[TOOL] RKDetect - Behaviour Based Rootkit Detection Utility

From: SecuriTeam (support_at_securiteam.com)
Date: 05/16/04

To: list@securiteam.com
Date: 16 May 2004 16:40:43 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      RKDetect - Behaviour Based Rootkit Detection Utility
    ------------------------------------------------------------------------

    SUMMARY

    DETAILS

    RKDetect is a small anomaly detection tool that can find services hidden
    by generic Windows rootkits such as Hacker Defender. The tool enumerates
    the services on a remote computer twice, via WMI (user level) and via the
    Services Control Manager (kernel level), then compares the two lists and
    displays any difference. In this way hidden services, which are commonly
    used to start rootkits, can be found. The same cross-view approach can be
    applied to processes, files, registry keys and anything else that
    rootkits usually hide.
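    The cross-view comparison described above, written out as an added Python
    example that is not part of RKDetect or of this advisory: it parses a
    constructed dump of "sc query state= all" output, compares it with a
    constructed WMI-style service list, and reports services present in only
    one view. Unlike the VB script it keys on SERVICE_NAME rather than
    DISPLAY_NAME (display names need not be unique) and computes the
    difference in both directions; the service names in the samples are
    constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `sc.exe \\host query state= all` output; the last
# block stands in for a service that a rootkit hides from user-level APIs.
SC_OUTPUT = """SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: ExampleHiddenSvc
DISPLAY_NAME: Example Hidden Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed WMI view as (Name, DisplayName) pairs, the shape a
# "SELECT Name,DisplayName FROM Win32_Service" query returns; the third
# service is absent, as if a user-level hook had filtered it out.
WMI_SERVICES = [("Dhcp", "DHCP Client"), ("Spooler", "Print Spooler")]

# One sc block: a SERVICE_NAME line immediately followed by a DISPLAY_NAME line.
_SC_BLOCK = re.compile(
    r"SERVICE_NAME:[ \t]*(?P<name>.+?)\r?\nDISPLAY_NAME:[ \t]*(?P<display>.*)")

def parse_sc_query(text: str) -> Dict[str, str]:
    """Map SERVICE_NAME -> DISPLAY_NAME for every block in `sc query` output.
    Keyed on the service name, which Windows keeps unique, rather than on the
    display name used by rkdetect.vbs, which it does not."""
    return {m.group("name").strip(): m.group("display").strip()
            for m in _SC_BLOCK.finditer(text)}

def cross_view_diff(sc_view: Dict[str, str],
                    wmi_view: Iterable[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (seen_only_by_sc, seen_only_by_wmi), each sorted by service name.
    The second list is the reverse direction, which rkdetect.vbs does not check."""
    wmi_names = {name for name, _ in wmi_view}
    return sorted(set(sc_view) - wmi_names), sorted(wmi_names - set(sc_view))

if __name__ == "__main__":
    sc_view = parse_sc_query(SC_OUTPUT)
    only_sc, only_wmi = cross_view_diff(sc_view, WMI_SERVICES)
    for name in only_sc:
        print(f"Possible rootkit found: {name} ({sc_view[name]})")
```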

    Source Code:
    The tool is a VB script which requires the sc.exe application, which can
    be found at %WINDIR%\system32\sc.exe or downloaded along with the source
    code at:
    http://www.security.nnov.ru/files/rkdetect.zip

    ' rkdetect.vbs
    '
    ' Windows rootkits detector
    ' (c)oded by offtopic@mail.ru 2003
    ' (c) Sergey Gordeychik gordey@infosec.ru 2003
    ' usage:
    ' cscript rkdetect.vbs <machine_name/ip>
    '
    ' Services are enumerated twice, through WMI (Win32_Service) and through
    ' the Services Control Manager (sc.exe query). A service reported by SC
    ' but missing from the WMI view is reported as a possible hidden service.

    On Error Resume Next

    Set Args = WScript.Arguments

    strComputer = Args(0)

    scFile = "sc.txt"
    Dim srvWMI()
    Dim srvSC()
    Dim k, i, j, i1, j1, s, found

    WScript.Echo "Query services by WMI..."

    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

    Set colServices = objWMIService.ExecQuery _
        ("SELECT DisplayName,PathName FROM Win32_Service")

    i = colServices.Count
    ReDim srvWMI(i)

    ' Collect the display names seen through WMI (user-level view)
    i = 0
    For Each objService In colServices
        srvWMI(i) = Trim(objService.DisplayName)
        i = i + 1
    Next

    WScript.Echo "Detected " & i & " services"

    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(scFile) Then fso.DeleteFile scFile

    WScript.Echo "Query services by SC..."

    ' Run sc.exe through the command interpreter so its output can be
    ' redirected into scFile (the command string is one line)
    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set scriptState = WshShell.Exec("%comspec% /c sc.exe \\" & strComputer & _
        " query state= all > " & scFile)

    ' Wait for sc.exe to finish (Status 0 = still running)
    While (scriptState.Status = 0)
        WScript.Sleep 100
    Wend

    Set f = fso.OpenTextFile(scFile, 1, False)
    j = 0
    ' SC may list more services than WMI, so size the array generously
    ReDim srvSC(i * 2)

    ' Every service block in the sc output has a "DISPLAY_NAME: <name>" line;
    ' the name itself starts at column 15
    While Not f.AtEndOfStream
        s = f.ReadLine
        k = InStr(s, "DISPLAY_NAME:")
        If k > 0 Then
            srvSC(j) = Trim(Mid(s, 15, 255))
            j = j + 1
        End If
    Wend
    f.Close
    WScript.Echo "Detected " & j & " services"
    WScript.Echo "Finding hidden services..."
    WScript.Echo ""

    ' Report every service known to SC that has no match in the WMI list
    For j1 = 0 To j - 1
        found = False
        For i1 = 0 To i - 1
            If srvSC(j1) = srvWMI(i1) Then found = True
        Next
        If Not found Then WScript.Echo "Possible rootkit found: " & srvSC(j1)
    Next
    WScript.Echo "Done"

    ' On Error Resume Next leaves the first error in Err; report it here
    If Err.Number <> 0 Then
        WScript.Echo "Windows rootkits detector"
        WScript.Echo "(c)oded by offtopic@mail.ru 2003"
        WScript.Echo "(c) Sergey V. Gordeychik gordey@infosec.ru 2003"
        WScript.Echo ""
        WScript.Echo "An error occurred. Check machine availability and your " & _
            "access level (must be an administrator)."
        WScript.Echo ""
        WScript.Echo "Usage:"
        WScript.Echo "cscript rkdetect.vbs <machine_name/ip>"
        WScript.Echo ""
    End If

    ADDITIONAL INFORMATION

    The tool's homepage can be found at:
    http://www.security.nnov.ru/search/document.asp?docid=6198

    The information has been provided by offtopic (offtopic@mail.ru).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
