Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > forensics > 03 > 050356.html (Request Expert securityfocus.com Support)

RE: Finding root-kits on Windows

From: Amarante, Rodrigo P. <RPAmarante(at)directvla.com>
Date: Wed May 07 2003 - 10:33:35 EDT


Ansering your questions:

1st Question -
The best resource for "known" rootkits (yes, Greg's is not the only one) is Greg's Website and BBS www.rootkit.com In his FTP server (you must register with th BBS in order to have access) you can find his NTRootkit, along with HE4Hook, NuLl, Hacker Defense and some "test" projects (basic) that the users of the BBS/Newsgroup are submitting...(For some reason Hacker Defense is missing files in www.rootkit.com, but you can get it from the coders themselves at www.rootkit.host.sk)

Note...this is old times BBS stuff, so download speed is just not there. Be prepared to start a 1.5MB download and wait a while for it to finish

2nd Question
>From the ones I've played with (NTRootKit, Hacker Defense) What I said
is true: a remote network connection won't be filtered by the rootkit driver.  

-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com] Sent: Wednesday, May 07, 2003 9:04 AM
To: forensics@securityfocus.com

Please bear with me, as I'd like to address the three posts I see in this thread all in one email...

First from the OP (shrink-wrap):

> but on the compromised machine it is impossible* to view these files

Do you need help?X

Can you elaborate on what you mean by this? I know it may sound like a question w/ an obvious answer, but too many times I've run across folks who've examined Windows boxen and made statements like this without any sort of background info. What did you try? What worked/didn't work?

> After reading more and more on windows rootkits- one of the common

> the files and the directory have the string "drop" as part of their
of
> the drive named "dropper" and it also "disappeared".

I am familiar with the technique to which you're referring...this was popularized by Greg Hoglund's rootkit techniques. However, until your post, Greg's proof-of-concept NTRootKit was the only one publicly available (to the best of my knowledge). You use plurals throughout your post...can you elaborate a little bit on other Windows rootkits you found?

> how can I find this root-kit that is hooked into my
kernel?

>From your reading, you should be looking for a device
driver file. If a listing from the running machine doesn't show any unusual or suspicious drivers, I'd suggest that you examine the image file for files named "drop*.sys" within the system32 directory.

Would it be possible to get a zipped archive of all of the files you listed in your post, as well as any other files associated with this, w/ the directory structure maintained? I'd greatly appreciate it.

Further, if the system is still up and running, could you document the following and include the output in a zipped archive?

  1. output of netstat -an
  2. output of fport
  3. results of a comprehensive port scan of the system
  4. output of pslist.exe, handle.exe, and listdlls.exe (all from SysInternals)
Do you need more help?X

Also, I'd be interested in examining a text dump of the Registry from the image file.

> BTW, it hasn't matched up with a well-known root-kit

You're right. Symantec defines slanret as a Trojan, though...and that bit of malware was detectable via a particular Registry key.

> *=except 'cd'ing, via command prompt only, into the

> *without* the "drop" name--possibly an error with
the
> root-kit?

Maybe in its architecture. Remember, you said yourself that your reading regarding rootkits mentioned the use of a particular string to "hide" the files. Therefore, it would seem obvious that if the file did NOT start w/ the target string ("drop", in this case) then the files would be viewable.


For Rodrigo:

You said:
"...most Windows rootkits hide themselves by hooking into to System APIs and "filtering" based on a keyword..."

Again, like S-W, you use the plural. Are you familiar w/ more than just Greg Hoglund's NTRootkit and slanret, that use this technique? If so, could you provide links or more detailed information?

Can we help you?X

> Another thing worth mentioning is that since it's
the
> local kernel that is "patched", a remote connection

This is interesting. Have you tested this? If so, can you document your testing procedure and results? I'm very interested, as I'm currently writing a book on Windows data forensics.


Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo. http://search.yahoo.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu May 8 18:08:47 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library