RKU not detecting Rustock??

Discussion in 'other anti-malware software' started by aigle, Oct 23, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    RKU not detecting rootkit??

    Yesterday I installed a sample of the Rustock rootkit. I then scanned my PC for hidden files using RKU and other ARK tools.

    The sample I used creates two hidden files in the system32 folder, named:

    p81eskse.sys
    pasksa.dll

    RKU's scan fails to detect either of these two files, while they were detected by almost all other ARK tools I tried. Antivir, TF, IceSword, Gmer, SAS all detected these two files.

    I am not sure where the problem is. Never expected it from RKU. :oops:
    I used XP SP2 and tested in ShadowMode of SS.

    Any ideas?
    Thanks

    Last edited: Oct 23, 2007
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Aigle, IIRC that is Haxdoor small type and not one of the Rustock variants.

    It's always detected this trojan no problems on my setup.
    http://wiki.castlecops.com/Image:Huy32.png

    Did you get this load warning on opening RKU ?
    http://img341.imageshack.us/img341/6194/rku1ei7.jpg

    RKU should list the driver's SSDT hooks.
    List driver under driver tab.
    Both files in hidden file scan.


    If you are on a possible bug hunt, are you clearing house (reset image/uninstall previous test ARK) in between testing individual ARKs against individual samples?
    A possible software conflict might cause this bug....
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the reply. Very helpful as always.
    Thanks. I thought it was Rustock, probably it was in a folder named Rustock in my samples, not sure. Anyway I changed the thread title.
    I don't get these files detected at all.
    I am using RKU version 3.7.300.506.
    I do get it.
    I was interested in hidden file scan only so did not check other modules.

    I did reboot my PC with ShadowSurfer, so no other leftovers except my routine HIPS-- EQS and NG.

    BTW when I run RKU I get this warning (see pic) although I used its own uninstaller to remove the older version. I click OK and RKU loads fine. Not sure if this is causing the problem.

    Attached Files:

  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Aigle

    Possible workaround for the driver loading bug... Uninstall and reboot.
    Next check system32/drivers folder to see if any RKU driver(s) persist and then delete if needed.

    Open Regedit and delete the following key(s) if present:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rkhdrv40
    HKEY_LOCAL_MACHINE\SOFTWARE\RkU4 (the older key, IIRC, is SOFTWARE\UGNRKU)

    Reboot and reinstall.

    :oops: Jus' realized that screenshot was of the 3.2 version, so I quickly executed i2.exe and ran a hidden file scan with the latest version. Screenshot attached :)

    Attached Files:

    • rku.jpg (19.1 KB)
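The cleanup steps in the post above (check system32\drivers for leftover RKU drivers, delete the rkhdrv40 service key and the RkU4/UGNRKU keys, reboot, reinstall) can be audited from a script. The following PowerShell is an added example, not code from the thread or from the RKU project: it reports which of those items are still present, and only deletes them when run with -Remove, behind ShouldProcess confirmation. The rkhdrv*.sys wildcard (to catch other versions of the same driver) and the -Remove switch are assumptions of this example; the key and file names are the ones given in the thread.

```powershell
# Added example: audit (and optionally clean up) leftover RKU driver and
# registry entries before reinstalling, per the manual steps in the thread.
# Read-only by default. Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Keys named in the thread: the rkhdrv40 service key plus the two vendor keys.
$RegistryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\rkhdrv40',
    'HKLM:\SOFTWARE\RkU4',
    'HKLM:\SOFTWARE\UGNRKU'
)

# Driver location from the thread; the wildcard is an assumption so that
# differently versioned leftovers of the same driver are also listed.
$DriverDir  = Join-Path $env:SystemRoot 'System32\drivers'
$DriverGlob = 'rkhdrv*.sys'

$findings = @()

foreach ($key in $RegistryKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Type   = 'RegistryKey'
            Path   = $key
            # ImagePath (present on service keys) shows which binary the
            # leftover service registration would try to load at boot.
            Detail = $props.ImagePath
        }
    }
}

$driverFiles = Get-ChildItem -LiteralPath $DriverDir -Filter $DriverGlob -File -ErrorAction SilentlyContinue
foreach ($file in $driverFiles) {
    $findings += [pscustomobject]@{
        Type   = 'DriverFile'
        Path   = $file.FullName
        Detail = ('{0} bytes, modified {1:u}' -f $file.Length, $file.LastWriteTime)
    }
}

# A service key without its driver file (or the reverse) is the kind of
# half-uninstalled state the thread suspects behind the load warning.
if ($findings.Count -eq 0) {
    Write-Host 'No leftover RKU driver or registry entries found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        if ($PSCmdlet.ShouldProcess($f.Path, 'Remove leftover RKU item')) {
            switch ($f.Type) {
                'RegistryKey' { Remove-Item -LiteralPath $f.Path -Recurse -Force }
                'DriverFile'  { Remove-Item -LiteralPath $f.Path -Force }
            }
        }
    }
    Write-Host 'Reboot before reinstalling RKU.'
}
```

Run it once without -Remove after the uninstall-and-reboot step to see what the uninstaller left behind, then with `-Remove -Confirm` to delete each item after confirming it; the reboot before reinstalling is still needed so the deleted service registration is not held by a running instance.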
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks fcukdat.

    I will do as you suggested and report back in a few days.
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, I uninstalled RKU via its own uninstaller. Rebooted. Searched the registry and deleted the values shown in the pic. Searched for rkhdrv40.sys, it was already deleted. Rebooted, reinstalled a newer version, same error. Not sure why I get this error. Maybe a conflict with some security software on my system.

    Also I have checked again with the rootkit, the two files I mentioned above are not detected by RKU on my system.

    Maybe it will work well on the next clean system install!

    Attached Files:
