Advice for Noob in detecting RootKit

Discussion in 'malware problems & news' started by wolf_xl, Dec 9, 2004.

Thread Status:
Not open for further replies.
  1. wolf_xl

    wolf_xl Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    48
    Hi all,

    Can someone please give me advice about detecting RootKit on a PC? I'm running XP Pro with SP2. Thanks.

    I only found out about this type of trojan today and it has me creeped. I've heard of Process Guard but it's no use me using that if I'm already infected :(
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    There are a couple of tools you can try:-

    Rkdetector.exe from:- http://bagpuss.swan.ac.uk/comms/RKDetectorv0[1].62.zip.

    HackDefender Disabler:- This is a small batch file, you'll need to Google to find a link!

    'Patchfinder' is a windows rootkit detector, but again you'll need to Google to find it - actually it may only work on W2000, you'd need to confirm that.

    'RegdatXP' is not free, but you can get it on trial. This tool is not affected by the registry cloaking techniques currently employed by Windows rootkits; it allows you to search for cloaked registry entries.
     
  3. wolf_xl

    wolf_xl Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    48
    Thanks for the link mate, I ran rkdetector.exe and had the following results:

    -Gathering Service list Information... ( Found: 0 Hidden Services)
    -Searching for wrong Service Paths.... ( Found: 2 wrong Services )
    -------------------------------------------------------------------------------
    *SV: procguard (procguard) PATH: c:\windows\system32\drivers\procguard.sys
    -------------------------------------------------------------------------------
    *SV: SLService (SmartLinkService) PATH: slserv.exe
    -------------------------------------------------------------------------------
    -Searching for Rootkit Modules........
    -------------------------------------------------------------------------------
    *SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
    -------------------------------------------------------------------------------
    *SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
    -------------------------------------------------------------------------------
    *SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
    -------------------------------------------------------------------------------
    *WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
    -------------------------------------------------------------------------------
    -Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
    -Searching for hxdef hooks............ ( Found: 0 running rootkits)
    -Searching for other rootkits......... ( Found: 0 running rootkits)

    I know the suspicious modules are legitimate drivers (although they could be infected), but the "2 wrong services" worries me. I installed Process Guard (trial ver.) only yesterday so it may have been compromised.

    Am I in trouble? Do I need to reformat? Any advice appreciated.

    UPDATE: Ran HackDefender, received error message:

    System error 1060 has occured.

    The specified service does not exist on the installed service
     
    Last edited: Dec 9, 2004
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    If you think you are infected with Hacker Defender, you can also boot into Safe Mode and look for an .ini file in your system32 folder that contains entries like this:

    [Hidden Table]
    [Root Processes]
    [Hidden Services]
    [Hidden RegKeys]
    [Hidden RegValues]
    [Startup Run]
    [Free Space]
    [Hidden Ports]
    [Settings]

    If you do find it, copy it to a floppy, and then rename the original to something else or delete it. Reboot and the rootkit will be disabled.

    Nick
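As an added example (not from the post, and not a tool from the thread), here is a small scanner that does what Nick describes: walk a folder, look at every .ini file and count how many of the section headers listed above it contains. The sample directory, file name and contents are constructed for the demo; the junk-stripping in normalise_section is an assumption about how such files are obfuscated and only makes the match looser.

```python
import os
import re
import tempfile

# Section headers named in the post; a Hacker Defender configuration file
# carries most of these. "settings" alone is common in benign .ini files,
# so a single hit is not enough.
HXDEF_SECTIONS = {
    "hidden table", "root processes", "hidden services", "hidden regkeys",
    "hidden regvalues", "startup run", "free space", "hidden ports", "settings",
}

SECTION_RE = re.compile(r"^\s*\[(.*)\]\s*$")


def normalise_section(raw):
    # Assumption: headers may carry junk characters between the letters, so
    # keep only letters, digits and spaces before comparing.
    cleaned = re.sub(r"[^A-Za-z0-9 ]", "", raw)
    return " ".join(cleaned.split()).lower()


def sections_in_file(path):
    """Set of known section names found in one file (empty on read error)."""
    found = set()
    try:
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            for line in fh:
                m = SECTION_RE.match(line)
                if m:
                    name = normalise_section(m.group(1))
                    if name in HXDEF_SECTIONS:
                        found.add(name)
    except OSError:
        pass
    return found


def find_hxdef_ini(directory, min_sections=4):
    """Return [(path, sorted_sections)] for .ini files that contain at least
    min_sections of the known headers."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".ini"):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        found = sections_in_file(path)
        if len(found) >= min_sections:
            hits.append((path, sorted(found)))
    return hits


def run_sample():
    """Constructed sample: a benign desktop.ini beside an hxdef-style file."""
    d = tempfile.mkdtemp()
    benign = os.path.join(d, "desktop.ini")
    with open(benign, "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=shell32.dll,3\n[Settings]\nView=1\n")
    # File name and contents below are made up for the demo, not a real sample.
    with open(os.path.join(d, "rdrvdrv.ini"), "w") as fh:
        fh.write('[H<<<idden T>>a/"ble]\nexample*\n'
                 "[Root Processes]\nexample*\n"
                 "[Hidden Services]\nExampleSvc*\n"
                 "[Hidden RegKeys]\n[Startup Run]\n"
                 "[Settings]\nPassword=PLACEHOLDER\n")
    return find_hxdef_ini(d), sections_in_file(benign)


if __name__ == "__main__":
    hits, _ = run_sample()
    for path, sections in hits:
        print(path, sections)
```

Run it against system32 from Safe Mode, as the post says: while the rootkit's driver is loaded it hides its own files, so a directory walk from a normal boot may simply never see the .ini.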
     
  6. wolf_xl

    wolf_xl Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    48
    OK, I ran APIhookCheck. The program found 'No Discrepancies' except for the following Kernel32.dll test:

    Checking exports of KERNEL32.DLL for discrepancies
    Base Address of KERNEL32.DLL at 7C800000
    End Address of KERNEL32.DLL at 7C8F3FFF

    API Address API Name API Hooked By Remarks
    7C882FC4 LoadLibraryA (unknown) API contains instruction that jumps to B2DD8FE1, this is outside KERNEL32.DLL's memory space
    7C882FD3 LoadLibraryExA (unknown) API contains instruction that jumps to B2DD9155, this is outside KERNEL32.DLL's memory space
    7C882FF1 LoadLibraryExW (unknown) API contains instruction that jumps to B2DD9222, this is outside KERNEL32.DLL's memory space
    7C882FE2 LoadLibraryW (unknown) API contains instruction that jumps to B2DD909E, this is outside KERNEL32.DLL's memory space

    Total number of exported APIs checked : 949

    Is this good or bad?

    I also ran the second program, which did not list any hidden programs or drivers. However, the kprocCheck -t command did not work. I received the error message:

    Error getting kernal base address!

    TBH this last program is a bit difficult for me to understand.

    Nick, I'm using a laptop without a floppy drive. Any workarounds to this (just in case I'm indeed infected and need to clean it)?
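To make the APIhookCheck table above easier to read, here is an added example (my own code, not part of the post or of the DiamondCS tool) that parses report lines in that layout and repeats the check the tool is making: does the first instruction of an exported function jump to an address outside the module's own base..end range? The sample text reuses the four rows from the post and adds one made-up row (HypotheticalApiW) whose jump target stays inside the module; the user/kernel split at 0x80000000 assumes a 32-bit XP without the /3GB switch.

```python
import re

# Constructed sample in the layout APIhookCheck printed. The first four rows
# are the ones from the post; the fifth is made up to show an in-range jump.
SAMPLE_REPORT = """\
Checking exports of KERNEL32.DLL for discrepancies
Base Address of KERNEL32.DLL at 7C800000
End Address of KERNEL32.DLL at 7C8F3FFF

API Address API Name API Hooked By Remarks
7C882FC4 LoadLibraryA (unknown) API contains instruction that jumps to B2DD8FE1, this is outside KERNEL32.DLL's memory space
7C882FD3 LoadLibraryExA (unknown) API contains instruction that jumps to B2DD9155, this is outside KERNEL32.DLL's memory space
7C882FF1 LoadLibraryExW (unknown) API contains instruction that jumps to B2DD9222, this is outside KERNEL32.DLL's memory space
7C882FE2 LoadLibraryW (unknown) API contains instruction that jumps to B2DD909E, this is outside KERNEL32.DLL's memory space
7C80AC28 HypotheticalApiW (unknown) API contains instruction that jumps to 7C80AD00
"""

BASE_RE = re.compile(r"^Base Address of (\S+) at ([0-9A-Fa-f]{8})")
END_RE = re.compile(r"^End Address of (\S+) at ([0-9A-Fa-f]{8})")
ENTRY_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+.*?jumps to ([0-9A-Fa-f]{8})")

# Default 2 GB user / 2 GB kernel split on 32-bit XP (assumption: no /3GB).
KERNEL_BOUNDARY = 0x80000000


def address_region(addr):
    """Which half of the 32-bit address space an address falls in."""
    return "kernel" if addr >= KERNEL_BOUNDARY else "user"


def analyse_report(text):
    """Parse module bounds and per-export rows; re-derive the in/out verdict
    from the addresses instead of trusting the tool's remark."""
    module = base = end = None
    entries = []
    for line in text.splitlines():
        m = BASE_RE.match(line)
        if m:
            module, base = m.group(1), int(m.group(2), 16)
            continue
        m = END_RE.match(line)
        if m:
            end = int(m.group(2), 16)
            continue
        m = ENTRY_RE.match(line)
        if m and base is not None and end is not None:
            api_addr = int(m.group(1), 16)
            api = m.group(2)
            target = int(m.group(3), 16)
            entries.append({
                "api": api,
                "address": api_addr,
                "target": target,
                "outside": not (base <= target <= end),
                "target_region": address_region(target),
            })
    return {"module": module, "base": base, "end": end, "entries": entries}


def flagged(report):
    """Names of exports whose first instruction leaves the module."""
    return [e["api"] for e in report["entries"] if e["outside"]]


if __name__ == "__main__":
    r = analyse_report(SAMPLE_REPORT)
    for e in r["entries"]:
        print(f'{e["api"]:18} -> {e["target"]:08X} '
              f'{"OUTSIDE" if e["outside"] else "inside "} ({e["target_region"]})')
```

The range test alone only says that something redirected the export; it does not say who. The next question, which the tool leaves as "(unknown)", is which loaded module owns the target address, and that is what separates a security product's own hooks from a rootkit's.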
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi wolf_xl,

    I would be concerned if ApiHookCheck finds a discrepancy. I know that on my (clean) systems I get no discrepancies. The DiamondCS team should be able to shed light on whether it is good or bad. I don't have the skills to interpret it for you.

    If you do find the .ini file, just move it to a different folder and rename it. You need to be able to read the .ini file to understand what other activities the rootkit was hiding and use it as a guide to clean your system. If you suspect a rootkit, you should be scanning with your AT/AV in Safe Mode.

    Nick
     
    Last edited: Dec 9, 2004
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I've just got back to this link and noticed your Rkdetector.exe results; I don't think the wrong service paths are anything to worry about; I have the same thing with PG!

    It does say "Found: 0 running rootkits", that sounds like a result to me!
     
  9. wolf_xl

    wolf_xl Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    48
    Well now that I've bought the full version of Process Guard I've decided to format my drive and start again. I don't mind doing this as the system could do with a good cleanout.

    What I would like to know is what other steps I can take to help me protect myself from this type of trojan? I've heard one of the best things to use is an integrity checker, which requires a clean system to compare with a possibly infected system. Any ideas about how I go about setting this up?
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Doing a clean install of your OS is a smart move if you doubt the integrity of your current setup. The first thing I would do is image that clean install and store it elsewhere. Search the forums for discussions on imaging and imaging strategies. There have been many good posts on the subject in the past few months. I use RegdatXP to monitor the integrity of the registry. I use it to compare the current registry to the stored registry in the image files I create. For general file integrity, you can use something like hkSFV which creates and compares MD5 databases of directory contents.

    Nick
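As an added example of the integrity-checker idea wolf_xl asked about and Nick answers here (my own code, not hkSFV or anything from the thread): take a hash database of a directory tree right after the clean install, store it away from the machine, and later diff a fresh walk against it to list added, removed and modified files. hkSFV used MD5; this uses SHA-256 because MD5 collisions are practical today. The directory layout and file names in run_sample are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> sha256 for every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = hash_file(full)
    return db


def save_baseline(db, path):
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two hash maps into added / removed / modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_sample():
    """Constructed tree: baseline it, change it, diff it."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "kernel32.dll"), b"original library bytes")
    _write(os.path.join(root, "drivers", "old.sys"), b"driver to be removed")
    _write(os.path.join(root, "drivers", "keep.sys"), b"unchanged driver")
    # The baseline lives in a separate location, standing in for "elsewhere".
    db_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), db_path)
    # Simulated later changes to the tree.
    _write(os.path.join(root, "kernel32.dll"), b"patched library bytes")
    os.remove(os.path.join(root, "drivers", "old.sys"))
    _write(os.path.join(root, "drivers", "added.sys"), b"new driver")
    return compare(load_baseline(db_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=1))
```

The comparison is only as honest as the file reads behind it: a kernel rootkit that hides files or filters reads can make the live walk agree with the baseline. That is why the comparison belongs in Safe Mode or, better, against the stored image from a boot environment where the suspect drivers are not loaded.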
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi nick,

    The first thing I did after my system was hosed was to find a program to create a clean image copy so that I wouldn't have to go through re-install of XP and my primary programs again. It wasn't easy finding a program that I could rely on. I am still not sure which one I will use but I was finally successful getting a verified image copy using Image for DOS (TerabyteUnlimited) and a Maxtor USB2 80GB external drive. I will be trying out Ghost 2003 also. I want to take the image under DOS in order to ensure a physically and logically consistent state of system data. I did try other Windows image copy programs but couldn't get them to work with the external drive. I am not sure why.

    Other than that, I changed to KAV 4.5 as my AV (I was using NAV), and I have Ewido and Giant AS monitoring real-time. I am using NOD32 (for its heuristics) as a backup AV scanner. Most of all, I have become more conservative in my web browsing.

    Rich
     
  12. wolf_xl

    wolf_xl Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    48
    Thanks everyone for your tips and expertise :) Much appreciated
     