«

nemo_outis wrote:
> Yeah, I've got Hiren's and Winternals Admin Kit but I'm leery about
> posting them (the XP I pointed you to earlier was posted by others).
> Here's the list of the utilities on Hiren but more for system
> recovery than for Sony rootkit squashing.
> Sorry, I only know about geekware because I'm a geek
> Let me know if you think Hiren's might be useful.

Wow that is an impressive list of tools! You could email me a download link
but I don't really need that, and, anyway, I think the best part of the
usenet is that by helping one person publically we help all others with the
same problem.

So I'd rather we found a rootkit decloaking method that works for the
general audience than that which just works for me alone.

There must be a working way to detect whether or not we have rootkit
cloaking. So far, I've tried these three rootkit cloaking detection
methods.

ROOTKIT DETECTION METHOD 1 (RKR):
- http://www.sysinternals.com/utilitie...trevealer.html
- Failed, but only due to the fact I don't know what to do
(with the score of cloaked files & keys it actually found!

ROOTKIT DETECTION METHOD 2 (RKD):
- http://www.security.nnov.ru/files/rkdetect.zip
- Failed, but only due to the need for administrator privilages
(I am logged in as administrator!)

ROOTKIT DETECTION METHOD 3 (STRIDER)
- http://research.microsoft.com/rootkit
- Failed, but only due to the fact it requires a boot WinXP CD/DVD
(which I don't yet have!)

In addition, I'm in the progress of learning how to use Ethereal (to look
at the packets going out); and I'm still working on a way to figure out
what products each of the cloaked 8-4-4-4-20 hex CLSID class id numbers
indicate.

If I only knew what those 8-4-4-4-20 class id's matched, I could figure out
which products are related to the twenty or so registry keys and files that
the SysInternals root kit revealer revealed. Whew. Learning in the news
about Sony's nefarious rootkit cloaking methods turned out to only be the
start of a long fun journey!

Better ideas for detecting rootkit cloaking are always welcome,
Pamela

"Jim Jong" <> wrote in message
news:...

> Microsoft Strider GhostBuster Rootkit Detection
> http://research.microsoft.com/rootkit
>

> All are too complicated to run by yourself but with help they can be run.

NO NO NO NO. Strider Ghostbuster is educational but is research only, for
now. The process is extremely painful to execute, and after all that work,
there are flaws. One of the biggest flaws is that the DIR command does not
display files hidden by ADS streams. There are other ways a root kit could
hide from that process even after a reboot to an alternate OS. I would not
point to its web page for anything but education.

<> wrote in message
news: oups.com...

> Given that the only reason we need to boot to a separate operating
> system is to run DOS "dir dir /s/ah/l/on/b" commands, an alternative to
> the Microsoft suggested method of booting to a Windows XP cdrom might
> be to boot to a Linux CDROM & then running the closest Linux "ls -alsF"
> equivalent to the DOS "dir /s/ah/l/on/b" command.
>
> Do the experts on this list know of anyone successful in searching for
> rootkit cloaked files using any of these boot-to-something methods?

Strider Ghostbuster is educational but is research only, for now. Do not
mistake it for an official Microsoft recommendation to customers. The
process is extremely painful to execute, and after all that work, there are
flaws. One of the biggest flaws is that the DIR command does not display
files hidden by ADS streams. There are other ways a root kit could hide
from that process even after a reboot to an alternate OS. I would not point
to its web page for anything but education.

<> wrote in message
news: oups.com...

> Q: Why is RKDetect telling me I need to run it as administrator when I
> am?

RKDetect gives that one generic error message if anything at all goes wrong
for any reason.

Where did you get that IP address? Is it really the one on your PC? How
did you find that IP address? Can you do Start, Run, type CMD and
click OK, then type IPCONFIG to doublecheck that that is your IP
address? That is an Internet IP address, and if you're using a high speed
modem or router to get to the Internet, I would suspect that may be the IP
address used by your modem or router and not your PC.

