all invisible/deleted keys shows all detections have *RKU* listed in them o_O
    ** Attached is the report log produced by UnHackMe during this test run.

    7) Last "check me now" scan after boot time sequence = All clear, no trojan present


    My assumption previously (whether or not in error, which it might have been o_O) is that there is no reference to PE386 service entries or Lzx32.sys in the tool reports = failure to detect Rustock B by the tested tool.

    I will forward the Rustock(Lzx32.sys) file extracted from ADS generated by this test to you for your inspection :)

    STATUS: FINISHED
    Complete scanning result of "_DATA", received in VirusTotal at 12.26.2006, 00:26:42 (CET).

    Antivirus Version Update Result
    AntiVir 7.3.0.21 12.25.2006 TR/Rootkit.Gen
    AVG 386 12.25.2006 Generic2.NFM
    BitDefender 7.2 12.25.2006 Trojan.Rootkit.Procob.A
    DrWeb 4.33 12.25.2006 Trojan.Spambot
    eSafe 7.0.14.0 12.25.2006 Suspicious Trojan/Worm
    Ewido 4.0 12.25.2006 Hijacker.Costrat.ac
    Fortinet 2.82.0.0 12.25.2006 Adware/Costrat
    Ikarus T3.1.0.27 12.25.2006 Trojan-Clicker.Win32.Costrat.ac
    Kaspersky 4.0.2.24 12.25.2006 Trojan-Clicker.Win32.Costrat.ac
    NOD32v2 1938 12.25.2006 Win32/Rustock.NAX
    Panda 9.0.0.4 12.25.2006 Trj/Clicker.VW
    Prevx1 V2 12.26.2006 Win32.Rootkit.Gen
    UNA 1.83 12.25.2006 TrojanClicker.Win32.Costrat.FEAE
    VBA32 3.11.1 12.25.2006 Trojan.Win32.Rustock.NAX



    Additional Information
    File size: 68944 bytes
    MD5: 5295788e5489330c0bba8ad90dadc2eb
    SHA1: 5064c51595c2ecfd3ebf6cc839da03fae59f5ce0


    HTH:)
     

    Attached Files:

    Last edited: Dec 25, 2006
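The sample in the two posts above lives as an NTFS alternate data stream attached to the System32 folder itself (c:\windows\system32:lzx32.sys), which is why Dmitry reads it with "more <system32:lzx32.sys" and why file-only ADS scanners walk past it. As an added example (not code from this thread, from UnHackMe or from RegRun), the PowerShell script below enumerates named streams attached to directories, hashes each stream and flags matches against the MD5/SHA1 that VirusTotal reported for the extracted "_DATA" stream in the post above. It assumes Windows PowerShell 5.1 on NTFS, run elevated, that Get-Item -Stream (3.0+) lists streams on directories, and the AdsDemo.Native helper name and the defaults are this example's own choices.

```powershell
<#
  Added example, not code from this thread or from UnHackMe/RegRun:
  list NTFS alternate data streams attached to DIRECTORIES (the root and every
  subfolder), hash each stream, and flag matches against a known-bad list.
  Rustock B stored its driver as a stream on the System32 folder itself
  (C:\WINDOWS\system32:lzx32.sys), which file-only ADS scanners skip.

  Assumptions: Windows PowerShell 5.1 (Get-Item -Stream needs 3.0+) on NTFS,
  run elevated. The two default hashes are the MD5 and SHA1 VirusTotal reported
  for the extracted stream earlier in this thread.
#>
param(
    [string]   $Root     = "$env:SystemRoot\System32",
    [string[]] $KnownBad = @(
        '5295788e5489330c0bba8ad90dadc2eb',          # MD5 of _DATA (from the thread)
        '5064c51595c2ecfd3ebf6cc839da03fae59f5ce0'   # SHA1 of _DATA (from the thread)
    )
)

# CreateFileW via P/Invoke: older .NET Framework File APIs reject "dir:stream"
# paths, while the Win32 call opens them directly. Helper name is ours.
Add-Type -Namespace AdsDemo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Read-StreamBytes {
    # Returns the raw bytes of the named stream $Stream attached to $Path.
    param([string]$Path, [string]$Stream)
    $GENERIC_READ  = [uint32]2147483648   # 0x80000000; decimal because PS hex literals are Int32
    $SHARE_RW      = [uint32]3            # FILE_SHARE_READ | FILE_SHARE_WRITE
    $OPEN_EXISTING = [uint32]3
    $handle = [AdsDemo.Native]::CreateFileW("${Path}:${Stream}", $GENERIC_READ, $SHARE_RW,
                                            [IntPtr]::Zero, $OPEN_EXISTING, [uint32]0, [IntPtr]::Zero)
    if ($handle.IsInvalid) { throw "CreateFileW failed for ${Path}:${Stream}" }
    $fs = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
    try {
        $ms = New-Object System.IO.MemoryStream
        $fs.CopyTo($ms)
        return ,$ms.ToArray()             # leading comma keeps an empty stream as an empty array
    } finally { $fs.Dispose() }
}

function Get-HexHash {
    # Lowercase hex digest of $Bytes with the named .NET algorithm ('MD5' or 'SHA1' here).
    param([byte[]]$Bytes, [string]$Algorithm)
    $algo = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    try     { ([BitConverter]::ToString($algo.ComputeHash($Bytes)) -replace '-').ToLower() }
    finally { $algo.Dispose() }
}

function Find-DirectoryStreams {
    param([string]$Root, [string[]]$KnownBad)
    # The root itself plus every subfolder; -Force includes hidden/system folders.
    $dirs = @(Get-Item -LiteralPath $Root -Force) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        # A directory has no unnamed ::$DATA stream, so every stream listed here is an extra one.
        $streams = @(Get-Item -LiteralPath $dir.FullName -Stream * -ErrorAction SilentlyContinue |
                     Where-Object { $_.Stream -ne ':$DATA' })
        foreach ($s in $streams) {
            try   { [byte[]]$bytes = Read-StreamBytes -Path $dir.FullName -Stream $s.Stream }
            catch { Write-Warning $_; continue }
            $md5  = Get-HexHash -Bytes $bytes -Algorithm 'MD5'
            $sha1 = Get-HexHash -Bytes $bytes -Algorithm 'SHA1'
            [pscustomobject]@{
                Directory = $dir.FullName
                Stream    = $s.Stream
                Length    = $s.Length
                MD5       = $md5
                SHA1      = $sha1
                KnownBad  = ($KnownBad -contains $md5) -or ($KnownBad -contains $sha1)   # -contains is case-insensitive
            }
        }
    }
}

Find-DirectoryStreams -Root $Root -KnownBad $KnownBad |
    Sort-Object KnownBad -Descending | Format-Table -AutoSize
```

Two practical notes. Dmitry's report says lzx32.sys hooks registry and file access, so a listing taken on the live infected system can be filtered by the rootkit itself; when that is suspected, run the check from a boot CD / WinPE against the offline volume instead. Hash matching only identifies this exact sample; any named stream attached to a directory under System32 is unusual enough to be examined regardless of whether it matches.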
  4. controler

    controler Guest

    fcukdat

    I think he used Reanimator to see the driver. What I asked people to do was run the newest Regrun on those two rootkits which offers way more tools but nobody wanted to o_O
    I don't think unhackme has Reanimator included but can be downloaded as a standalone app free.



    controler
     
  5. controler

    controler Guest

    From this statement I am assuming rustock c is already in the wild.


    controler
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    :oops:
    Looking back at your posts I now see the question being asked...
    For now (I possess neither software) I will take a *pass* on testing them at the moment.

    But maybe you can :cool: I will PM you with a guide/info :)
     
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    @Dmitry
    >> The lzx32.sys driver hooked the registry/files and doesn't allow the Partizan to delete it.

    lol

    When you know how it really works you will probably find the answer :) Just FYI - BootExecute is not a panacea.

    Looking at fcukdat's screenshot #3 I see that this is not a fully workable version of Rustock - the driver was not hidden.

    @controler
    >> From this statement I am assuming rustock c is already in the wild.

    Yes :)
     
  8. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Hi,

    I found a simple way to remove Rustock.
    You need to use RegRun Rescue (RegRun Platinum, Gold).
    It allows you to make backup copies of the registry.
    What I did (Rustock is active):
    1. Make a registry backup using Rescue.
    2. I checked the "system" file (includes the system hive).
    It doesn't contain the infected keys.
    Looks like the rootkit filters its own key :)
    3. Immediately I chose "Restore".
    Select only the "system" file.
    Rescue prompts to reboot.
    4. After that Rustock doesn't start :)
    5. I checked the stream in the "System32" folder.
    Stream exists.
    6. I removed it using Partizan but you can use another software.

    Partizan.rri contents:
    RR
    \??\C:\WINDOWS\system32:lzx32.sys

    I think I can make a program to automate this process for end users.

    Best regards,
    Dmitry
     
  9. controler

    controler Guest

    EP_XOFF

    Thanks for verifying rustock C :)

    Dmitry

    Thanks for showing results using Regrun.


    One thing I noticed about Regrun was that it was a bit hard to navigate through the screens of all the tools. I know you have improved that a lot since I tried it but some could use a bit more automation even if regrun is more for the IT type at this time.
    I understand Unhackme being more for the home user. Anytime a developer can make a great set it and forget it without a lot of pop ups, you will have a home user application.

    That is the course BoClean went a long time ago.
    I think that is why they are so successful. They made it as easy as they could for corporate and government users, plus home users.
    I do know that Kevin added the new driver because of other security software more than malware.

    Dmitry

    I know you have been working with rootkits for a long time but as you may have guessed, MP_ART and EP-XOFF have been working with them longer and do know what they are talking about.
    I am happy to see you are taking them seriously.

    controler
     
  10. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It is great that Partizan can do something. So PE386 was a little wrong in the opinions about your software that he told me yesterday :)
    I found a simpler way to remove Rustock without buying this Great software Unhackme.

    1. D/L Rootkit Unhooker.
    2. Start Hidden files detector scan
    3. Select detected rustock driver and do wipe operation

    Reboot and no rustock on your system. Ready for cleanup with AV.
     
  11. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Rootkit Unhooker is not designed for the average user and in Beta, isn't it? Reason enough for all non-testers to keep away from it for now.

    A neutral question: is there a direct connection between the developers from RKU and coders from (all) Rustock variants?
     
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It is not in Beta, it is in release candidate state, so I see no problems in using it now. As for average users, well if they can click with a mouse and read from the screen they probably can work with our software. Just like with Unhackme's shining interface.

    Aha, yes like with Gromozon author and PrevX development team. PE386 is our sponsor =)))))))
     
  13. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Not good enough. Iron out all issues and release the Final.

    "probably" is the crux here. As for now, RKU from a users point of view cannot be compared with Unhackme.

    Totally irrelevant and foolish untrue remark. Back it up first.

    Very funny indeed. Still awaiting a valid and straight answer...
     
  14. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It makes absolutely no difference what will be in the version info - RC, beta, or final. The main difference between our program and unhackme - the last one is not as good as described by its authors, that is all. Anybody can test unhackme and our program/or any other antirootkit and see the difference. It will be.

    Probably because you are one of Unhackme users. No offense, just comment.

    The same I can say about your question. The direct answer will be - "no", is it enough?
     
  15. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    On the contrary - the Final Release is proof of the pudding.

    No proof of this statement so far.

    I did. "It will be" still has to be proven.

    No offense taken. I've used (amongst others) your RKU as well so I am able to compare.

    It's certainly noted and archived - Dobre.
     
  16. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Ok. Even if I post results here you will not believe me. I believe my own tests and my own reversing of Unhackme and the opinions of malware rootkit writers. They can't lie to me in such things, because I can always check their words. So for me Unhackme was and will be a useless thing. Of course, I can be wrong. For some people it is a really good product, so good luck to Dmitry in understanding BootExecute nature :thumb:

    May I ask you now my neutral question: What was the reason to ask me about PE386? What kind of interest? I can tell you why we are in contact with PE386 as well as with some other authors of well-known user mode malware, it's not a secret :)
     
  17. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
    Hi All,

    Thank you very much for your help!
    I hope you agree that UnHackMe and RegRun can do something with these rootkits :)
    We will work to make it better.
    And easy to use :)

    The comparison is such a difficult task. The programs change every day :)
    New UnHackMe and RegRun versions will be available soon.

    I will take off any comments regarding other anti-rootkit programs.
    I think they are useful and the users will make their choice.

    Best wishes,
    Dmitry

    P.S. Happy New Year!
     
  18. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    39
  19. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Good work! But you are four months late.
     
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
  21. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
  22. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    EP_X0FF - Is there any way of reading the output of a scan with your program? It is very comprehensive but I am not sure I can interpret the results.
     
  23. EASTER.2010

    EASTER.2010 Guest


    Is that the new Beta of RegRun Reanimator? I heard from someone that it needed upgrading first?
     
  24. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Easter.2010, it is the Beta 1 version of the latest UnHackMe I believe.

    "UnHackMe - Rootkit Killer.
    Version 4.1 beta (February 9 2007)
    Supported Windows NT4/2000/XP(64)/2003(64)/Vista.
    What's new in version 4.1
    Added detection/removal of the rootkits that use Unreal Rootkit technology.
    Read our article about Unreal rootkit..."

    http://www.greatis.com/security/Unreal_rootkit_removal.htm
     
  25. EASTER.2010

    EASTER.2010 Guest

    OK, OK, but does anyone have an idea when the RegRun Reanimator will become an updated release? That is the main one of interest to me, thanks.
     