New Anti-Rootkit Tool: Packed Driver Detector [Beta, Testers Needed!]

Discussion in 'other anti-malware software' started by Magnus Mischel, Sep 20, 2008.

Thread Status:
Not open for further replies.
  1. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Thanks for the feedback, Magnus, and for confirming that it's a legit file. :thumb:
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks, will test...
     
    Last edited: Sep 21, 2008
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Magnus:)

    I just love playing with ARK tools, so I was more than happy to put PDD through its paces :cool:

    First run created 0 false positives, which is very promising :thumb:, but I had installed a packed driver to test whether it could detect it and unfortunately it failed in this instance.

    ~VirusTotal link removed per policy. - Ron~


    [Attached screenshots: rootrepeal.jpg, PDD.jpg, dw.jpg]

    Hoping to test shortly versus other malware rootkits from my extensive zoo collection, but can also confirm that PDD does indeed detect the CLB driver (Tdssserv) :thumb:
     
    Last edited by a moderator: Sep 21, 2008
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Ok, after further testing I can confirm some limitations with this tool in its current form.

    Stating the obvious, many malware drivers live outside of the <driver> folder or are sometimes loaded from an ADS, so all samples dwelling in any other location automatically go unchecked.

    So any plans, Magnus, to widen the targeting of this tool?
     
  5. controler

    controler Guest

    Scanning C:\WINDOWS\system32\drivers\
    Found packed driver file: C:\WINDOWS\system32\drivers\pxfsf.sys
    Error: This is not a PE format


    controler
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,154
    I ran it and, as expected, no packed drivers were found.

    It's good how it doesn't need installing.

    Might keep a copy of this.
     
  7. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Ok, I will give it a ride and report back.

    Here we go:
    Error message:
    You will find my system configuration at the bottom.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    No problems.
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Ok Magnus... I'm going to beg to differ with you at this point :oops: and call into question the ARK capabilities within your tool!

    Earlier when I tested versus the CLB driver, it was a copy and paste of the driver sample to my drivers folder, at which point your tool detected it... So it was not a *live* test per se.
    [Attached screenshot: pgg.jpg]

    I have now since had a chance to test versus a loaded CLB driver infection and find the following results >>>

    [Attached screenshot: ppg.jpg]

    Sample is available upon request, but at this point your tool is a fundamentally very weak ARK at best (almost a joke :shifty: ) because it has yet another huge flaw :oops:

    It is blind to hidden CLB & other malware rootkit drivers when they are active and hiding themselves :ouch:

    So a question I put to you is: can this ARK tool of yours (your labelling in the topic title) actually detect any packed drivers when they are active and hiding themselves?
     
    Last edited: Sep 21, 2008
  10. controler

    controler Guest

  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    Fair question no doubt, and I bet it mutually coincides with what Magnus would agree to in this and other test results.
    That being said, it's agreed I would think to yield the floor to him for some reply, and as I repeat in other topics on different tools and utilities, what better place to receive honest & full scrutiny of any new introduction, and I would venture a guess this will prove useful for improving this tool.

    Let the re-building begin.............
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,084
    Location:
    Europe, UE citizen
    In my system ( XP Pro SP3 ):

    Scanning C:\WINDOWS\system32\drivers\
    No packed driver files were detected (188 files scanned).
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Agree, it's incredibly time-consuming to look into the Windows abysm. Unimaginable that someone can survey this binary chaos.
     
  14. cet

    cet Registered Member

    Joined:
    Sep 3, 2006
    Posts:
    876
    Location:
    Turkey/İzmir
    Scanning C:\WINDOWS\system32\drivers\
    No packed driver files were detected (317 files scanned).

    This is my result. I am using WinXP SP3.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    lol Easter :cool:

    Now I can confirm that every malware rooter I have in my extensive zoo collection that hides its driver from WinAPI enumeration bypasses this tool... in layman's terms, if the driver isn't visible in Windows Explorer then it will not be checked by this tool :ouch:

    Since we know that the bulk of advanced rootkits utilize hiding technology to subvert WinAPI operations/output, this really does question the quality of this tool as an ARK :'(

    That said, Magnus, there might be something in your *approach* if you could mate this to raw disk reads... quite possibly a basecamp for a new genre of heuristic detection :cool: :D
     
  16. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    How can I be certain that this Anti-Rootkit tool isn't infected by the programmer to be a rootkit or trojan or spyware etc.?
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Why would it? Good to be cautious, but I'm sure the author of Trojan Hunter doesn't want to ruin his business like that :) . Try it out in a VM or sandbox.

    Btw this board has endorsed Magnus with a 'security expert' tag.
     
    Last edited: Sep 22, 2008
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    All of you do realize you are doing someone else's work here. :doubt:
     
  19. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    Scanning C:\WINDOWS\system32\drivers\
    Error: Unable to get read access to C:\WINDOWS\system32\drivers\SnopFree.sys
    No packed driver files were detected (261 files scanned).

    WINXP+SP3
    SnopFree.sys is a legit driver for SnoopFree Privacy Shield.

    xtree
     
  20. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Yeah, but he did his software *rep* no favours releasing such a *useless* tool.

    Well, I'm not going to apologize for being cynical, but any software engineer worth their salt who had constructed this tool would know about its major limitations as an ARK tool.

    So in the absence of a response solicited from Magnus, I can only assume this tool was just a brand awareness launch (thank you for coming along for the ride :cautious: ) and not a serious attempt at an ARK tool as the topic title suggests :thumbd:
     
  21. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    This being the first (beta) release it does not include the necessary driver required to see packed files of cloaked (running) rootkits. I just wanted to test the reliability of the code that detects packed drivers without people having to worry about possible bluescreens from including the required driver, and so far it's worked perfectly. Almost all of the packed files that were detected that aren't rootkits have a digital signature and can easily be filtered out.

    Fear not, the driver will be added shortly and this will be a proper working tool. I'm actually surprised at how well this thing is working - it's even detecting Microsoft's packed Vista driver which is the only kernel-level component on Vista that is using compressed and encrypted code.
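    Added example (not Magnus's code or the PDD tool itself): a Python sketch of the on-disk check his post describes, parsing the PE section table of a .sys file and flagging a section whose entropy sits near 8 bits/byte or whose virtual size dwarfs its raw size. The "not a PE format" branch matches the error controler reported; the sample images are constructed inside the script, not real drivers, and the 4x size ratio and 7.0 entropy threshold are assumptions.

```python
import math
import random
import struct

PACKED_ENTROPY = 7.0  # bits per byte; compressed or encrypted sections sit close to 8.0

def shannon_entropy(data):
    """Entropy of a byte string in bits per byte (8.0 is uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def inspect_driver(blob):
    """Classify one on-disk image as 'NOT_PE', 'PACKED' or 'CLEAN' from its section table.
    Like the beta in the thread, it only sees files the filesystem hands it: a driver whose
    file an active rootkit hides from enumeration is never examined."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return "NOT_PE"
    pe = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        return "NOT_PE"
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    table = pe + 24 + opt_size  # first IMAGE_SECTION_HEADER, 40 bytes each
    for i in range(nsec):
        vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", blob, table + 40 * i + 8)
        raw = blob[rawptr:rawptr + rawsize]
        # A packer stores a small high-entropy blob that expands into a far larger virtual section.
        if shannon_entropy(raw) > PACKED_ENTROPY or (rawsize and vsize > 4 * rawsize):
            return "PACKED"
    return "CLEAN"

def build_pe(sections):
    """Constructed minimal PE image for the demo only (no optional header, not loadable)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    off, table, body = 0x40 + len(coff) + 40 * len(sections), b"", b""
    for name, raw, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(raw), off, 0, 0, 0, 0, 0x60000020)
        body += raw
        off += len(raw)
    return dos + coff + table + body

# Constructed samples, not real drivers.
rng = random.Random(2008)
CODE = b"\x55\x8b\xec\x83\xec\x10" * 600                 # low-entropy plain x86 prologue bytes
BLOB = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for a compressed payload
CLEAN_SYS = build_pe([(b".text", CODE, len(CODE))])
PACKED_SYS = build_pe([(b"UPX0", b"", 0x8000), (b"UPX1", BLOB, 0x9000)])
NOT_PE = bytes(64)  # the case the tool reported as "This is not a PE format"
```

    Running inspect_driver over CLEAN_SYS, PACKED_SYS and NOT_PE yields CLEAN, PACKED and NOT_PE respectively; as Magnus notes, a signature check on the flagged files is the natural next filter.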
     
  22. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    69,175
    Location:
    U.S.A.
    Windows XP SP2
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,702
    Location:
    U.S.A. (South)
    I told you Magnus would assume the floor and indicate what he intends with this new program, and I have no doubt, as neither should anyone else, that he will be adding more to its capability as he weighs the results of it during this progression.

    Keep up the good work, Magnus. We're chomping at the bit waiting for the stronger detections your tool will be registering as matters continue to return satisfactory for you and results are improved.

    EASTER
     
  24. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    I agree with you. Reading comments about how it's ineffective and "what if it's infected" is just silly given how early in development it is.

    I used it and nothing was found. Waiting on next release.
     
  25. sgtfrank

    sgtfrank Registered Member

    Joined:
    May 20, 2003
    Posts:
    1
    Location:
    Aurora, IL.
    I found this tonight.

    Scanning C:\WINDOWS\system32\drivers\
    Found packed driver file: C:\WINDOWS\system32\drivers\ctdvda2k.sys

    You can probably forget about this one. I checked in WINDOWS and it is a Creative file for DVD created in 07/2005. I have Creative Soundblaster on this system.
     
    Last edited: Sep 27, 2008