  StuartMW Who Is John Galt? Premium join:2000-08-06 Austin, TX
1 edit | RootkitRevealer 1.0 by Sysinternals
The guys at Sysinternals released a free Rootkit scanner today called RootkitRevealer .
Edit: BTW they have a lot of other useful free utilities (e.g. Process Explorer, RegMon, FileMon). I recommend that you check them out. -- Don't feed trolls--it only makes them grow! |
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
1 edit | Nice one! Thanks
lest we forget "... Can a Rootkit hide from RootkitRevealer? It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen to date in rootkits. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit and do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer. ..."
Cudni |
 Tablet Premium join:2003-01-15 Czech
| reply to StuartMW Thanks for the info, nice find!
There's a little problem with KAV 5.0 installed, because this rootkit revealer shows every single file as "Hidden from Windows API" because of the alternate data streams stored by KAV. Thus, with KAV installed, the scan results are rather misleading. |
  pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs:  1 edit | reply to StuartMW I shall put this to the test on a suspect computer later on. Thanx for the link.
anyone got it handy? the site is extremely slow |
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
| reply to StuartMW said by StuartMW :The guys at Sysinternals released a free Rootkit scanner today called RootkitRevealer . Edit: BTW they have a lot of other useful free utilities (e.g. Process Explorer, RegMon, FileMon). I recommend that you check them out. Great Lead, This is Exactly what was needed. I posted some Clues in this forum »RSA: Microsoft on 'rootkits': Be afraid, be very
about the need to watch the Directory on drives very close, because there are even ways to PARK executables in Bad Sector areas, that would remain after a format, or to even invoke un-deletes after a format.
This utility is FANTASTIC because it reads the directory RAW, which means it does NOT depend on any APIs to find hidden or altered records.
Thanks  |
  Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA
| said by ZOverLord : This utility is FANTASTIC because it reads the directory RAW, which means it does NOT depend on any APIs to find hidden or altered records. Actually, it doesn't read the directory raw (it's not talking to the disk controller directly): it asks the operating system to do it via low-level read and write calls - what if the rootkit intercepts this and feeds back bogus "raw" information?
And it depends on the API to display the results - what if a rootkit hooks the GDI to intercept the "This file is suspicious" display and/or logfile?
This tool is raising the bar substantially, but when running on a compromised OS, it's always possible (though perhaps very difficult) to outsmart the detectors.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site |
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV | reply to pcdebb I just downloaded it the site seems ok to me, speed wise that is. -- Best RegardsVampirefo |
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
| reply to Steve said by Steve : said by ZOverLord : This utility is FANTASTIC because it reads the directory RAW, which means it does NOT depend on any APIs to find hidden or altered records. Actually, it doesn't read the directory raw (it's not talking to the disk controller directly): it asks the operating system to do it via low-level read and write calls - what if the rootkit intercepts this and feeds back bogus "raw" information? And it depends on the API to display the results - what if a rootkit hooks the GDI to intercept the "This file is suspicious" display and/or logfile? This tool is raising the bar substantially, but when running on a compromised OS, it's always possible (though perhaps very difficult) to outsmart the detectors. Steve Steve, here is a quote from Sysinternals' own page on the utility; it also has a REMOTE run option.
"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level.
The highest level is the Windows API because that is the API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format).
Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures."
The page itself is located here.
»www.sysinternals.com/ntw2k/freew···al.shtml
  BeesTea Network Janitor Premium,VIP join:2003-03-08 00000
| No offense to Sysinternals, they do great work. This tool talks to the controller's driver; it simply has to. There's no way it's able to talk to every disk controller out there on its own.
-BeesT -- echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlb xq |dc |
  Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA
| reply to ZOverLord said by ZOverLord :Steve, here is a quote from Sysinternals' own page on the utility; it also has a REMOTE run option. Oh boy, here we go again.
First, this is a fantastic tool from some of the smartest guys on the internet. If anybody knows the ins and outs of the operating system, it's these people. I doubt that any current file-hiding rootkits will escape this tool, and probably won't for a long time. Nothing I say in this thread is meant to disparage SysInternals in any way.
OK, from user mode, it's simply not possible to talk directly to the disk drive hardware, so you are stuck with relying on the operating system to help you. In the case of this tool, it uses CreateFile("\\.\C:", ...) to open the logical volume directly - in UNIX you'd think of this as doing an open("/dev/hda1",...) - where you read the filesystem raw with ReadFile() calls.
The filesystem is NTFS and has a certain structure (blocks, directory, freespace, etc.), and the operating system knows how to walk this data and find your files when accessing it through the normal drive-letter mechanisms.
What this tool is doing is something new: the program understands NTFS natively, so it reads a raw filesystem directly and walks the directories on its own. The goal is to catch the rootkit in a lie: if a "real" NTFS directory says the file is there but the user-level directory APIs say it's not, there is funny business.
At this point I think we're all on the same page, and it's time to ask "what if?".
Since RootkitRevealer is not actually talking to the hard drive directly, but instead asking the operating system "fetch me disk block #137473", a very sophisticated rootkit could figure out that block #137473 contains the directory that it's hiding in, so it could modify the data handed back to the tool in a way that also hid the data.
This sounds like an awful lot of work, but since it's probably only a few blocks that need to be protected in this way, I believe it's not at all out of the question that this is possible. Just because it's not being done now doesn't mean that somebody with a lot of time on his hands won't figure it out.
When you ask a compromised OS for information, you can never know when it's lying to you.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site |
 psloss Premium join:2002-02-24 Alpharetta, GA
1 edit | reply to ZOverLord said by ZOverLord :Steve, here is a quote from Sysinternals' own page on the utility; it also has a REMOTE run option. What was that saying about using the same information to make different points? It's not the same information, but in the section right below, it says: quote: Is there a sure-fire way to know of a rootkit's presence?
In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised.
More importantly, this should be quite useful in that it significantly raises the bar. This is a good thing.
One note -- I haven't tested yet, but I suspect that the remote option, which runs the command line version through PsExec, probably won't work on XP Home Edition, which has crippled remote admin capabilities (compared to all other versions of NT).
Edit: spelling
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
  Portmonkey scurvy Premium join:2004-04-09 Southern IL
| reply to StuartMW Ok, so what exactly should people be looking for in the results of a scan, seeing as how not all discrepancies in the output list are necessarily something bad? "You should expect to see a number of such entries on any NTFS volume since NTFS hides its metadata files, such as $MFT and $Secure, from the Windows API." Other than the HackerDefender rootkit as shown in the screenshot at the Sysinternals website, I don't have much of a clue as to what to look for. I'm glad progress is being made to deal with this type of potential threat, and hope that in the future a new scanner will be created to help those of us with little understanding of rootkits to interpret the results.
-- Live life on the edge. Use IE6 |
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
| reply to Steve Steve,
The utility allows you to use the tool remotely. If I were to use your LOGIC, I could still eventually use a CLEAN system to use the NATIVE READ on that system of the directory on the other.
I am very AWARE that this utility does not communicate with the driver directly; however, the driver in fact could be modified as well.
By using a CLEAN system to remotely CHECK another, currently this is the best method.
The ONLY possible way this tool could be fooled would be if the system being checked had a 'rootkit' installed in the driver interfacing with the DRIVE itself.
If that is the case, there are methods to check the driver as well. Much like SPYWARE, there is NO single tool that will do it all; however, to date, this is the BEST general 'rootkit' FREE utility I have seen. |
  StuartMW Who Is John Galt? Premium join:2000-08-06 Austin, TX
1 edit | reply to Portmonkey said by Portmonkey :Ok, so what exactly should people be looking for... Well for starters create another screenshot with the columns resized so we can see all the output.
In general you should be looking for hidden registry keys (you appear to have some) and hidden executables. -- Don't feed trolls--it only makes them grow! |
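Steve's description of the method (open the volume, walk the NTFS structures independently, compare against what the Windows API reports) and Portmonkey's question about which discrepancies matter, worked as an added example that is not Sysinternals' code or any poster's: the "API view" and "raw view" are constructed sample listings standing in for a real API listing and a real NTFS/hive parse, and the names containing `hiddenexample` are made-up placeholders, not real indicators.

```python
"""Cross-view discrepancy check in the style of RootkitRevealer.

Added illustration, not Sysinternals' code: the two views are constructed
sample listings. The detection step is the part that matters: list every
entry that exactly one view reports, then separate the discrepancies that
NTFS produces by design from the ones that deserve a closer look.
"""
from dataclasses import dataclass

# NTFS metadata files are hidden from the Windows API by design, so these
# discrepancies are expected on every NTFS volume.
EXPECTED_NTFS_METADATA = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef",
                          "$Bitmap", "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\")

@dataclass(frozen=True)
class Finding:
    path: str
    description: str
    severity: str  # "info" for expected discrepancies, "suspicious" otherwise

def classify(path: str, seen_by: str) -> Finding:
    """Describe one entry that only one view ("raw" or "api") reported."""
    name = path.rsplit("\\", 1)[-1]
    if seen_by == "api":
        # The API reports something the on-disk structures do not contain.
        return Finding(path, "visible to Windows API but absent from raw scan", "suspicious")
    if path.startswith(REGISTRY_ROOTS):
        return Finding(path, "Registry key hidden from Windows API", "suspicious")
    if name in EXPECTED_NTFS_METADATA:
        return Finding(path, "NTFS metadata file, hidden from API by design", "info")
    kind = "executable" if name.lower().endswith(EXECUTABLE_SUFFIXES) else "file"
    return Finding(path, f"{kind} hidden from Windows API", "suspicious")

def cross_view_diff(api_view, raw_view):
    """Return findings for every entry present in exactly one of the two views."""
    api, raw = set(api_view), set(raw_view)
    return ([classify(p, "raw") for p in sorted(raw - api)] +
            [classify(p, "api") for p in sorted(api - raw)])

def suspicious_paths(findings):
    return [f.path for f in findings if f.severity == "suspicious"]

# Constructed sample views; the "hiddenexample" entries are made-up placeholders.
API_VIEW = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\ntdll.dll",
            r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"]
RAW_VIEW = API_VIEW + [r"C:\$MFT", r"C:\$Secure",
                       r"C:\WINDOWS\system32\drivers\hiddenexample.sys",
                       r"HKLM\SYSTEM\CurrentControlSet\Services\hiddenexample"]

if __name__ == "__main__":
    for f in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"[{f.severity}] {f.path}: {f.description}")
```

On the sample data the two NTFS metadata entries come back as "info" and the two hidden placeholders as "suspicious", which is the triage StuartMW describes: ignore the expected metadata, look at hidden keys and hidden executables.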
  Vampirefo Premium,MVM join:2000-12-11 Huntington, WV 2 edits | reply to Portmonkey Are you using the program in an Administrator account? Also, is that C:\WINDOWS\winsx.dll? "This is spyware" on your PC. We need to be able to read the pic. -- Best Regards Vampirefo
  Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA
| reply to ZOverLord said by ZOverLord :The utility allows you to use the tool remotely. If I were to use your LOGIC, I could still eventually use a CLEAN system to use the NATIVE READ on that system of the directory on the other. No, this doesn't help either.
Obviously the clean system is not going to lie to you, but their remote capability is done with:
psexec \\remote -c rootkitrevcon.exe -c
This runs the command-line version of the checker on the infected system itself. The remote functionality is nothing more than a convenience feature, not a security one.
But, for the sake of argument, let's say that it was somehow integrated better (and putting aside the fact that I don't believe that the Win32 API allows across-network access to \\.\C:), this would still rely on the infected machine to feed data to the network stack. This offers even more opportunities to lie.
If you ask a compromised operating system any question, it can lie to you.
Steve
-- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site |
  rogue_ I Have A Secret Window Premium join:2001-10-17 Lake Hiawatha, NJ
1 edit | reply to StuartMW Neat stuff.
But it seems I have 31 discrepancies. Uh oh. What does that mean? |
  Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA
| reply to Vampirefo said by Vampirefo :Are you using the program in an Administrator account? This program fails very loudly and badly if it's not run from an Administrator account - it would not have produced that output had he been a regular user.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site |
  Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA
| reply to Vampirefo We need to be able to read the pic. Yes, we do: please do not use JPEG for screenshots. JPEG compression is great for photographs, but it's poor with high-detail, high-contrast images. Use GIF/PNG instead.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site |
  Portmonkey scurvy Premium join:2004-04-09 Southern IL
| reply to Vampirefo Yes I'm using the program in an Administrator account.
StuartMW, I'm not sure how to re-size the columns so everyone can see all the output. I have run another scan but haven't taken a screenshot yet, because I'm looking for a way to re-size the columns. -- Live life on the edge. Use IE6 |