While you're there at the command prompt, try running the following command
which is part of RKDETECT and see if you get any more informative error
message:
sc \\%computername% query state= all

RKDetect relies on the WMI service being able to run. Is there any chance
you disabled it? As you probably already know, you can right-click on My
Computer and left-click on Manage, Services to check. You might also check
the Windows Event Logs for any errors around the time you ran RKDetect.

You could also try temporarily disabling your firewall. It is remotely
possible it blocked something necessary.

"Andy Walker" <> wrote in message
news:...

> Rootkit Revealer implemented a defense mechanism against being
> disabled by spawning a randomly named copy of itself and running it as
> a service. This makes it very difficult for any other process to
> identify and disable Rootkit Revealer

I am aware of that, but that was not really what I was thinking of. Unless
I am mistaken, that is no longer the latest method by which root kits can
disable or otherwise evade Rootkit Revealer. I would also not describe that
evasion method as being very difficult to evade. They can now identify
rootkit revealer and other detection tools by file signature instead of
name, like antivirus tools do to viruses. They could also theoretically
monitor the Rootkit Revealer launch process or enumerate the shortcuts
created to detect when it is run. Also, while the copy is randomly named, I
believe the original copy is not.

> You can also use the MicroSoft method of identifying rootkits by
> following their instructions at http://research.microsoft.com/rootkit/
>
> Simple steps you can take to detect some of today's ghostware:
>
> Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially
> infected OS and save the results.

That is not the Microsoft method for identifying root kits. That method as
it is has serious flaws [such as that the DIR command does not detect files
hidden by ADS streams, to name just one] and is not really for use right now
except as an educational tool. I also wouldn't describe that as "simple."

<> wrote in message
news: oups.com...

> Q1: Where do mere mortals obtain root kit scanning procedures?
> A: Those of us who are not experts can still obtain rootkit detection
> procedures at
> a. Rootkit Revealer
> http://www.sysinternals.com/utilitie...trevealer.html
> b. GhostBuster Rootkit Detector http://research.microsoft.com/rootkit
> c. RKdetect Rootkit Detecter
> http://www.security.nnov.ru/files/rkdetect.zip

Those are pretty much what the experts use, except that no one should be
using or relying on the GhostBuster method yet.

Another tool by the way is Encase Enterprise edition from Guidance Software,
although you need to set up a server, and it is not cheap, so it is for use
in enterprises, not at home. There is also no guarantee that a future root
kit won't evade its detection method.

Keep in mind that root kits don't exactly do anything themselves, they hide
another program. That other program can do things that

And, because people using rootkits are usually sloppy, the usual malware
tools you use can still often detect rootkits. For example, although some
root kits have the ability to evade tools like the netstat -ano command in
Windows XP or fport / vision from www.foundstone.com/knowledge, many of them
don't. This tool can reveal when malware starts listening on a certain
TCP/IP port. Doing a search of your computer for files that have changed in
the last day might also reveal clues that something is hidden, if a
keystroke logger or sniffer is logging to a file that the attacker forgot to
hide. Root kits can be used to hide hidden pubstro FTP servers, but you
will often notice that your hard drive suddenly has a LOT less free space or
is all out. Many of these also generate network traffic that cannot be
hidden from your high speed modem / router, network IDS and maybe even your
personal firewall software, if you have these. These are not just
theoretical examples, they are among the most common scenarios where root
kits are used and discovered, in my experience.

> My remaining questions are off topic so I will post them separately:
> Q2 Where do mortals obtain the smallest reliable Windows XP bootable
> CDROM?
> Q3: Where do I find a lookup table for each of these 8-4-4-4-12 CLSID
> class ids?

Searching www.google.com for CLSID brought up a number of sites, including:

http://www.sysinfo.org/

which may or may not be complete. I'm not sure Microsoft can necessarily
maintain a complete list, because I would expect non-Microsoft third parties
can create their own CLSIDs at any time.

<> wrote in message
news: oups.com...

> ROOTKIT DETECTION METHOD 1 (RKR) failed me due to cryptic output:
> - http://www.sysinternals.com/utilitie...trevealer.html

> Do others see the same set of problems I am running into (or is it just
> me)?

