Malware Or Not Malware?



#1 Gengiskhan

Posted 03 November 2007 - 05:38 AM

I am regularly using IceSword to check whether I have rootkits on my PC. Recently I found the following suspicious things:

Kernel Modules:

Filename Base ImageSize Flags LoadOrder Name
-------------------------------------------------------------------------------------------------
afdrldxk.SYS 0xf7006000 0x00066000 0x09104000 48 \SystemRoot\System32\Drivers\afdrldxk.SYS

SSDT:

Index Curr Addr KModule Name
----------------------------------------------
0x35 0xf7c6ce8c Unknown NtCreateThread
0x7a 0xf7c6ce78 Unknown NtOpenProcess
0x80 0xf7c6ce7d Unknown NtOpenThread
0x101 0xf7c6ce87 Unknown NtTerminateProcess
0x115 0xf7c6ce82 Unknown NtWriteVirtualMemory

What is suspicious is that, although afdrldxk.SYS is loaded as a kernel module, the corresponding file does not exist (anymore). I suspect that the malware deletes this file in order to avoid discovery. What is also suspicious is that after every restart the file name related to this kernel module is different, and it looks like the name is randomly generated (the last time the file name was aezot01t.SYS).

The offset between the SSDT hooks is only a few bytes, so I suspect that they are only jumps to the suspected kernel module.

I posted this question before on the Nucia forum (see http://www.nucia.nl/forum/showthread.php?t=30560), but after an investigation with several malware detection and removal tools I still have the suspected SSDT hooks and kernel module.

I have now several questions:

1. Do I have malware on my PC, even though an investigation by an expert did not reveal anything and I do not see any negative effects?
2. If it is not malware, what is it?
3. Did anyone see something similar before?
4. Do tools exist with which I can read and disassemble the suspected SSDT hooks and kernel module?

Edited by Gengiskhan, 03 November 2007 - 05:39 AM.


#2 quietman7

Posted 03 November 2007 - 06:52 AM

Marckie is well known in the security community and if investigation revealed nothing malicious, then I would not be too concerned.

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. Daemon Tools uses rootkit-like techniques to hide from other applications and to circumvent copy protection schemes. Some of its files often lead to false reports by antivirus or ARK software.

\SystemRoot\System32\Drivers\aipoo3sv.sys
\SystemRoot\System32\Drivers\a8gmqt1g.sys
\SystemRoot\System32\Drivers\a17bv1ll.sys
\SystemRoot\System32\Drivers\a6coz31f.sys
\SystemRoot\System32\Drivers\a8w1z6pv.sys
\SystemRoot\System32\Drivers\ajmgz8bs.sys

One of our experts here at BC recently encountered such a file. It uses semi-random names, but always of the form a*******.sys: 8 characters long (a combination of letters/numbers).
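The two posts above leave the reader with raw IceSword output and two heuristics: the OP's observation that the hooked SSDT entries are only a few bytes apart, and quietman7's note that the driver name follows an a*******.sys pattern. The script below is an added example (editor's code, not IceSword's, not code from either poster) that turns both into a mechanical check. It takes the two tables as posted, parses them, resolves every hooked handler address against the listed kernel-module image ranges, measures the spacing between the hook targets, and flags module names that match the 8-character pattern. The sample tables are the ones pasted in the thread; the parsing of IceSword's column layout (whitespace-separated, base and size in hex) is an assumption based on the rows shown, and the regex is a literal encoding of quietman7's description, not a signature from any vendor.

```python
"""Triage of IceSword-style ARK output (added example, not IceSword's own code).

Answers three questions mechanically:
  1. Does each hooked SSDT handler address fall inside a listed kernel module?
  2. How far apart are the hook targets? (5-byte spacing is the size of an
     x86 near `jmp rel32`, i.e. consistent with a small table of jump thunks.)
  3. Do any module names match the a*******.sys pattern from post #2?
"""
import re
from dataclasses import dataclass

# Constructed sample input: the "Kernel Modules" table exactly as posted,
# header and separator line included to show the parser tolerates them.
KERNEL_MODULES = r"""
Filename Base ImageSize Flags LoadOrder Name
-------------------------------------------------------------------------------------------------
afdrldxk.SYS 0xf7006000 0x00066000 0x09104000 48 \SystemRoot\System32\Drivers\afdrldxk.SYS
"""

# Constructed sample input: the "SSDT" table exactly as posted.
SSDT = r"""
Index Curr Addr KModule Name
----------------------------------------------
0x35 0xf7c6ce8c Unknown NtCreateThread
0x7a 0xf7c6ce78 Unknown NtOpenProcess
0x80 0xf7c6ce7d Unknown NtOpenThread
0x101 0xf7c6ce87 Unknown NtTerminateProcess
0x115 0xf7c6ce82 Unknown NtWriteVirtualMemory
"""

# Pattern described in post #2: 'a' followed by seven letters/digits, .sys.
RANDOM_NAME = re.compile(r"^a[a-z0-9]{7}\.sys$", re.IGNORECASE)


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        """True if addr lies inside this module's mapped image [base, base+size)."""
        return self.base <= addr < self.base + self.size


def parse_modules(text: str) -> list:
    """Parse rows of 'Filename Base ImageSize ...'; skip header/separator rows."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            mods.append(Module(parts[0], int(parts[1], 16), int(parts[2], 16)))
        except ValueError:  # header row: 'Base' / 'ImageSize' are not hex
            continue
    return mods


def parse_ssdt(text: str) -> list:
    """Parse rows of 'Index CurrAddr KModule Name' into (index, addr, name)."""
    hooks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            hooks.append((int(parts[0], 16), int(parts[1], 16), parts[3]))
        except ValueError:
            continue
    return hooks


def resolve(addr: int, modules: list):
    """Name of the listed module containing addr, or None if no image covers it."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def hook_spacing(hooks: list) -> list:
    """Byte distances between consecutive hook targets, sorted by address."""
    addrs = sorted(a for _, a, _ in hooks)
    return [b - a for a, b in zip(addrs, addrs[1:])]


def looks_random(name: str) -> bool:
    return bool(RANDOM_NAME.match(name))


def triage(modules_text: str, ssdt_text: str) -> dict:
    modules = parse_modules(modules_text)
    hooks = parse_ssdt(ssdt_text)
    return {
        "hooks": [(name, hex(addr), resolve(addr, modules)) for _, addr, name in hooks],
        "spacing": hook_spacing(hooks),
        "random_names": [m.name for m in modules if looks_random(m.name)],
    }


if __name__ == "__main__":
    report = triage(KERNEL_MODULES, SSDT)
    for name, addr, owner in report["hooks"]:
        print(f"{name:<22} {addr} -> {owner or 'no listed module covers this address'}")
    print("spacing between hook targets:", report["spacing"])
    print("module names matching a*******.sys:", report["random_names"])
```

On the posted data the script reports that none of the five handler addresses (0xf7c6ce78..0xf7c6ce8c) fall inside afdrldxk.SYS, whose image spans 0xf7006000 to 0xf706c000; that agrees with IceSword's own "Unknown" in the KModule column and means the hooks live in memory that the module list does not account for (the page does not say whether that is a pool allocation, a second image, or a gap in the listing). The targets are exactly 5 bytes apart, which is the length of an x86 `jmp rel32`, so the OP's guess that they are jump stubs is plausible but can only be confirmed by reading those bytes. The name check flags afdrldxk.SYS and would equally flag aezot01t.SYS and the six names quietman7 lists; as post #2 says, a name pattern alone does not prove the driver is malicious.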
