RootRepeal- a new strong ARK tool

Discussion in 'other anti-malware software' started by aigle, Jul 25, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    Just ran the tool, simple to use, I like it....now what the hell is this?

    Name: PCI_PNP6052
    Image Path: \Driver\PCI_PNP6052
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    I can't even Google it.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don,t know either. :D

    Better post at sysinternals.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Guess I should, lol. That's the only entry I couldn't look up.

    Edit: Posted the entire log there, some conflicting opinions on some results maybe being from Daemon Tools and maybe not according to Google.
     
    Last edited: Jul 25, 2008
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Wow, that was quick, lol. They told me it was in fact Daemon Tools drivers.
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Because all available public ARK detectors todate do not offer the scope of detection as RR so this is why this is *new* data returned and not known by google search til now;)

    Alcohol/Daemon tools RK techniques just got royally uncovered:thumb: :D
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Lol, true :) As long as Daemon doesn't try any other funny stuff it can stay. One false move and it's evicted!
     
  8. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    Worked on one of my Windows 2000 Pro computers but crashed the other one instantly (repeatedly...on subsequent re-boots) when I pressed the scan drivers button.
    It is still beta though...but just thought I'd mention it
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you aigle :)
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U r welcome. Thanks to fcukdat by the way, for introducing it.
     
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I tried it on XP Pro SP3: simple, fast, no conflict problem, and the same results as GMER on my pc: clean.
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Well is kudo's to the author ad_13 for his creation:thumb:

    So far none of my zoo collection of malware RK's and POC's have defeated it so IMO opinion it capabilities as in range of detctions excede's GMER & IceSword latest build's as well as last available RKU public release:thumb:

    Here's 2 malware RK's where GMER& last RKU are bypassed:ouch:

    Sample 1 Latest DNS Trojan has a rootkit driver(inch.sys) that borks raw disk read of virtually all ARK tools in the public arena:'(

    dns RK.jpg

    Sample 2 The elusive Rustock C(Ntldrbot)

    Rustock C.jpg

    dr web C.jpg
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    And here's a couple of advanced POC's RK's in the mix:cool:

    Sample 1 Unreal

    unreal loader.jpg

    unreal file.jpg

    unreal driver.jpg

    Sample 2 Phide_ex

    phide.jpg
     

    Attached Files:

    Last edited: Jul 28, 2008
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks for the tests fcukdat :).
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi fcukdat! What is this phide.exe- a newer version of it?. I get only BSODs with it. In the past I managed to run it but never got a box like this. Do u need to run it via Command Prompt?
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    My bad<oops>

    Is old phide tool hosted at VX heavens and nothing to do with PE386's Phide_ex POC...So my bad on testing as have 2 folders containing totally unrelated Phide samples....Gonna nip back...retest Phide_ex and edit previous post hopefully to include RR versus phide_ex test results!
     
    Last edited: Jul 27, 2008
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... that,s OK. Atleast I was able to play with phide. It,s interesting POC.

    Thanks
     
  18. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    AD has released a new version adding MBR detection and more.

    Version 1.2.3 (link)

    -Added: Stealth Objects scan (scans for hidden handles, threads, modules, kernel code and IRP handlers)
    -Added: Hidden Services scan. -Improved: Initialization speed and compatibility.
    -Added: RootRepeal can now fix MBR modifications caused by the Mebroot trojan.
    -Improved: Files scan speed.
    -Improved: Scan speed in the Drivers and Processes scan.
    -Fixed: Display names in the SSDT scan.
    -Fixed: Intermittant bug in the files scan.
    -Fixed: Bugs in handling some FAT32 directories.
    -Added crashdump reporting. If RootRepeal crashes, it will generate two files: a crash dump text file, and possibly a RootRepeal.dmp file. If you experience a crash, please send me those two files.
     
  19. progress

    progress Guest

    Any experiences with this tool? :p
     
  20. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  21. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    PROROOTECT,

    GMER at the moment is byapssed by any RK that fakes the SSDT.
    POC published back in November last year.
    http://www.rootkit.com/newsread.php?newsid=922

    Discovered being used by certain ITW rootkits by January this year:oops:

    Rootrepeal had been updated to handle this hiding technology shortly after publishing of POC at rootkit.com.

    That is the definitive sign of a tool that is still under ongoing developement and really should give a pointer as to the effectiveness of it.

    Alas the arms race goes on and no doubt another POC will come along or new RK hider ITW then it will be time once again for the tools to upgarde or be bypassed:oops:

    HTH:)
     
Loading...
Thread Status:
Not open for further replies.