Archive for the ‘News’ Category

GMER Anti Rootkit & People Power

Sunday, January 7th, 2007

Q. How do you know when you have written a really good piece of software that protects people from rootkits?

A. When the rootkit writers or users start to target your software.

This is exactly what is happening to GMER, a very good anti-rootkit scanner written by a Polish developer who goes by the name gmer.

GMER became a popular anti-rootkit scanner in 2006 and is known for finding rootkits that other tools miss; it has a clean interface and is easy to use. Its author also updates it regularly: when Rustock appeared in 2006, GMER was extended to check NTFS alternate data streams (ADS), a known place where Rustock hid its files.
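The ADS check mentioned above, as an added example that is not GMER's code or part of the original post. It enumerates the streams attached to every file and directory under a root with the Win32 FindFirstStreamW/FindNextStreamW API (so the live part only runs on Windows), then keeps whatever is neither the object's default data stream nor the Internet Explorer Zone.Identifier stream; treating that one stream as benign is this example's own assumption, as is the constructed sample list used to exercise the triage logic.

```python
"""Enumerate NTFS alternate data streams (ADS) and pick out the ones worth a
look, the check GMER added when Rustock began hiding files there.

Added example for this page, not GMER's code. Live enumeration calls the
Win32 FindFirstStreamW / FindNextStreamW API (kernel32), so it only runs on
Windows; the triage logic is plain Python and runs anywhere.
"""
import ctypes
import os
import sys

MAX_PATH = 260
ERROR_HANDLE_EOF = 38          # FindFirstStreamW: the object has no streams at all
DEFAULT_STREAM = "::$DATA"     # the unnamed stream every regular file has
# Assumption for this example: the Internet Explorer "mark of the web" stream
# is expected on downloaded files and is not reported on its own.
BENIGN_STREAMS = {":Zone.Identifier:$DATA"}

# Constructed sample output of walk_streams(): a downloaded installer with its
# mark-of-the-web stream, a text file, and a driver parked in a stream that
# hangs off a directory rather than a file.
SAMPLE_ENTRIES = [
    (r"C:\Users\me\setup.exe", "::$DATA", 4096),
    (r"C:\Users\me\setup.exe", ":Zone.Identifier:$DATA", 26),
    (r"C:\Windows\system32\notes.txt", "::$DATA", 12),
    (r"C:\Windows\system32", ":driver.sys:$DATA", 40960),
]


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout from the Win32 SDK."""
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path):
    """Return [(stream_name, size_bytes)] for every stream of a file or
    directory. Directories normally have no streams at all, which is exactly
    why a driver parked in one stands out."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == invalid_handle:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:
            return []
        raise ctypes.WinError(err)
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def walk_streams(root):
    """Yield (path, stream_name, size) for every stream under root, the
    directories themselves included. The extended-length path prefix keeps
    deep trees from tripping the MAX_PATH limit of the Win32 call."""
    for dirpath, _dirnames, filenames in os.walk(root):
        targets = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in targets:
            try:
                for stream, size in list_streams("\\\\?\\" + os.path.abspath(path)):
                    yield path, stream, size
            except OSError:
                continue      # locked or inaccessible object: skip it


def suspicious_streams(entries):
    """Triage: drop each object's default data stream and the benign list,
    keep everything else. Input is any iterable of (path, stream_name, size)."""
    return [(path, stream, size) for path, stream, size in entries
            if stream != DEFAULT_STREAM and stream not in BENIGN_STREAMS]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\Windows")
    for path, stream, size in suspicious_streams(walk_streams(root)):
        print("%-60s %-30s %d bytes" % (path, stream, size))
```

One caveat a scanner author has to live with: this enumeration goes through the normal file system API, so a kernel rootkit that filters file system results can hide its stream from it just as it hides its files. That is why the dedicated scanners compare what the API reports with what they read at a lower level, and why a stream found this way is still worth the look even though a clean result proves little.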

GMER Screenshot

It was therefore a surprise that in December 2006 the GMER homepage, www.gmer.net, became unreachable: loading it produced a "page not found" style error. The hosting service had taken the site offline because of a DDoS (Distributed Denial of Service) attack. In a DDoS attack someone, or a gang, uses a botnet (computers taken over by attackers for their own use) to continuously request the page at www.gmer.net. The load this puts on the hosting service is why the site had to be taken offline.

All is not lost though. With the help of many people around the internet the name of GMER is now more widely known than ever, and the attacks on the site show that rootkit writers and users regard GMER as a threat.

With the GMER site down, other sites have put up mirrors of the original so that people can still download and read about GMER.

A list of mirrors that were up as of the 7th Jan 2007 @ 23:55 GMT:

http://archive.mysteryfcm.co.uk/security/antirootkit/gmer/gmer.htm
http://fbeej.dk/gmer/gmer.htm
http://www.alexaur.com/anti-rk/
http://www.pperry.f2s.com/mirror/gmer/gmer.htm
http://martijnc.be/tools/gmer/gmer.htm
http://gmer.spywarefix.org/
http://gmer.it-mate.co.uk/gmer.htm
http://www.majorgeeks.com/GMER_d5198.html

The GMER software can also be downloaded from http://pcalsicuro.phpsoft.it/gmer.zip

Even as I transcribe this list it looks as though 2 more have been taken down.

People Power will help GMER survive these attacks, and the attacks only strengthen its reputation as a very good rootkit scanner.

Keep Safe,
regards,
Steo
www.antirootkit.com

Panda Software releases Panda Anti-Rootkit – Codename Tucan

Friday, January 5th, 2007

It was in the early hours of this morning that I wrote about McAfee releasing Rootkit Detective, and lo and behold this afternoon I got an email about Panda Anti-Rootkit, codenamed Tucan, a new rootkit scanner from Panda Software.

It has just been released as a Public Beta.

Here is some info from Panda:

Panda AntiRootkit (Codename Tucan) shows hidden system resources, identifying known and unknown rootkits. Tucan analyzes the following system components:

- Hidden drivers
- Hidden processes
- Hidden modules
- Hidden files
- Hidden registry entries
- SDT modifications
- EAT hooks
- Modification to the IDT
- Non-standard INT2E
- Non-standard SYSENTER
- IRP hooks
- And more…

Panda Anti-Rootkit Frontend

The download is a 219 KB RAR file, quite small compared to McAfee's Rootkit Detective.

It is a single-file program, so there is nothing to install: just unarchive it and run it. When I first ran it, it reported a suspected rootkit. It gives only a name and no details about whether the detection was a hidden process, a hidden file, etc., so it is hard to judge whether it is a false positive, which so many rootkit scanners seem to produce.

This product is still in beta, so I am sure the good people at Panda Software will have it finely tuned before the full release. Download it and send Panda some feedback on it.

More information about the release is available from the Panda Software Research Team, and there is some very good documentation on Panda Anti-Rootkit on the Panda website.

Watch this space and we’ll see who is next to release a dedicated Rootkit scanner.

Keep Safe,
regards
Steo

www.antirootkit.com

McAfee releases a new Rootkit Scanner - Rootkit Detective

Friday, January 5th, 2007

How many new Rootkit Scanners were released in 2006?
I make it at least 11, give or take a few.

There is a big trend among the big anti-virus companies to release dedicated rootkit scanners. In 2006 Sophos, AVG, Avira and Trend Micro were some of the big names that brought us dedicated rootkit scanners.

McAfee has now released its own rootkit scanner, Rootkit Detective, and made it freely available from its website. Interestingly, it is downloaded from the original Stinger page, which will get McAfee a lot of exposure, as Stinger is one of the best-known malware removers around.

Here is some info from the McAfee page on Rootkit Detective:

“McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.”

Features

Following are the features of this program that are designed to proactively detect and clean rootkits from the system. This program is not dependent on any signatures and can proactively detect most of the existing and upcoming rootkits and allow the user to clean them.


  • Designed to proactively detect the system objects like processes, files and registry that are hidden to the user.
  • Provides information about all running processes in the system.
  • Provides information about various system hooks like SSDT (System Service Descriptor Table) hooks, user/kernel IAT/EAT (Import/Export Address Table) hooks.
  • Allows the user to clean/remove the malicious objects from the system by renaming/deleting the hidden files/registry.
  • Allows the user to terminate the malicious processes.
  • Users can submit samples using the submission feature present in the tool.
  • Users can also collect the samples manually after renaming them and submit to stinger@avertlabs.com for further analysis.


Rootkit Detective log file contains details of the hidden files. The files once renamed after reboot will have a .REN extension.
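Both the Panda list above (hidden drivers, processes, modules, files, registry entries) and McAfee's "hidden to the user" objects rest on the same idea, cross-view detection, shown here as an added example that is neither Panda's nor McAfee's code. A rootkit hides a process by filtering the answer of the API everyone asks; it rarely manages to hide it from every other source. So the process list is taken from the usual API, taken again from a brute-force probe of the whole PID space, and anything present only in the second view is reported. The live views are this example's own choice (on Windows, EnumProcesses against an OpenProcess probe; on POSIX, the /proc listing against kill(pid, 0)); the sample views are constructed, and the default probe range is an assumption. The hook checks in the two lists (SSDT, IDT, SYSENTER, IRP) read kernel memory and need a kernel-mode component, which this user-mode example does not attempt.

```python
"""Cross-view detection of hidden processes.

Added example for this page, not Panda's or McAfee's code. Take the process
list from the API a rootkit is likely to hook, take it again from a
lower-level or brute-force source, and report whatever only the second view
shows. The same set comparison applies to files, registry keys and drivers.
"""
import ctypes
import os
import sys

# Constructed sample: an API view from which a rootkit has filtered PID 2260,
# and a brute-force view that still sees it. PID 0 (System Idle) shows up in
# EnumProcesses but cannot be opened, so it is only in the API view.
SAMPLE_API_VIEW = {0, 4, 368, 1020, 1508, 1772}
SAMPLE_RAW_VIEW = {4, 368, 1020, 1508, 1772, 2260}


def hidden_from_view(api_view, raw_view):
    """PIDs present in raw_view but absent from api_view, sorted."""
    return sorted(set(raw_view) - set(api_view))


def api_processes():
    """The view a rootkit is likely to filter: EnumProcesses on Windows, the
    /proc listing elsewhere (what ps and top read)."""
    if sys.platform == "win32":
        psapi = ctypes.WinDLL("psapi", use_last_error=True)
        buf = (ctypes.c_uint32 * 8192)()
        needed = ctypes.c_uint32(0)
        if not psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        return {buf[i] for i in range(needed.value // 4)}
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def default_pid_limit():
    """Upper bound of the probe. POSIX reads the kernel's own limit; the
    Windows figure is an assumption that busy servers can exceed."""
    if sys.platform != "win32":
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                return int(f.read())
        except OSError:
            pass
    return 65536


def probe_processes(pid_limit=None):
    """The brute-force view: ask the kernel about every PID individually.
    'Access denied' still proves the PID exists and is counted as present."""
    if pid_limit is None:
        pid_limit = default_pid_limit()
    found = set()
    if sys.platform == "win32":
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.OpenProcess.restype = ctypes.c_void_p
        k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
        k32.CloseHandle.argtypes = [ctypes.c_void_p]
        for pid in range(4, pid_limit, 4):             # NT PIDs are multiples of 4
            handle = k32.OpenProcess(0x0400, 0, pid)   # PROCESS_QUERY_INFORMATION
            if handle:
                k32.CloseHandle(handle)
                found.add(pid)
            elif ctypes.get_last_error() == 5:         # ERROR_ACCESS_DENIED
                found.add(pid)
        return found
    for pid in range(1, pid_limit):
        try:
            os.kill(pid, 0)                            # signal 0: existence check only
            found.add(pid)
        except ProcessLookupError:                     # ESRCH: no such process
            pass
        except PermissionError:                        # EPERM: exists, not ours
            found.add(pid)
    return found


def live_scan(pid_limit=None):
    """The API view is taken before and after the slow probe, so processes
    that merely started or exited during the probe are not reported hidden."""
    before = api_processes()
    raw = probe_processes(pid_limit)
    after = api_processes()
    return hidden_from_view(before | after, raw)


if __name__ == "__main__":
    hidden = live_scan()
    print("PIDs hidden from the API view:", hidden if hidden else "none")
```

Two limits to keep in mind when reading a result. A kernel rootkit that hooks the process-open path as well as the enumeration path defeats both views at once, which is why the real tools add further sources (handle tables, scheduler structures) rather than rely on one pair. And a PID above the probe limit is never seen, so on a long-running machine the limit should be raised, not trusted.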

McAfee Rootkit Detective Front End

Once again this shows how seriously the big anti-virus companies take the rootkit threat. PandaLabs recently said in a report that it expects rootkits to be an even bigger threat in 2007.

Keep Safe
regards
Steo

www.antirootkit.com

New Years Emails install Rootkits

Saturday, December 30th, 2006

A new email carrying a New Year's greeting is being spammed out from over 160 servers worldwide, at a rate of 5 per second from some of them. The email contains a greeting and an executable attachment which, when run, installs malware hidden by 2 rootkits on the user's PC.

The email can arrive with the subject "Happy New Year!"; newer versions use "Fun Filled New Year" or "Sender Happy 2007!" as the subject.

There is no text in the message, only an attachment. The attachment names vary from "postcard.exe" to "greeting card.exe".

When the attachment is run it installs variants of the Tibs, Nuwar, Banwarum, Mixor and Glowa malware families onto the user's PC.

Two rootkit files are installed to keep the malware from being discovered.

The malware then infects many files, searches the user's hard drive for email addresses and mails itself to them, hoping to infect more people.

Beware of New Year greetings even from friends: their machine may be infected, and because your address was found on their computer the email can look perfectly legitimate.

Keep Safe,
regards

Steo
www.antirootkit.com

Big Yellow worm is coming to get you….

Sunday, December 17th, 2006

A worm alert has been issued by eEye Research. Dubbed Big Yellow, the worm targets a vulnerability in the following Symantec products:

Symantec AntiVirus 10.0.x for Windows (all versions)
Symantec AntiVirus 10.1.x for Windows (all versions)
Symantec Client Security 3.0.x for Windows (all versions)
Symantec Client Security 3.1.x for Windows (all versions)

Quote:
Overview:
The eEye Research honeypot network has recently detected a new worm that is actively exploiting a remote Symantec vulnerability originally discovered by eEye Research on May 24, 2006 and patched by Symantec on June 12, 2006. This vulnerability has been publicly exploited as early as November 30, but this is the first example of a worm leveraging this vulnerability for self-propagation. Generally, patch processes are not in place for non-Microsoft applications such as Symantec AntiVirus/Client Security, so many Symantec users may be at risk for this vulnerability throughout their networks. All enterprises running such software should assess their posture against this worm as soon as possible by validating that they have the latest version of Symantec AntiVirus/Client Security as well as blocking port tcp/2967 at the gateway to minimize attackable surface area.

More on this development, along with an in-depth analysis of the worm code, can be found on the eEye Research site: http://research.eeye.com/html/alerts/AL20061215.html
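The eEye advice above comes down to two checks: confirm the product version on every Symantec host and make sure tcp/2967 is not reachable. The first step of either is knowing which machines actually answer on that port, so here is a small sweep for it, added as an example and not eEye's code. An open port does not prove a host is vulnerable, only that the worm can reach the service; every hit belongs on the list of machines whose version must be verified and which the gateway block must cover. The loopback listener in the self-check is a constructed stand-in for an exposed host.

```python
"""Find hosts that expose tcp/2967, the Symantec AntiVirus / Client Security
port the Big Yellow worm propagates over.

Added example for this page, not eEye's code. Reports reachability only;
verifying the installed version is a separate step.
"""
import socket

SYMANTEC_PORT = 2967


def check_port(host, port=SYMANTEC_PORT, timeout=1.0):
    """'open', 'closed' (connection refused) or 'filtered' (no answer within
    the timeout); name resolution or routing failures come back 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"


def sweep(hosts, port=SYMANTEC_PORT, timeout=1.0):
    """Map each host to the state of the port."""
    return {host: check_port(host, port, timeout) for host in hosts}


def exposed(results):
    """Hosts whose port answered: these are the ones the worm can reach."""
    return sorted(host for host, state in results.items() if state == "open")


def self_check():
    """Offline demonstration against a constructed target: a listener on an
    ephemeral loopback port stands in for an exposed host, and closing it
    stands in for shutting the service off. Returns the two observed states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    while_up = check_port("127.0.0.1", port)
    listener.close()
    after_close = check_port("127.0.0.1", port)
    return while_up, after_close


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["127.0.0.1"]
    results = sweep(targets)
    for host, state in results.items():
        print("%-20s tcp/%d %s" % (host, SYMANTEC_PORT, state))
    print("exposed:", ", ".join(exposed(results)) or "none")
```

Run it from outside the network segment as well as inside: a 'filtered' result from the internet side and an 'open' one from the LAN is the picture the gateway block is meant to produce, and an 'open' from both sides is the host to deal with first.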

eEye provides a free copy of Blink Personal Edition to home users…

Blink® Personal Edition

"eEye Digital Security's Blink® Personal Edition combines intrusion prevention, application and network firewall, identity theft protection, and vulnerability assessment into a single, unified client security solution. With Blink, you are ensured both proactive and reactive protection against the broad methods of attack and compromise used by hackers to gain access to your system and personal data."

Keep Safe,

regards
Steo

www.antirootkit.com

Rootkits in Corporate Espionage

Thursday, November 30th, 2006

JSharp, in a recent blog entry, highlighted the potential of ID-triggered rootkits: rootkits that activate only once they have reached a "target" victim. This high-profile victim could be a large company with a lot of intellectual property and a lot less security.
This may seem far-fetched to the average person, but it has happened in the past and it will become more prevalent in the future.

Companies who are in a very competitive environment can only survive if they have the edge over their competitors. This edge can take many forms but information is the key. Information about competitor’s products, techniques, processes and sales are extremely valuable when making decisions about the future.

An attacker would have no problem offering a poorly paid programmer a lot of money to write a rootkit that none of the current rootkit scanners detect. Earlier this year the author of Hacker Defender, an extremely powerful rootkit, ran a service that produced an undetectable version of Hacker Defender for a price. This super-stealth service is now unavailable.

The attacker could then purchase a zero-day exploit, one for a vulnerability unknown to the vendor, from one of the many sites offering them. There is a lot of money to be made from finding holes in software and selling the information, or ready-to-go exploit code, for thousands of dollars.
One form of rootkit delivery is via a compromised website. A malware creation kit called WebAttacker contains scripts that check the version of the visiting user's browser and send down a rootkit and its payload. That payload could be a keylogger, perfect for capturing usernames and passwords for later attacks. It could also include file-capturing software that gathers up Word documents, spreadsheets or any other file type that might hold valuable information, ready to be sent back out by the same route it came in.

Another form of delivery is via email. Carefully crafted emails can be sent to employees, enticing them to open safe-looking attachments that then release the rootkit and its payload. This happened in May of this year. A large, high-profile, unnamed company in Asia was targeted by an alleged criminal gang. An email was sent to certain employees of the company. It carried a Word document that in some way related to the employee's area of work, and the document contained exploit code that was unknown to everyone except the attacker. The exploit gave the attacker complete control over the employee's PC. This hole in Microsoft Word was patched by Microsoft some months later. I am sure, though, that many companies out there are still vulnerable because they have not patched or updated their Office software.

"Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user detecting a domain name in an email that wasn't completely right.
That user detected an email coming in that originated from a domain that looked like their own, but wasn't their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software." http://isc.sans.org/diary.php?storyid=1345
Arrests were made earlier this year in London and Israel after a company found rogue software, or malware, on its PCs. It turned out that a married couple in London had written software that collected files and sent them to a rival. This software was used by "private investigators" to retrieve information from competing companies.

“Companies probed by the Israeli authorities in connection with the case include mobile phone operators, Cellcom and Pelephone, and satellite television provider YES. All firms have denied any wrong doing. The Trojan horse is said to have spied upon the Rani Rahav PR agency (whose clients include Israel’s second biggest mobile phone operator, Partner Communications), and the HOT cable television group. Mayer, a company which imports Volvo and Honda cars to Israel is suspected of having spied on rival Champion Motors, who import vehicles made by Audi and Volkswagen.” http://www.sophos.com/pressoffice/news/articles/2006/01/israeliesp.html

So there you have it. All an attacker bent on industrial espionage has to do is get an undetectable rootkit, package it with a file-gathering payload, deliver it via an unknown exploit to the target company and wait for the company's information to flow in.

This is why it is important for companies to have software on every machine that stops unauthorised software from getting onto the machine in the first place, rather than relying on detecting it afterwards.

Keep Safe,

regards
Steo
www.antirootkit.com