Date: 16 May 2004 16:40:43 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [TOOL] RKDetect - Behaviour Based Rootkit Detection Utility
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RKDetect - Behaviour Based Rootkit Detection Utility
------------------------------------------------------------------------
SUMMARY
DETAILS
RKDetect is a small anomaly detection tool that can find services hidden
by generic Windows rootkits such as Hacker Defender. The tool enumerates the
services on a remote computer via WMI (user level) and via the Service
Control Manager (kernel level); the two results are then compared and any
difference is displayed. In this way hidden services, which are usually used
to start rootkits, can be found. A similar approach can be used to enumerate
processes, files, registry keys and anything else that rootkits usually hide.
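The same cross-view comparison, as an added Python example that is not part of the original tool: it parses the DISPLAY_NAME: lines of sc.exe output and reports names that are absent from the WMI view. The sc.exe output and the WMI list below are constructed samples and the hidden service name is a placeholder; on a real host the text would come from `sc.exe \\host query state= all` and the list from a Win32_Service query.

```python
import re
from collections import Counter

# Constructed sample of "sc.exe query state= all" output; not captured from a real host.
SC_SAMPLE = """
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: hxdefsvc
DISPLAY_NAME: Example Hidden Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed user-level view: what "SELECT DisplayName FROM Win32_Service"
# returns when a user-mode rootkit filters its own service out of the answer.
WMI_SAMPLE = ["DNS Client", "Print Spooler"]

def parse_sc_display_names(text):
    """Return the DISPLAY_NAME values from sc.exe query output, in order."""
    names = []
    for line in text.splitlines():
        m = re.match(r"\s*DISPLAY_NAME:\s*(.*?)\s*$", line)
        if m:
            names.append(m.group(1))
    return names

def find_hidden_services(sc_names, wmi_names):
    """Display names the SCM (kernel-level view) reports but WMI (user-level
    view) does not.  Multiset subtraction also catches one hidden instance of
    a duplicated display name while its visible twin is still listed, which a
    plain membership test would miss."""
    missing = Counter(sc_names) - Counter(wmi_names)
    return sorted(missing.elements())

if __name__ == "__main__":
    sc_names = parse_sc_display_names(SC_SAMPLE)
    print("SC: %d services, WMI: %d services" % (len(sc_names), len(WMI_SAMPLE)))
    for name in find_hidden_services(sc_names, WMI_SAMPLE):
        print("Possible rootkit found: " + name)
```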
Source Code:
The tool is a VB script which requires the sc.exe application; it can be
found at %WINDIR%\system32\sc.exe or downloaded along with the source code
below at: <http://www.security.nnov.ru/files/rkdetect.zip>
' rkdetect.vbs
'
' Windows rootkits detector
' (c)oded by [email protected] 2003
' (c) Sergey Gordeychik [email protected] 2003
' usage:
' cscript rkdetect.vbs <machine_name/ip>
'
' Errors are suppressed so that the usage text at the end can always be
' shown; the Err object is inspected once all queries have finished.
on error resume next
Set Args = WScript.Arguments
strComputer = Args(0)
scFile = "sc.txt"
Dim srvWMI()
Dim srvSC()
Dim k, i, j

' Step 1: user-level view - enumerate services through WMI (Win32_Service).
Wscript.echo("Query services by WMI...")
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=Impersonate}!\\" & strComputer & "\root\cimv2")
Set colServices = objWMIService.ExecQuery _
    ("SELECT DisplayName,PathName FROM Win32_Service")
i = colServices.Count
ReDim srvWMI(i)
i = 0
For Each objService in colServices
    srvWMI(i) = objService.DisplayName
    i = i + 1
Next
Wscript.echo("Detected " & i & " services")

' Step 2: kernel-level view - enumerate services through the Service Control
' Manager with sc.exe and capture its output in a text file.
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists(scFile) Then fso.DeleteFile(scFile)
Wscript.echo("Query services by SC...")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set scriptState = WshShell.Exec("%comspec% /c sc.exe \\" & strComputer & " query state= all> " & scFile)
While (scriptState.Status = 0)
    WScript.Sleep(100)
Wend

' Step 3: pull the DISPLAY_NAME: lines out of the sc.exe output. The array
' grows as needed; with errors suppressed, a fixed-size array would silently
' drop entries once it filled up.
Set f = fso.OpenTextFile(scFile, 1, False)
j = 0
ReDim srvSC(0)
While Not f.atEndOfStream
    s = f.ReadLine
    k = InStr(s, "DISPLAY_NAME:")
    If k > 0 Then
        ReDim Preserve srvSC(j)
        srvSC(j) = Trim(Mid(s, k + Len("DISPLAY_NAME:")))
        j = j + 1
    End If
Wend
f.Close
Wscript.echo("Detected " & j & " services")

' Step 4: any display name the SCM reports but WMI does not is flagged.
Wscript.echo("Finding hidden services...")
Wscript.echo("")
For j1 = 0 To j-1
    k = 0
    For i1 = 0 To i-1
        If (srvSC(j1) <> srvWMI(i1)) Then k = k + 1
    Next
    ' k = i means no WMI entry matched this SCM entry at all.
    If k = i Then WScript.Echo("Possible rootkit found: " & srvSC(j1))
Next
Wscript.Echo "Done"

If Err <> 0 Then
    Wscript.Echo "Windows rootkits detector"
    Wscript.Echo "(c)oded by [email protected] 2003"
    Wscript.Echo "(c) Sergey V. Gordeychik [email protected] 2003"
    Wscript.Echo ""
    Wscript.Echo "An error occurred. Check machine availability and your access level (must be an administrator)."
    Wscript.Echo ""
    Wscript.Echo "Usage:"
    Wscript.Echo "cscript rkdetect.vbs <machine_name/ip>"
    Wscript.Echo ""
    Wscript.Echo ""
End If
ADDITIONAL INFORMATION
The tool's homepage can be found at:
<http://www.security.nnov.ru/search/document.asp?docid=6198>
The information has been provided by <mailto:[email protected]> offtopic.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.