New Anti-Rootkit Tool: Packed Driver Detector [Beta, Testers Needed!]

Discussion in 'other anti-malware software' started by Magnus Mischel, Sep 20, 2008.

Thread Status:
Not open for further replies.
  1. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    We've just released the beta version of a new tool called Packed Driver Detector.

    Download: http://www.misec.net/products/PDD.exe (No installation required - simply run file)

    [Attached screenshot: pdd1.png]

    What does this thing do?

    Drivers are system files that are used in kernel mode to execute system code. Rootkits use a driver (.sys) file to subvert the Windows kernel and hide their presence in the system. Recent rootkits have begun packing and/or encrypting their driver files to make them harder to detect.

    This tool identifies packed driver files. On an uninfected system there should be no packed driver files. Use this tool to identify any packed driver files on your system.

    How can I help?

    This is the first beta release of Packed Driver Identifier. If you want to help out testing it, download and run it to scan your system. If the tool identifies any packed drivers, don't panic. This is the first release of the tool and the identified files are very likely legitimate. Please email the detected driver files to support@misec.net along with your scan log. We will analyze the files for you and tell you if they really are something to worry about.

    It would be very helpful if you could post your scan report even if no packed drivers are identified. This is to help verify that the tool is actually not reporting any packed files on clean systems.
     
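    The kind of check the tool describes (PE section parsing plus a byte-entropy score for compressed or encrypted data), written here as an added example and not PDD's own code. The 7.0 bits/byte threshold, the 4 KB minimum section size, the file naming on the "not a PE format" error and the read-access handling are all my assumptions; the two driver images are constructed in memory so the script runs offline.

```python
# Added illustration, not PDD's own code: flag .sys images whose PE sections have packed-looking entropy.
import hashlib, math, struct
from collections import Counter

HIGH_ENTROPY = 7.0        # bits/byte; compressed or encrypted data sits near 8.0 (assumed threshold)
MIN_SECTION_BYTES = 4096  # tiny sections give noisy entropy, so they are skipped (assumed)
def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section table entry; ValueError if this is not a PE image."""
    pe = struct.unpack_from("<I", image, 0x3C)[0] if len(image) >= 0x40 else 0  # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("This is not a PE format")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", image, pe + 4)  # COFF header
    table = pe + 24 + opt_size  # 40-byte section headers follow the optional header
    for hdr in range(table, table + 40 * nsec, 40):
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packed_sections(image: bytes):
    """[(name, entropy)] for sections that look packed; an empty list means a plain driver."""
    scored = [(n, round(shannon_entropy(raw), 2)) for n, raw in pe_sections(image)
              if len(raw) >= MIN_SECTION_BYTES]
    return [(n, e) for n, e in scored if e >= HIGH_ENTROPY]

def scan_file(path: str) -> str:
    # One PDD-style report line per file; the file name is included on every error.
    try:
        with open(path, "rb") as f:
            hits = packed_sections(f.read())
    except OSError:  # e.g. a driver that locks its own file against reads
        return f"Error: Unable to get read access to {path}"
    except ValueError as e:
        return f"Error: {e}: {path}"
    return f"Packed driver {path}: {hits}" if hits else f"Clean: {path}"

def build_pe(sections):
    """Constructed minimal PE image (MZ stub, PE signature, COFF header, no optional header)."""
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr, body = len(out) + 40 * len(sections), b""
    for name, data in sections:
        out += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body, ptr = body + data, ptr + len(data)
    return bytes(out) + body
# Constructed samples: a plain driver, and one whose only section is 8 KB of pseudo-random bytes.
CLEAN_DRIVER = build_pe([(b".text", b"driver code " * 400)])
PACKED_DRIVER = build_pe([(b"UPX1", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)))])
```

    Legitimate drivers with large compressed blobs (the Creative DVD driver mentioned later in this thread is one) also score high, so a signature check on flagged files is the natural next filter.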
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I just tried it and these are the results:

    Scanning C:\WINDOWS\system32\drivers\
    No packed driver files were detected (270 files scanned).
    What does this mean?
     
  3. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    That means that the tool scanned 270 driver files on your system and didn't find any packed ones. This is a good thing since a packed driver would very likely be a rootkit. Regular driver file authors would not encrypt or compress their drivers.
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Results. Probably the 64-bit protection (which in fact looks like rootkit behavior itself)
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Thanks for the valuable info, nice app. That's good to know, that my HIPS and sandbox programs are really doing their job. No antivirus here for a long time :thumb:
     
  6. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    What Windows/Service Pack version is this on?
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I just tried it, not sure if the error means anything:

    Scanning C:\WINDOWS\system32\drivers\
    Error: This is not a PE format
    Error: Unable to get read access to C:\WINDOWS\system32\drivers\sptd.sys
    No packed driver files were detected (223 files scanned).
     
  8. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    The first error means PDD tried to scan a file that was not a regular driver file. This is a harmless message - I will add code to show which file this happens on.

    The second message means sptd.sys could not be accessed. sptd.sys is the driver for Daemon Tools - I'm guessing Daemon Tools takes additional steps to make sure its driver file cannot be read. This is good information; I will make sure this can be worked around so that all driver files are read.
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Windows Vista 64 bit Sp1.
    I see PDD.exe Buffer Overflows (QueryNameInformationFile) in procmon for each called driver.
     
  10. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Ah, it's 64-bit, that's why you are getting that error. I'd have to say that this utility won't work on 64-bit for now then. Also explains why the program only found 7 driver files - those would be the 32-bit drivers.
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Ah okay, good to know. I will try it ASAP in 32-bit. (Btw, Windows 64-bit protection could probably block forensic research for rootkits if rootkits bypass PatchGuard or NameInfo redirection, which could prevent official or beta tools from scanning for patched 64-bit regions (Vista botch?))
     
    Last edited: Sep 20, 2008
  12. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    are you the maker of trojan hunter?
     
  14. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    And here is the utility in action detecting the TDSServ rootkit that is used by Antivirus XP 2008:

    [Attached screenshot: tdd_detect.png]
     
  15. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Yes, that's right :)
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Cool, and welcome to Wilders :thumb: :thumb:
     
  17. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Someone just emailed the file ctdvda2k.sys, which is detected as packed. This is a Creative DVD driver that contains a large block of compressed data. So there are some legitimate driver files out there that contain this kind of data.

    This file could easily be filtered out though since it is digitally signed by Creative Technology Ltd. If anyone else has any files that are being detected, please do email them to support@misec.net
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Just downloaded and ran the program. I am running XP SP2. Results:
    Scanning C:\WINDOWS\system32\drivers\
    No packed driver files were detected (360 files scanned).
    Will this be included as a utility in TrojanHunter?
     
  19. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    It all depends on how many users request it. I don't think it would be helpful for most home users as you'd have to be pretty tech savvy to interpret the results. Perhaps it should just be made available as a stand-alone tool - I'm not sure yet.
     
  20. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    Code:
    Scanning C:\WINDOWS\system32\drivers\
    No packed driver files were detected (207 files scanned).
    No problems.
     
  21. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    Windows 2000

    Scanning C:\WINDOWS\system32\drivers\
    No packed driver files were detected (222 files scanned).
     
  22. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Can always use another tool. Thanks for making it available to test.
     
  23. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
    Windows XP SP2

    Scanning C:\WINDOWS\system32\drivers\
    Error: Unable to get read access to C:\WINDOWS\system32\drivers\sptd.sys
    No packed driver files were detected (203 files scanned).
     
  24. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Vista SP1 (32-bit)
    spsys.sys seems to be a Vista RTM driver for making kernel stops as part of their latest WGA program.
     
  25. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Correct - it's a legitimate file used to protect Vista against piracy. And they have huge blobs of binary data in there. If the day had 36 hours I would analyze it just to find out what it does...
     