RE: Finding root-kits on Windows

From: Amarante, Rodrigo P. (RPAmaranteat_private)
Date: Tue May 06 2003 - 06:42:11 PDT


    SW,
    
    Like you mentioned, most Windows rootkits hide themselves by hooking
    into System APIs and "filtering" based on a keyword that is normally
    used as a prefix for files and directories. That, unfortunately for the
    hacker himself, is a double-edged sword... since his programs must
    contain the prefix to be hidden and cannot be a victim of its own
    poison (can't see itself or other programs), it must exclude the files
    that have the prefix from being "tricked" by the API
    filtering... therefore if you rename tools like taskmgr.exe to (in your
    case) droptaskmgr.exe, you should be able to run Task Manager without
    the filtering so you can list the "bad process". Or RegEdit to see the
    hidden registry keys. In fact this should work for any program.
    Again, most Windows rootkits are written as kernel drivers and as such
    should be listed by drivers.exe from the Resource Kit package, or
    Winmsd.exe.
    Another thing worth mentioning is that since it's the local kernel that
    is "patched", a remote connection (like mapping a network drive to the
    volume on the compromised machine) should be clear of any filtering...
    
    Hope this helps.
    
    Regards,
    
    Rodrigo Amarante
    
    -----Original Message-----
    From: shrink-wrapat_private [mailto:shrink-wrapat_private] 
    Sent: Monday, May 05, 2003 10:53 PM
    To: forensicsat_private
    
    
    
    If someone could help me I would appreciate it - my current situation is:
    
    On a compromised Windows 2k Pro box I have a directory with suspect
    binaries (which I discovered from a disk image via autopsy/sleuthkit -
    awesome stuff) but on the compromised machine it is impossible* to view
    these files or the directory. A listing of the files and the directory is
    attached at the end of the e-mail. After reading more and more on Windows
    rootkits, one of the common ways to use them is to pick a common string to
    hide, and in my case all the files and the directory have the string "drop"
    as part of their name. As a test I created a directory in the root of the
    drive named "dropper" and it also "disappeared".
    
    So my question is, how can I find this root-kit that is hooked into my
    kernel? I am looking at my sysinfo for the box but while there are a
    number of drivers running, how would I further investigate what they are
    doing? BTW, it hasn't matched up with a well-known root-kit yet (like
    slanret).
    
    Thanks
    
    S-W
    
    * = except 'cd'ing, via command prompt only, into the suspect (drop)
    directory and 'dir' listing all files *without* the "drop" name -- possibly
    an error with the root-kit?
    
    
    File and directory listing: (md5 hash / file name / size)
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/ (images/win2kpart1.img)
    
    39a9e5c05ffbda925da0d2ec9b4f512a  drop.exe           50688
    c647b4225e022096fb125f6bc49c5c91  drop.ini             383
    da0bae77d169430f23134c1bea850c10  droper.exe       1364009
    d66183219dcc4df876b94507c517decd  dropz.dat            244
    623dfe4b51bc457a93b6cbbdeb62f3aa  dropz.exe         196922
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/ (images/win2kpart1.img)
    
    f52d332ff50cb543c6d47d9aa4a0f608  dropclient.exe     30208
    084badcff1da96797dddfd29b5038273  dropcmdsrv.exe     32768
    a109f9c51681ec708342db2af6c4bebb  dropFar.exe       416800
    26c1a98812d114c7ad2bc8e8d7119315  dropisql.exe       98304
    e0fb946c00b140693e3cf5de258c22a1  dropnc.exe         59392
    b5f519b3844c4d3c5451d90f70c59737  dropNTUSER.EXE    114176
    998c2626a275c4ee1d59c2b3d0ede028  droppkzip.exe     339456
    7eec3f77f9cb19fda1d06403ec1472f1  droppm.exe          5632
    9c77ed16bcba7c61d620ec040788e7e8  dropport.exe       48640
    ca0447d2feccc4a5ac3c9128d61debe7  droppwdump2.exe    32768
    b7989bcb72225521c79163517cabe69a  FarEng.hlf         72121
    f7dddbdbbc5879bf16ac00cedcd20745  FarEng.lng         16618
    ab1f54a5fa3e653b6784c44407f113ac  samdump.dll        36864
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/FTP/ (images/win2kpart1.img)
    
    8e15302b6d6e34f97d1a9729a8982f2e  farftp.dll        115232
    c9c65b08d29378823d4f41bc7f96787f  FtpEng.hlf          6514
    5473c2f0e88c2a6732bbbcf72e895523  FtpEng.lng          2307
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/Network/ (images/win2kpart1.img)
    
    899618cc2b78249ae846aea0ae7a8e55  NetEng.hlf          1033
    e094baf947eddf5c5d744247ec75859e  NetEng.lng           625
    701c98c6799d450f458335b498806fa2  NETWORK.dll        45600
    
    MD5 Values for files in /mnt/evidence/WINNT/system32/drop/Plugins/ProcList/ (images/win2kpart1.img)
    
    43ca7be3f1bb03d47b77ea836f996fba  ProcEng.hlf          444
    77fc621c42ea93a8a0ff9bd32331c350  ProcEng.lng          442
    9691161c57d0cb6500af09df919b852f  PROCLIST.dll       51232
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
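One way to act on the cross-view idea in the reply above (a trusted listing taken from the disk image or over a network share, compared with the listing the hooked kernel returns locally), as an added example that is not code from the list or from either poster; the listing format and the non-"drop" entries and their sizes are assumptions.

```python
"""Cross-view diff: trusted listing (disk image or network share) vs. the
listing the hooked kernel returns locally. Added example, not from the list."""

# Constructed sample: drop* names and sizes are the ones the thread reports;
# the other entries are placeholders with made-up sizes.
TRUSTED_VIEW = """
drop          0
drop.exe      50688
drop.ini      383
droper.exe    1364009
dropz.dat     244
dropz.exe     196922
NTOSKRNL.EXE  1703648
regedit.exe   71952
"""
LIVE_VIEW = """
NTOSKRNL.EXE  1703648
regedit.exe   71952
"""

def parse_listing(text):
    """'name size' lines -> {name: size}; names lower-cased (NTFS is case-insensitive)."""
    entries = {}
    for line in text.strip().splitlines():
        name, size = line.split()
        entries[name.lower()] = int(size)
    return entries

def common_prefix(names):
    """Longest prefix shared by all names; the lexicographic min and max bound it."""
    if not names:
        return ""
    lo, hi = min(names), max(names)
    i = 0
    while i < min(len(lo), len(hi)) and lo[i] == hi[i]:
        i += 1
    return lo[:i]

def cross_view_diff(trusted_text, live_text):
    """Entries in the trusted view but missing live, the keyword they share, and
    whether no visible name carries it (the signature of a prefix filter)."""
    trusted, live = parse_listing(trusted_text), parse_listing(live_text)
    hidden = sorted(n for n in trusted if n not in live)
    size_mismatch = sorted(n for n in live if n in trusted and live[n] != trusted[n])
    keyword = common_prefix(hidden)
    keyword_filter = bool(keyword) and not any(n.startswith(keyword) for n in live)
    return {"hidden": hidden, "size_mismatch": size_mismatch,
            "keyword": keyword, "keyword_filter": keyword_filter}
```

The shared prefix is only a candidate keyword (the filter may match a shorter string), so confirm it the way the original poster did, by creating a test directory that carries the candidate and checking whether it vanishes.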
    



    This archive was generated by hypermail 2b30 : Tue May 06 2003 - 07:00:53 PDT