Antirootkits - List of ARK's for x64

Discussion in 'other anti-malware software' started by StevieO, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I've noticed frequent requests enquiring about the availability of ARK's for x64 systems.

    So here's a bunch of ARK's that i've put together that will work on x64, mostly on Vista too.



    Avast anti-rootkit Edition, based upon the powerful GMER engine - http://files.avast.com/files/beta/aswar.exe

    RootKit Hook Analyzer now = SanityCheck - www.resplendence.com/sanity

    Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

    UnHackMe - http://www.greatis.com/unhackme

    F-Secure BlackLight - http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/help.html



    For your information -


    " Arbitrary code can be injected into Vista x64 kernel despite code signing requirement, and in really any other operating system " http://209.85.229.132/search?q=cach...t detection for x64&cd=22&hl=en&ct=clnk&gl=uk

    http://www.task.to/events/presentations/Hidden_RootKits_in_Windows_2006.ppt


    Have fun,

    S
     
  2. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So in spite of driver signing and patchguard malicious code can still get kernel access?
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Dregg Heda

    Err, looks like it !

    Also it's not just Ring 0 and Ring 3 stealth anymore, soon it'll be Ring 1 and Ring 2, according to various different reliable sources i've read.

    The baddies just won't give up, as there's so much $ to be made.

    A lot of these newer coders are top class Zeros & Ones writers, even more talented in some respects than people who work for big name companies. Not that working for big name companies automatically makes them " all that " of course, and as we know, often doesn't !!!
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Even with UAC on x64, by design (not by error) objects and processes with same or lower rights have access to each other.

    That is why it is so important to use UAC and Sully's PGS (to implement SRP). Throw Iron into the set (with a policy sandbox which is much stricter implemented than in Vista/Win7 itself) and you have a decent x64 OS security.

    MSE also works splendidly on x64, it is as fast as x64 bit defender and Comodo's CIS. Advantage of MSE over bitdefender is, it is free. Advantage over CIS is that it is problably ranks better as an AV. Advantage of MSE in general = the AV uses the IDS agents of Windows Defender, problably in the most effective way due to the inner circle knowledge.

    Regards Kees
     
    Last edited: Sep 11, 2009
  5. JohnnyDollar

    JohnnyDollar Guest

    I am glad to see a thread like this, thanks for posting it StevieO. I had wondered if there were any antirootkit products in existence for x64, but have not done the homework like you have. As of right now IMO I would say that x64 users still have the advantage over x86 users when it comes to being infected with rootkits or malware in general. Unfortunately with the rise of the x64 os, these good days are winding down.
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    JohnnyDollar

    Pleasure.

    On the face of it, it might appear that x64 should be more resistant, but the bad guys won't give in just like that. So i imagine even x64 stuff will be targeted more and more as time goes on !
     
  7. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Did you read that properly ?

    That bit was talking about a hardware based "Blue Pill", AFAIK really dependant on hardware type and rather theoretical. Never heard of any of these ITW.

    Can you (or anyone) tell us about one single verifiable ITW rootkit that can load an unsigned driver into the x64 kernel ??
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    peteck

    They don't need to be unsigned !


    Example of just one previous method -

    Loading unsigned drivers on Vista - http://www.rootkit.com/newsread.php?newsid=759

    Example of a current method -

    Unsigned drivers - http://www.vistax64.com/drivers/9351-unsigned-drivers-2.html

    Conficker Worm Targets Microsoft Windows Systems - http://www.doecirc.energy.gov/bulletins/t-091.shtml

    Vulnerability in Server Service Could Allow Remote Code Execution - http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    SYSTEMS AFFECTED
    -------------------------
    Windows Vista All (64b/32b|SP1/SP2 fully updated), Win Server 2008 < R2, Windows 7 RC. - http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

    Plus the baddies don't seem to have problems getting some things signed -

    Comodo continues to issue certificates to known Malware - http://www.broadbandreports.com/forum/remark,22400172

    Comodo Continues to Damage It's Reputation - http://www.broadbandreports.com/forum/remark,22689347

    Also -

    Kernel Patch Protection does not prevent all viruses, rootkits, or other malware from attacking the operating system - http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Yes, but LUA does fully protect the kernel... With LUA, no FU, no hacker defender, no blue pill, ...
    Left are the ring3 (userland) rootkits. These ones are handle in two ways:
    - the use of KAFU or similar method will prevent them to survive a reboot if ever run (if run, it is very bad as your private data may be stolen).
    - SRP will prevent them to run in the first place.
     
  10. peteck

    peteck Registered Member

    Joined:
    May 16, 2008
    Posts:
    10
    Location:
    Far Eastern Australia
    Hi StevieO, thanks for the links.

