
RE : Finding root-kits on Windows

From: Emmanuel Marchand <marchand.emmanuel(at)libertysurf.fr>
Date: Tue May 06 2003 - 11:49:15 EDT


I've seen this kind of stuff on a compromised NT machine a few weeks ago, and the rootkit installed was a hacked version of Hacker Defender 0.73 (http://rootkit.host.sk).

I've just done an md5sum of the binary (the standard one downloaded from the net, not the hacked one I found on the machine), guess what?

HxDef073.exe -> 39a9e5c05ffbda925da0d2ec9b4f512a
Drop.exe -> 39a9e5c05ffbda925da0d2ec9b4f512a

I think we've found it :)

In order to see all the same stuff on the live system, I had to connect using the built-in backdoor (check the passwd in your drop.ini file). This one works with every open port on the hacked system, with a client software packaged with HxDef073. You can also, if you can modify the compromised machine, rename the drop.ini file to another name. Upon reboot, the rootkit won't run. You will then see all the hidden files and directories, and the hidden registry keys which launch the rootkit on reboot.

Hope this helps

E.Marchand

> -----Original Message-----
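A small defensive check in the spirit of the hash comparison above, added here as an example and not part of the original post: it hashes every file under a directory and reports matches against a table of known rootkit hashes, flagging copies that carry a different file name (the post's Drop.exe case). The table uses the MD5 quoted in the post; the function names are my own.

```python
import hashlib
import os

# MD5 reported in the post for the stock Hacker Defender 0.73 binary.
# The compromised host carried the same bytes under a different name ("Drop.exe"),
# so matching on content rather than on file name is the point of the check.
KNOWN_BAD_MD5 = {
    "39a9e5c05ffbda925da0d2ec9b4f512a": "HxDef073.exe (Hacker Defender 0.73)",
}


def md5_file(path, chunk_size=1 << 16):
    """Return the lowercase hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_bad=KNOWN_BAD_MD5):
    """Walk `root` and return a list of hits for files whose MD5 is in `known_bad`.

    Each hit records whether the on-disk name differs from the expected name
    (the first token of the table entry), which is how a renamed copy shows up.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in known_bad:
                label = known_bad[digest]
                expected_name = label.split(" ")[0].lower()
                hits.append({
                    "path": path,
                    "md5": digest,
                    "matches": label,
                    "renamed": name.lower() != expected_name,
                })
    return hits
```

Run it against a disk image or after the rootkit has been disabled as described above; while the rootkit is active, the files it hides will not be returned by os.walk. MD5 is not collision-resistant, so treat a hit as a lead to confirm rather than proof on its own.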



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu May 8 17:52:51 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

