Velocity Reviews - Computer Hardware Reviews

Download freeware RKR scanning software (detect Sony rootkit & others)

 
 
pamelafiischer@yahoo.com
      11-20-2005
Where can mere mortals download necessary WinXP RKR scanning software?

All over the airwaves is Mark Russinovich's Sysinternals admonition
"most users stumble across cloaked files with an RKR scan". I've never
run an RKR scan. I don't even know what an RKR scan is. But I, like all
of us, am interested in the results of an RKR scan on my Windows PC.

But, where do we obtain the RKR scanning freeware download?

Pamela

 
Trax
      11-20-2005
(E-Mail Removed) wrote:

|>Where can mere mortals download necessary WinXP RKR scanning software?
|>
|>All over the airwaves is Mark Russinovich's Sysinternals admonition
|>"most users stumble across cloaked files with an RKR scan". I've never
|>run an RKR scan. I don't even know what an RKR scan is. But I, like all
|>of us, am interested in the results of an RKR scan on my Windows PC.
|>
|>But, where do we obtain the RKR scanning freeware download?
|>
|>Pamela

From Mark Russinovich himself
http://www.sysinternals.com/utilitie...trevealer.html

--
Napster, gets down and...
http://www.getthewholething.co.uk/
 
pamelafiischer@yahoo.com
      11-20-2005
(E-Mail Removed) wrote:
> Where can mere mortals download necessary WinXP RKR scanning software?


I should have noted that even though I've never installed Sony CD
software (to my knowledge), when I created & then renamed a text file
to "$sys$myfile.txt", it immediately disappeared from view.

That in and of itself makes me suspect incipient malware other than
Sony audio CDs, which makes me now want to run the freeware rootkit
scanner everyone is alluding to even more urgently.

But where do we obtain this freeware RKR scanner for Windows XP?

Pamela

 
Trax
      11-20-2005
(E-Mail Removed) wrote:

|>(E-Mail Removed) wrote:
|>> Where can mere mortals download necessary WinXP RKR scanning software?
|>
|>I should have noted that even though I've never installed Sony CD
|>software (to my knowledge), when I created & then renamed a text file
|>to "$sys$myfile.txt", it immediately disappeared from view.
|>
|>That in and of itself makes me suspect incipient malware other than
|>Sony audio CDs, which makes me now want to run the freeware rootkit
|>scanner everyone is alluding to even more urgently.

If you're comfortable editing your system:
http://www.sysinternals.com/Blog/ scroll down to "Sony, Rootkits and
Digital Rights Management Gone Too Far"; towards the end Mark explains
how he deleted it. And so can you, with that info.

All files are located in
Windows\system32\$sys$filesystem
You can't see the directory, but you can enter it by accessing it
directly in a CMD window, i.e.:
Windows\system32> CD $sys$filesystem


--
Napster, gets down and...
http://www.getthewholething.co.uk/
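The "acid test" Pamela describes earlier in the thread (create a text file, rename it to a `$sys$` name, watch it vanish from the listing) and Trax's point that the cloaked directory is still reachable by full path can be turned into a repeatable check. The script below is an added example, not code from the thread or from Sysinternals; the probe file name and the use of a temporary directory are my own choices, and it assumes the temporary directory sits on a volume the cloaking would apply to. On a clean system the renamed file stays visible.

```python
# Added example (not from the thread): automate Pamela's "$sys$" acid test.
# The Sony DRM rootkit discussed here hid every file and directory whose
# name begins with "$sys$" from ordinary directory listings.
import os
import tempfile

CLOAK_PREFIX = "$sys$"   # the prefix the rootkit filtered out of listings


def cloaked_name_visible(directory: str, stem: str = "rkrprobe.txt") -> bool:
    """Create a plain file, rename it to a $sys$-prefixed name (exactly the
    steps Pamela took) and report whether a directory listing still shows
    it. True is the clean-system result; False means something is
    filtering directory enumeration."""
    plain = os.path.join(directory, stem)
    cloaked = os.path.join(directory, CLOAK_PREFIX + stem)
    with open(plain, "w", encoding="ascii") as fh:
        fh.write("visibility probe\n")      # constructed content, nothing sensitive
    os.rename(plain, cloaked)
    try:
        # os.listdir goes through the same enumeration API a shell "dir"
        # uses, which is where the cloaking hook sat.
        return (CLOAK_PREFIX + stem) in os.listdir(directory)
    finally:
        # Trax's observation: a cloaked name is still reachable when it is
        # addressed directly, so cleanup by full path works even if the
        # listing lies to us.
        try:
            os.remove(cloaked)
        except FileNotFoundError:
            pass


def run_probe() -> str:
    """One-shot check in a fresh temporary directory; returns a verdict string."""
    with tempfile.TemporaryDirectory() as tmp:
        if cloaked_name_visible(tmp):
            return "visible (no $sys$ cloaking seen)"
        return "HIDDEN: $sys$ names are being filtered from listings"


if __name__ == "__main__":
    print(run_probe())
```

Run it as an ordinary user; it writes only into a temporary directory it deletes afterwards. A "HIDDEN" verdict does not tell you which driver is doing the filtering, only that a listing and a direct path disagree, which is the same class of discrepancy RootkitRevealer reports.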
 
pamelafiischer@yahoo.com
      11-20-2005
Trax wrote:
> All files are located in the
> Windows\system32\$sys$filesystem
> you can't see the directory but you can enter it by accessing it
> directly in a CMD window ie:
> Windows\system32> CD $sys$filesystem


Thanks Trax.
I just finished the RKTDU scan with the results shown below.
Does this look suspicious to you, or are these normal rootkit
discrepancies?

Note that I removed the numbers for fear they may have contained
personal identification information (what are those 8-4-4-4-12
character numbers anyway?).

HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{number}\InprocServer32* 3/21/2005 4:23 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s1 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s2 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\g0 11/19/2005 3:06 AM 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\h0 11/19/2005 3:06 AM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\number 3/21/2005 2:24 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\33084D91d01 11/19/2005 10:24 PM 16.84 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\9ED97802d01 11/19/2005 10:24 PM 37.73 KB Visible in directory index, but not Windows API or MFT.

 
pamelafiischer@yahoo.com
      11-20-2005
Trax wrote:
> http://www.sysinternals.com/utilitie...trevealer.html


Aha! So simple. So elegant. A RKTDU right under my nose!
http://www.sysinternals.com/utilitie...trevealer.html

I downloaded and executed this freeware Windows XP Sysinternals
RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
just now on an idle system and was much chagrined to find voluminous
reports of "Key name contains embedded nulls (*)", "Hidden from Windows
API", "Visible in directory index, but not Windows API or MFT", etc.
discrepancies.

Is this normal to find so many of these rktdu registry discrepancies?

Pamela

 
Trax
      11-20-2005
(E-Mail Removed) wrote:

|>Trax wrote:
|>> http://www.sysinternals.com/utilitie...trevealer.html
|>
|>Aha! So simple. So elegant. A RKTDU right under my nose!
|>http://www.sysinternals.com/utilitie...trevealer.html
|>
|>I downloaded and executed this freeware Windows XP Sysinternals
|>RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
|>just now on an idle system and was much chagrined to find voluminous
|>reports of "Key name contains embedded nulls (*)", "Hidden from Windows
|>API", "Visible in directory index, but not Windows API or MFT", etc.
|>discrepancies.
|>
|>Is this normal to find so many of these rktdu registry discrepancies?

I don't know, so I ran it myself; I dual boot and it checked both
systems against a registry file I can only guess is from my operating
OS. Got a ton of bad listings.

Bottom line is you did the acid test and it proved positive
($sys$myfile.txt), and you need to take action...

--
Napster, gets down and...
http://www.getthewholething.co.uk/
 
karl levinson, mvp
      11-20-2005

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...

> C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\33084D91d01 11/19/2005 10:24 PM 16.84 KB Visible in directory index, but not Windows API or MFT.
> C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\p72bk7em.default\Cache\9ED97802d01 11/19/2005 10:24 PM 37.73 KB Visible in directory index, but not Windows API or MFT.


All of the registry nulls look OK to me. I would focus first on hidden
files rather than on hidden registry values. The two hidden files above were
the only ones that might merit further investigation. I'm not positive these
two files are signs of anything important.

Note that there are supposedly rootkits that can disable Rootkit Revealer
and make it fail to detect hidden files. For a second opinion, you might
also search for rkdetect in www.google.com and run that as well. I think
it's a little harder to run than just double-clicking on it; I think you
may have to run it at the command line. Using the same method to find and
run Hijack This! and posting the logs to their web site may also be helpful.


> Note that I removed the numbers for fear they may have contained
> personal identification information (what are those 8-4-4-4-12
> character numbers anyway?).



Depending on where they are in the registry, those numbers generally
uniquely identify a program, user or other object. Here they are CLSID or
Class ID numbers, which Microsoft defines as:

http://www.microsoft.com/technet/pro...efclassid.mspx

A universally unique identifier (UUID) that identifies a COM component. Each
COM component has its CLSID in the Windows Registry so that it can be loaded
by other applications.



 
Mark Randall
      11-20-2005
In C/C++ programming:

A string is represented by a series of bytes, ended by a byte that has a
value of zero.

Lots of APIs (what we use to program Windows features) let you
specify a length - meaning you can 'embed' nulls - normally once you reach
the first null it is taken as 'end of the string'.

Because most programs will only display up to the first null, anything after
it will not be shown. Hence the problem.

- MR



<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Trax wrote:
>> http://www.sysinternals.com/utilitie...trevealer.html

>
> Aha! So simple. So elegant. A RKTDU right under my nose!
> http://www.sysinternals.com/utilitie...trevealer.html
>
> I downloaded and executed this freeware Windows XP Sysinternals
> RootKitRevealer.exe Rootkit Detection Utility (RKTDU), version 1.56,
> just now on an idle system and was much chagrined to find voluminous
> reports of "Key name contains embedded nulls (*)", "Hidden from Windows
> API", "Visible in directory index, but not Windows API or MFT", etc.
> discrepancies.
>
> Is this normal to find so many of these rktdu registry discrepancies?
>
> Pamela
>
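Mark's explanation of embedded nulls can be watched happening with `ctypes`, whose `c_char` arrays follow exactly the C string rule he describes: `.value` stops at the first zero byte, while a reader that is told the length sees everything. The block below is an added example, not code from the thread or from Sysinternals; the sample key name is constructed, and the byte-oriented view is a simplification (the real registry stores names as length-counted UTF-16, but the truncation logic is the same).

```python
# Added example (not from the thread): the C-string truncation behind
# RootkitRevealer's "Key name contains embedded nulls (*)" report.
import ctypes


def c_string_view(data: bytes) -> bytes:
    """What a NUL-terminated consumer (strlen, printf, most registry
    editors) sees: the bytes up to, but not including, the first 0x00."""
    buf = ctypes.create_string_buffer(data, len(data))  # exact size, no extra NUL added
    return buf.value                                    # .value applies C string semantics


def length_aware_view(data: bytes) -> bytes:
    """What a consumer that was handed an explicit length sees: every
    byte, including those after the embedded NUL."""
    buf = ctypes.create_string_buffer(data, len(data))
    return ctypes.string_at(ctypes.addressof(buf), len(data))


def hidden_suffix(data: bytes) -> bytes:
    """The part of the name that ordinary tools never display."""
    visible = c_string_view(data)
    if len(visible) == len(data):
        return b""
    return data[len(visible) + 1:]   # skip the NUL itself


def describe(data: bytes) -> str:
    """RootkitRevealer-style rendering: the visible name, with a trailing
    '*' when bytes are tucked away behind an embedded null."""
    visible = c_string_view(data).decode("ascii", "replace")
    if len(visible) == len(data):
        return visible
    hidden = len(data) - len(visible) - 1
    return f"{visible}* ({hidden} byte(s) hidden after an embedded null)"


# Constructed sample: reads as "InprocServer32" to C-style tools but
# carries extra bytes after a NUL, so the two views disagree.
SAMPLE = b"InprocServer32\x00hidden"

if __name__ == "__main__":
    print("C-string view   :", c_string_view(SAMPLE))
    print("length-aware view:", length_aware_view(SAMPLE))
    print(describe(SAMPLE))
```

The detection idea is simply the disagreement between the two views: a tool that enumerates keys with a length-counted API and also reads them back as C strings will notice that the name is longer than what it can display, which is the discrepancy RootkitRevealer marks with `*`.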



 
Andy Walker
      11-20-2005
karl levinson, mvp wrote:

>Note that there are supposedly root kits that can disable Rootkit Revealer
>and make it fail to detect hidden files. For a second opinion, you might
>also search for rkdetect in www.google.com and run that as well. I think
>it's a little harder to run than just double-clicking on it, I think you
>have to may run it at the command line. Using the same method to find and
>run Hijack This! and post the logs to their web site may also be helpful.


Rootkit Revealer implemented a defense mechanism against being
disabled by spawning a randomly named copy of itself and running it as
a service. This makes it very difficult for any other process to
identify and disable Rootkit Revealer, but it also creates a tell-tale
sign on any system that runs Rootkit Revealer -- the randomly named
program gets deleted, but the registry key for the service is left
over pointing to a now deleted file. CrapCleaner will find and delete
the "null" service, or you can manually edit the registry and delete
the key.

You can also use the Microsoft method of identifying rootkits by
following their instructions at http://research.microsoft.com/rootkit/

Reproduced here in part:

Simple steps you can take to detect some of today's ghostware:

Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially
infected OS and save the results.

Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the
same drive, and save the results.

Run a clean version of WinDiff from the CD on the two sets of results
to detect file-hiding ghostware (i.e., invisible inside, but visible
from outside).
[You can get WinDiff here http://www.grigsoft.com/download-windiff.htm
]

See Hacker Defender ghostware files revealed (highlighted) for an
example. http://research.microsoft.com/rootki...dden_files.JPG

Note: there will be some false positives. Also, this does not detect
stealth software that hides in BIOS, Video card EEPROM, disk bad
sectors, Alternate Data Streams, etc.
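The cross-view comparison in Microsoft's steps above can be done with a short script instead of WinDiff once the two `dir /s /b` captures are saved. The block below is an added example, not code from the thread or from Microsoft's page: it reads one listing taken inside the running OS and one taken from a clean boot of the same drive, reports paths that exist only in the outside view (the file-hiding signature), and separates out paths that normally churn between boots. The sample listings and the churn patterns are constructed by me for illustration; the `$sys$filesystem` directory name comes from Trax's post, the file inside it is made up.

```python
# Added example (not from the thread or Microsoft's page): a WinDiff
# stand-in for the inside-vs-outside directory listing comparison.
import re

# Paths that legitimately differ between a running OS and a clean boot.
# A constructed starting list, not an authoritative one; extend it as
# you learn your own systems.
CHURN_PATTERNS = [
    r"\\pagefile\.sys$",
    r"\\hiberfil\.sys$",
    r"\\windows\\prefetch\\",
    r"\\local settings\\temp\\",
    r"\\windows\\temp\\",
]


def parse_listing(text: str) -> set:
    """'dir /s /b' prints one full path per line. Paths are lower-cased
    because NTFS is case-insensitive and a boot CD may print them
    differently from the installed OS."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_churn(path: str) -> bool:
    """True when the path matches a known between-boot churn pattern."""
    return any(re.search(pattern, path) for pattern in CHURN_PATTERNS)


def cross_view_diff(inside: str, outside: str) -> dict:
    """Compare the two views. Outside-only paths are the ghostware
    signature (invisible inside, visible from outside); they are split
    into likely hits and likely churn. Inside-only paths are reported
    too, since they usually explain themselves (deleted at shutdown)."""
    inside_set, outside_set = parse_listing(inside), parse_listing(outside)
    outside_only = sorted(outside_set - inside_set)
    return {
        "hidden_candidates": [p for p in outside_only if not is_churn(p)],
        "probable_churn": [p for p in outside_only if is_churn(p)],
        "inside_only": sorted(inside_set - outside_set),
    }


# Constructed captures, a few lines each; not from any real system.
INSIDE_VIEW = """\
C:\\WINDOWS\\system32\\ntoskrnl.exe
C:\\WINDOWS\\system32\\drivers\\ntfs.sys
C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-1234ABCD.pf
C:\\pagefile.sys
"""
OUTSIDE_VIEW = """\
C:\\WINDOWS\\system32\\ntoskrnl.exe
C:\\WINDOWS\\system32\\drivers\\ntfs.sys
C:\\WINDOWS\\system32\\$sys$filesystem\\$sys$example.sys
C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-1234ABCD.pf
C:\\WINDOWS\\Prefetch\\LAYOUT.INI
C:\\pagefile.sys
"""

if __name__ == "__main__":
    for label, paths in cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW).items():
        print(f"{label}:")
        for p in paths:
            print("   ", p)
```

To use it on real captures, read the two saved files into `INSIDE_VIEW` and `OUTSIDE_VIEW` (both the `/ah` and `/a-h` runs concatenated for each side). As the note above says, expect false positives: anything written between the inside capture and the clean boot will show up as outside-only, which is why the churn list exists, and a file hidden somewhere the listing never reaches (ADS, bad sectors, firmware) will not appear at all.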

 