sophos rootkit false positive or not?

Discussion in 'other security issues & news' started by theflamingbush, Sep 24, 2006.

Thread Status:
Not open for further replies.
  1. theflamingbush

    theflamingbush Registered Member

    Joined:
    Sep 17, 2006
    Posts:
    25
    Hi, I've recently been doing a rootkit scan with the F-Secure BlackLight software, which I've found to be pretty good. But to check it against some of the other alternative software out there I decided to try a comparison test with the Sophos rootkit scanner. Initially I didn't pick up any anomalies, but intermittent scans have revealed 8 hidden registry values. They are marked as 'not removable'... which I found bizarre!... and I'm not clear as to whether these are false positives, and therefore safe to delete when I enter the registry. Wonder if anyone here has had a similar problem.

    I post them here for your perusal.

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
    \{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\Parameters\Tcpip\DhcpDefaultGateway
    Removable: No
    Notes: (type 7, length 26) "IP ADDRESS "

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
    \{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\Parameters\Tcpip\DhcpSubnetMaskOpt
    Removable: No
    Notes: (type 7, length 30) "SUBNET VALUE "

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
    \{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpNameServer
    Removable: No
    Notes: (type 1, length 40) "IP ADDRESS "

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
    \{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpDefaultGateway
    Removable: No
    Notes: (type 7, length 26) "IP ADDRESS "

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
    \{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpDefaultGateway
    Removable: No
    Notes: (type 7, length 26) "IP ADDRESS "

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
    \{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpRetryStatus
    Removable: No
    Notes: DWORD 0x0 = 0

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer
    Removable: No
    Notes: (type 1, length 40) "IP ADDRESS "

    Area: Windows registry
    Description: Hidden registry value
    Location: \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
    \{F09EB37A-8236-45D2-9BF1-E86B9D49047D}\DhcpRetryTime
    Removable: No
    Notes: DWORD 0xc20f = 49679



    I've deleted the subnet and IP paths for obvious reasons in the notes sections, replacing them with the appropriate title, but needless to say they are mentioned in there in the log.
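An added triage script for the Tcpip\Parameters\Interfaces\{GUID} entries listed above; it is not from this thread or from Sophos. It reads the flagged Dhcp* values through the normal registry API and compares each with the same adapter's live lease from WMI (Win32_NetworkAdapterConfiguration, matched on SettingID): values that match the lease are ordinary DHCP-client state, while a mismatch, or Dhcp* values on an adapter with DHCP disabled, is the case worth running a second detector over. The GUID default is the one from the report; the status wording is my own.

```powershell
# Added triage script (not from this thread). Reads the flagged Dhcp* values through the
# normal registry API and compares them with the adapter's live DHCP lease from WMI.
# CurrentControlSet is the active control set (ControlSet001 in the report above).
param(
    [string]$InterfaceGuid = '{F09EB37A-8236-45D2-9BF1-E86B9D49047D}'  # GUID from the report
)

$ifKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$InterfaceGuid"
if (-not (Test-Path $ifKey)) { throw "No Tcpip interface key for $InterfaceGuid" }

# Normalise REG_SZ "a.b.c.d e.f.g.h", REG_MULTI_SZ string[] or WMI string[] to a sorted IPv4 list
function ConvertTo-AddressList([object]$Value) {
    @($Value) | ForEach-Object { "$_" -split '[\s,]+' } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Sort-Object -Unique
}

# Registry view: what the API reports for the key the scanner called "hidden"
$reg = Get-ItemProperty -Path $ifKey
$regView = [ordered]@{
    DhcpIPAddress      = ConvertTo-AddressList $reg.DhcpIPAddress
    DhcpSubnetMask     = ConvertTo-AddressList $reg.DhcpSubnetMask
    DhcpDefaultGateway = ConvertTo-AddressList $reg.DhcpDefaultGateway
    DhcpNameServer     = ConvertTo-AddressList $reg.DhcpNameServer
}

# Live view: the adapter's current configuration; SettingID carries the same interface GUID
$nic = Get-CimInstance Win32_NetworkAdapterConfiguration |
       Where-Object { $_.SettingID -eq $InterfaceGuid }
if (-not $nic) { throw "No Win32_NetworkAdapterConfiguration with SettingID $InterfaceGuid" }
$liveView = [ordered]@{
    DhcpIPAddress      = ConvertTo-AddressList $nic.IPAddress          # IPv6 entries filtered out
    DhcpSubnetMask     = ConvertTo-AddressList $nic.IPSubnet           # IPv6 prefix lengths filtered out
    DhcpDefaultGateway = ConvertTo-AddressList $nic.DefaultIPGateway
    DhcpNameServer     = ConvertTo-AddressList $nic.DNSServerSearchOrder
}

"Adapter: $($nic.Description)  DHCPEnabled: $($nic.DHCPEnabled)  DHCP server: $($nic.DHCPServer)"
foreach ($name in $regView.Keys) {
    $r = @($regView[$name]) -join ' '
    $l = @($liveView[$name]) -join ' '
    $status = if (-not $r)                   { 'absent in registry' }
              elseif (-not $nic.DHCPEnabled) { 'check: Dhcp* value present but DHCP disabled' }
              elseif ($r -eq $l)             { 'matches live lease (ordinary DHCP-client state)' }
              else                           { 'check: differs from live lease' }
    [pscustomobject]@{ Value = $name; Registry = $r; Live = $l; Status = $status }
}
```

Run it from an elevated PowerShell on the machine that produced the report; the first two entries in the log live under the adapter's own service key rather than Tcpip\Parameters\Interfaces and are outside what this script checks.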
     
  2. theflamingbush

    theflamingbush Registered Member

    Joined:
    Sep 17, 2006
    Posts:
    25
    Am I being a munter?... Why hasn't anyone answered?... Is it my ignorance? :-/
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    100% no rootkit!


    StevieO
     
  4. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    That's no rootkit.
    I always advise checking the results with a second rootkit detector like IceSword.
     
  5. theflamingbush

    theflamingbush Registered Member

    Joined:
    Sep 17, 2006
    Posts:
    25
    Thanks guys!... Wanted to check! And I concur with you Tommy, I always double check, hence the comparison test with the F-Secure BlackLight.

    I have to assume it was a false positive, and that it was worth mentioning on here for anyone else who might have had the same problem and been tempted to dive into a catastrophic intervention.

    Quick question: do you find IceSword more comprehensive than the Sophos or BlackLight?... I have to say so far I've been very impressed with the F-Secure.
     
  6. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Let's say it this way.
    In the opinion of the so-called experts BlackLight and IceSword are the best and very difficult for rootkits to bypass. IceSword is an advanced tool and very sophisticated. I use both and they never failed me, but I never had rootkits on my machines. Lucky me :D
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi Tommy, what so-called experts would these be, out of interest?

    There are various rootkit detectors that are now available, including Blacklight and IceSword, some much better than others at different things for various reasons. It might surprise some people to find out that most of them are actually not difficult to bypass.

    One that's not so widely known is RKU that is being constantly worked on, refined and updated. So far it's proven to be the most resistant to bypass on real world rootkits and also test rootkits. A brand new version is expected very soon with even more features and capabilities.

    Please take a look in this thread for more details and info: http://forum.sysinternals.com/forum_posts.asp?TID=7003&PN=1 Also on that site you will find other hopefully useful info as well.


    StevieO
     
  8. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Regarding the 'so-called experts', I just wanted to make fire in this thread :)

    I tested Rootkit Unhooker a while ago; it crashed my system, and also the latest reviews on the CastleCops board regarding the actual build are not quite good.

    Edit:
    Just tested RKU 2.0.22. Seems to run stable; I will keep an eye on that one.
     
    Last edited: Sep 25, 2006