Suspicious driver files

Discussion in 'malware problems & news' started by bluekey23, May 31, 2004.

Thread Status:
Not open for further replies.
  1. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Hello,
    I tried to post to Spy's thread on rootkits in another forum, but evidently forgot to hit "submit." Hoping this post is in the right forum now.
    At any rate, I've become interested in rootkits and have installed TaskInfo2003. It's an excellent program. At
    http://scheinsicherheit.funpic.de/rootkits.htm
    you can see the GUI and where to look to see if you have any rootkits in the driver folder. On my machine I found 3 suspicious files:
    BANTExt.sys (96 bytes)
    dump_atapi.sys (0 bytes)
    dump_WMILIB.sys (0 bytes)
    Out of all the many driver files shown by TaskInfo, these are the only ones which have no version and no description listed (the only exception is Proc Guard, which is of course trusted). They are also the only 0-byte files (again, with the exception of Proc Guard). So, I'm not sure about this. Are these files okay, or are they possible rootkits?
    Can anyone shed some light on this?
    By the way, check out rootkit.com to get an idea how insidious rootkits are!
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Those files cannot possibly be rootkit drivers; the smallest possible rootkit driver file would be around 3k (if it hooks very little).

    Keep in mind a rootkit driver could quite easily be called the following, with this file info and description:

    msidedrv.sys | Microsoft Corporation 2003 | IDE Disk driver
     
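    A scripted version of the triage the first post did by eye in TaskInfo, as an added example (not from the thread or from any tool it names): it lists the drivers folder, flags zero-byte entries and missing version info, and adds an Authenticode check because, as Gavin notes, the company and description fields can say anything. Assumes a current Windows with PowerShell 5.1 or later; the path, flag names and the 3 KB floor taken from Gavin's post are this example's own choices.

```powershell
# Added example: triage %SystemRoot%\System32\drivers the way TaskInfo displays it,
# but scripted and with a signature check the displayed metadata cannot give you.
# Assumes PowerShell 5.1+ on a current Windows (Get-AuthenticodeSignature also
# resolves catalog-signed Microsoft drivers there).
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
    $vi  = $_.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    $flags = @()
    # A 0-byte or tiny file cannot be a loadable driver (the thread puts the floor for a
    # minimal hooking driver at roughly 3 KB); such entries are placeholders, not code.
    if ($_.Length -eq 0)       { $flags += 'zero-byte' }
    elseif ($_.Length -lt 3KB) { $flags += 'too-small-for-a-driver' }
    # Missing version/description is worth a look, but its presence proves nothing:
    # a malicious driver can carry any company name and description it likes.
    if (-not $vi.FileVersion -and -not $vi.FileDescription) { $flags += 'no-version-info' }
    # The Authenticode result is what the spoofable metadata is not: a signature that
    # verifies ties the binary to a publisher's key. A third-party signer is expected for
    # legitimate non-Microsoft drivers (e.g. a security product's own driver); it is listed
    # for review, not as a verdict.
    if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $flags += 'third-party-signer' }

    [pscustomobject]@{
        Name        = $_.Name
        Bytes       = $_.Length
        Company     = $vi.CompanyName
        Description = $vi.FileDescription
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Flags       = ($flags -join ',')
    }
}

# Flagged entries first; an unflagged, validly signed driver is low priority for manual review.
$report | Sort-Object { $_.Flags -eq '' }, Name | Format-Table -AutoSize
```

    Run from an elevated prompt so every driver file is readable; a zero-byte entry that the script flags is simply not executable code, while a validly signed file still deserves a look if its signer is unexpected for this machine.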
  3. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Gavin,
    Thanks very much. This now raises the obvious question: just how do you detect rootkits? I have full versions of TDS-3 and Proc Guard installed, and run a TDS full system scan usually every day (with all boxes ticked). But after browsing a few rootkit/vuln sites, I've come to realise just how malicious these rootkits are. I found something called rootkit hunter, but it doesn't seem to be supported on XP. I am also trying RegdatXP and followed the suggestion of another poster here a few days ago on how to use it. It didn't find anything. Nothing to worry about? Any suggestions?
    Thanks.
     
  4. controler

    controler Guest

    Hi bluekey23

    Have you tried Vice yet? Located on the same rootkit website.
    Curious to see what it turns up on your machine. I also posted in Spy1's other thread but none responded. And here I thought I was getting on the latest bandwagon, rootkits LOL
    Surely if all rootkits do is HOOK, there must be software out there that watches all hooks for whatever reason. Maybe even some antikeylogging programs will do some of it. I know of one that is based on the same principles as hackers use in their keylogging programs. Me thinks that any monitoring software would have to be kernel mode and not user?

    ;) ;)
     
  5. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Controler,
    Thanks. I just got Vice and will try it. And yes, I'm a little surprised that this topic hasn't generated much interest here (yet, anyway). I'm not a hacker, but rather always trying to learn new things about how to protect my machine.
     