PCGuard and RootkitRevealer

Discussion in 'ProcessGuard' started by george75, Sep 15, 2005.

Thread Status:
Not open for further replies.
  1. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Process Guard and RootkitRevealer

    Just a quick question: Process Guard does not keep RootkitRevealer in its list of allowed processes. I've run RootkitRevealer with Process Guard in Learning Mode; I've clicked on Remember this action in allowing the process; but every time I run RootkitRevealer, Process Guard wants authorization. Any reason? Thanks.

    George75
     
    Last edited: Sep 18, 2005
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi george75, When Windows loads its drivers there is a bit of a race, and possibly RootkitRevealer is starting first, thus PG misses it.
    This can change over time, as I had a similar thing happening with KAV. Not sure what the answer is on that, as it is probably an inherent Windows "feature" :) I just gave KAV the allow for drivers and services and all is well. On my other PCs PG loads first.

    I suppose in theory that a kernel-mode Trojan could do the same, but first it would need to be run; with PG active it would have to ask to install a service or driver, so the likelihood of that happening is small, though a possibility. Then after reboot, and providing it won the race, PG would not see it and the Trojan would be active.

    That is why Wilders always recommends a layered defence.

    HTH Pilli
     
  3. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Re: Process Guard and RootkitRevealer

    Thanks for your answer, Pilli.

    However, the problem is that RootkitRevealer is an on-demand program that checks for discrepancies that indicate a possible rootkit installation. Hence, the explanation you give that it's a matter of which loads first can't be correct.

    As for layered defence: I am very much interested in layered defence. Elsewhere, if you look for other posts today under my name, you will see that I raise the issue of layered defence in the context of the relationship between Process Guard's protection and Prevx Home's protection. I could generalize a little here, although I admit it's not quite on topic: at the level of adware and antivirus and firewall I have the layers properly set, I think. It's at the level of Trojans that I'm ignorant and would like some guidance on proper layering with free programs.

    George75
     
    Last edited: Sep 18, 2005
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    george75,
    When you see the execution alerts, do they show the RootkitRevealer executable name at the top or a semi-random name for the executable?
     

    Attached file: pg2.JPG (37.5 KB)
  5. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Well, well, well! You must know something. It shows a random name, viz: uznzbmbwbujoksc.exe. I hope that's not a secret code. What does it all mean?

    George75
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again george, In that case it must be using another method to do its job, so does it inject a .dll somehow? I am not familiar with RootkitRevealer; as you can see, my lack of knowledge is quite obvious :)

    Pilli
     
  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    It's simple enough once you understand that the rootkit authors were trying to "show themselves" to RootkitRevealer and still "hide" from everything else, so-called hiding in plain sight.

    The changing names for the executables simply stop the malware from predicting the executable name and uncloaking. There are other ways that they could detect that it was still RootkitRevealer, and several of them are plainly shown in the PG alert (some things remain constant even though the filename changes).

    It is the random filename change that causes the ProcessGuard execution alert, as you have probably figured out for yourself already.

    Regards
     
  8. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Re: Process Guard and RootkitRevealer

    Well, yes I finally did figure it out: I went to the website

    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    and here's what it says in part (I've highlighted the critical passage):

    'RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

    'The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.'

    No, I'm not advertising the product; I just quoted enough for Pilli to understand what it's all about. Thanks. I should have been able to figure it out without a post.

    George75
     
    Last edited: Sep 18, 2005
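The two explanations above (gottadoit's in post 7 and the Sysinternals text quoted in post 8) come down to one property: an allow-list keyed on the executable's path or name sees every randomly named copy as a new program, while anything keyed on what does not change with the rename (here, the file's content hash) still recognises it. The following is an added example written for this page, not Process Guard's or Sysinternals' own code; Process Guard's real matching logic is not described on the page, so the two allow-list classes, the random-copy routine and the FAKE_IMAGE bytes are all constructed stand-ins.

```python
import hashlib
import os
import secrets
import tempfile

# Constructed stand-in for the RootkitRevealer image; the real binary is not
# part of this example. Only the bytes matter, not what they mean.
FAKE_IMAGE = b"MZ\x90\x00" + b"constructed stand-in for RootkitRevealer.exe " * 8


def sha256_file(path):
    """Hash a file's contents in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def random_named_copy(src):
    """Write a byte-identical copy of src under a random 15-letter name,
    mimicking the behaviour the Sysinternals page describes (the thread's
    uznzbmbwbujoksc.exe has exactly this shape)."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    name = "".join(secrets.choice(letters) for _ in range(15)) + ".exe"
    dst = os.path.join(os.path.dirname(src), name)
    with open(src, "rb") as s, open(dst, "wb") as d:
        d.write(s.read())
    return dst


class PathAllowList:
    """Hypothetical 'remember this action' keyed on the executable's path.
    This reproduces what the thread observes: every new copy looks new."""

    def __init__(self):
        self.allowed = set()

    def remember(self, path):
        self.allowed.add(os.path.normcase(os.path.abspath(path)))

    def needs_prompt(self, path):
        return os.path.normcase(os.path.abspath(path)) not in self.allowed


class HashAllowList:
    """Hypothetical allow-list keyed on the file's content hash, which the
    random rename does not change."""

    def __init__(self):
        self.allowed = set()

    def remember(self, path):
        self.allowed.add(sha256_file(path))

    def needs_prompt(self, path):
        return sha256_file(path) not in self.allowed


def simulate(runs=3):
    """Allow the original executable once in both lists, then launch `runs`
    randomly named copies and count how often each policy would prompt."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "RootkitRevealer.exe")
        with open(original, "wb") as f:
            f.write(FAKE_IMAGE)

        by_path, by_hash = PathAllowList(), HashAllowList()
        by_path.remember(original)   # the user's one click on "Remember this action"
        by_hash.remember(original)

        path_prompts = hash_prompts = 0
        for _ in range(runs):
            copy = random_named_copy(original)
            path_prompts += by_path.needs_prompt(copy)
            hash_prompts += by_hash.needs_prompt(copy)
            os.remove(copy)
        return {"runs": runs, "path_prompts": path_prompts, "hash_prompts": hash_prompts}


if __name__ == "__main__":
    print(simulate())
```

The path-keyed list prompts on every run, which is george75's symptom; the hash-keyed list prompts on none. The same property cuts both ways, which is gottadoit's point: whatever stays constant across the rename (the hash here, the details visible in the PG alert on the page) is equally usable by a rootkit that wants to recognise the scanner and uncloak for it.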
  9. MichelB

    MichelB Guest

    Very interesting! A rootkit trying to hide from RootkitRevealer; no doubt more of this will happen, the rootkits seem to be popping up everywhere now. Glad to have ProcessGuard blocking rootkits just in case.
     