Archive for the 'Rootkit Scanners' Category

AVG Anti-Rootkit Free - The Verdict

Wednesday, April 11th, 2007

Grisoft has released AVG Anti-Rootkit Free to the general public. The company, well known for leading the way in free anti-virus and anti-spyware software, has had a beta available for a few months and now considers it ready for general release. The verdict is below, but first let's look at the program itself; what it failed at comes later.

AVG Anti-Rootkit Free Frontend


I always wonder whether it is a good idea to give users a choice of scans. AVG Anti-Rootkit gives users a choice of “Search for Rootkits” or “Perform in-depth Search”. Surely if I think I have a rootkit then I would like to look everywhere for it.

Grisoft have made a few changes since the first beta, such as generating a random window name for the software each time it is run.

The name it gives is not visible within the window but you can see it in the Taskbar.

AVG Anti Rootkit Free Taskbar Name

It also copies itself to a new executable with a different file name from the original and runs that copy instead.

Before:
AVG File List 1
After:
AVG File List 2

Here the program avgarkt.exe has created a new executable called 87A.exe. Anything that makes the scanner harder for a rootkit to recognise by name is welcome, with one caveat: a rootkit that identifies the scanner by the content of its executable (a hash or byte signature) rather than by its file name or window title would still see through this.
AVG Anti-Rootkit Beta Frontend


The beta version used the fixed window title "AVG Anti-Rootkit Beta", which a rootkit could have matched on to detect the scanner and stop it from running.
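As an added illustration (my own Python model, not AVG's code), the following shows the three ways a rootkit could recognise a scanner: by file name, by window title, and by a hash of the executable image. Renaming the file and randomising the title defeat the first two checks but not the third. The image bytes, names and blocklists are constructed for the example.

```python
"""Name-based versus content-based recognition of an anti-rootkit scanner."""
import hashlib
import secrets
import string
from dataclasses import dataclass

# Constructed stand-in for the scanner's executable image (not real AVG bytes).
SCANNER_IMAGE = b"MZ" + b"\x00" * 14 + b"constructed AVG Anti-Rootkit image"


@dataclass
class Process:
    image_name: str
    window_title: str
    image: bytes


# Blocklists a hypothetical rootkit might carry.
BLOCKED_NAMES = {"avgarkt.exe"}                 # file-name check
BLOCKED_TITLE_WORDS = ("avg anti-rootkit",)     # window-title check
BLOCKED_HASHES = {hashlib.sha256(SCANNER_IMAGE).hexdigest()}  # content check


def name_based_match(p: Process) -> bool:
    """Recognise the scanner by file name or window title; renaming defeats this."""
    if p.image_name.lower() in BLOCKED_NAMES:
        return True
    return any(w in p.window_title.lower() for w in BLOCKED_TITLE_WORDS)


def hash_based_match(p: Process) -> bool:
    """Recognise the scanner by the SHA-256 of its image; renaming does not change it."""
    return hashlib.sha256(p.image).hexdigest() in BLOCKED_HASHES


def random_name(length: int = 3) -> str:
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def relaunch_renamed(p: Process) -> Process:
    """Model what avgarkt.exe does: same image, new file name, random window title."""
    return Process(image_name=random_name() + ".exe",
                   window_title=random_name(8),
                   image=p.image)


def evaluate(p: Process) -> dict:
    """Which of the two recognition strategies would catch this process."""
    return {"name_based": name_based_match(p), "hash_based": hash_based_match(p)}


if __name__ == "__main__":
    original = Process("avgarkt.exe", "AVG Anti-Rootkit Beta", SCANNER_IMAGE)
    print("original:", evaluate(original))
    print("renamed: ", evaluate(relaunch_renamed(original)))
```

The renamed copy slips past the name and title checks but is still caught by the hash check, which is why the renaming is a useful but limited defence.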

One item present in the first beta but missing from the release is the “Save results in Log” option. It should have been kept: a log lets users find out more about the rootkit, where it may have come from and which defences need to be strengthened, and it is what you would post when asking others for help.

There is no support with AVG Anti-Rootkit Free, so if something goes wrong you will not get help from Grisoft. If you do have a problem you can ask a question in our AVG Anti-Rootkit Forum.

AVG Anti-Rootkit Free is only available in English.

Details about AVG Anti-Rootkit Free from Grisoft.

  • Powerful cleaning due to advanced cleaning driver
  • Easy to use interface
  • Fast and efficient detection (even for NTFS-ADS objects)
  • Special interface for visually impaired people

System Requirements:

  • MS Windows 2000 (32-Bit) or MS Windows XP (32-Bit)

    The Verdict…….

    I ran BadRKDemo from Cardmagic on an XP SP2 PC (not a virtual machine) and here we can see it sending output which can be viewed in DebugView. An entry can be seen: ——-Rootkit is alive!——-

    BadRKDemo Debugview

    Then I ran AVG Anti-Rootkit Free after rebooting the PC and the scan showed up nothing. I say what else can it not find?

    We also tried BadRKDemo with Rootkit Unhooker and IceSword, among others from our software page, which were able to “see” it.

    Update: 22 April 2007
    Some people say BadRKDemo is not a “real” Rootkit and that therefore AVG Antirootkit should not find it. I’d say that if a Program like Rootkit Unhooker can find a hidden driver called BadRKDemo.sys I would have more trust in it than one that doesn’t see it. Maybe this is a very simplistic way of looking at it but programs that find hidden things on computers should try and find all hidden things.

    I am very short of time at the moment but I do owe it to the guys and gals over at AVG Antirootkit to give this a really good test and compare it to other anti rootkit programs. Check back soon.

    Keep Safe
    regards

    Steo
    www.antirootkit.com

    Looking at Britney Spears can get you a Rootkit

    Wednesday, April 4th, 2007

    On the 28th of March details of a Windows vulnerability involving ANI files were posted on the Internet. It started out as just another vulnerability, but it was not long before it was obvious that this one was different: public exploit code had already been published and the hole was being attacked in the wild.

    There was a lot of activity from Internet security companies, who found that the vulnerability was being exploited on websites dotted around the world but mainly in China. A specially crafted ANI file (an animated cursor file) could be embedded in a hacked or dubious website, and when a user visited the page their PC would be infected without them knowing anything. You might say "I don't visit dodgy websites, so I'm OK", but tell that to the surfers who recently got infected with a keylogger / backdoor via the Super Bowl site.

    As of the 3rd of April, Websense were tracking 450 unique websites serving the exploit code to unsuspecting users; the malicious code was found on every page of these sites.

    When a user visits one of these sites the malicious animated cursor file is loaded, which in turn can run any program the attacker wants. Various payloads are being delivered through the exploit: keyloggers that steal credit card details, and botnet software that makes the user's PC part of a botnet (a centrally controlled network of computers), which is then probably used to send out spam, serve more malicious animated cursors, or take part in DDoS attacks.

    Since the vulnerability became public, attackers have been trying to come up with new ways of fooling people into loading a malicious ANI file. Recently spam emails with subject lines like “Hot pictures of Britiney Speers” have been sent out, hoping to get users to click on a link that brings them to a hacked PHP site serving the malicious code. Explabs have also reported that, along with the malicious payload, a rootkit is being installed to hide any trace of the infection from the user; the Rustock rootkit is one example of a rootkit being used this way.

    The following Video shows how a specially created toolkit creates a malicious ANI file and runs the dir command using the file.

    Public PoC ( Proof Of Concept ) Code has been released by jamikazu which will allow Calc.exe to run. Again, calc.exe could easily be replaced by a malicious piece of code.
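Since the page does not show what makes a crafted ANI file "special", here is an added Python check of my own (not code from the advisory, the toolkit or the PoC) that walks the RIFF chunks of an animated cursor and flags the shape public analysis of this bug described: an "anih" header chunk whose declared size is not the 36 bytes of the ANIHEADER structure, typically a second, oversized "anih" placed after a valid first one. The two sample files are constructed inline; neither is real malware.

```python
"""Walk an ANI (RIFF/ACON) file and flag malformed 'anih' header chunks."""
import struct

ANIH_EXPECTED_SIZE = 36  # sizeof(ANIHEADER): nine little-endian 32-bit fields


def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: fourcc, little-endian size, payload, pad to even length."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff(chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container of form type ACON (animated cursor)."""
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"ACON" + chunks


# A well-formed ANIHEADER: cbSize=36, 1 frame, 1 step, 32x32, 32 bpp, 1 plane, rate 1, flags 1.
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 1, 1)

# Constructed samples: a benign cursor, and one carrying a second, oversized
# anih chunk after a valid first one.
BENIGN_ANI = _riff(_chunk(b"anih", GOOD_HEADER)
                   + _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 10)))
CRAFTED_ANI = _riff(_chunk(b"anih", GOOD_HEADER)
                    + _chunk(b"anih", b"A" * 100)
                    + _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 10)))


def _walk(data: bytes, start: int, end: int, found: list, reasons: list) -> None:
    """Visit every chunk in data[start:end], descending into LIST chunks."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        if payload + size > end:
            reasons.append(f"chunk {fourcc!r} declares {size} bytes but only {end - payload} remain")
            return
        if fourcc == b"anih":
            found.append(size)
            if size != ANIH_EXPECTED_SIZE:
                reasons.append(f"anih chunk of {size} bytes (expected {ANIH_EXPECTED_SIZE})")
        elif fourcc == b"LIST" and size >= 4:
            _walk(data, payload + 4, payload + size, found, reasons)  # skip the list type
        pos = payload + size + (size & 1)  # chunks are word-aligned


def scan_ani(data: bytes) -> dict:
    """Parse an ANI file and report whether its anih chunks look tampered with."""
    result = {"valid_riff": False, "anih_sizes": [], "reasons": [], "suspicious": False}
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        result["reasons"].append("not a RIFF/ACON container")
        return result
    result["valid_riff"] = True
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)  # never trust the declared size beyond the buffer
    _walk(data, 12, end, result["anih_sizes"], result["reasons"])
    if len(result["anih_sizes"]) != 1:
        result["reasons"].append(f"{len(result['anih_sizes'])} anih chunks (expected exactly one)")
    result["suspicious"] = bool(result["reasons"])
    return result


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ANI), ("crafted", CRAFTED_ANI)):
        print(name, scan_ani(sample))
```

A check like this is only a triage aid: it catches the malformed header, not the payload, and a file that fails it should simply never be opened on an unpatched machine.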

    All Windows users should go to Microsoft Windows Update and get this dangerous hole patched quickly. If you have Automatic Updates enabled, your system was more than likely updated on Tuesday 3rd April.

    This vulnerability also affects Windows Vista. Determina have put together a nice video that shows how an attacker might take over a Windows Vista PC using the ANI file vulnerability.

    http://www.determina.com/security.research/flash/ani.html

    If you have recently received an email enticing you to click on a link to see new photos of Britney Spears and you “mistakenly” clicked on it, then I think you should download one of the FREE anti-rootkit scanners from http://www.antirootkit.com/software/index.htm and check your system for the presence of a rootkit.

    Keep Safe

    regards

    Steo
    http://www.antirootkit.com/

    References:

    Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling

    Download the ANI File patch from Microsoft

    Britney fears: troubled pop star exploited by Microsoft ANI vulnerability

    Public PoC Code Disclosure (Code Execution - Calc.exe)

    Large scale compromise with ANI exploit code

    Panda Antirootkit Officially Released

    Monday, April 2nd, 2007

    Panda Software, one of the world’s leading Internet security companies, has officially released its anti-rootkit product, Panda Antirootkit. It was released in beta in December 2005 and has had over 20,000 downloads to date.

    Panda Antirootkit finding Rootkits

    “Panda AntiRootkit is a free utility that performs in-depth scans of your computer in search of hidden resources, identifying and disinfecting known and unknown rootkits. Unlike other rootkit utilities which merely “reveal” hidden objects, Panda AntiRootkit positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.

    In addition Panda AntiRootkit has an Exhaustive Scan Monitor (requires reboot) capable of monitoring drivers and processes loading at boot time. Its unique technology does this at a lower level than any other AntiRootkit utility, therefore revealing all hiding techniques used by the latest generation rootkits.

    Panda AntiRootkit discovers hidden files, registry entries, drivers, processes, modules, SDT modifications, EAT hooks, modifications to IDT, non-standard INT2E, non-standard SYSENTER, IRP hooks, and much more. Among many things we have added an extended .CSV report which can be exported for consulting detailed information of hidden objects found, and some interface process refinements.

    Panda AntiRootkit runs on Windows 2000 SP4 and Windows XP and above. For a version that runs on servers please contact your local Panda Technical Support office. Keep in mind that Panda AntiRootkit is not an antivirus solution nor does it provide real-time protection. If Panda AntiRootkit has detected and disinfected a rootkit from your system, we still recommend that you run a complete AV scan afterwards to delete any malicious files that might be left over.”

    Panda Antirootkit can also be run from the command line with certain switches, so that it can be launched from login scripts across a corporate network.

    Antirootkit.com - Panda Antirootkit
    Panda Research Blog

    regards
    Steo
    www.antirootkit.com

    New Anti Rootkit Scanner - HELIOS Lite released

    Saturday, March 10th, 2007

    The award-winning information security company MIEL e-Security Pvt Ltd, from India, has released a new version of their anti-rootkit program HELIOS, called HELIOS Lite:

    HELIOS Lite Screenshot

    From the Helios Blog: 

    “We’re pleased to announce a new version of Helios called Helios Lite. After listening to feedback from the community and upgrading a lot of our detection technology, we are releasing Helios Lite.

    Helios Lite is a rootkit detection product based on some of the components of the Helios rootkit detection technologies. It is an implementation of the idea of Cross View Detection for the detection of persistent and non-persistent rootkits. It successfully detects a large number of user mode and kernel mode rootkits including Hacker Defender, Vanquish, Fu, FuTo, phide_ex and Unreal.A. It searches for hidden processes, hidden files as well as hidden registry keys.

    Helios Lite was designed to be quick and portable; it does not require installation and can be run off a USB drive. The only prerequisite is that it is run as a system administrator. This release of Helios does not require the .Net Framework and will work on any Windows XP SP2 system. For using all the features, an NTFS formatted system disk is recommended. The addition of the word ‘Lite’ to the name does not represent a lesser set of features; this version of Helios is even more powerful than the earlier release. We’ve called it ‘Lite’ simply because it has very minimal system requirements and does not need installation.”
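To show what "cross view detection" means in practice, here is an added Python example of my own (not MIEL's code). A high-level view is what the documented API reports (process list, directory listing, registry enumeration); a low-level view is gathered by other means (walking kernel structures, reading the raw NTFS volume or the hive file). A rootkit filters the API results, so anything present only in the low-level view is hidden. The views below are constructed sets of identifiers; the process, file and key names in them are made up for the example.

```python
"""Cross-view detection of hidden processes, files and registry keys."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    processes: frozenset   # (pid, image name)
    files: frozenset       # full paths
    regkeys: frozenset     # full key paths


KINDS = ("processes", "files", "regkeys")


def cross_view(high_before: Snapshot, low: Snapshot, high_after: Snapshot) -> dict:
    """Report objects present in the low-level view but in neither high-level snapshot.

    The low-level enumeration is slow, so two API snapshots bracket it: an object
    that appeared or vanished during the scan shows up in one of the two API views
    and is therefore not flagged, which removes the most common false positive.
    Objects the API reported both times but the raw view never saw are returned as
    'unconfirmed' (a gap in the low-level enumerator, or an object being faked).
    """
    hidden, unconfirmed = {}, {}
    for kind in KINDS:
        api = getattr(high_before, kind) | getattr(high_after, kind)
        stable_api = getattr(high_before, kind) & getattr(high_after, kind)
        raw = getattr(low, kind)
        hidden[kind] = sorted(raw - api)
        unconfirmed[kind] = sorted(stable_api - raw)
    return {"hidden": hidden, "unconfirmed": unconfirmed}


# Constructed views (not captured from a real machine).
API_BEFORE = Snapshot(
    processes=frozenset({(4, "System"), (620, "svchost.exe"), (1200, "notepad.exe")}),
    files=frozenset({r"C:\Windows\system32\drivers\null.sys"}),
    regkeys=frozenset({r"HKLM\SYSTEM\CurrentControlSet\Services\Null"}),
)
RAW = Snapshot(
    processes=frozenset({(4, "System"), (620, "svchost.exe"), (1200, "notepad.exe"),
                         (1500, "cmd.exe"), (1337, "hxdef100.exe")}),
    files=frozenset({r"C:\Windows\system32\drivers\null.sys",
                     r"C:\Windows\system32\drivers\BadRKDemo.sys"}),
    regkeys=frozenset({r"HKLM\SYSTEM\CurrentControlSet\Services\Null",
                       r"HKLM\SYSTEM\CurrentControlSet\Services\BadRKDemo"}),
)
# notepad.exe exited and cmd.exe started while the raw view was being built.
API_AFTER = Snapshot(
    processes=frozenset({(4, "System"), (620, "svchost.exe"), (1500, "cmd.exe")}),
    files=API_BEFORE.files,
    regkeys=API_BEFORE.regkeys,
)


def demo() -> dict:
    return cross_view(API_BEFORE, RAW, API_AFTER)


if __name__ == "__main__":
    print(demo())
```

Only hxdef100.exe, BadRKDemo.sys and the BadRKDemo service key are reported; notepad.exe and cmd.exe, which changed state during the scan, are not, because each of them appears in one of the two API snapshots.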

    Get yourself a free copy and try it out today.

    References:
    http://www.antirootkit.com/software/helios.htm
    http://helios.miel-labs.com/

    Stay Safe

    Steo

    New Linux Anti Rootkit Scanner released

    Tuesday, February 20th, 2007

    Tobias Klein, a German developer, has released a new rootkit scanner for Linux.

    The new scanner, called Rootkit Profiler LX or RKProfiler LX, will work on the following platforms:

    - SUSE Linux Enterprise Server 10 (x86, 32-bit)
    - SUSE Linux Enterprise Desktop 10 (x86, 32-bit)
    - Ubuntu 6.10 Edgy Eft (x86, 32-bit)
    - openSUSE 10.2 (x86, 32-bit)


    Features:

    Detection: RKProfiler LX checks the whole kernel code as well as various kernel data sections and CPU registers for possible modifications and hidden components:

    - Generic kernel code modification
    - Syscall table address modification
    - Syscall address modification
    - Syscall code modification
    - Interrupt handler address modification
    - Interrupt handler code modification
    - Page Fault Handler modification
    - Kernel symbol modification
    - SYSENTER register modification
    - Virtual File System function pointer modification
    - Hidden processes and threads
    - Hidden kernel modules
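As an added example (my own Python, not RKProfiler LX's code), the following runs three of the checks named in that list on a constructed snapshot: a syscall table entry pointing outside the kernel text (the classic LKM hook), an entry redirected to another kernel function, and a handler whose first bytes no longer match a clean baseline (code modification). A real checker would read the table and handler bytes from kernel memory and the symbol addresses from System.map or /proc/kallsyms; all addresses and bytes here are made up, only the syscall numbers are the real i386 ones.

```python
"""Syscall-table address and code integrity checks on a constructed kernel snapshot."""
from dataclasses import dataclass


@dataclass
class KernelSnapshot:
    text_start: int          # _stext
    text_end: int            # _etext
    symbols: dict            # symbol name -> address (System.map / kallsyms)
    expected: dict           # syscall number -> expected handler symbol
    sys_call_table: dict     # syscall number -> address read from live memory
    code: dict               # handler address -> first bytes read from live memory
    baseline: dict           # symbol name -> first bytes recorded on a clean system


def check_syscall_table(snap: KernelSnapshot) -> list:
    """Return (syscall number, finding) pairs; an empty list means nothing was modified."""
    findings = []
    addr_to_sym = {a: s for s, a in snap.symbols.items()}
    for nr, sym in sorted(snap.expected.items()):
        live = snap.sys_call_table.get(nr)
        want = snap.symbols[sym]
        if live is None:
            findings.append((nr, f"{sym}: entry missing from table"))
        elif live != want:
            if not (snap.text_start <= live < snap.text_end):
                # Outside kernel text: almost always a loaded module, i.e. an LKM rootkit.
                findings.append((nr, f"{sym}: table points outside kernel text (0x{live:08x})"))
            else:
                other = addr_to_sym.get(live, "unknown symbol")
                findings.append((nr, f"{sym}: table points at {other} (0x{live:08x})"))
        elif snap.code.get(live) != snap.baseline.get(sym):
            # Address is right but the handler's first bytes differ: inline hook / patched code.
            findings.append((nr, f"{sym}: handler code modified at 0x{live:08x}"))
    return findings


# Constructed 32-bit snapshot; syscall numbers follow the i386 table (3 read, 5 open, 220 getdents64).
SNAPSHOT = KernelSnapshot(
    text_start=0xC0100000,
    text_end=0xC0400000,
    symbols={"sys_read": 0xC0170000, "sys_open": 0xC0175000, "sys_getdents64": 0xC0180000},
    expected={3: "sys_read", 5: "sys_open", 220: "sys_getdents64"},
    sys_call_table={3: 0xC0170000, 5: 0xC0175000, 220: 0xD08A1230},   # 220 redirected into a module
    code={0xC0170000: b"\x55\x89\xe5\x83\xec",                         # unchanged prologue
          0xC0175000: b"\xe9\xab\xcd\x12\x00"},                        # jmp patched in at sys_open
    baseline={"sys_read": b"\x55\x89\xe5\x83\xec",
              "sys_open": b"\x55\x89\xe5\x83\xec",
              "sys_getdents64": b"\x55\x89\xe5\x83\xec"},
)


def demo() -> list:
    return check_syscall_table(SNAPSHOT)


if __name__ == "__main__":
    for nr, finding in demo():
        print(f"syscall {nr}: {finding}")
```

The getdents64 hook is the kind of thing a file-hiding rootkit installs, and the patched prologue at sys_open is what an address-only check would miss, which is why the code comparison is listed as a separate test.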

    Tobias will also have a Mac OS version available soon.

    Click here for more information on Rootkit Profiler LX on trapkit.de

    Keep Safe,

    regards

    Steo

    Rootkit Unhooker Author to release new Undetectable Rootkit

    Thursday, January 18th, 2007

    The anti-rootkit software author who goes by the name EP_X0FF has recently released information about a new rootkit he has created. EP_X0FF is the author of Rootkit Unhooker, one of the best anti-rootkit scanners at the moment. According to his own tests, the rootkit is not detected by any current anti-rootkit software. It is to be called Unreal Test Rootkit.

    Here is some information on the rootkit from the Rootkit Unhooker site:

    We are introducing a new generation of rootkit technology.
    Unreal Test Rootkit v1.0
    Unreal rootkit hides a file and a driver. Works on NT-based operating systems with NTFS file systems.

    It is Not malicious.

    This rootkit is not intended to be run with Host Intrusion Prevention Systems.
    This rootkit is intended ONLY for testing with AntiRootkit software.

    Rootkit tech information

    File system: NTFS
    Implementation: DKOM
    Predecessors: partially RkDemo, phide_ex and Rustock

    ARK TESTS:
    ========================================
    1. Rootkit Unhooker v3.01 BYPASSED
    2. Rootkit Revealer v1.71 BYPASSED
    3. F-Secure Blacklight BYPASSED
    4. DarkSpy v1.05 BYPASSED
    5. DarkSpy v1.05fixedbeta2 BYPASSED
    6. IceSword v1.20 BYPASSED
    7. GMER v1.012 BYPASSED
    8. Helios v1.1a BYPASSED
    9. SVV v2.3 BYPASSED
    10. McAfee Rootkit Detective BYPASSED
    11. Sophos AntiRootkit BYPASSED
    12. TrendMicro RootkitBuster BYPASSED
    13. AVG AntiRootkit BYPASSED
    14. AVZ v4.23 ARK Module BYPASSED
    15. BitDefender Rootkit Uncover BYPASSED
    16. Panda AntiRootkit BYPASSED
    17. Panda Tycan BYPASSED
    18. modGreeper v0.3 BYPASSED
    19. flister BYPASSED
    20. UnHackMe BYPASSED
    21. SEEM v4.x BYPASSED
    22. SafetyCheck v1.5.x BYPASSED
    23. Avira AntiRootkit BYPASSED
    24. HiddenFinder v1.301 BYPASSED
    25. RkDetector v0.6 BYPASSED
    ========================================

    There are no best antirootkits.

    Rootkit sources are available only by preliminary request.

    Release date: very soon

    regards

    Steo
    www.antirootkit.com