Unknown SSDT hooks

Discussion in 'other anti-malware software' started by aigle, Oct 19, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can anyone help me to sort out these unknown SSDT hooks? I never noticed them before. They are shown by both IceSword and RKU.

    A rootkit scan by Antivir is clean.

    Thanks

  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: Unknown SSDT hooks

    Hi Aigle

    Have you been playing with my samples yet....

    A full RKU log + list of installed security software might shed some more light on these entries :)
     
    Last edited: Oct 19, 2007
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, thanks for the quick response.
    Using XP SP2 with Antivir (on-demand), EQSecure, NeoavaGuard and GesWall. I also use ShadowSurfer for testing. Also I install and uninstall many security applications frequently, so their remnants can still be there (poor uninstallers).

    RKU report is attached.

  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    OK, I'm going out on a whim here, but I take it you have uninstalled SSM?

    Download a copy of Autoruns : http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx

    Run a scan but press ESC to stop it.

    Click Options.

    Check both "Verify code signatures" and "Hide signed Microsoft entries". This will make the list a lot shorter.

    Now press F5 to rerun the scan with the new settings.

    Click File, Save As and save the log to your desktop.

    Open it, copy all and paste it into your next post.

    * If your firewall requests an outbound connection for Autoruns, grant it permission, as it is phoning home to the central database to verify the signatures of files.

    Post the file generated and we can verify whether it is SSM still loading its driver that is causing the unknown value.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, not only SSM but many more. Have a look at hidden devices.
    Autoruns report is attached, but for some reason it never tried for outbound although I scanned multiple times. Isn't it unexpected?

  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Slaps hand... it wasn't the SSM driver but the Avira SS driver, D'oh!

    There is a high probability it is one of your HIPS softwares hooking those SSDT entries. There is no suspicious data being returned elsewhere :thumb:

    FWIW, if you're really into testing I would suggest totally flattening your current install and starting afresh since, as you know, there will be many remnants of old installs present etc.

    All the best.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. I was just concerned that if something slipped past ShadowSurfer then it would have proved unreliable for any further testing.

    I agree with you that it's time to load a fresh image. I usually install and reinstall software and when I feel there are enough leftovers/remnants on the system, I reload a clean ATI image.

    Thanks again.
     
  8. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    I could have told you that. :)

    A question, since we have a world class malware hunter and analyst here..

    How can you tell if it's Avira and not something else? I suppose you could uninstall Avira and see if it disappears, but is there any more elegant method?
     
    Last edited by a moderator: Oct 20, 2007
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    But you didn't need to :-*

    Thanks for the compliment but you're overplaying the sarcasm part :cautious:

    Here's a pointer (if you have Avira installed): try backing up the file and removing it from the drivers folder. Does the Avira RK scan work now? (Read OP's first post).

    FWIW you are correct in theory; any file could be patched/replaced etc., but then again there would be more support data retrieved to illuminate suspicious activity on the system if it was malicious code.

    HTH:)
     
  10. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Of course not, you are a world class malware analyst and malware hunter.

    What? I was perfectly sincere at the time..

    You are too subtle for me. Spell it out.

    BTW I'm looking for a more general answer, than one that works for a given product. Let me spell it out again.

    You run rootkit unhooker, icesword or whatever and you see SSDT hooks. The module name is not set. How do you determine if it is due to one of your security programs or it is really something else far worse?

    Heck if you were paranoid you could even not trust what is stated in the module name.... But okay, let's say we trust that....

    What are you talking about? I wasn't even thinking about that.
     
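One way to work through the question above in code, as an added example that is not from this thread or from any of the tools named in it: take an SSDT dump and a loaded-module list (both constructed here in a simplified format, not real RKU or IceSword output), attribute each hook address to the module whose address range contains it, and flag hooks that fall outside every listed module. Module and driver names are placeholders, not real drivers.

```python
import re
from dataclasses import dataclass

# Constructed sample SSDT dump (simplified, not real tool output):
# service name, original address -> current address.
SSDT_DUMP = """\
NtCreateFile         0x8056D4A8 -> 0xF7A1C2B0
NtOpenProcess        0x805C8F4E -> 0xF79B2110
NtWriteVirtualMemory 0x80578EC6 -> 0xF7C00120
NtTerminateProcess   0x805830C6 -> 0x805830C6
"""

# Constructed loaded-module list (name, base, size); placeholder driver names.
LOADED_MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F8580),
    ("hips_guard.sys", 0xF7A1A000, 0x6000),
    ("av_rtshield.sys", 0xF79B0000, 0x4000),
]

# Drivers we know belong to security software we installed (constructed).
KNOWN_SECURITY_DRIVERS = {"hips_guard.sys"}

LINE_RE = re.compile(r"^(\w+)\s+0x([0-9A-Fa-f]+)\s*->\s*0x([0-9A-Fa-f]+)$")

@dataclass
class Hook:
    service: str
    original: int
    current: int

def parse_ssdt(text):
    """Parse the simplified dump into Hook records, skipping malformed lines."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hooks.append(Hook(m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return hooks

def module_for(address, modules):
    """Return the module whose [base, base+size) range contains address, else None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None

def classify(hooks, modules, known):
    """Give each hooked service a verdict: expected, needs review, or unknown owner."""
    verdicts = {}
    for h in hooks:
        if h.current == h.original:
            continue  # entry still points at its original handler: not hooked
        owner = module_for(h.current, modules)
        if owner is None:
            verdicts[h.service] = "unknown: outside every loaded module (possible hidden driver)"
        elif owner in known:
            verdicts[h.service] = f"expected: {owner}"
        else:
            verdicts[h.service] = f"review: {owner} is not a known security driver"
    return verdicts
```

A hook whose target lies outside every enumerated module is the case the tools label "unknown"; the next step is to enumerate modules by a second method (as Autoruns' hidden-device view does) and see whether a driver appears that the first list missed.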
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW I loaded a fresh image today and found only one unknown hook. When I started a shadow mode in ShadowUser I found multiple unknown hooks (maybe 5 to 6) that were obviously from ShadowSurfer.
     