Rootkit Agent EZ

Discussion in 'malware problems & news' started by Rasheed187, Mar 5, 2008.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Hi,

    This is quite a nasty rootkit that bypassed a lot HIPS, but I discovered something very disturbing! It seems like this rootkit can unhook the SSDT succesfully even in non admin mode? Is this true? I thought LUA is supposed to protect you against this stuff? :blink:

    http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632

    Unless I'm missing something very important, this is what the tester himself says :

    :D
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes, and that´s what makes it so strange, I would like to ask Aigle and other folks who have this rootkit sample if they can check if this rootkit is able to bypass LUA. And perhaps you all can also test if it can install the rootkit driver, this is something that I can´t seem to figure out.

    Btw, does anyone have samples of the other rootkits from nicM´s tests? They all seem to make use of interesting technique´s, and if they can even bypass LUA (perhaps only on unpatched machines) then it´s kind of scary. :ninja:
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The tester clearly said that none of these samples work under limited account.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I can PM u the sample link, testing is upto U. It,s already done by nicM so I don,t think we need to test it again esp for me I can,t test it like him.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes I know, but this is not what I´m seeing! So can someone please check it out? In order to make it work, it´s probably needed to test it on an unpatched XP Home/Pro SP1-SP2 system.

    What do you mean, do you have samples from the other rootkits used in the test? Also, I think nicM might have tested it on a fully patched system, and isn´t aware of the fact that it perhaps exploits some serious bug, so it´s worth looking at, no?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Only two ATM.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    OK perhaps you can put them on Rapidshare and PM me the link. Also, if I may ask, do you have a virtual machine? How do you test all these apps? :)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ur PM box is full.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Aigle, you can PM me again. And if someone is able to test this rootkit inside an unpatched VM, let me know. Actually, I´m a bit surprised that no one has bothered to do this yet, because if it´s true what I said, it means that even LUA could be bypassed by nasty rootkits. :eek:
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Hi,

    Did you test it with all security tools turned off? And was the OS not fully patched? I almost know it for sure now, that this rootkit can do the unhooking even when in LUA, because everything else is stopped by LUA on my VM´s, except for this. So it´s a damned good idea to always keep your system patched. :rolleyes:
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    HI Rasheed

    The operating system XP Pro SP2 was almost up to date. At the time I probably hadn't patched for 2 months. When I run that kind of a test, I don't turn the security tools off, as I want to see what the pop up's are alerting on. But I did allow everything, so essentially the security software was off.

    Pete
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    While the best prevention against any data loss or file system corruption that can render a working system disabled beyond repair, it's always going to fall to backup programs and their images for nearly 100% safeguard in event of such disaster. That's a given.

    But i relate and take up the same torch as many countless of other users do in that at some point there must come a time that there will rise an impegnetrable shield of repelling against and and/or all possible malicious intrusion on the front lines itself.

    And all of these topics and security apps work feverishly to accomplish what is never before or yet been realized, A security app or combo of just the right security apps that absolutely cannot be disobeyed or bypassed, but that requires quite an intense effort to chart every single point of instruction built into Windows Core system and a safe way to more or less take up residence in those areas with powerful enough self-protection that should one be dispatched from position, another can on an instant replace or even terminate the offending file code entirely.

    Untill or if that ever happens, image back up programs will continue to have to serve the purpose of emergency recovery IMO.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    OK thanks for letting me know. Btw, my VM´s haven´t been patched for about 1.5 years, so that could explain it. But perhaps it´s not even a bad idea to leave certain machines unpatched (for testing purposes), because otherwise I would´t even have discovered that this rootkit is able to bypass LUA. :)
     
  15. tlu

    tlu Guest

    I seriously doubt this. I'd rather think that your system is misconfigured. Just in case that you changed your old admin account to a limited account you should read what I wrote here - there might be some holes that should be fixed if you chose that approach. These holes might explain why this rootkit got through. Otherwise I deem this impossible, particularly if you created the limited account anew. I'm sure that nicm would have discovered that problem if it existed.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    OK, now we´re getting somewhere. I will test it again, but I think I´ve already tested it on a freshly created admin account. Also, I don´t see why this would be impossible, because if I´m correct, once in a while there are serious privilige elevation bugs in the OS, so maybe this rootkit tries to exploit it.
     
  17. tlu

    tlu Guest

    Your post here confirms that your system is heavily misconfigured. Please follow the advice I gave in that thread. After this is done I'm sure that the rootkit will fail.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Nope, it´s my VM´s that I´m talking about, not my "real" machine. I will test it again, but I´m pretty sure that (except for this) my non-admin account is functioning just fine inside VM, with or without SuRun.
     
  19. tlu

    tlu Guest

    Rasheed, now I'm really confused. In this post you are saying that on your "real" system you use DropMyRights but not a limited account. But you use LUA in your VM, and you performed that rootkit test in that VM, didn't you? If that's true that doesn't answer my assumption that it is misconfigured. Have you tried what I suggested?
     
Loading...
Thread Status:
Not open for further replies.