Golden Hacker Defender Game Over ?

Discussion in 'other anti-trojan software' started by StevieO, Oct 11, 2005.

Thread Status:
Not open for further replies.
  1. T772

    T772 Guest

    Hi ,

    What i have found with SVV is if you are running PG free or paid you cant run SVV, but if you uninstall it you get a rating of yellow. Also if you install Spyware doctor you get a rating of deepred in SVV due to the Kernel being Modified?,

    Just thought i would let people know,

    T
     
  2. controler

    controler Guest

    Longboard, Are you running Kaspersky's Suite?

    controler
     
  3. 23rwef

    23rwef Guest

  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    @Controler: No

    Regards.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,707
    Hello,
    I tried these little tools on a machine I personally formatted and installed from a scratch. Installed all updates blah blah etc ... tons of security etc ... I get the deep red code using svv. Among others:
    ntoskrnl.exe code 4
    kernel32.dll code 5
    Well, what can I say? Not everything must be bad...
    I believe these results, but I do not think the findings are bad. I would suggest all of us who cannot instantly traslate A4F into decimal to let these fear rest aside. Rootkit tools, the entire army of them (svv, is, blacklight, unhackme etc) are too ambigious to use everyday. And playing with these tools is dangerous. Deleting kernel modules is not a healthy thing. It's not like removing a simple file from some folder you think might be infected.
    To all guys who have gotten "bad" results:
    Ask yourself what you do with your computers? Do you really think you're infected? Does it sound logical that you would be infected with rootkit and nothing else at all? With all the security precautions and software you use, only a tiny tiny rootkit somewhere in there? Don't let paranoia haunt you.
    One more thing:
    If someone really wants to test these tools:
    Format a machine, set it up from a cd-rom with burned software, including all your favorites. Update windows only and all other security applications to the max. Don't surf at all except the single visit to microsoft update. Then run these tools. It could be interesting.
    Mrk
     
  7. controler

    controler Guest

    Don't all those security apps work at a kernel hooking level?

    Now you have 3 hooking the kernel. I wonder how stable that is?

    If you are going to run these new rootkit tests, you need to disable PG, prevex & regdefend. You need to disable any other apps working at the kernel level.

    controler
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Just a few informations about how to use IceSword to detect a rootkit:

    -launch it from external drives (floppy disk, CDRom and so on);

    -launch MSCONFIG and check the last box (any unnecessary service and program will be disabled), and rebbot the PC;

    -take a look firstly at Win32Services (see the image attached) and processes.
    Then it can be suited to investigate the registry (HKLM\SYSTEM\ControlSet001\Services) and kernel modules (to detect a suspect or unknown driver).

    Longboard and 23rwef are concentrated only in SSDT, but many legitimate softwares operate at a low level and use kernel drivers.
    Consequently, this is not the most important.
    If we use for instance a tool like SDTRestore ( http://www.security.org.sg/code/sdtrestore.html ), we can fix SSDT entries for most programs (then will not be shown in red by IceSword).

    For the Longboard problem, perhaps there's an uncomplete uninstallation of an ISS Scanner (the driver has the same name).
    SDTRestore can also be used in this case.
    But with SVV, the most important result concerns EnumServiceStatus, which can be a sign of an hidden service.

    The best defense against rootkits is PREVENTION.
    Once one is detected, it's often too late: bad things are probably already done...

    I've finished an article about "Rootkit free countearmesures" with examples of detection and prevention that i 'll link here if members are interested.

    Regards
     

    Attached Files:

  9. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  10. controler

    controler Guest

    kareldjag's

    Nice read but ur second link don't work for some reason.

    controler
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California


    Please do!

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~​
     
  12. controler

    controler Guest

    Oh yes I am excited to read your article as always :D
    would be good for the readers here. ;)

    controler
     
  13. StevieO

    StevieO Guest

    Hi kareldjag,

    Yes i'm really looking forward to your Rootkit free countermeasures article too.

    I value your research and website highly.

    I DL the 2 SDTRestore Apps from the link you gave, but Version 0.2 made my AV kick in ? I uploaded to Jottis and here's a combo Screen Shot of both results.

    http://img482.imageshack.us/img482/568/sdttrojan0oc.png

    I wonder if you know whether it's an FP ? as i'm presuming it is !


    StevieO
     
  14. shortbored

    shortbored Guest

    This thread gets more and more interesting.
    Looking forward to K'djags article/review

    Forgive my ignorance...

    To use the SSDT patch utility do all other apps need to be switched off?
    What if the app "repairs" a legitimate hook.
    Will that not disrupt the other app which would have required that particular hook?

    Regards
     
  15. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,223
    Location:
    Sydney, Australia
    Umm;
    What is an ISS scanner?

    Regards
     
  16. StevieO

    StevieO Guest

    Hi Longboard,

    Re your - What is an ISS scanner?

    It might have been a typo and meant IS = IceSword

    Or IDS = Intrusion Detection System


    StevieO
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,707
    Hi,
    ISS - internet sharing server.
    Mrk
     
  18. LBoRD

    LBoRD Guest

    No internet sharing enabled AFAIK

    Ice Sword enabled and scanner run prior to SVV.

    Regards
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,707
    ISS is not ICS.
    Internet Connection Sharing - home network.
    Internet Sharing Server - you run server on your machine ...
    Mrk
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Sorry for the vagueness about ISS.
    This a well known security firm ( http://www.iss.net/ ) which provides products mostly intented to be used in a corporate environment (IPS/IDS, vulnerability scanner etc).
    But this society is also well known by home users for BlackIce firewall.
    Then perhaps (never try BlackIce) the ISS driver shown by IceSword is due to an uncomplete uninstall of this product.

    It is quite strange that IceSword does not locate the file.

    Longboard can try some Windows commands such as:

    -start + execute + "devmgmt.msc " + enter
    Then enable the option "show hidden peripherals" on the "view" menu, and on the list of peripherals, click on non Plug and Play devices.

    -start + execute + "verifier", then next + next to check for unsigned devices.

    The first goal is to locate this driver on your system.
    And if it can be found by Windows, this probably not a rootkit.

    For SDTRestore, this not a malware or even a riskware.
    If we check a leaktest like "leaktest" from GRC, it will also be detected by AVs.
    It's just important to know exactly what this file do or not.

    Controler, here again an attached image.

    regards
     

    Attached Files:

  21. 34qwslkf

    34qwslkf Guest

    How do you get this to work? Is there a list of cmd lines published somewhere?
     
  22. a$$backwords

    a$$backwords Guest

    Me thinks some posters don't understand alot of younger people have no clue over DOS commands.

    I just love to see alot of old timers are still using batch files LOL

    here is an ATABOY.......
     
  23. 34qwslkf

    34qwslkf Guest

    Can I be an "older people" that's new to computers?
     
  24. a$$backwords

    a$$backwords Guest

    You sure can

    I am guessing you spent more of your life living life then the rest of us who sit night and day in front of a computer. Well except during fishing season or deer hunting anyway.
     
  25. a$$backwords

    a$$backwords Guest

    In my younger life, I thought all that was important was,,, eating great food, Sex, Fishing and hunting, then something threw a new link in the chain. that was the damn internet.

    So now all things revolve around, eating, sex, hunting , fishing and the internet.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.