System Virginity Verifier

Discussion in 'other anti-trojan software' started by devil's advocate, Oct 11, 2005.

Thread Status:
Not open for further replies.
  1. big grin

    big grin Guest

    I wish I had this program before I started dating my current girlfriend. ;)
     
  2. yes. drop to command line. then it's obvious.
     
  3. controler

    controler Guest

    In case some don't know much about the command line, here is a simple way to run it.

    If you saved the folder to desktop and are lazy about typing like me, right click on it and rename it SVV.

    Then go to assessories, command prompt., open the DOS window.

    Type cd desktop\svv

    type svv

    you will then get a list of switches such as /a ect.

    type svv check or type svv check /and a switch such as a.

    use a space after svv and before the switch, such as

    svv(space)check(space)/a

    I think you can make an autoexec.bat file to run it at boot. Not sure I have not tried it yet.

    If you are running a program such as deep freeze, shadowuser, or windows shared tookkit, You may see errors.

    In my case I can only run svv one time, then need to reboot to run it again.

    controler
     
  4. Thanks Controller for these instructions. Many people here started using computers after the windows er, so they are not comfortable with using the command line.
     
  5. controler

    controler Guest

    yes and I am happy at times to go back to the DOS prompt and look around.
    It is like another world I am in.

    You can still go to DOS and type Help to see all the commands.
    Even tree still works. I sure remember the days of XTREE though LOL

    Then if you hit the up arrow key, you don't have to retype the commands.
    If you keep hitting the up arrow, you view all the commands you were typing.

    I think that is because DOSKEY loads with windows these days.

    I wonder if FC would work on registry entries?

    controler
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Controller

    I suspected thats one had to do. 1st time I tried it didn't work, so I asked. Thanks for posting good info. I Finally got it to run, but frankly I don't believe the results.

    It says all my system DLL's are infected to a 5 level.

    So my choice is do I believe this unknown proof of concept code or do I believe, the fact all the other software I run has never found anything, the F-Secure Rootkit detector says I am clean, I have monitored my systems port traffic via Port Explorer for up to an 8 hour period with no strange traffic, and no suspicious system behavior that might indicate infection.

    I suspect what is happening is several programs I use to have kernel level drivers and that is messing up the results.

    Pete
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi controler,

    Sorry for not getting back to you sooner. The SSDT view showed nothing unusual, but, today, I looked more closely at the Kernel Module view and saw a module with the following path: \??\C:\DOCUME~1\*****\LOCALS~1\Temp\mc22.tmp. The SVV output I posted above included something similar: mc211.tmp (f8c5a000 - f8c5b000)... Image file not found!. The mc2*.tmp naming convention is well known to be related to madshi's madCodeHook DLL injection.

    This was confirmed by installing/running RegDefend, which alerted to the following at startup:

    11:39:33 | Create Key | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | | swdoctor.exe
    c:\program files\spyware doctor\swdoctor.exe
    "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    HKLM\System\Controlset001\Services\Mchinjdrv

    11:39:38 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | start | swdoctor.exe
    c:\program files\spyware doctor\swdoctor.exe
    "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    start
    [REG_DWORD] 4 (0x00000004)

    11:39:43 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | imagepath | swdoctor.exe
    c:\program files\spyware doctor\swdoctor.exe
    "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    HKLM\System\Controlset001\Services\Mchinjdrv
    imagepath
    [REG_SZ] \??\C:\DOCUME~1\*****\LOCALS~1\Temp\mc22.tmp


    Note that it is Spyware Doctor (swdoctor.exe) installing the driver. After removing Spyware Doctor, SVV's output looked like this:

    C:\svv>svv check /a
    ntoskrnl.exe (804d7000 - 806eb780)...
    Null.SYS (f8bff000 - f8c00000)... error code = 0x490
    mnmdd.SYS (f8a1e000 - f8a20000)... error code = 0x490
    RDPCDD.sys (f8a20000 - f8a22000)... error code = 0x490
    dump_atapi.sys (f288c000 - f28a4000)... Image file not found!
    dump_WMILIB.SYS (f8a22000 - f8a24000)... Image file not found!

    SYSTEM INFECTION LEVEL: 2
    0 - BLUE
    1 - GREEN
    --> 2 - YELLOW
    3 - ORANGE
    4 - RED
    5 - DEEPRED
    Nothing suspected was detected.


    I suppose you could call this a false positive similar to what Pete is seeing (given that, I have read, Online Armor uses madshi's tools as well). What troubles me is that I no longer see any McAfee errors (such as Viruscan being occasionally disabled) after uninstalling Spyware Doctor.

    Nick
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Pete,

    It might be unknown now, but I suspect it may eventually become more mainstream. If you monitor the registry (in my case, with RegDefend), you will catch SVV creating (and later deleting) a temporary service. Note the Arcabit in the service name...