    Hadn't seen that one, didn't last long tho. Bit sus that letting a signed component load an unsigned one.

    This requires considerable deliberate user involvement, with UAC disabled, etc

    Does this load an unsigned driver ? Is it a rootkit ? Will it even work with UAC enabled ?

    I don't know what this has to do with driver signing, it appears to be concerned with site certificates. Did I miss something ?

    Sure, sure, but this thread (by inference) is about x64 rootkits. So I ask again - can you name a single ITW rootkit that works on x64 ?

    Freebies are fun why not ? But anyone trying to sell you an ARK for x64 is selling Snake Oil IMO.
     
    Last edited: Sep 14, 2009
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    peteck

    Hi there,

    As for the the certs, not drivers i know, but i posted those links to show what kinds of circumventions the baddies are prepared to take. And fake certs have already materialised. I wouldn't be surprised if fake driver signing happens either at some point.

    I can't point to an ITW rootkit that works on x64, just yet. But have to say that i have been reliably informed some time ago by an infamous ARK coder, that it is indeed possible. Not only that, but there are some Very clever people who code either directly and/or indirectly for the baddies. As there is so much money to be made out of Malware, i don't see them throwing in the towel over x64. I believe sooner rather than later there will be some kind of RK for x64 attached to Malware. If the're not working on something right now, i'd be very surprised, as they are always ahead of the Anti's ! Plus as more people take up x64 the baddies will concentrate more and more on it.

    -

    Understanding Stealth Malware

    " This course is focused on Windows systems (and Vista x64 specifically)

    " Attendees will have a chance to run, analyze and experiment with several previously unpublished samples of proof-of-concept rootkits "

    -

    Another thing to consider is, if everyone thought that x64 was 100% impenetrable, there would be no need for ARK's etc in x64. I take note of your " Snake Oil " comments, and it does make me wonder ! Apart from the dedicated stand alone ARK's i've already listed above, more and more AntiMalware companies are including AntiRootkit tech into their products. Here's just one for eg -


    Avira AntiVir Premium x32 + x64

    AntiRootkit against hidden rootkit threats - http://www.avira.de/en/products/avira_antivir_premium.html

    So is it a precaution against the unknown or ?

    -

    nProtect GameGuard - http://global.nprotect.com/product/ggp.php - is well known for using Rootkit tech in their software. I can't say whether it's used in their products for x64, but they do sell it for x64. It'd be interesting to find out if they do, or not ?


    System Requirements

    Windows XP, Windows Vista
    (32bit/64bit)

    -

    GameGuard


    Because of its method of actuation (very similar to a rootkit) - http://en.wikipedia.org/wiki/NProtect_GameGuard


    *

    For those interested in some more background info, and " possible " bypasses that could/might use in some way/s -

    Already mentioned, but not available anymore -

    Download Tool to Bypass Driver Signing on 32-bit and 64-bit Windows Vista - Atsiv, a tool created by Linchpin Labs & OSR
    -
    http://news.softpedia.com/news/Down...n-32-bit-and-64-bit-Windows-Vista-61405.shtml

    Permanently Turn Off and Disable 64-bit (x64) Windows Vista Forced Driver Signature Signing with ReadyDriver Plus -

    http://www.tipandtrick.net/2008/per...iver-signature-signing-with-readydriver-plus/

    Update on Driver Signing Bypass - http://www.alex-ionescu.com/?p=24

    Driver Signature Enforcement Overrider - http://www.ngohq.com/home.php?page=dseo

    ATT Vista 64 loader - http://forums.guru3d.com/showthread.php?t=275261
     
  12. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    127
    Two silly questions:

    1. What is MSE?

    2. Does Avira Free contain anti-rootkit detection?
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Luxeon

    MSE ? I didn't see it mentioned in this thread, but it probably means Microsoft Security Essentials - http://www.microsoft.com/security_essentials/market.aspx

    Avira Free does contain anti-rootkit detection, see my screenies -


    avr3.jpg

    avr1.jpg

    avr2.jpg


    I just did a scan and this small extract shows the RK search listed.

    -

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: high
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,
    Expanded search settings............: 0x00001000

    Start of the scan: Wednesday, September 16, 2009 12:41

    Starting search for hidden objects.
    '19716' objects were checked, '0' hidden objects were found.
     
  14. Luxeon

    Luxeon Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    127
    Excellent, thanks for the info.

    Bob
     
  15. wutsup

    wutsup Registered Member

    Joined:
    Sep 20, 2009
    Posts:
    630
    Location:
    United States
    hey stevie o i just read that comodo certiface thing and now im all freaked ou lol. can i just delete the comodo certificates? or should i just uncheck them all?
     
Loading...
Similar Threads
  1. boredog
    Replies:
    0
    Views:
    458
Thread Status:
Not open for further replies.