Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Potential anonymous rootkit revealed


  • Please log in to reply
1 reply to this topic

#1 gezolad

gezolad

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 24 February 2009 - 01:20 PM

Hi,

Since my earlier post on this topic, I have run Rootkit Uhooker (an exellent tool - gives way more information than anything else I've seen). The Report shows that the anonymous module that was hooking the kernel, does so with jumps from lots of intercepted kernel processes and threads, looking VERY SUSPICIOUS e.g.

NtUserGetAsyncKeyState,
NtImpersonateThread,
NtAllocateVirtualMemory,
NtMapViewOfSection

On closer inspection the jumps go to the handler sysfer.dll, and the Rootkit Unhhoker report ends with "!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!"

A quick search on the internet reveals that sysfer.dll seems to be a Symantec library file related to the Symantec CMC Firewall or Network threat protection component, depending on what you read.

I'm not convinced of the pros & cons of using Rootkit technology (that can itself be tampered with or substituted for) to provide protection against malware, especially if for no other reason it causes wiped and rebuilt hard disks where the user just thinks he has a malicious rootkit.

So just be aware that NOT ALL ROOTKIT ACTIVITY IS MALICIOUS (also bear in mind Sony's recent admission of using rootkits here http://en.wikipedia.org/wiki/2005_Sony_BMG...ection_scandal) - With a clever scanner, you might save yourself hours of unnecessary or lost work!!!

Gez

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:55 PM

Posted 24 February 2009 - 03:10 PM

Please do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues.

You already had an topic opened here which I closed and another on which I removed.

Anytime you come across a suspicious file or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Then post back with the results of the file analysis.

If you're not sure how to use a particular ARK or read its logs, then use another. There are many free ARK tools but some require a certain level of expertise and investigative ability to use. These are a few of the easier ARKS for novice users:Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernal/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

There are various reasons for ARK tools to encounter problems during a scan resulting in misleading or inaccurate results.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users