Rootkit test 3

Published by Kareldjag

Rootkit technologies detection and prevention:

- with Rootkit Demo 1.2: this Russian demo is designed to hide its presence and to make the PC speaker beep.
RKDemo does not use a particular hiding method, but takes advantage of Windows functions (it returns an "error control" to the system).
Moreover, this demo uses ZwLoadDriver instead of the usual NtLoadDriver, which is a well-known method to bypass a HIPS.

Here's what it does:

Time    Message    Process    Thread    Delta Time    Relative Time
14:44:25,453000    Creating process 0x878 at 0x400000     (2168)    0x87C    0,000000    0,000000
14:44:27,328127    Found module 0x400000 (C:\Documents and Settings\Kareldjag.POSTE2\Mes documents\rk_demo_v12\RKSTART.EXE). Version: N/A    RKSTART (2168)    0x87C    1,875127    1,875127
14:44:27,336345    Found module 0x10000000 (C:\WINDOWS\system32\sockspy.dll). Version: N/A    RKSTART (2168)    0x87C    0,008217    1,883345
14:44:27,350415    Found module 0x20000000 (C:\WINDOWS\system32\odbcint.dll). Version: 3.525.1117.0    RKSTART (2168)    0x87C    0,014070    1,897415
14:44:27,359150    Found module 0x58B50000 (C:\WINDOWS\system32\comctl32.dll). Version: 5.82.2900.2180    RKSTART (2168)    0x87C    0,008735    1,906151
14:44:27,367633    Found module 0x621F0000 (C:\WINDOWS\system32\MAPI32.DLL). Version: 1.0.2536.0    RKSTART (2168)    0x87C    0,008482    1,914633
14:44:27,367678    Found module 0x65300000 (C:\PROGRA~1\TPLUS\DBGSHARE.DLL). Version: 3.0.0.1000    RKSTART (2168)    0x87C    0,000045    1,914678
14:44:27,367709    Found module 0x65500000 (C:\PROGRA~1\TPLUS\SQLLNK32.DLL). Version: 5.1.0.1    RKSTART (2168)    0x87C    0,000031    1,914710
14:44:27,367900    Found module 0x6FEE0000 (C:\WINDOWS\system32\NETAPI32.dll). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000190    1,914900
14:44:27,367951    Found module 0x719E0000 (C:\WINDOWS\system32\WS2HELP.dll). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000051    1,914951
14:44:27,367979    Found module 0x719F0000 (C:\WINDOWS\system32\WS2_32.dll). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000027    1,914979
14:44:27,368010    Found module 0x71A60000 (C:\WINDOWS\system32\MPR.DLL). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000031    1,915010
14:44:27,368038    Found module 0x72F50000 (C:\WINDOWS\system32\WINSPOOL.DRV). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000028    1,915038
14:44:27,368082    Found module 0x74730000 (C:\WINDOWS\system32\ODBC32.DLL). Version: 3.525.1117.0    RKSTART (2168)    0x87C    0,000043    1,915082
14:44:27,383392    Found module 0x76340000 (C:\WINDOWS\system32\comdlg32.dll). Version: 6.0.2900.2180    RKSTART (2168)    0x87C    0,015310    1,930392
14:44:27,386628    Found module 0x76AE0000 (C:\WINDOWS\system32\WINMM.dll). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,003236    1,933628
14:44:27,386680    Found module 0x76E30000 (C:\WINDOWS\system32\rtutils.dll). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000051    1,933680
14:44:27,386709    Found module 0x76E40000 (C:\WINDOWS\system32\rasman.dll). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000029    1,933709
14:44:27,386738    Found module 0x76E60000 (C:\WINDOWS\system32\TAPI32.DLL). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000029    1,933738
14:44:27,386773    Found module 0x76E90000 (C:\WINDOWS\system32\RASAPI32.DLL). Version: 5.1.2600.2180    RKSTART (2168)    0x87C    0,000034    1,933773
14:44:27,386810    Found module 0x770E0000 (C:\WINDOWS\system32\OLEAUT32.dll). Version: *    RKSTART (2168)    0x87C    0,000037    1,933810
14:44:27,396715    Found module 0x77390000 (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll). Version: *    RKSTART (2168)    0x87C    0,009904    1,943715
14:44:27,404035    Found module 0x774A0000 (C:\WINDOWS\system32\ole32.dll). Version: *    RKSTART (2168)    0x87C    0,007320    1,951035
14:44:27,414526    Found module 0x779E0000 (C:\WINDOWS\system32\CRYPT32.dll). Version: *    RKSTART (2168)    0x87C    0,010491    1,961526
14:44:27,414597    Found module 0x77A80000 (C:\WINDOWS\system32\MSASN1.dll). Version: *    RKSTART (2168)    0x87C    0,000071    1,961597
14:44:27,430317    Found module 0x77AA0000 (C:\WINDOWS\system32\WININET.DLL). Version: *    RKSTART (2168)    0x87C    0,015720    1,977317
14:44:27,430395    Found module 0x77BE0000 (C:\WINDOWS\system32\msvcrt.dll). Version: *    RKSTART (2168)    0x87C    0,000078    1,977395
14:44:27,446474    Found module 0x77D10000 (C:\WINDOWS\system32\USER32.dll). Version: *    RKSTART (2168)    0x87C    0,016079    1,993474
14:44:27,453386    Found module 0x77DA0000 (C:\WINDOWS\system32\ADVAPI32.dll). Version: *    RKSTART (2168)    0x87C    0,006911    2,000386
14:44:27,453463    Found module 0x77E50000 (C:\WINDOWS\system32\RPCRT4.dll). Version: *    RKSTART (2168)    0x87C    0,000077    2,000463
14:44:27,453522    Found module 0x77EF0000 (C:\WINDOWS\system32\GDI32.dll). Version: *    RKSTART (2168)    0x87C    0,000058    2,000522
14:44:27,468206    Found module 0x77F40000 (C:\WINDOWS\system32\SHLWAPI.dll). Version: *    RKSTART (2168)    0x87C    0,014684    2,015206
14:44:27,487100    Found module 0x7C800000 (C:\WINDOWS\system32\kernel32.dll). Version: *    RKSTART (2168)    0x87C    0,018894    2,034100
14:44:27,495832    Found module 0x7C910000 (C:\WINDOWS\system32\ntdll.dll). Version: *    RKSTART (2168)    0x87C    0,008732    2,042832
14:44:27,504538    Found module 0x7C9D0000 (C:\WINDOWS\system32\SHELL32.DLL). Version: *    RKSTART (2168)    0x87C    0,008705    2,051538
14:44:27,927518    Rootkit started    RKSTART (2168)    0x87C    0,422979    2,474518
14:44:27,981223    Searching handles...    RKSTART (2168)    0x87C    0,053705    2,528223
14:44:27,985131    Process finded    RKSTART (2168)    0x87C    0,003907    2,532131
14:44:27,989034    Thread finded    RKSTART (2168)    0x87C    0,003903    2,536034
14:44:27,992940    Handle closed!    RKSTART (2168)    0x87C    0,003906    2,539940
14:44:27,996845    Handle closed!    RKSTART (2168)    0x87C    0,003904    2,543845
14:44:28,000752    Handle closed!    RKSTART (2168)    0x87C    0,003908    2,547753
14:44:28,004658    Handle closed!    RKSTART (2168)    0x87C    0,003906    2,551658
14:44:28,008560    Handle closed!    RKSTART (2168)    0x87C    0,003902    2,555561
14:44:28,012468    Handle closed!    RKSTART (2168)    0x87C    0,003907    2,559468
14:44:28,016391    Handle closed!    RKSTART (2168)    0x87C    0,003923    2,563391
14:44:28,031000    An exception occurred at address 0x7C91EB74. The type of exception is ''.    RKSTART (2168)    0x87C    0,014608    2,578000
14:44:37,528021    Loading driver >>    RKSTART (2168)    0x87C    9,497021    12,075021
14:44:37,745123    ZwLoadDriver returned: 0x00000000    RKSTART (2168)    0x87C    0,217102    12,292123
14:44:37,765000    An exception occurred at address 0x77D2EE07. The type of exception is 'EXCEPTION_ACCESS_VIOLATION'.     (4)    0x87C    0,000000    12,312000
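The trace above is the raw material an analyst has to reduce to a handful of facts: which images the process mapped, whether the driver load through ZwLoadDriver actually succeeded (0x00000000 is STATUS_SUCCESS), how many foreign handles were closed in a burst, and what crashed afterwards. The following parser is an added example, not code from the post or from the tracer used there; it assumes the tracer exports the six columns tab-separated, and its sample input is a subset of the lines above re-serialised in that shape, with the backslashes the page lost in the module paths put back.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Sample trace lines copied from the debug trace above, re-serialised here as
# tab-separated columns (an assumption about the tracer's export format):
# time, message, process, thread, delta time, relative time.
SAMPLE_TRACE = """\
14:44:25,453000\tCreating process 0x878 at 0x400000\t (2168)\t0x87C\t0,000000\t0,000000
14:44:27,328127\tFound module 0x400000 (C:\\Documents and Settings\\Kareldjag.POSTE2\\Mes documents\\rk_demo_v12\\RKSTART.EXE). Version: N/A\tRKSTART (2168)\t0x87C\t1,875127\t1,875127
14:44:27,336345\tFound module 0x10000000 (C:\\WINDOWS\\system32\\sockspy.dll). Version: N/A\tRKSTART (2168)\t0x87C\t0,008217\t1,883345
14:44:27,495832\tFound module 0x7C910000 (C:\\WINDOWS\\system32\\ntdll.dll). Version: *\tRKSTART (2168)\t0x87C\t0,008732\t2,042832
14:44:27,927518\tRootkit started\tRKSTART (2168)\t0x87C\t0,422979\t2,474518
14:44:27,981223\tSearching handles...\tRKSTART (2168)\t0x87C\t0,053705\t2,528223
14:44:27,992940\tHandle closed!\tRKSTART (2168)\t0x87C\t0,003906\t2,539940
14:44:27,996845\tHandle closed!\tRKSTART (2168)\t0x87C\t0,003904\t2,543845
14:44:28,000752\tHandle closed!\tRKSTART (2168)\t0x87C\t0,003908\t2,547753
14:44:28,031000\tAn exception occurred at address 0x7C91EB74. The type of exception is ''.\tRKSTART (2168)\t0x87C\t0,014608\t2,578000
14:44:37,528021\tLoading driver >>\tRKSTART (2168)\t0x87C\t9,497021\t12,075021
14:44:37,745123\tZwLoadDriver returned: 0x00000000\tRKSTART (2168)\t0x87C\t0,217102\t12,292123
14:44:37,765000\tAn exception occurred at address 0x77D2EE07. The type of exception is 'EXCEPTION_ACCESS_VIOLATION'.\t (4)\t0x87C\t0,000000\t12,312000
"""

# One trace line: six tab-separated columns, comma as decimal separator.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d,\d+)\t(?P<msg>[^\t]*)\t(?P<proc>[^\t]*)\t"
    r"(?P<thread>0x[0-9A-Fa-f]+)\t(?P<delta>[\d,]+)\t(?P<rel>[\d,]+)$"
)
MODULE_RE = re.compile(r"^Found module (?P<base>0x[0-9A-Fa-f]+) \((?P<path>.+)\)\. Version: (?P<ver>.+)$")
DRIVER_RE = re.compile(r"^ZwLoadDriver returned: (?P<status>0x[0-9A-Fa-f]{8})$")
EXC_RE = re.compile(r"exception occurred at address (?P<addr>0x[0-9A-Fa-f]+)\. "
                    r"The type of exception is '(?P<kind>.*)'\.$")


@dataclass
class TraceEvent:
    time: str
    message: str
    process: str
    thread: str
    relative: float  # seconds since the first event


@dataclass
class Summary:
    modules: List[str] = field(default_factory=list)       # image paths, in load order
    driver_loads: List[str] = field(default_factory=list)  # NTSTATUS values returned by ZwLoadDriver
    handles_closed: int = 0
    exceptions: List[str] = field(default_factory=list)    # exception kinds, in order
    findings: List[str] = field(default_factory=list)


def parse_trace(text: str) -> List[TraceEvent]:
    """Turn the tracer export into events. Lines that do not fit the six-column
    shape (header, blanks, garbled lines) are skipped rather than guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        events.append(TraceEvent(
            time=m["time"], message=m["msg"].strip(), process=m["proc"].strip(),
            thread=m["thread"], relative=float(m["rel"].replace(",", ".")),
        ))
    return events


def summarize(events: List[TraceEvent]) -> Summary:
    """Reduce the event stream to what an analyst wants to know: what was
    mapped, whether a driver load succeeded, how many handles were closed,
    and what crashed."""
    s = Summary()
    for ev in events:
        if m := MODULE_RE.match(ev.message):
            s.modules.append(m["path"])
        elif m := DRIVER_RE.match(ev.message):
            s.driver_loads.append(m["status"])
        elif ev.message == "Handle closed!":
            s.handles_closed += 1
        elif m := EXC_RE.search(ev.message):
            s.exceptions.append(m["kind"] or "<unnamed>")
    # Behavioural findings: each is a point a HIPS rule or a reviewer should raise.
    if "0x00000000" in s.driver_loads:  # STATUS_SUCCESS: the kernel driver really loaded
        s.findings.append("kernel driver loaded through ZwLoadDriver (STATUS_SUCCESS)")
    if s.handles_closed >= 3:
        s.findings.append(f"{s.handles_closed} handles closed in a burst after a handle search")
    if "EXCEPTION_ACCESS_VIOLATION" in s.exceptions:
        s.findings.append("access violation after the driver load")
    return s


if __name__ == "__main__":
    for finding in summarize(parse_trace(SAMPLE_TRACE)).findings:
        print("-", finding)
```

The driver check keys on the returned NTSTATUS rather than on the API name, which is the point the post makes about the Zw/Nt pair: a rule that only recognises the string "NtLoadDriver" never fires on this trace, while one that looks for any successful driver load does.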

- hiding data in NTFS

a. basic method: here we just use a classical and well-known method to hide data:

calc.exe is used as the carrier file for svchost.exe and ngSniff.exe:

Here's the result with NTFS tools:
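Assuming the classical method used here is NTFS alternate data streams (svchost.exe and ngSniff.exe stored as named streams of calc.exe), the listing an NTFS tool produces is what a defender has to read. The following is an added example, not code from the post or from any of the tools it uses: it parses the shape of `dir /r` output (the /r switch exists from Windows Vista on; the XP-era tools in the post print their own format) on a constructed sample, and triages each stream so the benign mark-of-the-web stream is not confused with an executable parked inside another file.

```python
import re
from typing import List, NamedTuple


class Stream(NamedTuple):
    host: str   # file the stream hangs off
    name: str   # stream name, e.g. "svchost.exe"
    size: int   # bytes


# Constructed sample in the shape of `dir /r` output: calc.exe carries the two
# streams named in the post, and a text file carries the benign Zone.Identifier
# stream that browsers write on download. Sizes and dates are made up.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\test

05/03/2007  10:12 AM    <DIR>          .
05/03/2007  10:12 AM    <DIR>          ..
05/03/2007  10:12 AM           114,688 calc.exe
                                14,336 calc.exe:svchost.exe:$DATA
                                33,280 calc.exe:ngSniff.exe:$DATA
05/03/2007  10:12 AM                26 notes.txt
                                    38 notes.txt:Zone.Identifier:$DATA
               2 File(s)        114,714 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# A stream line carries no date/time: padding, the size, then host:stream:$DATA.
STREAM_RE = re.compile(r"^\s+(?P<size>[\d,]+)\s+(?P<host>[^:]+):(?P<name>[^:]+):\$DATA\s*$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_streams(listing: str) -> List[Stream]:
    """Extract every alternate data stream from a `dir /r` listing."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            found.append(Stream(m["host"], m["name"], int(m["size"].replace(",", ""))))
    return found


def classify(s: Stream) -> str:
    """Triage one stream: the mark-of-the-web stream is expected; an executable
    image inside another file's stream is the hiding trick shown in the post."""
    name = s.name.lower()
    if name == "zone.identifier":
        return "benign"
    if name.endswith(EXEC_EXT):
        return "suspicious: executable image hidden in a stream"
    return "review: unexpected named stream"


def report(listing: str) -> List[str]:
    """One line per non-benign stream, in listing order."""
    return [f"{s.host}:{s.name} ({s.size} bytes) - {classify(s)}"
            for s in parse_streams(listing) if classify(s) != "benign"]


if __name__ == "__main__":
    for line in report(SAMPLE_DIR_R):
        print(line)
```

Run against a real listing, the two calc.exe streams are reported and the Zone.Identifier stream is dropped; the size column is kept because a stream of several kilobytes on a file that should carry none is itself worth a look even when its name is innocuous.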

b. MySync

The hidden processes displayed by DarkSpy, Gmer, F-Secure BlackLight and Rootkit Unhooker:

c) Backdoor Flux

d) Pe386

e) Rs

f) Oddysee

Published in METHODOLOGY
