RKDetect - behaviour based rootkit detection utility

From: Sergey V. Gordeychik (gordey_at_infosec.ru)
Date: 05/12/04

    Date: Wed, 12 May 2004 15:00:12 +0400
    To: <focus-ms@securityfocus.com>
    
    

    http://www.security.nnov.ru/search/document.asp?docid=6198

    Rkdetect is a little anomaly detection tool which can find services
    hidden by generic Windows rootkits like Hacker Defender.

    The tool is very simple. It enumerates services on the remote computer
    through WMI (user level) and the Services Control Manager (kernel level),
    compares the results and displays the difference. In this way we can find
    hidden services, which are usually used to start the rootkit.
    A similar approach can be used to enumerate processes, files, registry
    keys and anything else that rootkits can hide.

    Rkdetect is available here:

    http://www.security.nnov.ru/files/rkdetect.zip

    The tool consists of the VBScript file rkdetect.vbs and the sc.exe utility.
    Sc.exe is the standard Windows tool for working with the SCM, which you can
    find on any Windows box with W2K3.

    Usage:
    1. Unzip the archive.
    2. If you don't trust me (I hope you don't :-), copy sc.exe
    (c:\WINDOWS\system32\sc.exe in my case) from the Windows folder to the
    rkdetect folder.
    3. Change directory to the rkdetect folder.
    4. Start it:

    cscript rkdetect.vbs <machine_name/ip>

    Example:

    C:\detector>cscript rkdetect.vbs 200.4.4.4
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001.
    All rights reserved.

    Query services by WMI...
    Detected 79 services
    Query services by SC...
    Detected 80 services
    Finding hidden services...

    Possible rootkit found: HXD Service 100
    Done

    C:\detector>
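The cross-view check the post describes (one user-level listing, one SCM listing, then a diff), as an added Python example; it is not part of rkdetect or the original post, which does the same job in VBScript. The two inputs are constructed samples in the shape of `wmic /node:HOST1 service get name,displayname,state /format:csv` and `sc \\HOST1 query state= all` output, with HOST1 as a placeholder host, so the script runs offline. Beyond the post's one-direction check it also reports the opposite discrepancy (a service WMI shows but the SCM does not) and compares names case-insensitively, since Windows service names are.

```python
"""Cross-view service enumeration: compare the user-level view (WMI
Win32_Service) with the SCM view (sc.exe query) and report any service name
present in only one of them. Added example with constructed sample data."""
import csv
import io
import re

# Constructed sample of `wmic /node:HOST1 service get name,displayname,state /format:csv`.
# wmic prefixes a blank line and a Node column; HOST1 is a placeholder host name.
WMI_SAMPLE = """
Node,DisplayName,Name,State
HOST1,Print Spooler,Spooler,Running
HOST1,Windows Event Log,EventLog,Running
HOST1,Remote Registry,RemoteRegistry,Stopped
"""

# Constructed sample of `sc \\HOST1 query state= all`, trimmed to the fields that
# matter. The extra entry mirrors the service hidden from WMI in the run above.
SC_SAMPLE = """
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: EventLog
DISPLAY_NAME: Windows Event Log
        STATE              : 4  RUNNING

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        STATE              : 1  STOPPED

SERVICE_NAME: HXD Service 100
DISPLAY_NAME: HXD Service 100
        STATE              : 4  RUNNING
"""


def parse_wmi_csv(text: str) -> set[str]:
    """Service names from wmic CSV output. wmic writes CR-heavy line endings,
    so every CR is dropped before the text reaches the csv module."""
    clean = text.replace("\r", "").strip()
    return {row["Name"].strip() for row in csv.DictReader(io.StringIO(clean))}


# One "SERVICE_NAME: <name>" line per service in sc query output.
_SC_NAME = re.compile(r"^\s*SERVICE_NAME:\s*(.*?)\s*$", re.MULTILINE)


def parse_sc_query(text: str) -> set[str]:
    """Service names from `sc query` output."""
    return set(_SC_NAME.findall(text))


def diff_views(wmi_names, scm_names):
    """Return (hidden, phantom), both sorted lists of original spellings.
    hidden  = known to the SCM but missing from the WMI view (the rootkit pattern)
    phantom = reported by WMI but unknown to the SCM (also a discrepancy to inspect)
    Windows service names are case-insensitive, so keys are case-folded."""
    wmi = {n.casefold(): n for n in wmi_names}
    scm = {n.casefold(): n for n in scm_names}
    hidden = sorted(scm[k] for k in scm.keys() - wmi.keys())
    phantom = sorted(wmi[k] for k in wmi.keys() - scm.keys())
    return hidden, phantom


def main() -> None:
    wmi = parse_wmi_csv(WMI_SAMPLE)
    scm = parse_sc_query(SC_SAMPLE)
    print(f"Query services by WMI... Detected {len(wmi)} services")
    print(f"Query services by SC...  Detected {len(scm)} services")
    hidden, phantom = diff_views(wmi, scm)
    for name in hidden:
        print(f"Possible rootkit found: {name}")
    for name in phantom:
        print(f"In WMI but not in SCM: {name}")
    print("Done")


if __name__ == "__main__":
    main()
```

To use it against a live machine, replace the two constants with the captured output of those two commands run against the same target at the same moment. Note that `sc query` without `state= all` lists only active services, so a difference in counts can be an artefact of the query rather than of hiding; the name-level diff, not the count, is the signal.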

    Thanks to 3APA3A for testing and hosting.

    Thanks for your attention and sorry for my English.

    GL,
    Sergey V. Gordeychik, gordey@infosec.ru
