Free rootkit detector from Sysinternals

Discussion in 'other anti-malware software' started by wolfpack, Feb 22, 2005.

Thread Status:
Not open for further replies.
  1. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
Seems like a much better detector than the one from Sysinternals, where possibilities are already ruled out.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    One thing I am certain of is that Sysinternals, as they typically do, will develop RootkitRevealer into a must-have tool.

    Nick
     
  3. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    I am not sure Flister actually works, I execute it in a DOS prompt and it does not scan anything, just immediately shows the same thing lynchknot said he got.


    FLISTER 0.1, (c) 2005 by joanna
    http://invisiblethings.org
    flister.exe <dir> [ZwQueryDirFile_Syscall_Index]

    Should it not do a scan like the RootkitRevealer does?

    I got 90541 discrepancies with RootkitRevealer by the way, most with a KAV tag.
     
    Last edited: Feb 23, 2005
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
As an example, type and execute flister.exe c:\windows\system32 and you will see the output in the command window. You can save the output as a text file by typing and executing flister.exe c:\windows\system32 > flister.txt. You can find the text file wherever flister.exe is located.

    Nick
     
    Last edited: Feb 23, 2005
  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

***It seems that Nick was the first to give the news.
So "give to Caesar what pertains to Caesar": also thanks for the link. ;)

***Flister could help in order to detect a rootkit.
But as I already said, there is no single method and no single tool/utility/soft.

**My line of defense is based more on prevention than on detection.
I found a sentence about IPS/IDS/NIDS which summarizes exactly what a security policy against all malware in general and rootkits in particular could be:

    "That which can not be detected should be prevented,
    that which can't be prevented should be detected."

***Against rootkits the best defense is knowledge.
The more we learn about a kind of malware, the more we'll be able to prevent/detect and eradicate it.

I can only strongly recommend having powerful integrity protection for the system.

In any case, if someone, newbie or expert, has a radical solution (for home users, not for big firms), I'll be glad to see their post.

***For anyone who wants to dive into this question (rootkits), there is one of the most interesting presentations, by Jan Rutkowski (a specialist).
This presentation (HTML or PowerPoint) works better with Internet Explorer, but it can be downloaded (zip file).

    Have a nice read:

    http://www.redbrick.dcu.ie/~biteme/hivercon/html/talk-rutkowski.htm

Rootkits? Well... this is just one of The Dark Side Of... The Web. :D ;)

    Regards
     
  6. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    Thanks,

    I got it working now, and so far so good on the scans I have done.
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Services\MRxDAV\EncryptedDirectories 2/11/2004 12:12 PM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Services\MRxDAV\EncryptedDirectories 2/11/2004 12:12 PM 0 bytes Access is denied.
    C:\$AttrDef 2/11/2004 7:00 AM 2.50 KB Hidden from Windows API.
    C:\$BadClus 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$BadClus:$Bad 2/11/2004 7:00 AM 152.66 GB Hidden from Windows API.
    C:\$Bitmap 2/11/2004 7:00 AM 4.77 MB Hidden from Windows API.
    C:\$Boot 2/11/2004 7:00 AM 8.00 KB Hidden from Windows API.
    C:\$Extend 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$ObjId 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$Quota 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$Reparse 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$LogFile 2/11/2004 7:00 AM 64.00 MB Hidden from Windows API.
    C:\$MFT 2/11/2004 7:00 AM 36.27 MB Hidden from Windows API.
    C:\$MFTMirr 2/11/2004 7:00 AM 4.00 KB Hidden from Windows API.
    C:\$Secure 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$UpCase 2/11/2004 7:00 AM 128.00 KB Hidden from Windows API.
    C:\$Volume 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.


    Results from flister:

    C:\Documents and Settings\spy1\My Documents\Unzipped\flister>flister.exe
    FLISTER 0.1, (c) 2005 by joanna
    http://invisiblethings.org
    flister.exe <dir> [ZwQueryDirFile_Syscall_Index]

    Haven't a clue whether I passed or failed here. I'll probably re-do the Sysinternals one later in safe mode. Pete
     
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
Apparently your system failed and you are infected with some rootkit.

    there are some cures for it Pete. :cool:
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    <g> Pete :eek:
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    AFAICS, I got exactly the same results running it in "Safe" mode:

    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet001\Services\MRxDAV\EncryptedDirectories 2/11/2004 12:12 PM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
    HKLM\SYSTEM\ControlSet003\Services\MRxDAV\EncryptedDirectories 2/11/2004 12:12 PM 0 bytes Access is denied.
    C:\$AttrDef 2/11/2004 7:00 AM 2.50 KB Hidden from Windows API.
    C:\$BadClus 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$BadClus:$Bad 2/11/2004 7:00 AM 152.66 GB Hidden from Windows API.
    C:\$Bitmap 2/11/2004 7:00 AM 4.77 MB Hidden from Windows API.
    C:\$Boot 2/11/2004 7:00 AM 8.00 KB Hidden from Windows API.
    C:\$Extend 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$ObjId 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$Quota 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$Extend\$Reparse 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$LogFile 2/11/2004 7:00 AM 64.00 MB Hidden from Windows API.
    C:\$MFT 2/11/2004 7:00 AM 36.27 MB Hidden from Windows API.
    C:\$MFTMirr 2/11/2004 7:00 AM 4.00 KB Hidden from Windows API.
    C:\$Secure 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
    C:\$UpCase 2/11/2004 7:00 AM 128.00 KB Hidden from Windows API.
    C:\$Volume 2/11/2004 7:00 AM 0 bytes Hidden from Windows API.
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.ntfs.com/ntfs-system-files.htm and http://www.ntfs.com/ can be of help, too.

    Please keep in mind that there isn't the slightest shred of doubt in my mind that I'm not infected with anything - much less a rootkit!

Lazy, ignorant savage that I am, though, I'd rather that whatever program I'm running to verify that would do its thing and then pop me up a great big box (and possibly play some patriotic music) saying:

"Congratulations! Due to your incredible knowledge of defensive practices (safe hex), your excellent ability to unerringly pick only the BEST defensive software and just the fact that you're an all-around NICE GUY, we're pleased to announce that your computer is un-infected by anything known (or even ever likely to be discovered in the future!). Thank you for deigning to use our product!"

    *puppy* Pete
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    AL, over at the GRC "Security Software" forum, makes the following statement:

    "The psexec thing from sysinternals can get a program running as SYSTEM with
    the -s and -i switches. A lot less access denied running it that way. I
    ran it as SYSTEM.

    Kerio firewall 2.1.5 also has the local privilege escalation feature, which
    can also be used to run a program as SYSTEM"

    I'm beat and headed for the sack - some of you night owls might want to give that a try and see if it helps clean up your test reports. Enjoy. Pete
     
  14. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Tried it using PowerPrompt and it did eliminate the access denied errors. Just drop powerprompt.exe in the same folder with RootkitRevealer. Execute powerprompt.exe from a command prompt, and then execute the RootkitRevealer GUI from the PowerPrompt console.

    Nick
     


  15. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    Personally, I'm not too worried about eliminating those access denied errors; rather I'm more interested to know the technical reason why the properties key for certain drivers are protected from Administrator access. Anyone have any links to technical docs about this? MSDN perhaps? Ahh... well... maybe I'll try to find something later this morning.

    I suspect that in version 2.0 of RootkitRevealer, the Sysinternals guys will have a little checkbox or something that when marked will hide known benign discrepancies like these driver access denied entries and the NTFS metadata entries. Perhaps, they will even add a little comment field next to each known discrepancy explaining the entry's purpose... or at least expand the help documentation to explain a little more technical background for such entries for those interested in such things. They are the Windows Internals authors after all. Also, if it is the Alternate Data Streams that is causing KAV users fits with this product, they clearly will need to add a workaround that filters out ADS discrepancies as well.
     
  16. controler

    controler Guest

    Hi

This may seem a bit simple, but if you look at your scan result, you will notice a date, right? Well, most of your files and reg keys will show up with the date you installed Windows. If you have a rootkit it will show a different date.
Unless the kit is smart enough to change its file dates to match the system creation DATE.


We need to read the part in the help file about what the sure-fire way of detecting a rootkit is:

    "Is there a sure-fire way to know of a rootkit's presence?
In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.

    The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus."

    Bruce
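Combining the install-date heuristic from the post above with Alec's earlier wish for a filter that hides the known benign discrepancies (the NTFS metadata files and the driver class Properties keys), here is an added example that is not code from this thread or from Sysinternals. It triages RootkitRevealer-style output lines; the sample lines are constructed from entries quoted in the thread, the last path is hypothetical, and the line format and the install date are assumptions.

```python
import re
from datetime import date

# Constructed sample of RootkitRevealer-style output, modelled on the lines quoted
# in this thread. The last entry is a hypothetical path invented for the demo.
SAMPLE_OUTPUT = """\
HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E965-E325-11CE-BFC1-08002BE10318}\\Properties 2/11/2004 7:07 AM 0 bytes Access is denied.
HKLM\\SYSTEM\\ControlSet001\\Services\\MRxDAV\\EncryptedDirectories 2/11/2004 12:12 PM 0 bytes Access is denied.
C:\\$MFT 2/11/2004 7:00 AM 36.27 MB Hidden from Windows API.
C:\\$BadClus:$Bad 2/11/2004 7:00 AM 152.66 GB Hidden from Windows API.
C:\\Documents and Settings\\spy1\\hypothetical.dat 9/3/2004 11:41 PM 24.00 KB Hidden from Windows API.
"""
# Assumed Windows install date for the sample (taken from the dates in the thread).
INSTALL_DATE = date(2004, 2, 11)

# Assumed line layout: <path> <m/d/yyyy> <h:mm AM|PM> <size unit> <description>.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)
# NTFS metadata files at the volume root ($MFT, $Extend\$Quota, $BadClus:$Bad, ...).
NTFS_META_RE = re.compile(r"^[A-Za-z]:\\\$\w+(?:\\\$\w+)?(?::\$\w+)?$")
# Driver class Properties subkeys that are ACLed against Administrators.
CLASS_PROPS_RE = re.compile(
    r"^HKLM\\SYSTEM\\ControlSet\d{3}\\Control\\Class\\\{[0-9A-F-]{36}\}\\Properties$",
    re.IGNORECASE,
)

def parse_line(line):
    """Split one output line into its fields; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    month, day, year = (int(x) for x in m.group("date").split("/"))
    return {"path": m.group("path"), "date": date(year, month, day),
            "size": m.group("size"), "desc": m.group("desc")}

def classify(entry, install_date):
    """Return a verdict string for one discrepancy."""
    path, desc = entry["path"], entry["desc"]
    if desc.startswith("Hidden from Windows API") and NTFS_META_RE.match(path):
        return "benign: NTFS metadata file"
    if desc.startswith("Access is denied") and CLASS_PROPS_RE.match(path):
        return "benign: driver class Properties key"
    # Everything else needs a human look; the date heuristic only adds weight,
    # since a rootkit can forge timestamps to match the install date.
    if entry["date"] != install_date:
        return "review: date differs from install date"
    return "review: unrecognised discrepancy"

def triage(text, install_date):
    """Parse a whole report and return [(path, verdict), ...] in input order."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            results.append((entry["path"], classify(entry, install_date)))
    return results

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_OUTPUT, INSTALL_DATE):
        print(f"{verdict:42} {path}")
```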
     
  17. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    What about UnHack Me program?
     
  18. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
Hello, using the GUI version, I try to save the file but only see this:

I was not able to copy and paste this, but I'm looking for an executable, correct? So this is clean? Thanks (ran as system in C). I could not post the entire thing, but the other volume is a RAM disk which also has some listings.

    screenshot:http://img171.exs.cx/img171/5569/root2qv.jpg


    edit - I think my concern would only be with drive C - the dates are same so I believe this should be clean.
     
    Last edited: Mar 1, 2005
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430


  20. PaRaNoiD_JaCK

    PaRaNoiD_JaCK Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    5
    Haxorcitos Rootkit Detector

    This will detect hackerdefender and also other rootkits on your windows systems.

    RootKit Detector

    :D
     
  21. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    What is the significance of the size reported for these items?
    NTFS meta data entry C:\$BadClus:Bad is reported to be 32.01 GB on my scan (in Lynchknot's post his shows as 37.63GB; spy1 shows 152.66GB!). Is it really taking up that much space on the hard drive?

    PS just downloaded v 1.1.

    This no longer reports access denied for the drive keys in controlset001 and 002 in the system hive; presumably it is running as system now.

    But now I get some new entries "keyname contains embedded nulls" in the software hive. These are in keys put in by Microsoft software, HKLM\Software\Microsoft\EnterpriseCertificates\TrustedPublisher (last part shown as |*ustedPublisher in the scan)
    and similar.
    The help file just says this technique is used by rootkits and malware, does not mention that it is also used by legit software?
     
    Last edited: Mar 6, 2005
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi JRosenfeld,

    Not an expert, but after some Googling, I see that according to File - $BadClus, C:\$BadClus:Bad should have the same size as your NTFS volume, whether or not you have any bad clusters. From Master File Table and Metadata Files, the $BadClus file is actually stored in the $MFT file. So it seems that what matters is the size of the $MFT. If you run Windows' Disk Defragmenter, click Analyze, and view the report, you should see that the MFT size reported closely equals the size reported by RootkitRevealer for $MFT (which, by default, can occupy 12.5% of your disk space).

    Nick
     

  23. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    Diskeeper pro 9 reports MFT size as 195MB, which corresponds with the $MFT file size as you indicate, but my NTFS volume is 111GB (my 120Gig hard drive has a small Dell OEM 32 MB FAT partition, the rest is one NTFS partition) which does not correspond to the 32GB of C:\$BadClus:$Bad. My $BadClus is 0 bytes.

    Anyway, as long as it does not mean that the corresponding amount of disk space is unavailable, I won't worry trying to understand what these files really are.
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    When I ran the SysInternals program on my fresh install system, it found the following :-

    C:\$AttrDef 07/01/2005 23:55 2.50 KB Hidden from Windows API.
    C:\$BadClus 07/01/2005 23:55 0 bytes Hidden from Windows API.
    C:\$BadClus:$Bad 07/01/2005 23:55 233.75 GB Hidden from Windows API.
    C:\$Bitmap 07/01/2005 23:55 7.30 MB Hidden from Windows API.
    C:\$Boot 07/01/2005 23:55 8.00 KB Hidden from Windows API.
    C:\$Extend 07/01/2005 23:55 0 bytes Hidden from Windows API.
    C:\$Extend\$ObjId 07/01/2005 23:56 0 bytes Hidden from Windows API.
    C:\$Extend\$Quota 07/01/2005 23:56 0 bytes Hidden from Windows API.
    C:\$Extend\$Reparse 07/01/2005 23:56 0 bytes Hidden from Windows API.
    C:\$LogFile 07/01/2005 23:55 64.00 MB Hidden from Windows API.
    C:\$MFT 07/01/2005 23:55 91.29 MB Hidden from Windows API.
    C:\$MFTMirr 07/01/2005 23:55 4.00 KB Hidden from Windows API.
    C:\$Secure 07/01/2005 23:55 0 bytes Hidden from Windows API.
    C:\$UpCase 07/01/2005 23:55 128.00 KB Hidden from Windows API.
    C:\$Volume 07/01/2005 23:55 0 bytes Hidden from Windows API.

    A mere 15 entries, none of which look suspicious.

    System :-
    Windows XP Pro SP2 installed on a 250GB Maxtor HD on 7th of January 2005, 11:55pm

    MJ
     
    Last edited: Mar 7, 2005
  25. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK