Velocity Reviews - Computer Hardware Reviews

Download freeware RKR scanning software (detect Sony rootkit & others)

 
 
Karl Levinson, mvp
      11-21-2005

"nemo_outis" <(E-Mail Removed)> wrote in message
news:Xns971558063E5D3abcxyzcom@127.0.0.1...

> Hmmm, root kits are not a significant risk? Tell that to the folks who
> bought Sony CDs.


Yes, I would tell that to the folks who bought sony CDs.

> I've posted on this group in the past that I myself have used them - very
> successfully, I might add - to hide things from company sysadmins. It
> provoked much righteous indignation, of course, and bold assertions of
> "you'd never get away with that on my network" but, as we now all see, it
> is by no means trivial to detect a well-done rootkit (or even, for that
> matter, some clumsily-done ones


Or, you could just put your files onto a CD, a gmail account or an Internet
file hosting server, a PGP encrypted folder, etc. Just because it can be
done does not make it the biggest risk to worry about.


 
nemo_outis
      11-22-2005
"Karl Levinson, mvp" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

>
> "nemo_outis" <(E-Mail Removed)> wrote in message
> news:Xns971558063E5D3abcxyzcom@127.0.0.1...
>
>> Hmmm, root kits are not a significant risk? Tell that to the folks
>> who bought Sony CDs.

>
> Yes, I would tell that to the folks who bought sony CDs.



Thanks for the clarification. I originally thought you were merely badly
informed; it now seems instead that you have poor judgment.


>> I've posted on this group in the past that I myself have used them -
>> very successfully, I might add - to hide things from company
>> sysadmins. It provoked much righteous indignation, of course, and
>> bold assertions of "you'd never get away with that on my network" but,
>> as we now all see, it is by no means trivial to detect a well-done
>> rootkit (or even, for that matter, some clumsily-done ones

>
> Or, you could just put your files onto a CD, a gmail account or an
> Internet file hosting server, a PGP encrypted folder, etc. Just
> because it can be done does not make it the biggest risk to worry
> about.



You clearly have not even begun to understand what I said.

Regards,



 
pamelafiischer@yahoo.com
      11-22-2005
karl levinson, mvp wrote:
> Where did you get that IP address? Is it really the one on your PC? How
> did you find that IP address? Can you do Start, Run, type CMD and
> click OK, then type IPCONFIG to doublecheck that that is your IP
> address?


Thank you yet again Karl for your expert advice,

Not fully understanding what I was doing, I simply had run the exact
command and IP address given in the RKDetect README:
C:\> cscript rkdetect.vbs 200.4.4.4

An ipconfig /all on my machine reports the standard IP address:
IP Address. . . . . . . . . . . . : 192.168.0.101

Was I supposed to use my IP address in the script command?

Easy enough to do, I ran:
C:\> cscript rkdetect.vbs 192.168.0.101
Which reported:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Query services by WMI...
Detected 96 services
Query services by SC...
Detected 96 services
Finding hidden services...

Possible rootkit found: FGLRYUtil - FGLRYUtil
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FGLRYUtil
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FGLRYUTIL
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

Done

Hmmmnm Did we find a hidden rootkit?

Running "GetServices" from
http://www.bleepingcomputer.com/files/getservice.php combined with the
SysInternals psservice.exe reveals:

C:\> psservice config > getservice.txt
C:\> type getservice.txt

PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
.... blah blah blah ...
SERVICE_NAME: FGLRYUtil
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FGLRYUTIL
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
.... blah blah blah ...
SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
.... blah blah blah ...

I'm not sure what to make of this but I did run the suggested command:
C:\> sc \\%computername% query state= all
Which reported:
.... blah blah blah ...
SERVICE_NAME: Wmi
DISPLAY_NAME: Windows Management Instrumentation Driver Extensions
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

.... blah blah blah ...

> RKDetect relies on the WMI service being able to run. Is there any chance
> you disabled it? As you probably already know, you can right-click on My
> Computer and left-click on Manage, Services to check.


I'm confused about this as the "Computer Management" console reports:
Windows Management Instrumentation Started Automatic Local System
Windows Management Instrumentation Driver Extensions <blank> Manual Local System

Which WMI above is the one in question?
Does it look like it's operating properly to you?

So many questions, so much to learn,
Pamela Fischer
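The RKDetect run quoted above works by comparing two views of the same service table ("Query services by WMI..." against "Query services by SC...") and reporting anything that appears in one but not the other. The Python below is an added example of that cross-view principle written for this page; it is not RKDetect's code, and the page does not show how RKDetect itself decides a service is hidden. Both inputs are constructed sample data: a WMI-style list (fields as Win32_Service reports them) and text in the layout of `sc query state= all` shown earlier in the post. Names are compared case-insensitively because Windows service names are case-insensitive, so a casing difference between views (such as FGLRYUtil versus FGLRYUTIL) does not by itself raise a flag.

```python
"""Cross-view check for hidden Windows services (added example, not RKDetect).

A user-mode rootkit that hooks one enumeration path usually leaves the
others intact, so a service that shows up in one listing but not another
deserves a closer look.  Both inputs below are constructed sample data.
"""
import re
from typing import Dict, List

# Constructed: what a WMI query for Win32_Service might return, reduced to
# the fields this check needs.
WMI_VIEW: List[Dict[str, str]] = [
    {"Name": "FGLRYUtil", "DisplayName": "FGLRYUTIL", "State": "Running"},
    {"Name": "Wmi", "DisplayName": "Windows Management Instrumentation Driver Extensions", "State": "Stopped"},
    {"Name": "winmgmt", "DisplayName": "Windows Management Instrumentation", "State": "Running"},
    {"Name": "Spooler", "DisplayName": "Print Spooler", "State": "Running"},
]

# Constructed: `sc \\%computername% query state= all` output in the layout
# shown in the thread.  "hiddensvc" is present here but absent from WMI_VIEW,
# and "Spooler" disagrees on state between the two views.
SC_OUTPUT = """\
SERVICE_NAME: FGLRYUtil
DISPLAY_NAME: FGLRYUTIL
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Wmi
DISPLAY_NAME: Windows Management Instrumentation Driver Extensions
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED

SERVICE_NAME: hiddensvc
DISPLAY_NAME: Hidden Service (constructed)
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# "KEY : value" lines; the parenthesised flag lines have no key and are skipped.
_FIELD = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*)$")


def parse_sc_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `sc query` text into {lower-cased service name: {field: value}}."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":          # a new record starts here
            current = {"SERVICE_NAME": value}
            services[value.lower()] = current
        elif current is not None:
            current[key] = value
    return services


def state_word(value: str) -> str:
    """Normalise '4  RUNNING' (sc) and 'Running' (WMI) to 'RUNNING'."""
    parts = value.split()
    return parts[-1].upper() if parts else ""


def cross_view(wmi_view: List[Dict[str, str]], sc_view: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Report names seen by only one view and shared names whose states disagree."""
    wmi = {s["Name"].lower(): s for s in wmi_view}
    shared = set(wmi) & set(sc_view)
    return {
        "only_in_sc": sorted(set(sc_view) - set(wmi)),    # hidden from WMI
        "only_in_wmi": sorted(set(wmi) - set(sc_view)),   # hidden from SCM query
        "state_mismatch": sorted(
            n for n in shared
            if state_word(wmi[n]["State"]) != state_word(sc_view[n].get("STATE", ""))
        ),
    }


if __name__ == "__main__":
    result = cross_view(WMI_VIEW, parse_sc_query(SC_OUTPUT))
    for category, names in result.items():
        for name in names:
            print(f"{category}: {name}")
```

A hit in `only_in_sc` or `only_in_wmi` is a lead, not a verdict: the two views are taken at slightly different moments, so a service being installed or removed between them, or a state change in flight, also shows up as a mismatch. As the thread's own follow-up shows, the next step is to identify the binary behind the flagged service and check it independently.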

 
pamelafiischer@yahoo.com
      11-22-2005
karl levinson, mvp wrote:
> some root kits have the ability to evade tools like the netstat -ano command in
> Windows XP or fport / vision from www.foundstone.com/knowledge, many of them
> don't. This tool can reveal when malware starts listening on a certain port


Does this output tell us anything interesting?
C:\> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State          PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING      1316
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING      4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING      724
  TCP    127.0.0.1:1028         127.0.0.1:1029         ESTABLISHED    2524
  TCP    127.0.0.1:1029         127.0.0.1:1028         ESTABLISHED    2524
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING      4
  TCP    192.168.0.101:1359     216.239.57.104:80      ESTABLISHED    2524
  UDP    0.0.0.0:445            *:*                                   4
  UDP    0.0.0.0:1026           *:*                                   1676
  UDP    127.0.0.1:123          *:*                                   1732
  UDP    192.168.0.101:123      *:*                                   1732
  UDP    192.168.0.101:137      *:*                                   4
  UDP    192.168.0.101:138      *:*                                   4


> Searching www.google.com for CLSID brought up a number of sites, including:
> http://www.sysinfo.org


I entered the suspect CLSID 47629D4B-2AD3-4e50-B716-A66C15C63153 but
nothing came of it at that web site. As far as I can tell from the
SysInternals forums, these are errant Avid Pinnacle Studio registry
keys which are designed to exploit a weakness in Windows XP (15 instead
of 14 characters and therefore unreadable, unchangeable, and
uninstallable).

Does anything look suspicious above?
Pamela Fischer
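The quoted advice is that `netstat -ano` can reveal when something starts listening on a port, which in practice means comparing the current listing against what the host is known to expose. The Python below is an added example of that comparison, not a tool from the thread: it parses `netstat -ano` output into records, separates listeners from connections, flags listeners that are not in a baseline, and notes whether each is bound to loopback (reachable only from the machine itself) or to a network-facing address. The netstat text is a constructed sample laid out like the output posted above, and the baseline of expected ports is constructed for illustration; it also accepts the bracketed IPv6 form newer Windows versions print, which the XP-era output above does not contain.

```python
"""Parse `netstat -ano` and flag listeners absent from a baseline (added example).

The netstat text and the baseline below are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str      # empty for UDP, which has no connection state
    pid: int


# Constructed sample in the layout of `netstat -ano` on Windows XP.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1316
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       724
  TCP    127.0.0.1:1028         127.0.0.1:1029         ESTABLISHED     2524
  TCP    127.0.0.1:1029         127.0.0.1:1028         ESTABLISHED     2524
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.101:1359     216.239.57.104:80      ESTABLISHED     2524
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1026           *:*                                    1676
  UDP    127.0.0.1:123          *:*                                    1732
  UDP    192.168.0.101:123      *:*                                    1732
  UDP    192.168.0.101:137      *:*                                    4
  UDP    192.168.0.101:138      *:*                                    4
"""

# Constructed baseline: (proto, port) pairs this host is expected to expose.
BASELINE: Set[Tuple[str, int]] = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 123), ("UDP", 137), ("UDP", 138), ("UDP", 445),
}


def parse_netstat_ano(text: str) -> List[Socket]:
    """Turn each TCP/UDP row into a Socket; header and blank lines are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:                      # UDP rows have no State column
            state, pid = "", parts[3]
        addr, port = local.rsplit(":", 1)
        addr = addr.strip("[]")    # "[::]:135" on IPv6-capable systems
        sockets.append(Socket(proto, addr, int(port), foreign, state, int(pid)))
    return sockets


def is_listener(s: Socket) -> bool:
    """UDP sockets are always receive-ready; TCP only when LISTENING."""
    return s.proto == "UDP" or s.state == "LISTENING"


def is_network_reachable(s: Socket) -> bool:
    """Loopback binds can only be reached from the host itself."""
    return not ipaddress.ip_address(s.local_addr).is_loopback


def unexpected_listeners(sockets: List[Socket], baseline: Set[Tuple[str, int]]) -> List[Socket]:
    """Listeners whose (proto, port) is not in the baseline, ordered for reporting."""
    return sorted(
        (s for s in sockets if is_listener(s) and (s.proto, s.local_port) not in baseline),
        key=lambda s: (s.proto, s.local_port),
    )


def listeners_by_pid(sockets: List[Socket]) -> Dict[int, List[Tuple[str, int]]]:
    """Group listening ports by owning PID so each can be matched to a process."""
    by_pid: Dict[int, List[Tuple[str, int]]] = defaultdict(list)
    for s in sockets:
        if is_listener(s):
            by_pid[s.pid].append((s.proto, s.local_port))
    return dict(by_pid)


if __name__ == "__main__":
    socks = parse_netstat_ano(NETSTAT_OUTPUT)
    for s in unexpected_listeners(socks, BASELINE):
        scope = "network-facing" if is_network_reachable(s) else "loopback only"
        print(f"unexpected listener {s.proto} {s.local_addr}:{s.local_port} pid={s.pid} ({scope})")
```

The PID column is what makes `-ano` useful: each flagged port can be tied back to a process (Task Manager or `tasklist /svc` on XP) before deciding whether it belongs there. The approach has the limit the quoted post states: a rootkit that filters what netstat itself sees will not appear in this listing, so a clean result from this check alone is not proof of a clean host.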

 
karl levinson, mvp
      11-22-2005

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...

> Not fully understanding what I was doing, I simply had run the exact
> command and IP address given in the RKDetect README:
> C:\> cscript rkdetect.vbs 200.4.4.4
>
> Was I supposed to use my IP address in the script command?


Yes, it appears that was the problem, you can ignore all the other
troubleshooting suggestions about WMI etc. from this post.


> Easy enough to do, I ran:
> C:\> cscript rkdetect.vbs 192.168.0.101
> Query services by WMI...
> Detected 96 services
> Query services by SC...
> Detected 96 services
> Finding hidden services...
>
> Possible rootkit found: FGLRYUtil - FGLRYUtil


> Hmmmnm Did we find a hidden rootkit?


Maybe, I'm not sure. Can you submit that file for a scan to
www.virustotal.com ? It should scan it in a minute. It's also possible
that whatever it is is using ADS streams so that atiisrgl.exe is innocent
and the real file is atiisrgl.exe|hiddenmalware.exe

The people in the various Hijack This! support forums may have more
knowledge of whether this file is good or bad.

http://www.spywareinfo.com/~merijn/forums.html


 
karl levinson, mvp
      11-22-2005

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> karl levinson, mvp wrote:
>> some root kits have the ability to evade tools like the netstat -ano
>> command in
>> Windows XP or fport / vision from www.foundstone.com/knowledge, many of
>> them
>> don't. This tool can reveal when malware starts listening on a certain
>> port

>
> Does this output tell us anything interesting?
> C:\> netstat -ano


I didn't see the information I would expect to see in that output.
Netstat -ano only works on Windows XP. I suspect you're not running XP?
In that case, Fport or Vision does the same thing.


 
karl levinson, mvp
      11-22-2005

"nemo_outis" <(E-Mail Removed)> wrote in message
news:Xns9715C693F733Eabcxyzcom@127.0.0.1...

>>> Hmmm, root kits are not a significant risk? Tell that to the folks
>>> who bought Sony CDs.

>>
>> Yes, I would tell that to the folks who bought sony CDs.

>
> Thanks for the clarification. I originally thought you were merely badly
> informed; it now seems instead that you have poor judgment.


If you don't trust me, listen to Symantec. There is exactly one Trojan
[Ryknos and Ryknos.B] that exploits the Sony rootkit. Symantec rates its
risk as a "2."

http://securityresponse.symantec.com...or.ryknos.html
http://securityresponse.symantec.com....ryknos.b.html

Note that virus definitions that detect this were put out on November 10, 12
days ago. If you're running up to date anti-virus, it is unlikely that you
will be infected by this, because the antivirus will detect this before it
can be hidden by the root kit.

If you haven't updated your anti-virus in the past 12 days, you've got
bigger security problems to worry about than the Sony root kit. Root kits
hide malware from being detected, but if your anti-virus is woefully out of
date, the file is probably not going to be detected whether you've got a
root kit or not.


> You clearly have not even begun to understand what I said.


No, I just have a different opinion.

What kind of risk assessment did you do to assess this as a high risk?



 
nemo_outis
      11-22-2005
"karl levinson, mvp" <(E-Mail Removed)> wrote in
news:#(E-Mail Removed):

>
> "nemo_outis" <(E-Mail Removed)> wrote in message
> news:Xns9715C693F733Eabcxyzcom@127.0.0.1...
>
>>>> Hmmm, root kits are not a significant risk? Tell that to the folks
>>>> who bought Sony CDs.
>>>
>>> Yes, I would tell that to the folks who bought sony CDs.

>>
>> Thanks for the clarification. I originally thought you were merely
>> badly informed; it now seems instead that you have poor judgment.

>
> If you don't trust me, listen to Symantec. There is exactly one
> Trojan [Ryknos and Ryknos.B] that exploits the Sony rootkit. Symantec
> rates its risk as a "2."



Here's how Symantec defines risk level 2:

"Medium : Increased alertness
This condition applies when knowledge or the expectation of attack
activity is present, without specific events occurring or when malicious
code reaches a moderate risk rating. Under this condition, a careful
examination of vulnerable and exposed systems is appropriate, security
applications should be updated with new signatures and/or rules as soon
as they become available and careful monitoring of logs is recommended.
No changes to actual security infrastructure is required."

Sure as **** doesn't sound trivial to me. Perhaps you have a more
phlegmatic temperament, are lackadaisical and sloppy regarding security,
or, most likely, are trying to wriggle away from the silly and
thoughtless things you said. Or perhaps all of the foregoing apply to
you.

Moreover, Symantec's rating applies only to the first exploit to take
advantage of the Sony rootkit - within just the first few weeks of it
coming to light. It is highly likely there will be more, some of which
may be of an even nastier character than the current one.

The average user is a clueless twit, or is sloppy, careless and
indifferent regarding security (as you so clearly are). Many do not
patch their systems as regularly as they should, have virus definitions
which are out of date, run with badly configured security software, or
even run naked. Yes, that's regrettable, but your cavalier attitude of
"to hell with them" doesn't cut it.

Lastly, antivirus checkers can do only a poor to fair job exposing
rootkits in the first place; well-done rootkits can only be reliably
"outed" by booting from an independent OS (e.g., from CD or USB).



>> You clearly have not even begun to understand what I said.

>
> No, I just have a different opinion.
>
> What kind of risk assessment did you do to assess this as a high risk?



You clearly understand as little about risk as you do about security.
There are many dimensions to risk assessment. I don't have time to fill
in the lacunae in your knowledge (which, actually, are more like chasms)
but with respect to particular risks there are at least two major
independent dimensions regarding assessment: probability of occurrence,
and severity of consequences.

The Sony rootkit has a moderately high profile in both dimensions.
First, the probability of occurrence, at least for some users, is very
high. Mistakenly believing Sony is a reputable company, they may treat
Sony CDs as coming from a trusted source, and thereby voluntarily (but
unknowingly) install the rootkit, letting it within the security
perimeter. The Sony rootkit thus becomes a true Trojan in the historical
sense. Accordingly, probability of occurrence is very high for the
particular class of users that buys Sony CDs - a not insignificant
segment of the computer-using populace.

As for consequences, they too are high. This arises because the Sony
rootkit is an "enabling" technology for other exploits. We have one
exploit already; there may - no, there will! - be more to come. In other
words we have an ongoing security breach. Yes, antivirus programs may be
able to squelch some of the nasty stuff that comes through the breach -
one by one, after the fact! - but there can be more and more to follow.
That's serious!

Regards,








 
pamelafiischer@yahoo.com
      11-23-2005
karl levinson, mvp wrote:
> Can you submit that file for a scan to http://www.virustotal.com ?


I submitted this file to www.virustotal.com for analysis:
C:\Program Files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe

The result was no virus found in that file.

Here are the results:

This is a report processed by VirusTotal on 11/23/2005 at 07:41:41
(CET) after scanning the file "atiisrgl.exe" file.

Antivirus Version Update Result
AntiVir 6.32.0.6 11.22.2005 no virus found
Avast 4.6.695.0 11.22.2005 no virus found
AVG 718 11.21.2005 no virus found
Avira 6.32.0.6 11.22.2005 no virus found
BitDefender 7.2 11.23.2005 no virus found
CAT-QuickHeal 8.00 11.22.2005 no virus found
ClamAV devel-20051108 11.23.2005 no virus found
DrWeb 4.33 11.22.2005 no virus found
eTrust-Iris 7.1.194.0 11.23.2005 no virus found
eTrust-Vet 11.9.1.0 11.23.2005 no virus found
Fortinet 2.48.0.0 11.23.2005 no virus found
F-Prot 3.16c 11.23.2005 no virus found
Ikarus 0.2.59.0 11.22.2005 no virus found
Kaspersky 4.0.2.24 11.23.2005 no virus found
McAfee 4634 11.22.2005 no virus found
NOD32v2 1.1297 11.22.2005 no virus found
Norman 5.70.10 11.22.2005 no virus found
Panda 8.02.00 11.22.2005 no virus found
Sophos 3.99.0 11.23.2005 no virus found
Symantec 8.0 11.22.2005 no virus found
TheHacker 5.9.1.042 11.22.2005 no virus found
VBA32 3.10.5 11.22.2005 no virus found

 
pamelafiischer@yahoo.com
      11-23-2005
karl levinson, mvp wrote:
> I didn't see the information I would expect to see in that output.
> Netstat -ano only works on Windows XP. I suspect you're not running XP?
> In that case, Fport or Vision does the same thing.


Just to confirm - I am running Windows XP.

 