Page 2 of 5 (results 11 to 20 of 43)

Thread: Here's a preview...

  1. #11
    129260
    Guest

If I understand correctly....

    This feature is now included in Spybot, so Spybot does scan for rootkits now, correct? So therefore there is no need to download this app, correct? I was thinking about putting it on a jump drive to help me clean other people's infected machines. But I won't do it if it's already included within Spybot. Thanks!

  2. #12
    Junior Member
    Join Date
    Mar 2008
    Posts
    1

    Mebroot

    Greetings,

    Just wondering if Rootalyzer will be looking for Mebroot at some point?
    Last edited by bobisbob; 2008-03-21 at 20:53.

  3. #13
    PepiMK, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601


    @robo: while I did expect only one line of text to show up next to each icon, no icons at all shouldn't be. I'll look at it; planning a new release regarding the post by Coronamaker this weekend.

    Regarding the broken ACL thing, that's probably not exactly a rootkit method (unless it would give itself temporary access rights while reading/writing only, and withdraw it again immediately afterwards... interesting thought...), but I'll see if I can "corrupt" an ACL in a way I could expect in the way described above, and how to report it.

    @129260: Spybot-S&D always had some basic rootkit detection mechanisms, but the latest updates improved on three important fronts there.

    Spybot-S&D usually detects threats in our database only; RootAlyzer just shows anything it identified as hidden, without relating it to known malware. So you could use RootAlyzer to detect even rootkits that are not known yet; but one of the new plugins for Spybot-S&D includes a kind of rootkit heuristics (which is not as generic, though).

    In summary: use RootAlyzer if Spybot-S&D hasn't found the culprit and you're suspecting an unlisted malware.

    @bobisbob: I'll ask our samples juggler whether he has some samples of it, would have to take a look to say.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  4. #14
    PepiMK, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601


    Updated the link in the first post; now points to version 0.1.2 instead of 0.1.1. Most important change is that it will no longer show entries identified through MaxSubKeyLen only (since the Win32 registry API can deal with that, it cannot really be used as a rootkit exploit anyway).

  5. #15
    Guest
    Join Date
    Nov 2007
    Posts
    1


    Microsoft has a tool called Rootkit Revealer that seems pretty solid.

    Any differences in their program vs yours?

    I'll say that yours LOOKS nicer, at least in a few of the screens

  6. #16
    Junior Member
    Join Date
    Mar 2008
    Location
    AZ, USA
    Posts
    3


    (Minor bug) I've noticed that the deep scan automatically selects C:, but I have the OS installed to D:, so it would be nice if it could automatically detect which drive and select that appropriately.

    Also, in the registry scan, there's a column labeled "Details," but on W2k I don't see anything in there. I've noticed that on the main "quick scan" page, my results don't exactly match your screenshot; the "x files were tested" and "no hidden entries detected" don't show up at all.

    In addition to that, there seems to be some odd graphics on the right hand side of the program, see the attached screenshot, which brings me to another point. For some reason, the registry scan has flagged "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® audio software" and "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter". I suspect the ® symbol is what's causing it to be mistakenly flagged. (A right-click > "Copy to clipboard" option would be helpful). The other 9 detected items in that screenshot also seem to be false positives; they show up in regedit just fine. (See regedit.jpg and regedit2.jpg)

    (Since the file is too big to attach, I've uploaded screenshots.zip to http://members.cox.net/sxzhu/screenshots.zip)

  7. #17
    PepiMK, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601


    @ddcc_7: could you try the newer 0.1.2 link? The entries your screenshot shows look like... well, I'm not sure if it's a false positive, but it's not a rootkit.
    0.1.1 was quite harsh in testing for buffer overflow possibilities (buffer overflows are responsible for many of today's security holes). It does so by checking the maximum length the registry says a subkey might have against the lengths of all subkeys. Most systems come up clear, but after it was first reported I checked all our virtual machines I could get hold of and found a clean one that showed the same symptoms.
    Since it was just a theoretical concept, with only a chance that applications fail here and that an exploit for such a failure could exist, that check has been removed from 0.1.2 until we've learned more about the background.
    I'll make sure the next version shows more in the "Details" column! (and maybe add the expected length to the popup window that contains more details)

    As for W2k and the quick scan page, that's a limitation of Windows; the "tile view" mode with multiple columns per icon is a feature of the common controls library 6.0 or later, shipped since XP. W2k has a 5.x version of it that is not capable of that. Sure, modern GUIs would allow anything, but I prefer using standard controls because that allows for better accessibility support usually.

    @SpeeDemon: RootkitRevealer mentions the #0 hiding trick which, granted, is not checked in RootAlyzer yet, but is on my immediate todo-list (we already cover that in Spybot-S&D).
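The two registry checks discussed in this post (the 0.1.1 MaxSubKeyLen comparison, and the "#0" hiding trick that was still on the todo-list) can be put side by side in one cross-view scanner. The code below is an added example and not RootAlyzer's or Spybot-S&D's code: it enumerates a key's subkeys once through ntdll!NtEnumerateKey, which returns the raw counted name with any embedded NUL, and once through the Win32 API (winreg, i.e. RegEnumKeyExW), which is the view regedit presents, then reports names that only the kernel view can represent, names missing from the Win32 view, and names longer than RegQueryInfoKeyW's reported MaxSubKeyLen. The KEY_BASIC_INFORMATION offsets and NTSTATUS values are standard; the function and constant names are this example's own. The collectors need Windows, while compare_views() and longer_than_reported() are pure Python.

```python
"""Cross-view registry subkey check: kernel view (NtEnumerateKey) vs Win32 view
(winreg / RegEnumKeyExW). Added example, not the RootAlyzer code."""
import ctypes

try:
    import winreg                      # Windows only
except ImportError:                    # elsewhere only the pure functions are usable
    winreg = None

KEY_BASIC_INFORMATION = 0              # KEY_INFORMATION_CLASS
STATUS_NO_MORE_ENTRIES = 0x8000001A
# KEY_BASIC_INFORMATION: LARGE_INTEGER LastWriteTime @0, ULONG TitleIndex @8,
# ULONG NameLength @12 (bytes, no terminator), WCHAR Name[] @16.
NAME_LENGTH_OFFSET, NAME_OFFSET = 12, 16


def nt_subkey_names(hkey):
    """Subkey names exactly as the kernel stores them; may contain '\\x00'."""
    fn = ctypes.WinDLL("ntdll").NtEnumerateKey
    fn.restype = ctypes.c_long          # NTSTATUS
    fn.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_int,
                   ctypes.c_void_p, ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    buf = ctypes.create_string_buffer(4096)   # key names are at most 255 WCHARs
    result_len = ctypes.c_ulong(0)
    names, index = [], 0
    while True:
        status = fn(int(hkey), index, KEY_BASIC_INFORMATION, buf, len(buf),
                    ctypes.byref(result_len))
        if (status & 0xFFFFFFFF) == STATUS_NO_MORE_ENTRIES:
            return names
        if status < 0:
            raise OSError("NtEnumerateKey index %d: NTSTATUS 0x%08X"
                          % (index, status & 0xFFFFFFFF))
        nbytes = ctypes.c_ulong.from_buffer(buf, NAME_LENGTH_OFFSET).value
        names.append(buf.raw[NAME_OFFSET:NAME_OFFSET + nbytes].decode("utf-16-le"))
        index += 1


def win32_subkey_names(hkey):
    """Subkey names through the documented API, the view regedit presents."""
    names, index = [], 0
    while True:
        try:
            names.append(winreg.EnumKey(hkey, index))
        except OSError:                 # ERROR_NO_MORE_ITEMS ends the enumeration
            return names
        index += 1


def max_subkey_len_reported(hkey):
    """lpcbMaxSubKeyLen from RegQueryInfoKeyW, in characters without terminator."""
    max_len = ctypes.c_ulong(0)
    rc = ctypes.WinDLL("advapi32").RegQueryInfoKeyW(
        ctypes.c_void_p(int(hkey)), None, None, None, None, ctypes.byref(max_len),
        None, None, None, None, None, None)
    if rc != 0:
        raise ctypes.WinError(rc)
    return max_len.value


def compare_views(nt_names, win32_names):
    """(name, reason) for every subkey the Win32 view cannot open or does not list.

    An embedded NUL is the '#0' trick: Win32 callers treat the name as
    NUL-terminated, so the key cannot be opened under the name they display.
    A name the kernel lists but the Win32 API does not is hidden by something
    sitting between the two views (for example a hooked RegEnumKeyExW).
    """
    visible = set(win32_names)
    findings = []
    for name in nt_names:
        if "\x00" in name:
            findings.append((name, "embedded NUL in key name"))
        elif name not in visible:
            findings.append((name, "not returned by the Win32 API"))
    return findings


def longer_than_reported(reported_max_chars, names):
    """Subkeys longer than MaxSubKeyLen: a caller that sizes its buffer from that
    value truncates or overflows on them (the check 0.1.1 performed)."""
    return [n for n in names if len(n) > reported_max_chars]


def scan_key(root, path):
    """Run all checks against one key; Windows only."""
    with winreg.OpenKey(root, path, 0, winreg.KEY_READ) as hkey:
        nt_names = nt_subkey_names(hkey)
        findings = compare_views(nt_names, win32_subkey_names(hkey))
        for n in longer_than_reported(max_subkey_len_reported(hkey), nt_names):
            findings.append((n, "longer than reported MaxSubKeyLen"))
        return findings


if __name__ == "__main__":
    for name, why in scan_key(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes\CLSID"):
        print(repr(name), "->", why)
```

A hit from compare_views() is worth a closer look; a hit from longer_than_reported() on its own is the weaker signal, which is consistent with the post above: it is a buffer-sizing hazard for applications rather than evidence of hiding, and it has been seen on a clean machine.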

  8. #18
    Junior Member
    Join Date
    Mar 2008
    Location
    AZ, USA
    Posts
    3


    I've double checked; I was running the newer 0.1.2 version, since I just downloaded it this morning. I downloaded it again to double check; the same lines still show up. I can export the values/keys and get them to you, if you want.

    Edit:==
    I've just checked the log, here's what shows up:
    What strikes me are the ?'s in place of the ®'s, and the odd numbers of commas. On second thought, a space after the commas/colons would help make it easier to read, if that doesn't defeat the purpose.

    // info: Rootkit removal help file
    // copyright: (c) 2008 Safer Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{33D9A761-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo? audio software\",""
    RegyKey:"Hidden registry key","HKEY_LOCAL_MACHINE","\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo? video 5.10 Compression Filter\",""
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\SecurityProviders\SCHANNEL\","EventLogging"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Name"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Comment"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Capabilities"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","RpcId"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Version"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","TokenSize"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Time"
    RegyValue:"Hidden registry value","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet002\Control\Lsa\SspiCache\msapsspc.dll\","Type"

    ==

    I've noticed that the odd graphics "corruption" when I maximize the window seems to be because the window behind RootAlyzer is showing through. Screen resolution is 1280*1024 @ 32-bit @ 60Hz. Seems to be a pretty "odd" bug.

    Also the "Invisible Processes (from handles)" part of the Quick Scan seems to be a little bit slow; when I started up RootAlyzer again it detected a process with PID 640, with the details completely empty. The only program that might have caused this would have been WinZip; I closed WinZip right when RootAlyzer loaded.
    Last edited by ddcc_7; 2008-03-24 at 04:44.

  9. #19
    129260
    Guest

    Ah ok, cool.

    Quote Originally Posted by PepiMK
    @129260: Spybot-S&D always had some basic rootkit detection mechanisms, but the latest updates improved on three important fronts there.

    Spybot-S&D usually detects threats in our database only; RootAlyzer just shows any things it identified as hidden, without relating them to known malware. So you could use RootAlyzer to detect even rootkits that are not known yet; but one of the new plugins for Spybot-S&D includes kind of a rootkit heuristics (which is not as generic though).

    In summary: use RootAlyzer if Spybot-S&D hasn't found the culprit and you're suspecting an unlisted malware.

    I gotcha

  10. #20
    PepiMK, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601


    Zero-char detection has been added to 0.1.3.

    Pre-selecting the system drive instead of always C: has been added to 0.1.3.

    The "Invisible processes from handles" is indeed a bit slow - reading the list of all system handles isn't a standard Windows operation and takes a few seconds, depending on the number of applications running. Unless we would check the process list for each handle while it is checked, which would not be performant at all, there's always the chance for a small out-of-sync effect.
    Maybe we should add a message box telling the user to not open or close any application until the results appear.

    As for the "odd commas" (if you refer to these between rootkey and keypath, and between keypath and value name), that's SBI format, and expected.

    An exported reg file might indeed help, please send to , using "RootAlyzer; for PepiMK, see forum" as subject
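The "invisible processes from handles" check and its out-of-sync effect described in the post above, as an added example that is not RootAlyzer's code. Every live process owns at least a few handles, so the set of owner PIDs in the system handle table is a second view of the process list; a PID that owns handles but that no process enumeration reports is what a process-hiding rootkit looks like. The handle walk takes seconds, so a process that starts or exits while it runs (the WinZip case reported by ddcc_7) shows up in only one view. Instead of the message box suggested in the post, this example takes a process-list snapshot immediately before and immediately after the handle walk and only reports PIDs absent from both; only a process that both started and exited inside the walk can still slip through. The SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX layout and the NTSTATUS constant are standard; the function names are this example's own. The two collectors need Windows (ntdll and psapi via ctypes); hidden_pids() is pure Python.

```python
"""Invisible-process check from the system handle table, with the race between
the handle walk and the process list removed. Added example, not the RootAlyzer code."""
import ctypes

SystemExtendedHandleInformation = 64       # SYSTEM_INFORMATION_CLASS
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004


class HANDLE_ENTRY_EX(ctypes.Structure):   # SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
    _fields_ = [("Object", ctypes.c_void_p),
                ("UniqueProcessId", ctypes.c_size_t),   # ULONG_PTR, so PIDs > 65535 survive
                ("HandleValue", ctypes.c_size_t),
                ("GrantedAccess", ctypes.c_ulong),
                ("CreatorBackTraceIndex", ctypes.c_ushort),
                ("ObjectTypeIndex", ctypes.c_ushort),
                ("HandleAttributes", ctypes.c_ulong),
                ("Reserved", ctypes.c_ulong)]


class HANDLE_INFO_EX_HEADER(ctypes.Structure):   # SYSTEM_HANDLE_INFORMATION_EX without the array
    _fields_ = [("NumberOfHandles", ctypes.c_size_t),
                ("Reserved", ctypes.c_size_t)]


def handle_owner_pids():
    """Owner PID of every handle on the system (the slow part: tens of thousands of entries)."""
    ntdll = ctypes.WinDLL("ntdll")
    size = 1 << 20
    while True:
        buf = ctypes.create_string_buffer(size)
        needed = ctypes.c_ulong(0)
        status = ntdll.NtQuerySystemInformation(SystemExtendedHandleInformation,
                                                buf, size, ctypes.byref(needed))
        if (status & 0xFFFFFFFF) == STATUS_INFO_LENGTH_MISMATCH:
            size = max(size * 2, needed.value + 65536)   # the table keeps growing while we ask
            continue
        if status < 0:
            raise OSError("NtQuerySystemInformation: NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
        break
    count = HANDLE_INFO_EX_HEADER.from_buffer(buf).NumberOfHandles
    entries = (HANDLE_ENTRY_EX * count).from_buffer(buf, ctypes.sizeof(HANDLE_INFO_EX_HEADER))
    return {e.UniqueProcessId for e in entries}


def process_list_pids():
    """PIDs from EnumProcesses, the documented API view a rootkit typically filters."""
    psapi = ctypes.WinDLL("psapi")
    count = 4096
    while True:
        arr = (ctypes.c_ulong * count)()
        needed = ctypes.c_ulong(0)
        if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
            raise ctypes.WinError()
        if needed.value < ctypes.sizeof(arr):          # buffer was big enough: list complete
            return set(arr[: needed.value // ctypes.sizeof(ctypes.c_ulong)])
        count *= 2


def hidden_pids(handle_pids, before, after):
    """Cross-view diff with the timing artifact removed.

    `before` and `after` are process-list snapshots taken immediately before and
    after the handle walk. A process that started or exited during the walk is
    in the handle table but also in one of the two snapshots, so it is not
    reported; a PID missing from both snapshots is the real finding.
    """
    return set(handle_pids) - set(before) - set(after)


def scan():
    """Windows only: snapshot, walk the handle table, snapshot again, diff."""
    before = process_list_pids()
    handles = handle_owner_pids()
    after = process_list_pids()
    return hidden_pids(handles, before, after)


if __name__ == "__main__":
    for pid in sorted(scan()):
        print("PID %d owns handles but is missing from the process list" % pid)
```

The remaining window is a process that both starts and exits inside the handle walk; that one cannot be told apart from a hidden process by any single-pass method, and a second full pass some seconds later is the practical answer, since a hidden process is still there while a transient one is not.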
