Avast & Windows Rootkits?

I’ve been using Avast Pro for quite a while now, but from time to time I wonder about things:

Does Avast protect against stealth infections from rootkits like “FU-rootkit”, “Hacker Defender”, “He4Hook”, “Vanquish” and “Klister”?

I mean rootkits packed and/or encrypted, so that a simple signature-based scan is easily bypassed.

Does it have some kind of generic memory unpacking against these things?

Can it handle rootkits packed with Armadillo or any other packer with an encryption function?

I could test these things out myself if I had the time for it :-\ But since I’m moving to a new house at the moment, PC stuff has a lower priority now.

Should be easily answered by VLK or Pavel etc., though.

Thanks.

I just tried to execute “Vanquish kit”, a .dll-injecting rootkit, on my PC with Avast, Pest Patrol and SSM running.

Result > NONE of these detected it :frowning: not even SSM.

I only stopped the process injection when ZA Pro asked if the “Vanquish autoloader” may use other processes to access the internet.

Scary!

It seems SSM actually blocked (only) a part of the injection.

The rest was done by ZA 4 Pro (but it will NOT be detected by the freeware version because it offers no advanced process control to verify that no other process uses another to connect to the net).

But it seems Pest Patrol and Avast are both vulnerable to these kinds of attacks.

Please!! Correct me if I’m wrong (about Avast).

Should be easily answered by VLK or Pavel etc., though.
I will try it... ;)

…and I think, e.g. FU-rootkit & Vanquish (and the other mentioned applications) are not viruses, but legal tools - if the user downloads them from the web, it’s his own risk (and these are not really dangerous - just process hiding, …)

Can it handle rootkits packed with Armadillo or any other packer with an encryption function?
No, and it’s not really easy to support these packers - we support only the most popular Win exec-packers: aspack/upx/... which make up the bulk of the trojans we detect.

PK,

You say rootkits are no real threats?

Mmm, isn’t a rootkit made to gain TOTAL control of the kernel and kernel-mode services?

Isn’t it true that rootkits are very small in size (approx. 50 KB) and could easily (just like a normal trojan like Optix, Bionet, Beast) be stealthily downloaded and executed on the victim’s PC?

Or do you say that trojans like Bionet and family pose no danger either?

Most of these rootkits go undetected by AV scanners anyway.

I tested with Avast, AVG, eTrust 7

(only Kaspersky online detected it (FU-rootkit), in NORMAL zip format > not crypted or packed with some exotic archive).

I believe, and so do others, that rootkits are the most dangerous malware around (some may be legit, but I strongly doubt that). They have total control over your box, go totally invisible, and CAN’T be detected in conventional ways. They are almost impossible to uninstall, and are not found in the registry.

Copy & paste from the Vanquish website:

Vanquish is a DLL injection based rootkit that hides files, folders, registry entries and logs passwords.

What a rootkit can do:

Hide processes
Hide files or real contents
Hide registry keys or values
Add backdoors
Hide backdoor presence from admin & remote scanning
R.A.T. activity!
Sniff network
and much more :o

Please comment.

Waldo

Log from Kaspersky online (only FU detected):

FU rootkit

FU_Rootkit.zip Archive: ZIP
FU_Rootkit.zip/README Ok
FU_Rootkit.zip/EXE/fu.exe Infected: Trojan.Win2K.Rootkit
FU_Rootkit.zip/EXE/i386/msdirectx.pdb Ok
FU_Rootkit.zip/EXE/ListPrivileges.txt Ok
FU_Rootkit.zip/EXE/msdirectx.nms Ok
FU_Rootkit.zip/EXE/msdirectx.sys Infected: Trojan.Win2K.Rootkit
FU_Rootkit.zip/fu/fu.bbs Ok
FU_Rootkit.zip/fu/fu.cpp Ok
FU_Rootkit.zip/fu/fu.dsp Ok
FU_Rootkit.zip/fu/fu.dsw Ok
FU_Rootkit.zip/fu/fu.h Ok
FU_Rootkit.zip/fu/fu.ncb Ok
FU_Rootkit.zip/fu/fu.opt Ok
FU_Rootkit.zip/fu/fu.plg Ok
FU_Rootkit.zip/fu/fu.sln Ok
FU_Rootkit.zip/fu/fu.suo Ok
FU_Rootkit.zip/fu/fu.vcproj Ok
FU_Rootkit.zip/fu/Instdrv.cpp Ok
FU_Rootkit.zip/fu/Instdrv.h Ok
FU_Rootkit.zip/Sys/ioctlcmd.h Ok
FU_Rootkit.zip/Sys/MAKEFILE Ok
FU_Rootkit.zip/Sys/ProcessName.c Ok
FU_Rootkit.zip/Sys/ProcessName.h Ok
FU_Rootkit.zip/Sys/Rootkit.c Ok
FU_Rootkit.zip/Sys/Rootkit.h Ok
FU_Rootkit.zip/Sys/SOURCES Ok

Vanquish rootkit

vanquish-0.1-b9.zip Archive: ZIP
vanquish-0.1-b9.zip/ReadMe.txt Ok
vanquish-0.1-b9.zip/setup.cmd Ok
vanquish-0.1-b9.zip/vanquish.dll Ok
vanquish-0.1-b9.zip/vanquish.exe Ok

I know that rootkits aren’t detected by most of the AVs…

WHY?

Wouldn’t it be easy to add a simple signature to detect the .exe’s that launch these kits?

I know this is no way to stop them if they’re modified & hex-edited & packed & encrypted, but it could at least stop those “ignorant simple users” from downloading them from the internet (original versions).

There are only a few rootkits around for Windows (not more than 6 or 7).

And ALL of them are quite easy to find just by searching Google.

If you want I can send you the samples ASAP.

Btw: I hope the Linux version of Avast detects these monsters, as Linux rootkits are VERY common these days.

Please comment on this post. I consider this a serious matter.

Waldo

Waldo,

I think what PK is trying to convey to you is that “rootkits” are user-“injected”, meaning that the user must first consciously download them.

I don’t know of any occurrence when such a file was used by a hacker to gain control of a computer.

Since they are not truly “viruses” (and they aren’t…more worms), most AVs do not deter their download.

Also, since “rootkits” can have so many different names, it would be very tedious to add the “respective exe” to the Blocker list.

The whole matter lies best with a good firewall that will block unauthorized access to the internet.
As you saw, ZA Pro detected the access attempt.
True, the freeware version did not, but the old saying goes “You get what you pay for”.

techie101

It is possible to auto-execute the rootkit in the same stealthy and creepy manner that trojans do these days. There are daily hundreds (maybe thousands) of downloads of these malwares (trojans & rootkits) and the same amount of abuse with them. You don’t have to be a genius to bind it to another file. The numbers don’t lie :wink:

Infection & injection can come via many channels. For example, it can be bound with a simple .mp3 or .jpeg file. You know that.

It seems Symantec & McAfee are becoming aware of this threat according to the following review:

http://www.theregister.co.uk/content/55/29638.html

I will leave this matter alone now. It doesn’t really help anyway trying to express the dangers of these kits.

At least I tried to warn you guys. No, I’m not paranoid :slight_smile: just curious & investigating.

regards,

Waldo

Waldo,

As always, your comments were well taken. These “rootkits” may well become a bigger threat than we realize at the present moment.

Knowledge is the best defense. Thank you for enlightening us. Keep the forum up on any new developments.

techie

Hi Waldo,
please enlighten me…
how can opening a simple MP3 or JPEG file
lead to the execution of the trojan/rootkit?

I know jpeg files can be “infected” (code can be spread from one jpg to the next), but imho only on a system that is already infected with a host application/trojan
??? ???

Edit: or do you mean double extensions like jpg.exe where the exe extension is not shown in Windows’ default config??

Exactly!

It’s child’s play to find a util that can do this; they’re all over Google :wink:

And ALSO binders that can make an .exe look like anything else (quote from the website):

exe2html: converts .exes into an html file. can be used to silently download exes through an exploit in internet explorer.similar method to godwill and godmessage

exe2vbs: converts .exe files into visual basic script.if you know how to script you can have your .exe then do different things… i.e. outlook spread, etc.

godwill: kick ass tool made by my friend kid arcade. this tool allows you to create an html file containing your trojan encoded in it. also allows you to create an email attachment or make a html page that opens shares and ftp on lans. after viewing any of these the trojan will stay in the start up folder until the comp is restarted, which then executes the trojan

mini incommand: very small uploader trojan. very easy to make undetected by adding null bytes to it. use for embedding in html pages etc. cuz of its small size.

zyon: *easy-to-use gui. *drag and drop file capability *add as many files as you list with any extensions… (.exe, .bmp) and run them. ----options---------- +compression -4 levels of lzh1 algorithms +security -misty1(c) encryption algorithm -password archive feature +notification -send icq pager message *note resolves icq.com’s pager address automatically +windows environment -create a message box on execution of the archive

And much more is available, found in seconds! They all can be used to hide your rootkit from being detected :o Scary, heh?

For security reasons I WON’T post a link or download on this forum.

Waldo

ok…

you can bind/join executable exe-files into other “executable” files like html or vbs,
but not with jpg or mpg

(the hidden extension is imho one of the biggest security holes in Windows)

Is Win XP still shipped configured like this?
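The posts above describe the hidden-extension trick (a file named photo.jpg.exe that Explorer shows as photo.jpg) and binders that make an .exe look like media. The scanner below is an added example written for this thread, not code from any tool or poster mentioned here; it assumes only that a Windows PE executable starts with the bytes "MZ", and its extension lists are constructed and not exhaustive.

```python
import os
from pathlib import Path

# Constructed lists, not exhaustive: extensions Windows runs directly, and
# extensions a user expects to be harmless media or documents.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
BENIGN_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".mp3", ".mpg", ".txt", ".pdf", ".doc"}


def classify(name: str, head: bytes) -> str:
    """Return a finding for a file name plus its leading bytes, or "" if nothing is odd.

    Two disguises are covered: a double extension such as photo.jpg.exe (the part
    Explorer hides by default is the real one), and a PE image (leading "MZ")
    stored under a media/document extension, which a binder or a rename produces.
    """
    # Strip padding so "photo.jpg          .exe" is treated like "photo.jpg.exe".
    suffixes = [s.strip().lower() for s in Path(name).suffixes]
    is_pe = head[:2] == b"MZ"
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in BENIGN_EXTS:
        return f"double extension: looks like {suffixes[-2]} but runs as {suffixes[-1]}"
    if suffixes and suffixes[-1] in BENIGN_EXTS and is_pe:
        return f"PE executable stored under {suffixes[-1]} extension"
    return ""


def scan_dir(root: str) -> list[tuple[str, str]]:
    """Walk root and return (path, finding) pairs for every suspicious file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(2)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            finding = classify(fname, head)
            if finding:
                findings.append((path, finding))
    return findings


if __name__ == "__main__":
    import sys
    for path, why in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {why}")
```

Run it against a download folder; a hit on either rule is worth a look before the file is opened, and the name check works even when the content check cannot (an archive or a script wrapper has no "MZ" header).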

I sent (just for fun and testing) these rootkits to CA (eTrust): Vanquish, He4Hook and FU. I have more rootkits than these 3 and I will send them one of these days too (if I find the time).

They added detection for them ASAP.

I got almost 10 emails from their automated response mailer about every signature they included, lol :slight_smile: It seems they included the EXEs in their updates.

I’m willing to send them to Avast also, but they don’t seem to be really interested :frowning: looking at the replies in this thread. These rootkits are VERY easy to find anyway…so…

Here’s a little copy & paste from my Hotmail inbox:

Dear Waldo Van Laeken,

This is to notify you of the results of your submission, issue number
274911.

With regards to the file “vanquish.exe” submitted by you on 26 Jan
21:33:18 (Australian Eastern Standard Time), we have added cure
instructions for Win32.Vanquish.01 to the signature files for the VET
engine.

The Windows Portable Executable file “vanquish.exe” has been determined
to be malicious. Our researchers have analysed the file and confirmed
the result.


Waldo,

The files you have sent us have been confirmed to contain various new
infections. Detection for the infected files will be provided in a future
signature update. We will email you again when the updates files are ready.

Regards,
eTrust AV Research and Response Group
Computer Associates International, Inc.


FILE CONCLUSION

undetected rootkits.zip clean

\Bureaublad\FU_Rootkit.zip clean

\Sys\MAKEFILE confirmed clean

\EXE\fu.exe malware

\EXE\msdirectx.sys malware

\He4HookInv\DevStudio\bin\win2k\i386\Free\He4HookInv.sys confirmed malware

\He4HookInv\DevStudio\bin\winnt\i386\Free\He4HookInv.sys confirmed malware

\He4HookInv\Win32\He4HookControl\He4HookControl.dsp confirmed clean

\He4HookInv\Win32\He4HookControl\He4HookControl.dsw confirmed clean

\He4HookInv\Win32\He4HookControl\main.cpp confirmed clean

\He4HookInv\Win32\He4HookControl\Release\He4HookControl.exe confirmed malware

\NtDllTest\NtProcessList.cpp confirmed clean

\NtDllTest\NtProcessList.h confirmed clean

\Bureaublad\vanquish-0.1-b9.zip clean

ReadMe.txt confirmed clean

setup.cmd confirmed malware

vanquish.dll confirmed malware

vanquish.exe confirmed malware

\Bureaublad\FU_Rootkit.zip clean

\Sys\MAKEFILE confirmed clean

\EXE\fu.exe malware

\EXE\msdirectx.sys malware

\He4HookInv\DevStudio\bin\win2k\i386\Free\He4HookInv.sys confirmed malware

\He4HookInv\DevStudio\bin\winnt\i386\Free\He4HookInv.sys confirmed malware

\He4HookInv\DevStudio\win2k\He4HookInv.dsp confirmed clean

Hi Waldo,

I think we need Avast to detect these rootkit files, because they are seeking a wider theater: they are to be used in the latest internet threat, and that is SPYWARE (CWS variants). Avast probably finds them in the cloaking routine, but if the stealth driver install is implemented, they can manipulate through API hooking. Use of classics like TCPView, FPort and Inzider and Vision helps, but Inzider for instance is considered by Avast as a virus tool (some CGI scanners also, for that matter, CGI-4 for instance). You can still check your registry for rootkit configuration files (look in /dev). By renaming regedit.exe to _root_regedit.exe (the rootkit cannot truly evade that, because root ye know) and you can rename taskmanager in that same manner (root etc). Furthermore you can spot them from an uncompromised machine in the net (the hacker must see it). A trick is to use winmsd.exe from the toolbox, bash, netstat, last, w, ifconfig, stat, find, grep, md5sum, mount, lsmod, rmod from a prepared CD. It is difficult to hide everything from them all.
Sysinternals RootkitRevealer is a start, but how to bind it with an AV scanner (it would be 100 times better) because of the file packagers and the crypters, whereas the scanner cannot see what to delete. Slanret and Krei-like things will be the pain in the neck of many a security official, and now it is revealed that hackers silently used these techniques for years. It is now quickly becoming a threat as it lands in the hands of the malware guys, who are not that bright and use the same tricks over and over again (e.g. the Java ByteVerify exploit).

Greetings,

polonus

Hi Waldo,

As hackers have used these rootkits also against Windows, and this is getting more into the open, rootkit detectors are popping up as this becomes a wider threat to Windows users. One such tool is RkDetect, a small script and program written in Visual C++ 7.0, 47104 bytes, version 5.2.3790.0, CRC-32 38203ESA; it runs sc.exe in DOS, import table lib.4 imports kernel32.dll 20, msvcrt.dll 25, ADVAPI32.dll 28, ntdll.dll 2 imports. You need ADVAPI32.DLL on your system; it lists all hidden processes. Fine Russian program, but again it is a two-edged sword, because you can add hidden services too with this one. API-Spy is also helpful. But the best evaluation method is interpretation from a CD with uncompromised files to evaluate.

Greetings,

polonus

“Complaining” in the forums may or may not be noticed, but…

As excerpted from http://www.avast.com/eng/technical_support.html:

If you have any suspicious files that are not detected by the latest version of our antivirus programs, you can send them to virus@avast.com. An ideal way to send such files is to compress them as ZIP with the password ‘virus’ (so that the attachment is not deleted by some other antivirus on the way).

Fascinating, informative discussion; I have been enlightened.

It is discussions like these that help to keep all of us more informed.

Thanks

Hello P3t3rb0nn, my friend,

The anti-rootkit discussion will be taken onwards, I presume. I think it will be an evolving threat in the future. I totally agree that a lot of malware, and programs with virus- or trojan-like activities, are wittingly or unwittingly downloaded onto a machine. That means great pity for the uneducated. That is why we have to advise people strongly against clicking on anything they see or that which seems interesting. Idle promises are more likely than not meant to be just that. So an extra line of defense goes according to these lines, imho: be responsible on the net. Know your system in so far as necessary. So use a checksum program, check on unknown program files, keep files from hiding on your system. Use small helpful utilities like FileAlyzer, a Binary Text Scan program, a hex viewer to look for abnormalities that otherwise won’t show. These are things you should use whenever you smell there is something fishy going on on/in your system: a xxx.dll or cpl that does not seem familiar at first hand, a file that is found in another path than normally routine, etc. etc. There will be new handy dandy tools coming up for this purpose, and screening your OS from an uncompromised OS can be helpful too.

greetings,

POLONUS
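The two polonus posts above recommend a checksum program and screening the OS from an uncompromised system. The script below is an added example written for this thread, not a tool the posters mention: it builds a SHA-256 manifest of a directory tree and later diffs a fresh snapshot against that baseline, reporting added, removed and changed files. The file names in the demo are constructed; the point that makes it meaningful against a kernel rootkit is the one polonus makes, namely that both snapshots must be taken from a clean boot medium, because a hooked kernel can hand any checksum tool the original bytes.

```python
import hashlib
import os
from pathlib import Path


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a trusted baseline against a later snapshot.

    'added' are files with no baseline entry (e.g. a dropped driver or DLL),
    'removed' are baseline files that vanished, 'changed' are files whose bytes differ.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # Constructed demo: snapshot a directory, plant a change and a new file, diff.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "system32").mkdir()
        Path(tmp, "system32", "kernel32.dll").write_bytes(b"original bytes")
        baseline = build_manifest(tmp)
        Path(tmp, "system32", "kernel32.dll").write_bytes(b"patched bytes")
        Path(tmp, "system32", "msdirectx.sys").write_bytes(b"new driver")
        print(diff_manifests(baseline, build_manifest(tmp)))
```

Store the baseline manifest off the machine (or on the same read-only CD the scan tools live on), since a manifest the rootkit can rewrite proves nothing.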

Sorry, colour me Confused ???

Do you have a problem or complaint that you would like to raise?

I can’t see the relevance of the content of your post and the thread Subject/Topic ’ Avast & windows Rootkits ?’

So if there is something you would like to ask, raise it in a New Topic/thread (or use the search function to see if the topic is being or has been covered and raise it there), it should be in the relevant Forum for that topic. Click the New Topic button to create a new topic in the relevant forum.