    21:38:32 | Create Key | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | | services.exe
    HKLM\System\Controlset001\Services\Arcabitsvv

    21:38:32 | Set Value | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | imagepath | services.exe
    HKLM\System\Controlset001\Services\Arcabitsvv
    imagepath
    [REG_EXPAND_SZ] \??\C:\svv\svv.sys

    21:38:32 | Delete Key | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | | services.exe
    HKLM\System\Controlset001\Services\Arcabitsvv


    Nick
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Nick

    Clearly it will be worth watching. I guess what I was saying is at this point, I wouldn't react to the current results. It clearly could startle someone.


    Pete
     
  10. controler

    controler Guest

    I get the same results with KIS on my test box.

    SVV

    Process is trying to modify value ImagePath in controlled registry key.
    or
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ArcaBitSVV



    \??\C:\Documents and Settings\controler\Desktop\svv\svv.sys


    Attempt of process C:\WINDOWS\system32\services.exe (PID: 584) to perform suspicios actions was denied. 10/15/2005 10:38:06 PM
     
  11. StevieO

    StevieO Guest

    System Virginity Verifier SVV 1.1 released

    2005-11-05 SVV 1.1 released: fixed some minor bugs and false positives.

    System Virginity Verifier

    The idea behind SVV is to check important Windows System components, which are usually altered by various stealth malware, in order to ensure system integrity and to discovery potential system compromise.

    SVV 1.0 implements only code virginity verification which is the first step in SVV implementation and its task is to ensure the integrity of the code sections of in-memory mapped kernel and usermode modules (that is kernel drivers and usermode DLLs).

    See the presentation for more details.

    changelog

    1.1a [05/11/2005]
    - "Important modules not found" is now *really* _warn() ;)

    1.1 [01/11/2005]
    - kernel module: MmUnlockPages() wasn't called sometimes
    - fixed off-by-one in call to relocBuffer() (it sometimes caused heap corrpution)
    - fixed unloadDriver() to not crash when called when SVV is unitialized
    - "Important modules not found" is now _warn() instead of _error()
    - also fixed problem with "ntoskrnl.exe not found" displayed on some systems
    - isJMPingCode(): added CALL decoding
    - do not use heuristics for locating original SDT when current SDT inside .text section of ntosktnl
    - report functionality enabled in public version :)

    Freeware

    http://invisiblethings.org/tools.html#svv


    StevieO
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Re: System Virginity Verifier SVV 1.1 released

    How do you actually get it to run.Click on the exe just flashes up a dos box for a nano then nothing.Same as the older version.
     
  13. smf

    smf Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    31
    Re: System Virginity Verifier SVV 1.1 released

    It's a commandline tool. It doesn't have a GUI interface. Open up a command windows and change to the directory where you extracted the program. Type svv and press return. You will get the syntax to run the program. To get started try typeing without the quotes "svv check"
     
  14. controler

    controler Guest

    Re: System Virginity Verifier SVV 1.1 released

    In case some don't know much about the command line, here is a simple way to run it.

    If you saved the folder to desktop and are lazy about typing like me, right click on it and rename it SVV.

    Then go to assessories, command prompt., open the DOS window.

    Type cd desktop\svv

    type svv

    you will then get a list of switches such as /a ect.

    type svv check or type svv check /and a switch such as a.

    use a space after svv and before the switch, such as

    svv(space)check(space)/a
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Re: System Virginity Verifier SVV 1.1 released

    OK,thanks fellas,will give it a go.
     
  16. geecantroler

    geecantroler Guest

    Re: System Virginity Verifier SVV 1.1 released

    Is this another proof of concept?


    Or is it going somewhere?
     
  17. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Not convinced. 5 Deepred's on a new pc with Sygate, BOClean and KAV5 + NOD32(on-demand). Plus disabled UPnP, DCOM and Messenger before even connecting to the net. I've only gone to a handful of websites, all totally legit. Here, BBR, BBC.co.uk, Play.com and amazon.co.uk
    So the chances i could pick up a rootkit is as pretty close to zero as you can get. So do i believe what it tells me and i delete Kernel.dll and ntoskrnl.exe Do you think my pc will be cured? Broke, but not cured i'm sure.

    Because i'm slightly paranoid, curiosity got the better of me and i ran Rootkit Revealer and it says i'm clean. I've been trying Unhackme a couple of days also and that says i'm clean too.

    No, i'm definitely not convinced by SVV. But it's a new app and i'm positive they are FP's. Still i'll keep an eye on this app and maybe try it again sometime.

    muf
     
  18. controler

    controler Guest

    muf ? have you shut down all your other security apps before running SVV?

    Then you can try the new hookanlz.exe posted else where in this forum to see what is hooking the kernel.

