Sample Rootkit passes all Detector

Discussion in 'other security issues & news' started by Tommy, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Hi Tommy, here is my svv scan report.
     

    Attached Files:

  2. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Verdict 5!
    You seam not to be infected buy this Rootkit (it is not allways detected by SVV depending on the OS), but can you please run the same with additional option /m. The modifications you have are quiet suspicious, as i don't think that they are done by SnoopFree.

    You should post this also in Sysinternal Forum/Malware. There are the Rootkit experts.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Ok, I will run again. The system already has a rootkit ATM, Morgud,s threat simulator. First detection seems fo CH and secondly for SnoopFree. There may be others as system was used to test CH with some malware.
    Also when I restore it I will rerun the scan.

    I have no idea how to save the output of scan with /m.
     
    Last edited: Oct 29, 2006
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    It,s so weired. I think I will try it on a clean system again.
    Or this rootkit is just very benign.
     

    Attached Files:

    • kit.jpg
      kit.jpg
      File size:
      18.6 KB
      Views:
      417
  5. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Well I tested it again.

    I executed phide_ex.exe and the same thing happened with the log file and the message every 5 seconds.

    I checked with pwalker and it detected the hidden process phide_ex.exe loaded.

    So then I rebooted my PC and windows loaded again, with no problems at all.

    I ran pwalker again and it says there are no hidden processes. Which should be true because the phide_ex log file isn't being written to anymore.

    But anyways, the point is, I am back in windows and everything is normal again.

    So does this mean that phide_ex is killed by rebooting? Or is it supposed to survive the reboot?

    I never got any BSOD's like people mention. The only time I get any BSOD's is when I use SVV (but that's because SVV doesn't work in VirtualPC from what I've read). The SVV BSOD happens even on a clean install without running phide_ex so it has nothing to to with it.

    I am sad because I want phide_ex to kill my PC so I can test it later against my security setup and see what happens. But if it wont kill my PC even without any security, then how can I test it? :(
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Sad! ha, ha,..very funny.
    Can u pls scan ur windows directory for the phide_exe sys file? I found it in my windows directory as u see in my post above.
    BTW never heard of pwalker. How it can walk on my system? Is it good enough t do that.

    Thanks.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Just download it and run.
    BTW as u see still we are struggling to make this malware work. Crazy work!
     
  8. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    aigle, you can get pwalker here: http://www.rku.xell.ru/?l=e&a=dl (Process Walker)

    And in my system I can't find any phide_exe sys file :(
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    That is strange. Ok I will retry on my clean system. I guess may be this file came on my system when I tried the rootkit within GesWall and the GesWall stopped it from being hidden( it might be on ur system hidden). However the chance is remote as if it is stopped by GW, it must have been marked as isolated by GW.
    Will haver to try it in another Sandbox to see what happens.

    Thanks for the link. How good it is?
     
  10. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    It is detected by BOClean :)

    10349. PHIDE
     
  11. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Supposedly it's pretty good as it is the only one I can find that detects phide_ex.

    I tried Security Task Manager and even that can't detect it :(
     
  12. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    john2g, did you execute it first? Or did BoClean stop the execution?

    Because once executed, the process can't be detected. Only pwalker (as far as I know) can see the hidden process.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    I ran phide exe again and pwalker did not dtect it running, also RootKit UnHooker hidden process tab did not show it.
    Does pwalker refreshes itself or u have to restart it to update process list. Thanks.
     
  14. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    pwalker doesn't refresh itself. It only shows you the processes loaded at the time of its execution.

    So if you run phide_ex and then run pwalker you should be able to see it there.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Yes it showed it now.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    This is what I got in GesWall, BufferZone, and Sandboxie, log and virtual files/ reg enteries etc.
     

    Attached Files:

    • gw.jpg
      gw.jpg
      File size:
      82.4 KB
      Views:
      7
  17. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    When they willl make an XP version? error :)
     
    Last edited: Nov 2, 2006
  19. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    Neither.

    However, I do not know of one instance where BOClean cannot remove malware from a system (post infection), although the normal way it operates is prevention of execution. This comment assumes that the malware is in the database, but in the case of new rootkits, they can be detected by heuristics.
     
  20. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    Do you mean when was it added to the definitions? If so, I don't know,
    Ask Kevin, he will probably tell you: support@nsclean.com
     
  21. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Lol, no i ment did id detects the Rk when you tried to execute the exe file, or when it wanted to go active?
     
  22. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    I have sent Kevin at NSclean a link to this thread, Whether he has time to answer your questions, I don't know.
     
  23. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hi all

    Try the latest version of GMER 1.0.12.

    Code:
    GMER 1.0.12.11865 - http://www.gmer.net
    Rootkit scan 2006-10-29 23:16:40
    Windows 5.1.2600 Dodatek Service Pack 2
    
    
    ---- Processes - GMER 1.0.12 ----
    
    Process  D:\rootkit\phide_ex.exe (*** hidden *** )  [4] 81473768  
    
    ---- EOF - GMER 1.0.12 ----
    Regards
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    That,s nice to see.
     
  25. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Wonderfull, let's wait till the next Rk Method appears :)
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.