Unhackme

Discussion in 'other anti-trojan software' started by Starrob, Dec 21, 2004.

Thread Status:
Not open for further replies.
  1. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    32
    Unhackme. How it works?

    It is not a magic.
    UnHackMe uses the fact that the program wants to be fully invisible.
    HackerDefender installs the service and driver.
    But the service and driver registry keys are listed in the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
    Anyone can delete these keys and restart the computer.
    It's simple.
    HackerDefender hides these keys from reading using regedit or similar programs.
    If we make the backup copy of the system registry hive and load a hive to regedit we also see nothing.
    But we know that the keys already in the file.
    It's very easy to get search the binary file if we know what we want to find.
    But the names of the keys are unknown.
    Our remedy:
    1) We get the list of the visible keys from current registry.
    2) We get the list of all keys from registry file.
    UnHackMe saves the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
    as the hive file in binary format.
    UnHackMe reads the registry binary file and gets teh list of all keys.
    It compares two lists and displays the invisible keys.
    It's almost that we need.
    In addition UnHackMe allows you to get the full information from teh hidden registry keys.
    It reads this information from binary file.
    ImagePath value displays the path to the driver/service execution file.
    UnHackMe can stop teh service and delete the hidden keys from registry.

    UnHackMe has the simple interface for end users.
    I think the price is not large for this work.
    It costs $15 USD for RegRun's users.

    Best wishes,
    Dmitry
     
  2. SokolovDmitry

    SokolovDmitry Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    32
    Regarding FU...

    Hi,

    > "The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!)."

    I can say that the FU hides the processes. It's true.
    When I tried to hide a driver it gets the blue screen.
    Is the FU invisible?
    NO.
    It's driver msdirectx.sys you can easily find in the registry.
    You can delete its registry record and delete the file of the driver.
    My program RegRun Security Suite warns me immediatelly when the driver was loaded.
    It doesn't have a way to auto start with Windows.
    You need to launch FU.EXE to run.
    For removal you should simply reboot your computer.
    It's the rootkit but it's not invisible and it can be detected using standard tools.
    UnHackMe was made to detect invisible Trojans.
    For example, HackerDefender can live onto your computer fully hiddenly and fully automatically.
    Regarding to the custom versions of FU Trojans:
    it doesn't resolve really the problem how to hide this Trojan.
    Anyone can change driver name, change its code to aboid be found using stamp scanners. But it will be found by analyzing the startup and be removed soon.
    I think, that HackerDefender is the higher step of invisibility.
    I will not be surprised if this code is already used on the users computers.
    UnHackMe is the simple tool to get rid of such Trojans.

    Merry Christmas,
    Dmitry
     
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: Regarding FU...

    Thank you for your answer. MERRY CHRISTMAS!!!



    Starrob


     
  4. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Well guys what do you think? I am not concerned about the money. But do I need it? I have PG but I could mess up and allow something that I shouldn't. What worries me is that my wife may allow anything. What do you all think as far as the need?
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Guest Sum1's post removed as it was an off topic pun.



    snowbound
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    Rats! I loooove puns. Couldn't you at least move that sucker over to TenForward, instead of deleting it? :cool:

    Question- Does unhackme have to run full-time in the background? Or would it be effective if I just cranked it up whenever I'm getting ready to install a new piece of software?
     
  7. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    I didn't get to see the pun either. I was just wanting to get some opinions and discussion on Unhackme.
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Unhackme does not run in the background. It just performs a quick scan searching for rootkits. The scan is very quick....maybe less than 10 seconds.

    How effective it is in actually finding rootkits, I dont know since no one has run any independent tests with different types of rootkits.

    Greatis Software, however, has built a excellent reputation with Regrun, so one can make a assumption that Unhackme would also be a decent tool.


    Starrob


     
  9. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,
    and a happy new year to everyone.

    I must admit that from the website I got a wrong impression of UnHackMe - It says Rootkits hide by encrypting their files, and I thought, well, the point in rootkitting is messing with the OS's methods of providing system info (API hooking either in user or kernel level). So I thought it to be a gimmick, maybe taking advantage of a weakness of a particular rootkit, but of not much generic power.
    This thread has convinced me otherwise - and I would suggest changing the info on the webpage to better reflect how UnhackMe actually operates.
    I will definitely check it out soon.

    The trick is to compare the result of the usual OS's methods of providing system info with not-so-usual methods of getting the same piece of information. If the information is not identical in both cases, chances are there is something bad going on. I suppose most rootkits start themselves by using registry keys, so if the scan is covering all the relevant areas, it should be fine - and quick.
    As far as "relevant areas" are concerned, I suppose that RegRun has yielded some very good experience in what can be used. But may I humbly suggest to Dmitry to also have a look at the Registry Monitors comparison thread, where even more keys are mentioned.
    That leaves the bypass possibility - the rootkit could mess with binary file access as well and show a fake version of the file to UnhackMe. But in order to do that, it would need to know how exactly UnhackMe tries to access the files, something that Dmitry does good not to mention.

    Still, are there plans to add other such comparisons (like different methods of getting the lists of running processes or of installed/running services)...?

    Andreas
    (a happy RegRun (now Pro) user from the old 2.xy days.)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.