Unknown SSDT hooks

Can anyone help me to sort out these unknow SSDT hooks? I never noticed them before. They are shown by both IceSword and RKU.

A rootkit scan by Antivir is clean.

Thanks

 

Re: Unknow SSDT hooks

Hi Aigle

Have you been playing with my samples yet....

A full RKU log+ list of installed security software might wield some more light on these entries

 

Re: Unknow SSDT hooks

Hi thanks for the quick response.

Using XP SP2 with Antivir( on-demand), EQSecure, NeoavaGuard and GesWall. I also use ShadowSurfer for testing. Also I install and unistall many security application frequently, so their remanats can stiil be there( poor uninstallers).

RKU report is attached.

 

Re: Unknow SSDT hooks

Ok i'm going out on a whim here but i take it you have uninstalled SSM ?

Download a copy of Autoruns : http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

Run a scan but press ESC to stop it .

Click options .

Check both "verify code signatures" and "hide signed microsoft entries" . This will make the list a lot shorter .

Now press F5 to rerun the scan with the new settings .

Click file , save as and save the log to your desktop .

Open it , copy all and paste it into your next post .

* if your firewall requests outbound connection for Autoruns(grant it permission) as it is phoning home to the central databse to verify signatures of files.

Post the file generated and we can verify whether it is SSM still loading its driver that is causing the unknown value.

 

Re: Unknow SSDT hooks

Yes, not only SSM but many more. Have a look on hidden devices.
Autoruns report is attached but for some reasons it never tried for outbound although I scanned multiple times. Isn,t it unexpected?

 

Re: Unknow SSDT hooks

Slaps hand...it was'nt SSM driver but Avira SS driver,D'oh!

There is a high probability it is one of your HIBS softwares hooking thoes SSDT entries.There is no supicious data being returned elsewhere

FWIW if your really into testing i would suggest totally flattening your current install and starting afresh since as you know there will be many remnents of old installs present etc

All the best.

 

Re: Unknow SSDT hooks

Thanks. I was just concerned if something slipped passed ShadowSurfer then it would have proved unreliable for any further testing.

I agree with you that it,s time to load a fresh image. I ususally install and reinstall software and when I feel there are enough left overs/ remnanats on the system, I reload a clean ATI image.

Thanks again.

 

Re: Unknow SSDT hooks

I could have told you that.

A question, since we have a world class malware hunter and analysist here..

How can you tell if it's Avira and not something else? I suppose you could uninstall Avira and see if it disappears, but any more elegent method?

 

Re: Unknow SSDT hooks

But you did'nt need too

Thanks for the compliment but your overplaying the sarcasm part

Here's a pointer(if you have Avira installed) try backing up the file and removing it from drivers folder.Dose Avira RK scan work now ?(Read OP's first post).

FWIW You are correct in theories any file could be patched/replaced etc but then again there would be more support data retrieved to illuminate suspicious activity on the system if it was malicious code.

HTH

 

Re: Unknow SSDT hooks

Of course not, you are are a world class malware analyst and malware hunter.

What? I was perfectly sincere at the time..

You are too subtle for me. Spell it out.

BTW I'm looking for a more general answer, than one that works for a given product. Let me spell it out again.

You run rootkit unhooker, icesword or whatever and you see SSDT hooks. The module name is not set. How do you determine if it is due to one of your security programs or it is really something else far worse?

Heck if you were paranoid you could even not trust what is stated in the module name.... But okay, let's say we trust that....

What are you talking about? I wasn't even thinking about that.

 

Re: Unknow SSDT hooks

BTW I loaded a fresh image today and found only one unknown hook. When I started a shoadow mode in Shadow User I found multiple unknown hooks9 may be 5 to 6) that were obviously from ShadowSurfer.