Re: Download freeware RKR scanning software (detect Sony rootkit & others)

pamelafiischer_at_yahoo.com
Date: 11/20/05


Date: 20 Nov 2005 11:01:22 -0800

karl levinson, mvp wrote:
> For a second opinion, try RKDetect http://www.security.nnov.ru/soft/rkdetect

Hi Karl,

You provided useful information for all of us, which I'm sure many
others like me will follow. So I don't feel so bad about asking a bit
deeper, since the answer will help all the other mothers out there to
follow verbatim in our footsteps.

1. Logged in as "administrator", I downloaded the RK Detect
second-opinion utility from:
http://www.security.nnov.ru/files/rkdetect.zip

2. As "administrator", I unzipped RKDetect into c:\proggies\util\RKD to
see the 4 files:
- readme.txt 09/08/2004 10:43 AM 1,636 bytes
- rkdetect.vbs 09/08/2004 10:37 AM 2,336 bytes
- sc.exe 03/25/2003 04:00 PM 47,104 bytes
- wmisc.vbs 09/08/2004 09:24 AM 474 bytes

3. I read the readme to learn:
- RKDetect finds hidden services that are usually used to start
rootkits.
- RKDetect enumerates the services on a remote computer.
- The result is then compared and any difference is displayed.
- RKDetect uses "sc.exe" found in %WINDIR%\system32\sc.exe or locally

4. Only one example command is in the readme:
C:\hack\rkd>cscript rkdetect.vbs 200.4.4.4

5. A quick http://www.dnsstuff.com Reverse DNS on that suggested IP
address reports:
200.4.4.4 PTR record: disp183.iie.org.mx. [TTL 86400s] [A=200.4.4.4]

6. As Administrator, I run the example by pointing to the suggested
server:
Start -> Run -> cmd
C:\> cd c:\proggies\util\RKD
RKD:\> cscript rkdetect.vbs 200.4.4.4

Up pops a Sygate Personal Firewall warning:
Microsoft (r) Console Based Script Host (cscript.exe) is trying to send
a packet.
Do you want to allow this program to access the network?

When I say "yes" to the firewall request, RKDetect proceeds to report:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 0 services
Query services by SC...
Detected 0 services
Finding hidden services...
Done
Windows rootkits detector
(c)oded by offtopic@mail.ru 2003
(c) Sergey V. Gordeychik gordey@infosec.ru 2003

An error occurred. Check machine availability and your access level
(must be an administrator).

Usage:
cscript rkdetect.vbs <machine_name/ip>

7. I am tantalizingly close to obtaining useful information but I
failed.

8. Do you know what I should do next to obtain an RKDetect report to
completion?

Frustrated,
Pamela
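
The readme's technique (enumerate services two independent ways, then
diff the lists) is simple enough to reproduce directly. The script below
is an added example in PowerShell; it is not RKDetect's own code and was
not part of the original thread. It assumes an elevated PowerShell
session on a Windows machine with sc.exe available (it ships in
%WINDIR%\system32). The optional $Target parameter, which mirrors the
readme's "<machine_name/ip>" argument, is an assumption: it needs
administrator rights on the remote host, exactly as the error message
above says, and can be left empty to check the machine you are sitting
at.

```powershell
# Added example (not RKDetect's code): cross-view check of Win32 services.
# View A: WMI, class Win32_Service.  View B: the Service Control Manager,
# queried through sc.exe.  Both should return the same set of names; a name
# present in one view but not the other is a candidate for something that is
# hiding it from one enumeration path.
param(
    # Assumed parameter: remote host name or IP.  Empty = the local machine.
    [string]$Target = ''
)

if ($Target) {
    # Remote: both paths need admin rights on $Target (WMI over DCOM/WinRM,
    # sc.exe over the SCM RPC interface).
    $wmiNames = @(Get-CimInstance -ClassName Win32_Service -ComputerName $Target |
                  Select-Object -ExpandProperty Name)
    $scOutput = & sc.exe "\\$Target" query type= service state= all
} else {
    $wmiNames = @(Get-CimInstance -ClassName Win32_Service |
                  Select-Object -ExpandProperty Name)
    # The space after "type=" and "state=" is required by sc.exe's parser.
    $scOutput = & sc.exe query type= service state= all
}

# sc.exe prints one record per service; the line we want looks like
#   SERVICE_NAME: Spooler
$scNames = @(foreach ($line in $scOutput) {
    if ($line -match '^\s*SERVICE_NAME:\s*(\S+)') { $Matches[1] }
})

Write-Host ("Query services by WMI... detected {0}" -f $wmiNames.Count)
Write-Host ("Query services by SC...  detected {0}" -f $scNames.Count)

# Zero results from either view means the query itself failed (wrong host,
# no admin rights), not that the machine is clean.
if ($wmiNames.Count -eq 0 -or $scNames.Count -eq 0) {
    Write-Error "One enumeration returned nothing; check host reachability and admin rights."
    exit 1
}

# Compare-Object is case-insensitive unless -CaseSensitive is given, which
# matches how service names are treated.
$diff = Compare-Object -ReferenceObject $wmiNames -DifferenceObject $scNames
if (-not $diff) {
    Write-Host "Finding hidden services... none: both views agree."
} else {
    foreach ($d in $diff) {
        $where = if ($d.SideIndicator -eq '<=') { 'seen by WMI only' }
                 else                            { 'seen by sc.exe only' }
        Write-Host ("SUSPICIOUS: {0} ({1})" -f $d.InputObject, $where)
    }
}
```

Two caveats when reading the result. The two enumerations are not taken
at the same instant, so a service installed or deleted between them shows
up as a difference; run the script twice before treating a name as hidden.
And the check only catches hiding that affects one path but not the other:
a rootkit that filters the SCM's answer below the point where both WMI and
sc.exe ask for it would be invisible to both views and produce no
difference at all.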
