Sunday, January 28, 2007

What's in a name?

The makers of the excellent program RootkitUnhooker recently
released an anti-rootkit test file, Unreal.A. Apparently it bypasses
most modern anti-rootkit tools, showing (in their words) how
"useless/helpless/out-of-dated" anti-rootkit software is. It even
eludes their own anti-rootkit software.

Partial description of Unreal.A:
"1. We are using NTFS ADS (that bypasses DarkSpy and IceSword
automatically).

2. The ADS attaches to the root directory of disk C: (that
automatically bypasses GMER and RootkitRevealer).

3. The driver sets itself up as a File System Filter and filters some
IRPs like IRP_MJ_READ, IRP_MJ_QUERY_INFORMATION etc. That
bypasses all other antirootkits that use RAW reading (BlackLight,
Rootkit Unhooker etc.).

Unreal.A contains specific code for AVG Antirootkit and the AVZ
Antirootkit Module. The specific code was done because both of these
products use monitoring dirty tricks based on Notify Routines,
which are not detection at all. Unreal.A searches for the antirootkit
device (using the DeviceObject lists) and when it is found the rootkit
does IoDeleteDevice, so the antirootkit can't communicate with its
kernel part anymore. Unfortunately, as some tests by independent
people show, this part of Unreal.A is a little buggy; sometimes
AVG/AVZ can show (with the help of Notify, of course) the hidden driver."

"As I said before, the idea is not new, but we did not find any other
ready-to-use rootkits, so we decided to create this special demo to
show how useless/helpless/out-of-dated antirootkit software is in
reality, and of course for our internal testing."
From: http://rootkit.com/newsread.php?newsid=647
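The one part of the description a defender can check by hand is item 2: the payload lives in an alternate data stream attached to the root directory itself, and a scanner that only walks files never asks a directory for its streams. The program below is an added example written for this post; it is not code from the original post or from the Unreal.A authors, and it does not reproduce the rootkit. It enumerates every stream attached to C:\ with the Win32 FindFirstStreamW/FindNextStreamW API and flags any named $DATA stream. The classification helper is portable C (so it can be unit-tested anywhere); the enumeration needs Windows. The path C:\ and the function names are the example's own assumptions.

```c
/* Added example (not from the original post or the Unreal.A authors):
 * list alternate data streams attached to the root directory of C:.
 * Stream names as returned by FindFirstStreamW have the form
 * ":<name>:<type>", for example
 *   "::$DATA"                   the default, unnamed data stream
 *   ":payload:$DATA"            a named ADS (what this check looks for)
 *   ":$I30:$INDEX_ALLOCATION"   the directory's own index, present on
 *                               every NTFS directory and benign
 * The helper is plain C; the walker under _WIN32 needs Vista+ headers. */
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   /* FindFirstStreamW is Vista+ */
#endif
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Return 1 if stream_name denotes a named $DATA stream, else 0.
 * The default data stream (empty name) and non-$DATA attribute
 * streams such as the directory index are not flagged. */
int is_named_data_stream(const wchar_t *stream_name)
{
    const wchar_t *name, *type;
    if (stream_name == NULL || stream_name[0] != L':')
        return 0;
    name = stream_name + 1;          /* skip the leading ':' */
    type = wcschr(name, L':');       /* ':' separating name and type */
    if (type == NULL)
        return 0;                    /* malformed, not a stream name */
    if (type == name)
        return 0;                    /* empty name: default stream */
    return wcscmp(type, L":$DATA") == 0;
}

#ifdef _WIN32
#include <windows.h>

/* Walk every stream attached to `path` (a file or a directory), print
 * the ones the helper flags, and return how many were flagged
 * (-1 if the enumeration could not be started). */
int report_named_streams(const wchar_t *path)
{
    WIN32_FIND_STREAM_DATA fsd;
    int flagged = 0;
    HANDLE h = FindFirstStreamW(path, FindStreamInfoStandard, &fsd, 0);
    if (h == INVALID_HANDLE_VALUE)
        return -1;
    do {
        if (is_named_data_stream(fsd.cStreamName)) {
            wprintf(L"%ls%ls  (%lld bytes)\n", path, fsd.cStreamName,
                    (long long)fsd.StreamSize.QuadPart);
            flagged++;
        }
    } while (FindNextStreamW(h, &fsd));
    FindClose(h);
    return flagged;
}

int main(void)
{
    /* Assumed target: the root directory of the system volume. */
    int n = report_named_streams(L"C:\\");
    if (n < 0) {
        fprintf(stderr, "FindFirstStreamW failed: %lu\n",
                (unsigned long)GetLastError());
        return 2;
    }
    printf("%d named data stream(s) attached to C:\\\n", n);
    return n ? 1 : 0;
}
#endif
```

Build with `gcc ads_check.c -o ads_check.exe` (MinGW) or `cl ads_check.c`; `dir /r C:\` in cmd.exe shows the same listing by hand. The caveat is item 3 of the quoted description: FindFirstStreamW goes through the file system stack, so a filter driver that intercepts IRP_MJ_QUERY_INFORMATION on the live machine can simply omit its own stream from the answer. Run the check from a clean boot, or against the volume mounted on another system, for it to mean anything.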

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Download the demo off their site if you'd like to test it.
