Sample Rootkit passes all Detector

Discussion in 'other security issues & news' started by Tommy, Oct 27, 2006.

Thread Status:
Not open for further replies.
  1. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Yes Tommy, I have no idea when it ends ;)

    BTW. In v1.0.12 I have added kernel & user code sections scanning. It compares memory code with the related file code.
    A few samples here: http://www.gmer.net/gromozon.log, http://www.gmer.net/rustock.log
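    The check gmer describes above (read a function's bytes as mapped in memory, read the same bytes from the on-disk image, report any difference and decode an inline JMP) as an added example in Python. This is not GMER's code and not taken from the thread; the x86 prologue bytes and the hook bytes are constructed, only the addresses are the ones from the first log (ObOpenObjectByName at 80560B88, JMP to F9A8315A).

```python
import struct

# Constructed sample input (not real ntoskrnl bytes): a typical hot-patchable
# prologue as it would be read from the file on disk.
OBOPENOBJECTBYNAME_VA = 0x80560B88            # address from the log above
DISK_PROLOGUE = bytes.fromhex("8BFF558BEC")    # mov edi,edi / push ebp / mov ebp,esp


def encode_jmp(from_va, to_va):
    """Build the 5-byte x86 E9 rel32 JMP a rootkit writes over a prologue.
    rel32 is relative to the address of the instruction that follows the JMP."""
    rel = (to_va - (from_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


# What the same 5 bytes look like in memory once the hook is in place
MEM_PROLOGUE = encode_jmp(OBOPENOBJECTBYNAME_VA, 0xF9A8315A)


def find_inline_hook(func_va, disk_bytes, mem_bytes):
    """Compare the memory copy of a code window with the file copy.
    Returns None when they match, otherwise a dict with the patch offset,
    the number of patched bytes and, if the patch starts with E9, the
    decoded JMP target."""
    if len(disk_bytes) != len(mem_bytes):
        raise ValueError("compare windows of equal length")
    diff = [i for i, (d, m) in enumerate(zip(disk_bytes, mem_bytes)) if d != m]
    if not diff:
        return None
    first, last = diff[0], diff[-1]
    info = {"offset": first, "patched_bytes": last - first + 1, "jmp_target": None}
    if mem_bytes[first] == 0xE9 and first + 5 <= len(mem_bytes):
        rel = struct.unpack_from("<i", mem_bytes, first + 1)[0]
        info["jmp_target"] = (func_va + first + 5 + rel) & 0xFFFFFFFF
        # a rel32 byte may coincidentally equal the original byte, so the
        # raw diff can undercount; a decoded JMP is always 5 bytes long
        info["patched_bytes"] = max(info["patched_bytes"], 5)
    return info


def format_report(symbol, func_va, disk_bytes, mem_bytes):
    """Render a finding in the same spirit as the 'Kernel code sections' lines."""
    hook = find_inline_hook(func_va, disk_bytes, mem_bytes)
    if hook is None:
        return f"{symbol} {func_va:08X} clean"
    line = f"{symbol} {func_va + hook['offset']:08X} {hook['patched_bytes']} Bytes"
    if hook["jmp_target"] is not None:
        line += f"  JMP {hook['jmp_target']:08X}"
    return line


if __name__ == "__main__":
    print(format_report("ntoskrnl.exe!ObOpenObjectByName", OBOPENOBJECTBYNAME_VA,
                        DISK_PROLOGUE, MEM_PROLOGUE))
```

    The raw byte diff is what makes this detection independent of SSDT or IAT tables: a JMP written into the function body is visible no matter which table was left intact. One caveat the second log in this thread illustrates: when one byte of the new rel32 happens to equal the original byte, a plain diff splits one 5-byte JMP into two entries (a "3 Bytes JMP" and a separate "+ 4 1 Byte" line is one way such a split can arise), which is why the example pads a decoded E9 to its full length.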
     
  2. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
  3. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Exactly, but I have no idea why SVV doesn't detect the BadRKDemo or IceSword hooks?

    Code:
    GMER 1.0.12.11859 - http://www.gmer.net
    Rootkit scan 2006-10-29 22:02:28
    Windows 5.1.2600 Dodatek Service Pack 2
    
    
    ---- System - GMER 1.0.12 ----
    
    Code    ObOpenObjectByName                                        F9A83155
    
    ---- Kernel code sections - GMER 1.0.12 ----
    
    PAGE    ntoskrnl.exe!ObOpenObjectByName                           80560B88 5 Bytes  JMP F9A8315A
    
    ---- Modules - GMER 1.0.12 ----
    
    Module  \SystemRoot\system32\BadRKDemo.sys (*** hidden *** )      F9A82000
    
    ---- Threads - GMER 1.0.12 ----
    
    Thread  4:104                                                     F9A83278
    
    ---- EOF - GMER 1.0.12 ----
    
    Code:
    GMER 1.0.12.11877 - http://www.gmer.net
    Rootkit scan 2006-11-02 13:28:49
    Windows 5.1.2600 Dodatek Service Pack 2
    
    
    ---- System - GMER 1.0.12 ----
    
    Code   \SystemRoot\System32\Drivers\IsDrv118.sys                        ZwCreateThread
    Code   \SystemRoot\System32\Drivers\IsDrv118.sys                        ZwOpenProcess
    Code   \SystemRoot\System32\Drivers\IsDrv118.sys                        ZwOpenThread
    Code   \SystemRoot\System32\Drivers\IsDrv118.sys                        ZwTerminateProcess
    Code   \SystemRoot\System32\Drivers\IsDrv118.sys                        ZwTerminateThread
    Code   \SystemRoot\System32\Drivers\IsDrv118.sys                        NtOpenProcess
    Code   \SystemRoot\System32\Drivers\IsDrv118.sys                        NtOpenThread
    
    ---- Kernel code sections - GMER 1.0.12 ----
    
    PAGE   ntoskrnl.exe!NtOpenProcess                                       8057459E 3 Bytes  JMP FB575DA2 \SystemRoot\System32\Drivers\IsDrv118.sys
    PAGE   ntoskrnl.exe!NtOpenProcess + 4                                   805745A2 1 Byte 
    PAGE   ntoskrnl.exe!ZwTerminateThread                                   8057E97C 5 Bytes  JMP FB575D28 \SystemRoot\System32\Drivers\IsDrv118.sys
    PAGE   ntoskrnl.exe!ZwCreateThread                                      8057F262 5 Bytes  JMP FB5761BC \SystemRoot\System32\Drivers\IsDrv118.sys
    PAGE   ntoskrnl.exe!ZwTerminateProcess                                  8058AE1E 5 Bytes  JMP FB575B7A \SystemRoot\System32\Drivers\IsDrv118.sys
    PAGE   ntoskrnl.exe!NtOpenThread                                        80597C0A 5 Bytes  JMP FB575E2C \SystemRoot\System32\Drivers\IsDrv118.sys
    
    ---- User code sections - GMER 1.0.12 ----
    
    .text  C:\rootkits\tools\IceSword.exe[512] kernel32.dll!LoadLibraryExW  7C801AF1 5 Bytes  JMP 00402A70 C:\rootkits\tools\IceSword.exe
    
    ---- EOF - GMER 1.0.12 ----
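    The two logs above differ in one useful way: the IceSword hooks carry the owning driver path on each line, while the BadRKDemo hook does not and the driver itself shows up only as a hidden module. The following added example (my own Python, not GMER's code) parses lines in that format and separates hooks attributed to a named file from hooks that can only be tied to a hidden module. The sample lines are copied from the two logs; the "nearest module base at or below the JMP target" attribution is a heuristic I am assuming, since the log lists no module sizes.

```python
import re

# Constructed sample: selected lines from the two GMER logs in this thread.
SAMPLE_LOG = r"""
Module  \SystemRoot\system32\BadRKDemo.sys (*** hidden *** )      F9A82000
PAGE    ntoskrnl.exe!ObOpenObjectByName                           80560B88 5 Bytes  JMP F9A8315A
PAGE   ntoskrnl.exe!NtOpenProcess                                       8057459E 3 Bytes  JMP FB575DA2 \SystemRoot\System32\Drivers\IsDrv118.sys
PAGE   ntoskrnl.exe!NtOpenProcess + 4                                   805745A2 1 Byte 
.text  C:\rootkits\tools\IceSword.exe[512] kernel32.dll!LoadLibraryExW  7C801AF1 5 Bytes  JMP 00402A70 C:\rootkits\tools\IceSword.exe
"""

# "<section> <symbol> <addr> <n> Byte(s) [JMP <target> [<owner>]]"
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<symbol>.+?)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<n>\d+)\s+Bytes?(?:\s+JMP\s+(?P<target>[0-9A-F]{8}))?"
    r"(?:\s+(?P<owner>\S.*?))?\s*$"
)
# "Module <path> [(*** hidden *** )] <base>"
MODULE_RE = re.compile(
    r"^Module\s+(?P<path>.+?)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \))?\s*"
    r"(?P<base>[0-9A-F]{8})\s*$"
)


def parse_log(log_text):
    """Return (modules, hooks): modules as (base, path, hidden) tuples,
    hooks as regex group dicts for entries that redirect control flow."""
    modules, hooks = [], []
    for line in log_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append((int(m["base"], 16), m["path"], m["hidden"] is not None))
            continue
        h = HOOK_RE.match(line)
        if h and h["target"] is not None:   # skip "+ 4 1 Byte" style remainders
            hooks.append(h.groupdict())
    return modules, hooks


def triage(log_text):
    """Attribute every JMP hook to a file and flag the ones that lead into a
    hidden module or cannot be attributed at all."""
    modules, hooks = parse_log(log_text)
    findings = []
    for h in hooks:
        target = int(h["target"], 16)
        owner, hidden = h["owner"], False
        if owner is None:
            # Heuristic (assumption; no module sizes in the log): the nearest
            # listed module whose base lies at or below the JMP target.
            below = [mod for mod in modules if mod[0] <= target]
            if below:
                _, owner, hidden = max(below)
        findings.append({
            "symbol": h["symbol"],
            "target": target,
            "owner": owner,
            "hidden_owner": hidden,
            "verdict": "suspicious" if hidden or owner is None else "attributed",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:10} {f['symbol']} -> {f['target']:08X} ({f['owner']})")
```

    Run against the sample, the IceSword entries come out as attributed to a visible file, while the ObOpenObjectByName hook lands in the hidden BadRKDemo.sys and is flagged. A hook line that names its owner is not automatically benign; the point of the split is to make the entries with no visible owner the ones a reader looks at first.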
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  5. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
    @GMER: what's the easiest way of updating... disable all settings, reboot, or is there an easier way without unticking all settings?
     
  6. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    I will not comment on this ...

    Remove old gmer.sys driver and reboot.
     
  7. fred22

    fred22 Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    229
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Keep in mind, I'm new to this.

    1. I downloaded "phide_ex.exe"
    2. Clicked on it.
    3. It caused a BSOD
    4. My system rebooted and everything was normal.
    5. The file "phide_ex.exe" was gone.

    What is the purpose of this test ?
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, any further news on this rootkit? Any newer version?
     