Rootkit: malware or not?

My Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System
always gives Access Denied, and with the Sysinternals rootkit tool it is detected as having:

Key name contains embedded nulls.
The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit.

Is this normal?

Hi Tech,

Exactly, this is how RootkitRevealer works: it compares the highest level, the Windows API, with the lowest level, the raw contents of the Registry hive, that is, the Registry’s on-disk storage format. So Windows API information is compared to the FAT or NTFS volume file structure information. Discrepancies show up.
Another way to do this is calling these structures directly; the returned calls show discrepancies too between the system and the rootkitted system structure.
What is happening at the moment goes even further than Windows API hooking, but is done in a similar way with similar undocumented functions of the kernel itself. The miscreant is trying to stay one step ahead of the AV analyst. It is like an endless chess game.

greets,

polonus

Polonus, ok this is the Rootkit Revealer behavior but, in your computer, do you see the same rootkit in the results?
How can I be sure it is legit or not?

I have run RootkitRevealer a number of times and it hasn’t found anything on any of them.

I’m not too sure exactly what would happen if RR did detect anything; mine always ends with no discrepancies found. Nothing like yours.

One of the things that will put a spanner in the rootkit’s works is DropMyRights as the rootkit malware doesn’t have the administrator privileges to do its work and install.

Hi Tech,

A better-founded answer here about the security implications. It would not mean a heap of beans. The only thing is, if a program assumes that the strings in the registry are ALWAYS null-terminated, you could be tricked into a buffer overflow, this depending on the design of the registry. (You could get ERROR_MORE_DATA back.) Null-terminated strings on the other hand are ONLY used at initialization, where they are converted to counted strings (what we have here). As it is always with Windows, my dear friend, “lots of cooks in the kitchen means lots of fingers in the code”. Apparently nothing wrong here. By the way, null-terminated versus counted strings is only one of the possible oppositions/variations; there are many more.
For checking on embedded nulls read: http://www.sysinternals.com/Forum/forum_posts.asp?TID=862&KW=Key+name+contains+embedded+nulls A tool for taking these out is given there too.

greets,

polonus
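As an added illustration (not code from this thread or from Sysinternals), here is a small portable C model of the mismatch behind the “embedded nulls” finding in the first post and of the bounds-checked copy polonus alludes to above. The counted_str type and the sample key names are constructed stand-ins for UNICODE_STRING and real registry data; nothing here touches a real registry.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the kernel's counted string (same shape as
   UNICODE_STRING: length in bytes, 16-bit characters, no terminator needed). */
typedef struct {
    uint16_t length;        /* byte length, like UNICODE_STRING.Length */
    const uint16_t *buffer; /* UTF-16 code units, not necessarily terminated */
} counted_str;

/* Length the Win32 API sees: it stops at the first 16-bit null. */
static size_t win32_visible_chars(const counted_str *s) {
    size_t n = s->length / 2, i;
    for (i = 0; i < n && s->buffer[i] != 0; i++) ;
    return i;
}

/* The discrepancy RootkitRevealer reports: the kernel's counted length is
   longer than what a null-terminated API can show. */
static int has_embedded_null(const counted_str *s) {
    return win32_visible_chars(s) < (size_t)(s->length / 2);
}

/* Defensive copy: honour the counted length, never assume a terminator,
   and report "more data" instead of overflowing the destination. */
#define COPY_OK 0
#define COPY_MORE_DATA 1
static int copy_counted(const counted_str *s, uint16_t *dst, size_t dst_chars) {
    size_t n = s->length / 2;
    if (n + 1 > dst_chars) return COPY_MORE_DATA; /* room for the terminator we add */
    memcpy(dst, s->buffer, s->length);
    dst[n] = 0;
    return COPY_OK;
}

/* Constructed sample key names (not real registry data). */
static const uint16_t k_normal[] = { 'S','y','s','t','e','m' };
static const uint16_t k_hidden[] = { 'S','y','s','t','e','m', 0, 'X' };
static const counted_str key_normal = { sizeof k_normal, k_normal };
static const counted_str key_hidden = { sizeof k_hidden, k_hidden };

int main(void) {
    printf("normal: visible=%zu embedded_null=%d\n",
           win32_visible_chars(&key_normal), has_embedded_null(&key_normal));
    printf("hidden: visible=%zu embedded_null=%d\n",
           win32_visible_chars(&key_hidden), has_embedded_null(&key_hidden));
    return 0;
}
```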

Thanks Polonus 8)

Nice link Polonus, I’ve just downloaded the smitRem.exe tool that removes embedded nulls. From some of the comments about it, it is used to enable removal of PSGuard and ShudderLTD reg keys.

I’m wondering if it may help me get rid of the ProcGuard reg keys that remain and can’t be deleted (taken possession of the keys, etc.) even though ProcGuard was uninstalled ages ago.

Does it work for any embedded null or just for the PSGuard trash registry keys left behind?

Hi Tech,

Here is a link to a generic tool to do this:
http://www.thecodeproject.com/csharp/JSCompress.asp
Hopefully it can help you there.

greets,

polonus

“Code is as good as the one that compiles it”

I don’t think so, just PSGuard reg keys; ran it and no changes.

Hi Tech and DavidR,

Before using the smitRem tool, you should get informed about what files this tool targets. Here is the list for you: http://noahdfear.geekstogo.com/smitRem_filelist.htm.
All these tools cannot be used randomly, but only in the hands of informed malware removers, which I consider you to be. Then moreover the tools of today are not the tools of tomorrow, and tools can have a limited working. First evaluate what it does, then see whether it is applicable in your specific situation. Sometimes if these tools do not work, you have to congratulate yourself, because apparently you missed this particular infection.
Remember, always look on the bright side of life, and fight the nitty-gritty.

polonus

Yeah, I’ve noticed that and, like you wrote, I missed that particular infection 8)
But still could not find a final answer to my trouble:
My Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System
always gives Access Denied, and with the Sysinternals rootkit tool it is detected
:cry:

Hi Tech,

OK, OK, we go after this one. Read this and tell me in what direction your speculations take you. After that I will give my vision.
Read: http://www-tus.csx.cam.ac.uk/pc_support/security/unknownworm.html

And read here about the first 20 benign findings: http://www.pcworld.com/resource/article/0,aid,119814,pg,1,RSS,RSS,00.asp

These programs cannot remove or quarantine rootkits if found, and cannot definitely tell it is in fact part of one; if it cannot be removed, it must be “repaved”.

polonus

Evaluation:

This is one of the so-called benign findings. Conclusion: RootkitRevealer is nothing more than a tool of indication. It stresses the fact even more that a definite and final SOLUTION to rootkits is still not here. Therefore we have to rely for the moment on Intrusion Detection Programs that have the capability to prevent rootkits from nesting on our system. It definitely is a backdoor type the AV industry of today is not ready to combat fully. It stays part of the vulnerability gap, and recent postings on this forum confirm this.
Tech, in your case, you have nothing to worry about. It is a normal finding of RootkitRevealer, as it cannot definitely tell, but only report its findings. I assume it is to be seen as a false positive, a benign finding.

polonus

Very interesting articles Polonus so as usual prevention is much better/easier than cure.

I keep banging on about it, but MS DropMyRights will lower the user rights for your browser, email or any other software that you connect to the internet with, so it doesn’t automatically have the same rights as the user account you logged on with (typically one with administrator rights).

Security Tips & Tricks - DropMyRights

Yes DavidR,

You are right about bringing this home every time.
One ounce of prevention counts more than one pound of cure.
So what does that come down to?

Start with a non-compromised system and then try to keep it that way.

Never use an as-default system.
Use a multi-layered line of defense against various malicious ware, meaning having on board:

  • a good resident and non-resident AV solution,
  • a good Firewall solution,
  • a good IDS solution and System Monitoring System,
    - a Checksum Monitoring System,
  • various good Anti-Malware (anti-adware & anti-spyware) solutions,
    - a Script Monitoring Solution,
  • In-Browser Safety (virus link-checker plugin, anti-script solution, ad-blocker),
  • a Mail-Monitoring Solution,
  • and a good working brain.

This is your best multi-layered way of defense.

In short:
Security should be a daily ongoing concern;
Security should be systematic;
Security should be flexible;
Security should be easy to manage;

polonus

Hi DavidR,

There is a cat and mouse game going on between AV vendors with their rootkit detection programs and miscreants finding ways to circumvent these techniques, urging programmers to rename executables or start them with random names. It is an ongoing game, also for the makers of RootkitRevealer. Read about it here:
http://www.eweek.com/article2/0,1895,1777898,00.asp

polonus

Yes rootkits are really starting to take hold, not long ago no one had heard of them, now they are here with a vengeance and no real solution for them.

There are many detection tools out there now but few that are able to remove them. There is also the problem with false positive detections of legitimate functions being detected as rootkits. The biggest problem is cutting through the information retrieved by these detectors to get to the true problem and then what to do to remove it manually.

I have been doing a lot of reading of late about this and there is no general step by step information on identification and removal of rootkits. I have started to try and cobble together some things from different sources but it is proving to be very difficult and may never be completed.

I wonder if anyone at Alwil has anything on this, as if they are to try and detect and remove rootkits using avast! (and we have no idea if this is correct), first you would need to know how to remove them manually before you could automate the process. This would save reinventing the wheel and they could post it in the forums.

David, thanks for posting this useful information.
Rootkits are becoming very dangerous…
Automatic removal is almost impossible…
I do hope Alwil is thinking about this, otherwise we need another security tool :slight_smile:

Here, http://forum.avast.com/index.php?action=display;topic=16701.0, Frank posted the detection rate of avast.
David, you’ve claimed it was better than AVG, can you post there?

I have already posted on the identical thread he created two days before. As far as trojans being missed/undetected by avast goes, it is no different from all the other AVs that missed it at Jotti, as Frank mentions; that will always be the case as we play a game of catch-up by using signature file detection.

Until we (avast and those AVs that only use signature detections) have a more proactive means of detecting unknown viruses/malware be that heuristics or suspicious activity detection we will be vulnerable to first day virus infection.

So after all that has been said, if anyone is still using a user account that has administrator privileges and browses, collects email or otherwise connects to the internet without restricting the rights of the programs (see the DropMyRights link in my signature), then they should expect to have trouble. If you leave the keys to your house lying around in the street, don’t be surprised when you get robbed.

Most trojans/worms, etc. need to have registry entries to run, file/s in the system folders, etc.; this requires a level of permission that is not available to limited user accounts or to programs that have had their rights dropped using DropMyRights. This should limit the amount of damage and hopefully stop these things getting a toehold and becoming established.