Archive for the 'Vista' Category

Anti Rootkit Software Scanners for Vista

Friday, January 11th, 2008

We are often asked which anti-rootkit scanners are available for Windows Vista. Currently only 7 of the 20 or so scanners available will work with Vista, and those only on 32-bit versions of Vista.

Here is a list of the 7, in alphabetical order. Click on a scanner name to go to a more detailed page where you can download the software.

F-Secure Blacklight

GMER

Icesword

Rootkit Hook Analyser

Rootkit Revealer

Rootkit Unhooker

Unhackme

Keep Safe,

Steo - www.antirootkit.com

Security Flaw in Vista and XP - Rootkit exploit in the wild

Thursday, January 3rd, 2008

In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this was more of a proof of concept (PoC).

This goes to show how much effort rootkit authors are putting into creating new ways of evading anti-rootkit software. This is a new vector of attack for malware writers and gives them control from outside the operating system.

This rootkit relies on the fact that the MBR can be written to from within Windows.

The rootkit installs itself (244K) on the last sectors of the user's disk and then modifies other sectors, including sector 0. The code runs before your PC boots into XP, Vista or NT and has full control of the boot process, which means it can install and run any application it wants without you, XP, Vista or NT knowing about it.

GMER has written an excellent write up on the MBR Rootkit and goes into more depth on the issue.

Indeed GMER’s Anti Rootkit Software can find the rootkit.


The rootkit files cannot be removed from within XP, Vista or NT and must be removed while the PC is not running the rootkit code.

Until the MBR security flaw within the NT code is fixed, we will all soon be riddled with MBR rootkits.
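As an added example (not part of the original post, and not GMER's code), the following Python checks a raw disk image offline, i.e. with the PC not running the rootkit code, for the two traces described above: sector 0 boot code that no longer matches a hash recorded while the disk was clean, and non-zero data in the unallocated sectors past the last partition, where the post says the body is stored. The 64-sector image, its partition layout and the boot code bytes are constructed stand-ins.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 are boot code, then four 16-byte partition entries
SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR

def parse_mbr(sector0):
    """Split a 512-byte MBR into boot code, non-empty partition entries and a signature flag."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:  # type 0 is an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": bytes(sector0[:BOOT_CODE_LEN]), "partitions": parts,
            "signature_ok": bytes(sector0[510:512]) == SIGNATURE}

def scan_image(image, baseline_boot_sha256):
    """Offline check of a raw disk image against a boot-code hash recorded while the disk was clean."""
    findings = []
    mbr = parse_mbr(image[:SECTOR])
    if not mbr["signature_ok"]:
        findings.append("MBR signature 55AA missing")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_boot_sha256:
        findings.append("sector 0 boot code differs from baseline")
    # Sectors after the last partition are normally unused, so a body stored there shows up as non-zero data.
    total = len(image) // SECTOR
    last_used = max((p["lba_start"] + p["sectors"] for p in mbr["partitions"]), default=1)
    for lba in range(last_used, total):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            findings.append(f"non-zero data in unallocated tail starting at LBA {lba}")
            break
    return findings

def make_image(boot_code, tail_payload=b""):
    """Constructed 64-sector test image: one type-7 partition at LBA 1..55, the rest unallocated."""
    img = bytearray(SECTOR * 64)
    img[:BOOT_CODE_LEN] = boot_code  # boot_code must be exactly 446 bytes
    struct.pack_into("<B3xB3xII", img, BOOT_CODE_LEN, 0x80, 0x07, 1, 55)  # bootable, type 7, start 1, 55 sectors
    img[510:512] = SIGNATURE
    if tail_payload:
        img[-len(tail_payload):] = tail_payload
    return bytes(img)

CLEAN_BOOT = b"\xEB\x3C\x90" + b"\x00" * (BOOT_CODE_LEN - 3)  # constructed stand-in for real boot code
BASELINE = hashlib.sha256(CLEAN_BOOT).hexdigest()
```

On a real system the baseline hash would be taken from a known-clean sector 0 and the image read from the drive while booted from separate media, so that the rootkit code is not running.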

Keep Safe,

regards,

Steo - www.antirootkit.com


Free Rootkit with Every New Intel Machine

Tuesday, June 12th, 2007

There is an interesting article over at Astalavista about how new Intel based machines will have rootkit functionality “available” to the user. This will surely turn out to be another avenue to be utilised by malware writers.

From the article…
“Essentially, all new Intel machines (and a number of current Intel servers)
come with free hardware rootkit functionality, which is operational and
accessible when the machine is powered off, and in the case of laptops, even
when they are unplugged and powered off.

There is the mention of code signing, TLS and PKI magic to allay your security
concerns however…”

Read the full article here…

Keep Safe,

regards

Steo

Do Windows Vista Protected Processes = Rootkits?

Monday, April 16th, 2007

When Windows Vista came along we were told that no rootkits could run in Vista because of its various security enhancements. Then, over the months since the beta versions of Vista, various people have come up with ways that may make it possible to install a rootkit (see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).

Since the official release of Windows Vista earlier this year there has been a concerted effort by security researchers to come up with ways to install rootkits or hide processes within Vista.

Alex Ionescu is one such researcher, and he has done a lot of work in the area of Protected Processes in Vista.

From Microsoft:

“The Microsoft® Windows Vista™ operating system introduces a new type of process known as a protected process to enhance support for Digital Rights Management functionality in Windows Vista. These protected processes exist alongside other processes in Windows Vista.”

and

“Constraints on protected processes. A typical process cannot perform operations such as the following on a protected process:
· Inject a thread into a protected process
· Access the virtual memory of a protected process
· Debug an active protected process
· Duplicate a handle from a protected process
· Change the quota or working set of a protected process”

So it looks like a protected process has some immunity from being interfered with, and therefore from being checked for badness. This sounds very rootkit-like to me. Although a rootkit is designed to hide processes, among other things, the main reason is to prevent programs from seeing what it is up to. A rootkit may be hiding a keylogger from detection, and the same could be said for a keylogger in Vista once it has become a protected process.

Alex Ionescu has released a tool called D-Pin Purr that can both Protect and Unprotect a Protected Process in Vista.

From Alex’s Blog:

“It’s based on the Microsoft documentation which says “Please don’t use a driver to bypass this”, which led me to believe that it would be possible to do this (which wouldn’t work on 64-bit Vista, of course).”

“Unfortunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run. I wrote a small application which I called D-Pin Purr which does exactly this. I tried it on the only two protected processes I know on Vista (audiodg.exe and mfpmp.exe).”

“Being able to play with the PMP application isn’t really what I was interested in, since most of the high-level security is in the kernel anyway. The interesting thing is that I can make any application of my choosing protected, and thus undebuggable, uninjectable and with its address space secure.”


Well, I’m off to have a good mess around with Alex’s tool and I’ll report back some findings.

Keep Safe,
regards

Steo
www.antirootkit.com


References:

Why Protected Processes Are A Bad Idea

Introducing D-Pin Purr v1.0 - 32bit Edition

Microsoft Protected Process Whitepaper

Looking at Britney Spears can get you a Rootkit

Wednesday, April 4th, 2007

On the 28th of March details of a Windows vulnerability involving ANI files were posted on the Internet. It started out as just another vulnerability, but it wasn’t long before it was obvious that this one was different: public exploit code had already been published and the hole was being attacked.

There was a lot of activity from Internet security companies, who had found that the vulnerability was being exploited on websites dotted around the world, but mainly in China. A specially crafted ANI file (an Animated Cursor file) could be embedded within a hacked or dubious website, and when a user visited the page their PC would become infected without them knowing anything. You might say “well, I don’t visit dodgy websites, so I’m OK”, but tell that to the surfers who recently got infected via the Superbowl site by a keylogger / backdoor.

As of the 3rd of April Websense were tracking 450 Unique websites that are serving out the code to unsuspecting users. The bogus code was found on every webpage within these sites.

When a user visits one of these sites the bogus Animated Cursor file is loaded, which in turn can run any program it wants. Currently there are various payloads being sent out via the exploit. They include keyloggers for stealing credit card details from users, and botnet host software which makes the user’s PC part of a botnet (a centrally controlled network of computers), which is then probably used for sending out spam, serving more dodgy Animated Cursors, or DDoS attacks.

Since the vulnerability became public, hackers have been trying to come up with new ways of fooling people into downloading a malicious ANI file. Recently spam emails with subject lines like “Hot pictures of Britiney Speers” have been sent out, hoping to fool users into clicking on a link in the email that would bring them to a hacked PHP site which would serve up the malicious code. Explabs have also reported that along with the malicious payload a rootkit is being used to hide any trace of infection from the user. The Rustock rootkit is an example of a rootkit being used.

The following Video shows how a specially created toolkit creates a malicious ANI file and runs the dir command using the file.

Public PoC ( Proof Of Concept ) Code has been released by jamikazu which will allow Calc.exe to run. Again, calc.exe could easily be replaced by a malicious piece of code.

All Microsoft users should go to Microsoft Windows Update and get this dangerous hole patched quickly. If you have Automatic Update enabled then you more than likely had your system updated on Tuesday 3rd April.

This vulnerability also affects Windows Vista. Determina have put together a nice video that shows how an attacker might take over a Windows Vista PC using the ANI file vulnerability.

http://www.determina.com/security.research/flash/ani.html

If you have recently received an email enticing you to click on a link and see new photos of Britney Spears and you “mistakenly” clicked on the link, then I think you should download one of the FREE anti-rootkit scanners from http://www.antirootkit.com/software/index.htm and check your system for the presence of a rootkit.

Keep Safe

regards

Steo
http://www.antirootkit.com/

References:

Microsoft Security Advisory (935423) - Vulnerability in Windows Animated Cursor Handling

Download the ANI File patch from Microsoft

Britney fears: troubled pop star exploited by Microsoft ANI vulnerability

Public PoC Code Disclosure (Code Execution - Calc.exe)

Large scale compromise with ANI exploit code

Microsoft Vista Kernel Protection is Cracked

Thursday, October 26th, 2006

Security company Authentium has revealed that it has cracked the Vista kernel protection called PatchGuard. Microsoft, in their recently released half-yearly security report, said that PatchGuard was created to stop malware like rootkits from getting into the kernel, where they can hide almost anything on the computer, especially keyloggers and spyware.


“Kernel Patch Protection for x64 Windows: Kernel Patch Protection improves security and makes it more difficult for hackers to hide malware, such as rootkits, deep in the OS where antimalware technologies may have a more difficult time removing it.”
Source: Microsoft Security Intelligence Report - January - June 2006

Helmuth Freericks, chief technology officer of Authentium, told Reuters recently that his company had found a way to turn off PatchGuard, install software and turn it back on again. Although no specific details have been given as to how they were able to turn off PatchGuard, it seems likely that others, such as crafty hackers, will soon find their own way and publish it.
The Authentium Blog has an entry where PatchGuard kernel protection is described as “not very useable or useful”. The entry does not go into much detail because of a gag order from Microsoft. If big security companies see it as useless, then we will all be targets of its uselessness.

It is ironic that Microsoft is currently only using PatchGuard on 64-bit Vista, as an added security attraction for businesses, who are the most likely users of that version of Vista. Ordinary everyday users of the 32-bit version will not have PatchGuard protecting them, which may be a blessing in disguise, since it would only have given them a false sense of security.

In recent weeks we have seen security companies like McAfee asking Microsoft for access to the Vista kernel so that they can provide HIPS (Host Intrusion Prevention System) applications to their 64-bit Vista customers.

Vista kernel protection is cracked, and it will not be long until we see rootkits for 64-bit Vista.

Keep Safe

regards
Steo
www.antirootkit.com