    Like the man says, kernel hooking has to be still done by some security software

    controler
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,839
    Hello,
    That does not justify the code 5 flag.
    I tried the same on a fresh machine I installed and configured myself and got the same deepred warning. I do not approve. This means valid and legal hooks are misinterpreted as malware. Not good. Besides, I don't want to kill every secuirrty apps I have and run only 14.33 processes to make sure the tool works properly. There are about a trillion security configurations. And each one will give a different result then? The tool has to be universal. Run on all platforms regardless of what is installed.
    Or perhaps in safe mode?
    Mrk
     
  20. controler

    controler Guest

    Mrkvonic

    I only gave that advice so that you can see what else is hooking. Your regular windows config won't show deep red ever. Only if you have other kernel touching things installed.
    You are correct SVV is not for the home user and may never be. She may leave it as just another proof of concept. She may sell it. you just never know.
    Why wouldn't you dare run SVV with your other security stuff dissabled? If unhook your internet cable, you can't get hurt, unless you don't trust the app (SVV). I have asked Johanna what her plans for SVV where but never did get a complete answer and that is her buisness anyways. :D
    If she does post at Wilders, it is anon. Like DA mentioned, she posts at the rootykit site but might think she is too good for Wilders.

    Mrkvonic ? Do you like to test alot of software or did you fear you have a rootkit?


    controler
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,839
    Hi,
    First, I'm not afraid of getting infected.
    I did not disable the security software on purpose. I wanted to see how this program fares with a standard windows installation plus anti-virus, some anti-spyware, firewall etc. My findings are not good. I have discovered that your average home computer returns a deepred code without anything being compromised on it.
    Imagine someone with less confidence using this tool - BOOM, deepred. He's already running 14 security programs. And yet, this little tool indicates he's rooted deeply deeply. So he formats. Installs again. Tries it, BOOM, deepred. A diagnostics tool should never give a warning like that in normal circumstances. And I mean normal, because I think 90% + of all users run anti-virus and firewall.
    Therefore, a security tool should be able to give 0 false positives when running in usual environment or it should be run in a special environment. Special requires very precise definitions - like safe mode for example. It should never be up to a user to disable his firewall, anti-virus, system restore, registry, whatever ... to be able to get trustworthy results. What if you forget some process or application? What if? What if?
    Take an average anti-spyware for instance. Spybot. You don't need to shut off any process or anything before running it. Now, the comparison is not fair, I know. Therefore, then the SVV should not be more than an information tool. Not a diagnostics, and certainly not a repair tool.
    Did you read the svv presentation? It says, if you got code 5 = infected! Not true.
    Diagnostics and repair demand far more accuracy than just objective information.
    And therefore, the tool should be run with very specific instructions or none at all, but with true results in both circumstances.
    This tool is not for home users at all. If you don't know how kernel works, you shouldn't meddle with it. If you DO, you don't need svv ...
    One more thing: People trust dry artificial intelligence results from their scanner bots too seriously. They get a flag they are infected and they start to panic. Not the right course of action.
    People who are not sure if they are infected or not do not use their computers properly. If you're not sure, no scanner is good for you.
    I had false positives with several programs in recent months and years. I never erased the keys and values and files the scanners found. Why? Because I know that what they found are not infections. Even without looking at the actual keys and files. And true, when I sent these finding to the respective companies, they proved false positives.
    Getting your computer infected requires an effort. A deliberate effort.
    I wanted to test svv on a clean machine to reduce any slightest doubt as to the cleanness (virginity) of the test machine. I'm not saying the tool is not good. On the contrary. But not for average users. It's too dangerous for average users.
    And finally, I like to test software, some if it, anyway. The interesting ones.
    And I did not fear rootkit. Not sony or anything else. Not that I would ever buy the Bolshevik-branded DRM music.
    I repeat: computers are dumb machines. No matter what happens you can always format. Or replace hard disk. Nothing you cannot live without. Just dumb sweet machines.
    Mrk
     
  22. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Well i retried it with all my security apps shut down and the deepred's went from 5 to 1. So i zipped up the Kernel32.dll file that it was reporting and sent it to Kevin McAleavey(BOClean) because i value his opinion and diagnostic. He says it's (in his words) "peachy". So it apears not to be rootkitted.

    As i said earlier. One app to look out for but in it's current incarnation it could get people to hose their systems believing in what it says. Worrying.

    muf
     
  23. Yes, any scanner that ever produces a false positive is not recommended for newbies. Or anyone else for that matter.

    This list includes spybot,adaware,cwshredder all antiviruses etc etc.
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,839
    Hi,
    You really ARE the devil's advocate!
    BTW, are you Pachino or Reeeves?
    Apropos false positives, I never had one with spybot, anti-virii or adaware, yes I did with cwshredder. However, still, removing those fps would be a game compared to removing your kernel dlls.
    Mrk
     
  25. controler

    controler Guest


    Do any of these apps find rootkits? There is a big difference.


    controler
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.