
RE: Finding root-kits on Windows

From: Amarante, Rodrigo P. <RPAmarante(at)directvla.com>
Date: Tue May 06 2003 - 09:42:11 EDT


SW,

Like you mentioned, most Windows rootkits hide themselves by hooking into System APIs and "filtering" based on a keyword that is normally used as a prefix for files and directories. That, unfortunately for the hacker himself, is a double-edged sword: since his programs must contain the prefix to be hidden and cannot be a victim of its own poison (can't see itself or other programs), it must exclude the files that have the prefix from being "tricked" by the API filtering. Therefore, if you rename tools like taskmgr.exe to (in your case) droptaskmgr.exe, you should be able to run Task Manager without the filtering so you can list the "bad process". Or RegEdit to see the hidden registry keys. In fact this should work for any program. Again, most Windows rootkits are written as kernel drivers and as such should be listed by drivers.exe from the Resource Kit package, or Winmsd.exe.
Another thing worth mentioning is that since it's the local kernel that is "patched", a remote connection (like mapping a network drive to the volume in the compromised machine) should be clear of any filtering...

Hope this helps.

Regards,

Rodrigo Amarante

-----Original Message-----
From: shrink-wrap@hushmail.com [mailto:shrink-wrap@hushmail.com]
Sent: Monday, May 05, 2003 10:53 PM
To: forensics@securityfocus.com

If someone could help me I would appreciate it- my current situation is:

On a compromised Windows 2k Pro box I have a directory with suspect binaries (which I discovered from a disk image via autopsy/sleuthkit- awesome stuff) but on the compromised machine it is impossible* to view these files or the directory. A listing of the files and the directory is attached at the end of the e-mail. After reading more and more on Windows rootkits- one of the common ways to use them is to pick a common string to hide and in my case all the files and the directory have the string "drop" as part of their name. As a test I created a directory in the root of the drive named "dropper" and it also "disappeared".

So my question is, how can I find this root-kit that is hooked into my kernel? I am looking at my sysinfo for the box but while there are a number of drivers running- how would I further investigate what they are doing? BTW, it hasn't matched up with a well-known root-kit yet (like slanret).

Thanks

S-W

*=except 'cd'ing, via command prompt only, into the suspect (drop) directory and 'dir' listing all files *without* the "drop" name--possibly an error with the root-kit?

File and directory listing: (md5 hash / file name / size)

MD5 Values for files in /mnt/evidence/WINNT/system32/ (images/win2kpart1.img)

39a9e5c05ffbda925da0d2ec9b4f512a  drop.exe          50688
c647b4225e022096fb125f6bc49c5c91  drop.ini            383
da0bae77d169430f23134c1bea850c10  droper.exe      1364009
d66183219dcc4df876b94507c517decd  dropz.dat           244
623dfe4b51bc457a93b6cbbdeb62f3aa  dropz.exe        196922

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/ (images/win2kpart1.img)

f52d332ff50cb543c6d47d9aa4a0f608  dropclient.exe    30208
084badcff1da96797dddfd29b5038273  dropcmdsrv.exe    32768
a109f9c51681ec708342db2af6c4bebb  dropFar.exe      416800
26c1a98812d114c7ad2bc8e8d7119315  dropisql.exe      98304
e0fb946c00b140693e3cf5de258c22a1  dropnc.exe        59392
b5f519b3844c4d3c5451d90f70c59737  dropNTUSER.EXE   114176
998c2626a275c4ee1d59c2b3d0ede028  droppkzip.exe    339456
7eec3f77f9cb19fda1d06403ec1472f1  droppm.exe         5632
9c77ed16bcba7c61d620ec040788e7e8  dropport.exe      48640
ca0447d2feccc4a5ac3c9128d61debe7  droppwdump2.exe   32768
b7989bcb72225521c79163517cabe69a  FarEng.hlf        72121
f7dddbdbbc5879bf16ac00cedcd20745  FarEng.lng        16618
ab1f54a5fa3e653b6784c44407f113ac  samdump.dll       36864

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/FTP/ (images/win2kpart1.img)

8e15302b6d6e34f97d1a9729a8982f2e  farftp.dll       115232
c9c65b08d29378823d4f41bc7f96787f  FtpEng.hlf         6514
5473c2f0e88c2a6732bbbcf72e895523  FtpEng.lng         2307

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/Network/ (images/win2kpart1.img)

899618cc2b78249ae846aea0ae7a8e55  NetEng.hlf         1033
e094baf947eddf5c5d744247ec75859e  NetEng.lng          625
701c98c6799d450f458335b498806fa2  NETWORK.dll       45600

MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/ProcList/ (images/win2kpart1.img)

43ca7be3f1bb03d47b77ea836f996fba  ProcEng.hlf         444
77fc621c42ea93a8a0ff9bd32331c350  ProcEng.lng         442
9691161c57d0cb6500af09df919b852f  PROCLIST.dll      51232


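The thread's approach, put into runnable form as an added example (this is not code from either poster): take the directory listing from the disk image (autopsy/sleuthkit) or from a network share mounted on a clean machine as the trusted view, take `dir` on the compromised box as the live view, and diff them. Whatever the trusted view has that the live view lacks is being hidden by the hooked enumeration API, and the longest common prefix of the hidden names is the filter string to carry over into a tool's name (taskmgr.exe to droptaskmgr.exe). The two listings below are constructed: the "drop*" names come from S-W's listing, the other system32 files are padding, and `simulate_hook` is only a model of the prefix filter the thread describes, not a real hook.

```python
"""
Cross-view check for a prefix-filtering rootkit (added example for this
thread, not code from the original posters).

Trusted view: directory listing taken out-of-band, from the disk image or
over a network share from a clean host, so the compromised kernel never
touches it.  Live view: what `dir` returned on the compromised box.
"""
import os

# Constructed sample: trusted view of WINNT\system32 from the image.
# The "drop*" names are from the thread; the rest are ordinary Win2k
# system files added as padding.
IMAGE_VIEW = [
    "cmd.exe", "drop", "drop.exe", "drop.ini", "droper.exe", "dropz.dat",
    "dropz.exe", "kernel32.dll", "notepad.exe", "taskmgr.exe",
]

# Constructed sample: the same directory as seen through the hooked API.
LIVE_VIEW = ["cmd.exe", "kernel32.dll", "notepad.exe", "taskmgr.exe"]


def _norm(name: str) -> str:
    """Windows file names compare case-insensitively; casefold for set ops."""
    return name.casefold()


def simulate_hook(entries, prefix):
    """Model of the filter the thread describes: every entry whose name
    begins with `prefix` is dropped from the enumeration result."""
    p = _norm(prefix)
    return sorted(e for e in entries if not _norm(e).startswith(p))


def hidden_entries(trusted, live):
    """Names in the trusted (image / remote) view but absent from the live
    view.  Case-insensitive, so dropFar.exe and DROPFAR.EXE match."""
    live_set = {_norm(e) for e in live}
    return sorted(e for e in trusted if _norm(e) not in live_set)


def phantom_entries(trusted, live):
    """Names the live host shows that the image lacks: not hiding, but worth
    a look (files created after imaging, or a decoy)."""
    trusted_set = {_norm(e) for e in trusted}
    return sorted(e for e in live if _norm(e) not in trusted_set)


def filter_prefix(hidden):
    """Longest common prefix of the hidden names, compared case-insensitively.
    '' when nothing is hidden or the hidden names share no prefix."""
    return os.path.commonprefix([_norm(h) for h in hidden])


def rename_for_visibility(tool, prefix):
    """Name to give a tool so it carries the filter string, per the thread's
    suggestion that the rootkit exempts prefixed programs from filtering."""
    return f"{prefix}{tool}"


def analyse(trusted, live):
    """Full report: hidden names, phantom names, inferred prefix and the
    tool names to try on the compromised box."""
    hidden = hidden_entries(trusted, live)
    prefix = filter_prefix(hidden)
    tools = ("taskmgr.exe", "regedit.exe")
    return {
        "hidden": hidden,
        "phantom": phantom_entries(trusted, live),
        "prefix": prefix,
        "suggested_tool_names": (
            [rename_for_visibility(t, prefix) for t in tools] if prefix else []
        ),
    }


if __name__ == "__main__":
    report = analyse(IMAGE_VIEW, LIVE_VIEW)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Sanity check of the model: filtering the trusted view with the
    # inferred prefix must reproduce exactly what the compromised box showed.
    assert simulate_hook(IMAGE_VIEW, report["prefix"]) == sorted(LIVE_VIEW)
```

A prefix of `''` with a non-empty hidden list means the hiding is not a simple name-prefix filter, and the renaming trick from the thread is unlikely to help; a non-empty `phantom` list is a cue that the image and the live listing were not taken at the same time, or that something was planted after imaging.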

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue May 6 10:00:44 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

