Sample Rootkit passes all Detector

Discussion in 'other security issues & news' started by Tommy, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Story

    Important:
    Only try this RK on a test machine. It hides the .sys file/process and service, then on a restart it would not allow to reach the windows GUI.
     
  2. minceypw

    minceypw Registered Member

    Joined:
    Sep 25, 2005
    Posts:
    22
    Hi Tommy

    Does that also include the new NOD32 2.7beta?

    Regards
     
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I seriously don't know, but the chance is great that NOD32 also failes. This sample RK was published on October 24. I will give it a try when my test machine is up again.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Pls can u try against Sandboxes. My test PC is gone otherwise I would have done it.
     
  5. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Could take a while till my poor test machine it up again, as i have it total disarmed.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. BTW if possibel try against many like GesWall, Sandboxie, BufferZone etc.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I wonder if my frozen snapshot would remove it.
     
  8. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Give it a try and report, if you can :D
     
  9. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Just played arround a little bit with RkU.
    Sounds funny, but when i start Rku it tells me that there is a parasite on my machine. The attempt to delete it, fails for luck in this case.

    The detected parasite is 'C:\Program Files\System Safety Monitor\SysSafe.exe' which of cource is in no way a bad guy. It is only not available from Usermode.
     
  10. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Well, I tried this RK on my machine and all I got was this file:

    C:\phid_ex.log

    Every five seconds a new line was written to the log:

    [00:49:30] phide_ex is ****ing you system!
    [00:49:35] phide_ex is ****ing you system!
    [00:49:40] phide_ex is ****ing you system!
    [00:49:45] phide_ex is ****ing you system!
    [00:49:50] phide_ex is ****ing you system!
    [00:50:03] phide_ex is ****ing you system!
    [00:50:08] phide_ex is ****ing you system!
    [00:50:13] phide_ex is ****ing you system!
    [00:50:18] phide_ex is ****ing you system!
    [00:50:23] phide_ex is ****ing you system!
    [00:50:28] phide_ex is ****ing you system!
    [00:50:33] phide_ex is ****ing you system!
    [00:50:38] phide_ex is ****ing you system!
    [00:50:43] phide_ex is ****ing you system!
    [00:50:48] phide_ex is ****ing you system!
    [00:50:53] phide_ex is ****ing you system!
    [00:50:58] phide_ex is ****ing you system!
    [00:51:03] phide_ex is ****ing you system!
    [00:51:08] phide_ex is ****ing you system!
    [00:51:13] phide_ex is ****ing you system!
    [00:51:18] phide_ex is ****ing you system!
    [00:51:23] phide_ex is ****ing you system!
    [00:51:28] phide_ex is ****ing you system!
    [00:51:33] phide_ex is ****ing you system!


    LOL. But when I rebooted it seemed my PC was back to normal. Is that supposed to happen?

    I thought it was supposed to not allow me back into windows. o_O

    What exactly is supposed to happen? Maybe I did something wrong.
     
  11. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    LOL/ROFL Your system is secure :)
    The the log is correct, but this Rk should bring after a reboot following result:

    - It should be impossible to have access to the phide_ex.sys file - so far undetected by all Rootkit detector
    - It should be impossible to reach the full Windows GUI.

    If you start you PC with the 'Last Known Good Configuration' everything should be ok again.
     
    Last edited: Oct 28, 2006
  12. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Tommy, it's a clean Windows XP installation running off a virtual machine.

    Security software: NONE.

    I wanted to test it first without any security to see what would happen but it seems like nothing really did.

    I rebooted and everything seems normal. No problems getting back into windows. The phid_ex.log file is still there, but nothing is being written to it after the reboot.

    I don't know what you mean by "You should have no access to the .sys file" but all I can say is that I am definitely back in windows after the reboot and everything appears to be fine.
     
    Last edited: Oct 28, 2006
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can u please explain a bit in detail what behaviour/ effect u will see if it is installed successfully and when installed successfuly how u can detect it, any means. Thanks
     
  14. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    First i havn' done this test my self, i only follow the thread at Sysinternals and SSM.

    Effects:
    - The exe file is not the rootkit itself, it has the rootkit inside.
    - There will be a log created, in which the rk writes in a sequenz of 5 seconds.
    - After a reboot, the sys file is loaded but _not_ detactable. (Tha'ts the main rootkit effect)
    - After a reboot Windows is not loading the full GUI. (what ever that means)

    The whole thread you find under the link in my first post. When my test machine is up again i will give it a try also.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. I will try it anyway.
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Hello,
    Nice to see so many people infecting themselves deliberately.
    Mrk
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't know how to infect my computer with this rootkit. Any tips ?
     
  18. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I got BSOD every time I ran it :/
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I ran it and just found a log file that even stopped after a while, may eb after a reboot.
    No other effects. I am running my PC since many hours, nothing wrong. So if it is not doing anything how u can know it was able to install breaking ur security?

    I tried first in GesWall, then out of it, same results.
    Here is the GesWall pop up.
     

    Attached Files:

  20. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Can you detect the sys file? :)
    BTW, some people reported a BSOD, other same as you.
     
  21. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    No I cant see any .sys file because I got BSOD all the time :)
    So I got rid of that [Firstdefense] snapshot with my current config. But I will try it on VMWare.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Where I should look for this file?
    Just via explorer or by soem scanner?
    So what about not being able to access windows GUI?
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    U could have tried to see via BartPE.
     
  24. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    The only chance to detect it in some cases (depends on your OS) for now is with the 'System Virginity Verifier' from Joanna Rutkowska with the parameter: 'SVV check /m '
    But in your case the Rk seams to have no affect, God knows why :)
    The effect is that it BSOD's the machines at a certain moment of the GUI load process.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, pls let use know if u do some testing with it later.
    Thanks
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.