Possible rootkit activity: what's the purpose of "aa9ak670.sys" and similar?

Discussion in 'other security issues & news' started by Cerxes, Sep 29, 2008.

Thread Status:
Not open for further replies.
  1. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    As the thread title says, I'm wondering since it's labelled as a hidden registry entry/rootkit activity from MS when scanning with OSAM autorun manager. When trying to google this driver it doesn't show any info at all. That doesn't surprise me at all since it keeps changing name after each reboot. I can't delete the driver file either using RkU; it shows "Can't delete content".

    Therefore my real question is: when something is shown as a hidden registry entry/rootkit activity, and is also labelled as coming from a known source (MS in this case), should it be considered reliable or suspicious? In each laptop/desktop I have with a Windows OS installed (XP), I have one or two of these "hidden entries/rootkit activities" from MS, so it kind of worries me a little bit.

    /C.
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    That tool isn't complete since it clearly misses the driver for detection of active rootkits, so it's basically useless in its present version. But that's not the problem since I've already detected these files using RKU and OSAM. My problem is to determine whether these are legitimate or malicious, and how to get rid of them if confirmed to be malicious. Thanks anyway :).

    /C.
     
  4. Mihail Fradkov

    Mihail Fradkov Registered Member

    Joined:
    Apr 12, 2008
    Posts:
    93
    Location:
    St. Petersburg, Russia
    I'm working in the company that develops OSAM.

    If you have an sptd.sys driver (the driver of a CD/DVD emulator; installed with Alcohol 120%, Daemon Tools and some others), then your randomly named hidden driver ("aa9ak670.sys") is not malicious and it is not a rootkit (it just uses rootkit technologies) -- it's a part of sptd.sys. This behavior (hiding a dropped driver and killing the body of the driver) was introduced by the authors of SPTD to defeat CD copy protectors, which try to detect CD emulator software and do not allow it to work.
     
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Mihail Fradkov
    that is an interesting line-up of products you are developing. :cool:

    Those CD/DVD emulator hidden drivers installed with Alcohol 120%, Daemon Tools etc. are always popping up in rootkit posts: they can be a pain in the butt and cause a lot of angst.
    Hard to be sure what it is when you first see it.
     
  6. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Hi Mihail!

    Thanks for replying to my question. I understand that since I'm using both Alcohol 52% and Daemon Tools they have to hide their drivers in some way and randomize their names for the reason you have mentioned. But what both puzzles and worries me is that they have Microsoft as the publisher for those drivers, and therefore it ain't obvious that they originate from the above applications. The other thing that puzzles me is that I can't delete those drivers from my system.

    I will PM you these two dump files if it's OK, since I don't know how to send specific files using OSAM.

    Indeed.

    /C.


    EDIT: OK, I thought I could send you dump files through private messages, but it wasn't possible to do that. Anyway, as a poor substitute, here are the names and keys of the above-mentioned files:

    HKLM\SYSTEM\CurrentControlSet\Services\a0n5qaz1
    C:\WINDOWS\system32\drivers\a0n5qaz1.sys

    HKLM\SYSTEM\CurrentControlSet\Services\aqj14o7u
    C:\WINDOWS\system32\drivers\aqj14o7u.sys


    EDIT 2: I found out that the reason why these files refused to go away was that the SPTD driver was left behind in my system even though I uninstalled both Alcohol and Daemon Tools, which I didn't notice at the time. Now that I have erased this driver, I no longer find these random files when scanning with OSAM, so it's confirmed for my sake anyway that they truly belonged to the above-mentioned applications.

    /C.
     
    Last edited: Oct 14, 2008
  7. Mihail Fradkov

    Mihail Fradkov Registered Member

    Joined:
    Apr 12, 2008
    Posts:
    93
    Location:
    St. Petersburg, Russia
    This is OK. :)

    The publisher "Microsoft" - it's a small bug in the interpretation of information. We know about it and thought that it was fixed already. It's just the "Details Information" of ATAPI.SYS (the first driver in the internal list with detailed information). We will fix this in the next release. Sorry for that.

    About deletion. You cannot delete this driver from disk, because it is not on disk. :) With the new version of OSAM you will get the status: "Hidden registry entry, rootkit activity | File not found". And this file really doesn't exist on disk. If you want to delete this driver from memory - just disable SPTD.SYS. :) Set the "Start" value in the registry to 0x00000004 (Disabled).

    Good. :) BTW, there is an instruction 'how to remove SPTD' on the vendor's site. Here is a link to a message with information regarding SPTD and the "rootkit" driver on our forum:
    http://translate.google.com/transla.../viewtopic.php?t=9&hl=en&ie=UTF-8&sl=ru&tl=en
     
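The triage Mihail describes (a randomly named kernel-driver service whose file is "not found" on disk, explained by an installed sptd service, and disabled by setting Start to 4) as an added PowerShell example; this is not code from the thread or from OSAM/SPTD. It assumes an elevated prompt on the affected machine; the service names a0n5qaz1, aqj14o7u and sptd come from the thread, and the fallback file location for entries without an ImagePath is an assumption. Because the helper driver hides its own registry entry while SPTD is loaded, a standard registry enumeration like this one may only show it after sptd has been disabled and the machine rebooted.

```powershell
# Added example, not from the thread. Lists kernel-driver services whose binary
# is missing on disk (OSAM's "File not found" case) and shows the Start=4 change.
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-OrphanKernelDrivers {
    # Type 1 = SERVICE_KERNEL_DRIVER. ImagePath values use several spellings
    # (\SystemRoot\..., \??\C:\..., or a path relative to %SystemRoot%).
    Get-ChildItem $Services | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.Type -ne 1) { return }
        $name = $_.PSChildName
        $path = $p.ImagePath
        if (-not $path) {
            # Assumption: drivers without ImagePath live in the default driver folder.
            $path = "$env:SystemRoot\system32\drivers\$name.sys"
        }
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                      -replace '^\\\?\?\\', '' `
                      -replace '^system32\\', "$env:SystemRoot\system32\"
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Service = $name; ImagePath = $path; Start = $p.Start }
        }
    }
}

function Test-SptdPresent {
    # The thread's randomly named entries (a0n5qaz1, aqj14o7u) belong to sptd.sys.
    Test-Path "$Services\sptd"
}

function Disable-Sptd {
    # Start = 4 is SERVICE_DISABLED, as the OSAM developer advises; applies at next boot.
    if (Test-SptdPresent) {
        Set-ItemProperty "$Services\sptd" -Name Start -Value 4 -Type DWord
        "sptd set to Disabled; reboot, then re-check for orphan driver entries."
    }
}

Get-OrphanKernelDrivers | Format-Table -AutoSize
if (Test-SptdPresent) {
    "sptd is installed: randomly named 'File not found' driver entries are expected from it."
}
```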