It's not just you. Hunting for root kits is pretty much always going to
require better than normal understanding of your computer to decode
"cryptic" output.

Generally speaking, malware detection can be signature-based or generic /
behavioral anomaly-based. Signature-based detection can tell you exactly
what a given malware is. This kind of detection would be if you booted to
the www.bitdefender.com or Bart PE CD and ran their anti-virus on your hard
drive, and that might work, depending. But there are some things that
aren't found by antivirus or are hidden from it. When this happens, you
often want to try generic detection. Generic detection only tells you when
something is changed or may be suspicious. It usually cannot reliably tell
you whether that change is malicious or not, or what exactly caused that
change. With generic detection, it's up to the user to use his or her
knowledge to determine the next course of action. All three of the root kit
detection tools you've listed use generic detection.

The cryptic output from generic detection can be a little easier to decode
if you can run the tools on your computer before it becomes infected, so
that you know what the normal baseline is and can notice when things change.
Running the tool on an identical or similar computer and comparing the
results can be helpful, as can posting any questions you have to the
Internet such as here.

wrote:

|>One suggestion for your tests above, if I may, are to use:
|>dir /s/ah/l/on/b c:\ > all_hidden_files_before.tdir /s/a-h/l/on/b c:\ >
|>not_hidden_files_before.txt
|>
|>Instead of:
|>dir /s /b /ah > all_hidden_files_before.txt
|>dir /s /b /a-h > not_hidden_files_before.txt
|>
|>The additional lower-casing (l) and name-ordering (on) options should,
|>I would guess, make the difference utility faster and more accurate (or
|>is my logic off?).

Just use the format (switches) that is best for you, ON and I just
make the output easier to read.


--
Napster, gets down and...
http://www.getthewholething.co.uk/

<> wrote in message
news: oups.com...
> karl levinson, mvp wrote:
> > For a second opinion, try RKDetect
http://www.security.nnov.ru/soft/rkdetect
>
> Hi Karl,
>
> You provided useful information for all of us which I'm sure many
> others like I will follow. So I don't feel so badly about asking a bit
> deeper since the answer will help all the other mothers out there too
> follow verbatim in our footsteps.

One other question: why is it exactly that you are concerned about root
kits? Many attackers out there don't even bother with root kits. Root kits
are much less common than other threats such as viruses. I wouldn't worry
about root kits so much unless your security setup is already good enough
that viruses and monthly Microsoft patches are not a problem for you.

The other side of dealing with root kits is prevention. If you keep your
computer fairly secure, with anti-virus, firewall, and monthly patches, root
kits are not a significant risk.

"Karl Levinson, mvp" <> wrote in
news::

>
> <> wrote in message
> news: oups.com...
>> karl levinson, mvp wrote:
>> > For a second opinion, try RKDetect
> http://www.security.nnov.ru/soft/rkdetect
>>
>> Hi Karl,
>>
>> You provided useful information for all of us which I'm sure many
>> others like I will follow. So I don't feel so badly about asking a
>> bit deeper since the answer will help all the other mothers out there
>> too follow verbatim in our footsteps.
>
> One other question: why is it exactly that you are concerned about
> root kits? Many attackers out there don't even bother with root kits.
> Root kits are much less common than other threats such as viruses. I
> wouldn't worry about root kits so much unless your security setup is
> already good enough that viruses and monthly Microsoft patches are not
> a problem for you.
>
> The other side of dealing with root kits is prevention. If you keep
> your computer fairly secure, with anti-virus, firewall, and monthly
> patches, root kits are not a significant risk.
>


Hmmm, root kits are not a significant risk? Tell that to the folks who
bought Sony CDs.

I've posted on this group in the past that I myself have used them - very
successfully, I might add - to hide things from company sysadmins. It
provoked much righteous indignation, of course, and bold assetions of
"you'd never get away with that on my network" but, as we now all see, it
is by no means trivial to detect a well-done rootkit (or even, for that
matter, some clumsily-done ones

Regards,