ROOTKIT TESTS B

Published by SSTA



B) Classical rootkits ("hiders", intrusion and hacker tools), malware/automated rootkits and demo rootkits:


1) Hiding a process with Trojan.Constructor.Uniskit.H (BitDefender):



a) detection: P1/P2



By ProcessWalker:

b) prevention: P1/P2


Service/driver installation is detected.
But if we allow the "rootkit" to register its service and load its driver, then we notice that the access to physical memory is not detected, and the rootkit can hide itself without any alert from KAV.

Here is the physical memory access attempt detected by NeovaGuard (a free HIPS):



Here, detected by System Safety Monitor on another machine:



In addition, this simple "process hider" is not in the KAV database (the same goes for most AV vendors).



2) Hacker Defender (revisited version):

a) detection: P1/P2

b) prevention: P1/P2


3) FuTo

a) detection: P1/P2 (we hide cmd.exe)

If we hide only internet explorer:

b) prevention: P1/P2

4) FU variant:

Like this one, many rootkits are still undetected by antivirus labs:



In our example, babar.exe is the process we hide.

a) detection: P1/P2

b) prevention: P1/P2



5) BadRkDemo

a) detection: F1/F2


b) prevention: P1/P2

6) RkStart demo:

a) detection: P1/P2

If we try to move the hidden object into quarantine:

b) prevention P1/P2

7) Unreal demo (first release version):


This demo does not hide its registry keys but only its driver: that's why it bypasses most rootkit detectors.




This way the service is registered and can easily be detected by a system management tool:



But as shown above, we can't remove the service: an indication that "something unusual" is happening... and if we use another kernel task, we can detect, stop and remove the driver easily:




This demo uses Alternate Data Streams for better hiding.

Detection with Helios lite:



ADS detection and removal via command-line tools (LADS in particular):



Detection via forensic disk analysis:

UnHackMe also detects this demo, but it seems that the Unreal authors (UG North) claim that this detection is "fake" (in fact, what UnHackMe does automatically can be done with a simple comparison between the registry and the drivers loaded in memory).
In addition, the determined UG North team has released a new version of Unreal which again bypasses rootkit detectors, UnHackMe included: another funny cat-and-mouse game in the Disneyland of the Windows kernel...
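The registry-versus-memory comparison mentioned above, as an added example (not code from the SSTA blog or from UnHackMe): the registry view comes from the `Type` and `ImagePath` values under HKLM\SYSTEM\CurrentControlSet\Services, the memory view from the psapi `EnumDeviceDrivers` list, and the two are diffed by driver file name. The live collectors only run on Windows; elsewhere the script falls back to a constructed sample in which the service name `DemoRk` and the file `demork.sys` are placeholders that reproduce the Unreal situation (service key visible, driver absent from the module list).

```python
"""Cross-view check: driver services registered in the registry vs. drivers found in kernel memory."""
import sys, pathlib

DRIVER_TYPES = {0x1, 0x2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER; user-mode services are skipped

def compare_views(registered, loaded):
    """registered: {service: (Type, ImagePath)}; loaded: driver file names seen in memory.
    A registered driver missing from the memory view is unloaded or hidden (the Unreal case);
    a loaded image with no service key was registered through a hidden key or loaded another way."""
    reg = {s: pathlib.PureWindowsPath(p.replace("\\??\\", "")).name.lower()  # compare file names only
           for s, (t, p) in registered.items() if t in DRIVER_TYPES}
    mem = {n.lower() for n in loaded}
    return {"registered_not_loaded": sorted(s for s, b in reg.items() if b not in mem),
            "loaded_not_registered": sorted(mem - set(reg.values()))}

def registry_driver_services():
    """Windows only: Type and ImagePath of every key under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as k:
                    out[name] = (winreg.QueryValueEx(k, "Type")[0], winreg.QueryValueEx(k, "ImagePath")[0])
            except OSError:
                pass  # group keys and services without an ImagePath
    return out

def loaded_driver_names():
    """Windows only: the kernel module list via psapi EnumDeviceDrivers / GetDeviceDriverBaseNameW."""
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi")
    bases, needed, buf = (ctypes.c_void_p * 4096)(), wintypes.DWORD(), ctypes.create_unicode_buffer(260)
    psapi.EnumDeviceDrivers(bases, ctypes.sizeof(bases), ctypes.byref(needed))
    count = min(needed.value // ctypes.sizeof(ctypes.c_void_p), len(bases))
    return {buf.value.lower() for b in bases[:count] if psapi.GetDeviceDriverBaseNameW(ctypes.c_void_p(b), buf, 260)}

# Constructed sample mirroring the Unreal case: the service key is visible but the driver is not.
SAMPLE_REGISTRY = {"Beep": (0x1, r"system32\drivers\beep.sys"),
                   "Tcpip": (0x1, r"system32\DRIVERS\tcpip.sys"),
                   "W32Time": (0x20, r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
                   "DemoRk": (0x1, r"\??\C:\WINDOWS\system32\drivers\demork.sys")}  # placeholder name
SAMPLE_LOADED = {"beep.sys", "tcpip.sys", "nokey.sys"}  # nokey.sys: loaded, but no service key

if __name__ == "__main__":
    views = (registry_driver_services(), loaded_driver_names()) if sys.platform == "win32" else (SAMPLE_REGISTRY, SAMPLE_LOADED)
    print(compare_views(*views))
```

A rootkit that hooks the module list hides from the memory view too, which is exactly why the "registered but not loaded" list is the one to read first on a suspect machine.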

In all cases: there is no need for antivirus or anti-rootkit tools (free or paid) to detect, prevent or remove rootkits: a boot CD (for hidden registry keys), Windows features (recovery console, boot logging, DOS mode for instance) and a minimum of experience and knowledge are enough in most cases.

There is an evident marketing exploitation of the rootkit phenomenon by the IT industry in general and the antivirus industry in particular (see future articles in the "marketing anatomy" section of the SSTA blog)...


a) detection: F1/F2

The scan gives no result (even in DOS mode):




If we search for the driver in the logs (data not found):



In addition, the scanner does not integrate a specific engine for hidden ADS, but it seems that many antivirus vendors plan this integration for a future release.
An example with Nod32 ADS Revealer:

b) prevention: P1/P2

8) MSSync alias Trojan.Spy Win32.agent.kd (Kaspersky):

This test has been done "live" via Yahoo Messenger: a classical file-sharing scenario combined with a social engineering attack:

a) detection: P1/P2

By IceSword

b) prevention: F1/P2

KAV prevents the malware from becoming persistent (it blocks the Run key), but it does not stop the malware from hiding itself.
In addition, the terminate and quarantine options are not helpful to block the rootkit (see also part A):



If we terminate and try to rollback the changes:

In fact, the files are still hidden:




The quarantine option does not make the "invisible" "visible": the rootkit is still active:




9) Backdoor Flux:

a) detection: F1/P2


b) prevention: P1/P2

10) Oddysee (old version):

a) detection: F1/P2

F1: the proactive module does not report the hidden object (the driver as a file).

P2 (resident AV): the loaded driver is detected as Fuzen.c

b) Prevention: P1/P2

11) Phide_Exec demo:

a) detection: P1/P2

b) Prevention: P1/P2

12) Pe386/Rustock/SpamBot:



The next screenshots illustrate hidden object detection (GMER and RKU) and connections (IceSword).

a) detection: P1/P2


b) prevention: P1/P2

13) Haxdoor.kg:

a) detection: P1/P2

With ProcessWalker:

And AVG anti-rootkit:


IceSword:

NB: this is an ideal environment here.
If we allow the host to be deeply infected for several minutes, then the computer is "not ours anymore": no possibility to run a rootkit detector even from external drives, no access to the control panel, documents etc...
And KAV spends its time warning about hidden objects every minute... perhaps a line of code designed under the influence of adulterated vodka...

Windows firewall alert: allow or block explorer.exe... what a biblical dilemma...

Even the name of the admin. account is not displayed anymore...

In the future, rootkit malware will include more and more antivirus and detector evasion and self-protection methods (some Pe386 "in the wild" creatures already include these kinds of features).


b) prevention: P1/P2

14) Hxdoor variant:


a) detection: P1/P2



b) prevention: P1/P2

15) Gromozom files:

a) detection: F1/P2



b) prevention: P1/P2

16) Conga (trojan small.avb):

This file is a simple installer (an MSI installer for instance), which makes its spread easier:

Detection with IceSword:



a) detection: P1/P2

But the termination function is again ineffective here ("access denied"):



b) prevention: P1/P2

Published in KASPERSKY 6 TEST
