Lance Malish (Guest)
Posted: Sat Apr 24, 2004 7:55 pm    Post subject: 45 rootkits listed on my system? Ouch!!
I downloaded and ran Vice, which is a piece of software that's supposed
to detect rootkits on a system.
It was featured on TechTV's The Screen Savers show the other day.
And, oh, what I found!!! Vice says I have 45 infected processes spread
out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.
Here are the function names:
Ordinal 15
CMP_WaitNoPendingInstallEvents
CM_Reenumerate_DevNode
CM_Get_DevNode_Status
CM_Get_Parent
CM_Open_DevNote_Key_Ex
CM_DevNode_Registry_PropertyA
CM_Open_DevNode_Key
CM_Locate_DevNodeW
CM_Get_Device_ID_Size_Ex
CM_Get_Device_IDW
CM_Set_DevNode_Registry_PropertyW
CM_Get_DevNode_Status
Here are the .dlls they're affecting:
ACTIVEDS.dll
CFGMGR32.dll
comcntl32.dll
The rootkit paths are either one or the other of the following:
C:\windows\system32\comctl32.dll
c:\windows\system32\SETUPAPI.dll
Now is this possible? Is Vice a good piece of software, or could this
be a false positive?
And if all of this is legit, how do I go about cleaning my system -
short of reinstalling Windows? Thanks in advance for any help.
Anon (Guest)
Posted: Sat Apr 24, 2004 8:11 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
"Lance Malish" <lancemalish@somewhereontheplanet.com> wrote in message
news:Rdvic.19809$_L6.1277440@attbi_s53...
> I downloaded and ran Vice, which is a piece of software that's supposed
> to detect rootkits on a system.
> It was featured on TechTV's The Screen Savers show the other day.
> And, oh, what I found!!! Vice says I have 45 infected processes spread
> out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.
> Here are the function names:
What the heck is a rootkit? -Dave
Lance Malish (Guest)
Posted: Sat Apr 24, 2004 8:29 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
Anon wrote:
> "Lance Malish" <lancemalish@somewhereontheplanet.com> wrote in message
> news:Rdvic.19809$_L6.1277440@attbi_s53...
>> I downloaded and ran Vice, which is a piece of software that's supposed
>> to detect rootkits on a system.
>> It was featured on TechTV's The Screen Savers show the other day.
>> And, oh, what I found!!! Vice says I have 45 infected processes spread
>> out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.
>> Here are the function names:
> What the heck is a rootkit? -Dave
A rootkit is a collection of programs that a hacker uses to mask
intrusion and obtain administrator-level access to a computer or
computer network. The intruder installs a rootkit on a computer after
first obtaining user-level access, either by exploiting a known
vulnerability or cracking a password. The rootkit then collects user ids
and passwords to other machines on the network, thus giving the hacker
root or privileged access.
Yddap (Guest)
Posted: Sat Apr 24, 2004 8:34 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
In news:Rdvic.19809$_L6.1277440@attbi_s53,
Lance Malish <lancemalish@somewhereontheplanet.com> opined:
> I downloaded and ran Vice, which is a piece of software that's supposed
> to detect rootkits on a system.
> It was featured on TechTV's The Screen Savers show the other day.
> And, oh, what I found!!! Vice says I have 45 infected processes spread
> out through C:\windows\explorer.exe and C:\windows\system32\svchost.exe.
> Here are the function names:
> Ordinal 15
> CMP_WaitNoPendingInstallEvents
> CM_Reenumerate_DevNode
> CM_Get_DevNode_Status
> CM_Get_Parent
> CM_Open_DevNote_Key_Ex
> CM_DevNode_Registry_PropertyA
> CM_Open_DevNode_Key
> CM_Locate_DevNodeW
> CM_Get_Device_ID_Size_Ex
> CM_Get_Device_IDW
> CM_Set_DevNode_Registry_PropertyW
> CM_Get_DevNode_Status
> Here are the .dlls they're affecting:
> ACTIVEDS.dll
> CFGMGR32.dll
> comcntl32.dll
> The rootkit paths are either one or the other of the following:
> C:\windows\system32\comctl32.dll
> c:\windows\system32\SETUPAPI.dll
> Now is this possible? Is Vice a good piece of software, or could this
> be a false positive?
> And if all of this is legit, how do I go about cleaning my system -
> short of reinstalling Windows? Thanks in advance for any help.
Where does this prog "Vice" come from? URL or reference please.
yddap
Never anonymous Bud (Guest)
Posted: Sat Apr 24, 2004 9:22 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
While still snuggled in a 'spider hole', Lance Malish
<lancemalish@somewhereontheplanet.com> scribbled:
> I downloaded and ran Vice, which is a piece of software that's supposed
> to detect rootkits on a system.
Where did you get it?
To reply by email, remove the XYZ.
Lumber Cartel (tinlc) #2063. Spam this account at your own risk.
This sig censored by the Office of Home and Land Insecurity....
Boomer (Guest)
Posted: Sat Apr 24, 2004 9:27 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
Lance Malish <lancemalish@somewhereontheplanet.com> wrote in
news:Rdvic.19809$_L6.1277440@attbi_s53:
> I downloaded and ran Vice, which is a piece of software that's
> supposed to detect rootkits on a system.
> It was featured on TechTV's The Screen Savers show the other day.
> And, oh, what I found!!! Vice says I have 45 infected processes
> spread out through C:\windows\explorer.exe and
> C:\windows\system32\svchost.exe.
> Here are the function names:
> Ordinal 15
> CMP_WaitNoPendingInstallEvents
> CM_Reenumerate_DevNode
> CM_Get_DevNode_Status
> CM_Get_Parent
> CM_Open_DevNote_Key_Ex
> CM_DevNode_Registry_PropertyA
> CM_Open_DevNode_Key
> CM_Locate_DevNodeW
> CM_Get_Device_ID_Size_Ex
> CM_Get_Device_IDW
> CM_Set_DevNode_Registry_PropertyW
> CM_Get_DevNode_Status
> Here are the .dlls they're affecting:
> ACTIVEDS.dll
> CFGMGR32.dll
> comcntl32.dll
> The rootkit paths are either one or the other of the following:
> C:\windows\system32\comctl32.dll
> c:\windows\system32\SETUPAPI.dll
> Now is this possible? Is Vice a good piece of software, or could
> this be a false positive?
"Known User API False Positives"
http://www.rootkit.com/
> And if all of this is legit, how do I go about cleaning my system
> - short of reinstalling Windows? Thanks in advance for any help.
slumpy (Guest)
Posted: Sat Apr 24, 2004 10:27 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
....and with no more than a cursory glance at the dead camel Boomer decided
it was time to put the World to rights with this little gem:
>> I downloaded and ran Vice, which is a piece of software that's
>> supposed to detect rootkits on a system.
>> Now is this possible? Is Vice a good piece of software, or could
>> this be a false positive?
> "Known User API False Positives"
> http://www.rootkit.com/
In other words, RTFM !! ;-)
--
slumpy
no more
no less
just me
(well what the *** did you expect?)
Rod Smith (Guest)
Posted: Sun Apr 25, 2004 12:04 am    Post subject: Re: 45 rootkits listed on my system? Ouch!!
In article <cJvic.19423$w96.1511161@attbi_s54>,
Lance Malish <lancemalish@somewhereontheplanet.com> writes:
> Anon wrote:
>> What the heck is a rootkit? -Dave
> A rootkit is a collection of programs that a hacker uses to mask
> intrusion and obtain administrator-level access to a computer or
> computer network.
I suspect, but am not positive, that the name derives from the name of
the administrative user (and associated administrative privileges) on
Unix systems: root. I generally hear the word "rootkit" applied to
exploits for Unix (or related OSs, like Linux). My impression is that
worms and viruses are far more common on Windows. In some sense, they're
just specialized types of rootkits with some ability to replicate
automatically. I don't know whether the OP's scanner has detected worms,
viruses, manually applied rootkits, or something else.
--
Rod Smith, rodsmith@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking
Mr. Grinch (Guest)
Posted: Sun Apr 25, 2004 1:26 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
Lance Malish <lancemalish@somewhereontheplanet.com> wrote in
news:Rdvic.19809$_L6.1277440@attbi_s53:
> I downloaded and ran Vice, which is a piece of software that's supposed
> to detect rootkits on a system.
> It was featured on TechTV's The Screen Savers show the other day.
I think there are a lot of false positives. I'm running Server 2003 and it
reported several files as infected. I went and did some binary file
comparisons with the originals off the CD and they are identical. These
files are not listed under the "known false positives" yet but they haven't
tested on 2003 yet.
I also have a ghost image of my system, created after a fresh install, with
NO network connection. I restored this and checked it out with VICE,
again, it reports several rootkits / infected files. This is from a fresh
install of Server 2003 from Microsoft.
For me, something that generates so many false positives is a waste of
time. I'm sticking with Trend Server Protect real-time antivirus for now,
along with a manual scan using other products.
mhicaoidh (Guest)
Posted: Tue Apr 27, 2004 9:12 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
Taking a moment's reflection, Lance Malish mused:
> Now is this possible? Is Vice a good piece of software, or could this
> be a false positive?
They have support forums on the website you should probably post these
in. Though, from the Rootkit website:
"Warning
This software is brand new and is known to throw some false positives,
especially with the user-mode rootkit detection. If you scan your system and
it informs you that you have a rootkit infection, you may not have a rootkit
infection, but instead a false positive - so relax - it would be helpful if
you post the results that you obtain so the authors can improve the
detection algorithm. Most important is the address of the hook, and the name
of the DLL that is performing the hook.
Known User API False Positives
shim.dll
setupapi.dll
comctl32.dll (Usually seen with Outlook running)
sfc_os.dll and sfc.dll (Used for Microsoft Windows File Protection)
adsldpc.dll
Known Kernel False Positives
1. IRP's hooked by a file in the system root directory named ntoskrnl.exe
2. Functions hooked by vsdataant.sys (Only if you have Zone Alarm)"
> And if all of this is legit, how do I go about cleaning my system -
> short of reinstalling Windows? Thanks in advance for any help.
Well, I watched the segment on the TechTV website, and they recommended
you mount your drive as a slave in another system, and delete the rootkits
you know are not false positives.
Mr. Grinch (Guest)
Posted: Tue Apr 27, 2004 10:44 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
"mhicaoidh" <®êmõvé_mhic_aoidh@hotÑîXmailŠPäM.com> wrote in
news:_Dvjc.51377$aQ6.3907133@attbi_s51:
> Taking a moment's reflection, Lance Malish mused:
>> Now is this possible? Is Vice a good piece of software, or could
>> this be a false positive?
> They have support forums on the website you should probably post these
> in. Though, from the Rootkit website:
The website seems to list very few false positives. They don't seem to be
updating it after people email them new ones. No doubt, it takes them time
to confirm and test these things first. But they don't appear to be in a
hurry to confirm new falses. I noticed they haven't bothered to test under
Server 2003, where I've found several falses. I don't really expect a
response but hope they do look into it.
The "scan" progress indicator is broken too. It goes straight to the last
bar and sits there forever. OK, they've learned how to create a fancy
progress bar, but can't be bothered to make it mean something. Why bother
coding it in the first place if you're not going to make it work? Same
goes for OS version check. If you're going to check the OS version, why
not let the user know it's untested for their version, instead of
proceeding to give warnings on a system you know nothing about? I guess
people have different expectations, especially when it comes to coding
security software.
>> And if all of this is legit, how do I go about cleaning my system -
>> short of reinstalling Windows? Thanks in advance for any help.
> Well, I watched the segment on the TechTV website, and they recommended
> you mount your drive as a slave in another system, and delete the
> rootkits you know are not false positives.
I wonder how many people are going to delete critical files or rebuild
their system only to find the same false positives afterwards. Does the
web site give a lot of info on how to confirm false positives? Not the
last time I checked. I keep Ghost images, so I was able to test out a
vanilla base build to confirm the false positives. Most people aren't so
lucky.
If they want people to beta test their app for them, it would go a long way
if they figured out how to dump logs so users could easily email them the
info required to confirm positives / false positives. Personally, I'd be
ashamed to send something like this out and ask people to use it. But
then, I'll never have my ugly mug shown on Tech TV either, which is
probably a good thing.
Bucky Breeder (Guest)
Posted: Wed Apr 28, 2004 12:34 am    Post subject: Re: 45 rootkits listed on my system? Ouch!!
Lance Malish <lancemalish@somewhereontheplanet.com> wrote in
news:Rdvic.19809$_L6.1277440@attbi_s53:
> I downloaded and ran Vice, which is a piece of software
> that's supposed to detect rootkits on a system.
> It was featured on TechTV's The Screen Savers show the other
> day.
> And, oh, what I found!!! Vice says I have 45 infected
> processes spread out through C:\windows\explorer.exe and
> C:\windows\system32\svchost.exe.
> Here are the function names:
> Ordinal 15
> CMP_WaitNoPendingInstallEvents
> CM_Reenumerate_DevNode
> CM_Get_DevNode_Status
> CM_Get_Parent
> CM_Open_DevNote_Key_Ex
> CM_DevNode_Registry_PropertyA
> CM_Open_DevNode_Key
> CM_Locate_DevNodeW
> CM_Get_Device_ID_Size_Ex
> CM_Get_Device_IDW
> CM_Set_DevNode_Registry_PropertyW
> CM_Get_DevNode_Status
> Here are the .dlls they're affecting:
> ACTIVEDS.dll
> CFGMGR32.dll
> comcntl32.dll
> The rootkit paths are either one or the other of the
> following:
> C:\windows\system32\comctl32.dll
> c:\windows\system32\SETUPAPI.dll
> Now is this possible? Is Vice a good piece of software, or
> could this be a false positive?
> And if all of this is legit, how do I go about cleaning my
> system - short of reinstalling Windows? Thanks in advance
> for any help.
It *could* be a false positive... There's something funky about
that whole "root kit" deal!
http://rootkit.com/
When I went to their site after the Screen Savers telecast, signed
up, and during the download, my system froze out on the first try.
Nothing's getting in here without a request coming from here, and
then it's going to a sandbox...
I shut down my network, scanned = nada. Rebooted, went back,
downloaded "Vice", scanned it of course, put it in my C
directory, ran it, and pulled up about 4 dozen hits...
Went through and traced a good many of them down, pulled up
Properties on the files - geezus - most of them are M$ sys files,
a couple were ZA files having to do with vsmon dependencies and
the like... Some PestPatrol dependencies...
I've been patrolling the forums, but it doesn't seem very
responsive to the issues being posted.
Here's where I've resolved it: If Steve Gibson hasn't thrown out a
flurry of red-flags, and my other scans are coming up clean, I'm
blowing them off as some kind of hoax or probe until there's some
reliable feedback going on.
Am I the only one?
Thanks to your post, I think probably not! (o;
Thanks for the post and good luck!
Gary G. Taylor (Guest)
Posted: Wed Apr 28, 2004 2:04 am    Post subject: Re: 45 rootkits listed on my system? Ouch!!
Bucky Breeder wrote:
> Here's where I've resolved it: If Steve Gibson hasn't thrown out a
> flurry of red-flags, and my other scans are coming up clean, I'm
> blowing them off as some kind of hoax or probe until there's some
> reliable feedback going on.
From the buzz already posted, it's not a hoax--just incompetent twits
alpha-testing software and getting CNet to go along with their bullshit.
(Or maybe they've paid CNet to plug it....)
> Am I the only one?
Nope. See other postings in this group.
--
Gary G. Taylor * Rialto, CA
gary at donavan dot org / http:// geetee dot donavan dot org
"The two most abundant things in the universe
are hydrogen and stupidity." --Harlan Ellison
Tim Smith (Guest)
Posted: Mon May 03, 2004 4:14 pm    Post subject: Re: 45 rootkits listed on my system? Ouch!!
In article <jnde6c-sp2.ln@speaker.rodsbooks.com>, Rod Smith wrote:
> I suspect, but am not positive, that the name derives from the name of the
> administrative user (and associated administrative privileges) on Unix
> systems: root. I generally hear the word "rootkit" applied to
Yes.
> exploits for Unix (or related OSs, like Linux). My impression is that
> worms and viruses are far more common on Windows. In some sense, they're
> just specialized types of rootkits with some ability to replicate
> automatically. I don't know whether the OP's scanner has detected worms,
> viruses, manually applied rootkits, or something else.
No, rootkits and viruses/worms are fundamentally different. A rootkit is
basically a set of tools left behind by an intruder that makes it easy for
them to come back, generally consisting of backdoored versions of one or
more network services, *and* hacked versions of various system utilities so
as to hide the rootkit.
So, for example, a Unix rootkit might include a modified ssh daemon that has
a backdoor, and also a modified ps that ignores the modified ssh daemon, and
a modified ls that ignores the directory that contains the modified ssh
daemon and the other rootkit files. Once a rootkit is installed and
running, you are in trouble. You can't really trust any command. Do an
md5sum on /bin/ps to compare to another system...but how do you know the
rootkit didn't replace md5sum with one that lies about /bin/ps?
They are named root*kits* because people have them packaged up into bundles
all ready to stick on a compromised system and quickly install.
On Windows, rootkits might patch things like the kernel's task enumeration
functions so that they can be made to skip certain processes, so they do not
show up in the Task Manager, and hook the filesystem so as to not show the
rootkit files.
--
--Tim Smith
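The triage a defender would apply to the original poster's VICE output, following Mr. Grinch's byte-for-byte comparison against the install CD, mhicaoidh's advice to examine the drive from another system, and Tim Smith's point that a tool on the live system cannot be trusted. This is an added example, not VICE's code or anyone in the thread's; the report lines are constructed, the false-positive module list is the one quoted from rootkit.com above, and the cfgmgr32.dll-to-setupapi.dll export-forwarding rule is background I am adding, not something the thread states.

```python
"""Triage for VICE-style user-mode API-hook findings, plus the byte-for-byte check
against originals from install media that Mr. Grinch describes. Added example, not
VICE's code; module names are from the rootkit.com list quoted in the thread."""
import hashlib, ntpath, os, tempfile
# Modules the rootkit.com page quoted in the thread lists as known user-API false positives.
KNOWN_FALSE_POSITIVE_MODULES = {"shim.dll", "setupapi.dll", "comctl32.dll",
                                "sfc_os.dll", "sfc.dll", "adsldpc.dll"}
# Export forwarding (added background): cfgmgr32.dll forwards its CM_* exports to
# setupapi.dll, so an import from cfgmgr32.dll legitimately resolves inside setupapi.dll.
FORWARDED_EXPORTS = {("cfgmgr32.dll", "setupapi.dll")}

def classify(import_dll, target_module):
    """Verdict for one import-table entry whose resolved address lies in target_module."""
    import_dll, target_module = import_dll.lower(), target_module.lower()
    if import_dll == target_module:
        return "clean"
    if (import_dll, target_module) in FORWARDED_EXPORTS:
        return "benign: forwarded export"
    if target_module in KNOWN_FALSE_POSITIVE_MODULES:
        return "likely false positive: compare target file with install media"
    return "unexplained hook: compare target file with install media and investigate"

def triage(report):
    """Parse constructed 'process | function | import DLL | target path' lines."""
    verdicts = {}
    for line in report.strip().splitlines():
        process, function, import_dll, target = (p.strip() for p in line.split("|"))
        verdicts[(process, function)] = classify(import_dll, ntpath.basename(target))
    return verdicts

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def matches_original(suspect_path, original_path):
    """True when the file on the examined (ideally slaved, offline) drive is identical
    to the install-media copy. Run it from a trusted toolset: on a live compromised
    system the hashing tool itself may have been replaced (Tim Smith's md5sum point)."""
    return sha256_of(suspect_path) == sha256_of(original_path)
# Constructed report in the shape of the original poster's results.
SAMPLE_REPORT = r"""
explorer.exe | CM_Get_Parent         | CFGMGR32.dll | C:\windows\system32\SETUPAPI.dll
svchost.exe  | CM_Locate_DevNodeW    | CFGMGR32.dll | C:\windows\system32\SETUPAPI.dll
explorer.exe | Ordinal 15            | ACTIVEDS.dll | C:\windows\system32\adsldpc.dll
svchost.exe  | CM_Get_DevNode_Status | CFGMGR32.dll | C:\windows\system32\unknown.dll
"""

def demo_hash_check():
    """Constructed demo: an untouched copy matches the original, a patched copy does not."""
    with tempfile.TemporaryDirectory() as workdir:
        blob = b"MZ" + bytes(range(256)) * 4  # stand-in for a DLL image
        files = {"orig": blob, "same": blob, "patched": blob[:100] + b"\x90" + blob[101:]}
        for name, data in files.items():
            with open(os.path.join(workdir, name), "wb") as handle:
                handle.write(data)
        original = os.path.join(workdir, "orig")
        return (matches_original(os.path.join(workdir, "same"), original),
                matches_original(os.path.join(workdir, "patched"), original))
```

Anything that comes back "unexplained" still only means the address is not accounted for by the two benign causes modelled here; the file comparison against install media is what settles it.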
Rod Smith (Guest)
Posted: Tue May 04, 2004 3:20 am    Post subject: Re: 45 rootkits listed on my system? Ouch!!
In article <6Qplc.3194$8S1.3149@newsread2.news.atl.earthlink.net>,
Tim Smith <reply_in_group@mouse-potato.com> writes:
> In article <jnde6c-sp2.ln@speaker.rodsbooks.com>, Rod Smith wrote:
>> worms and viruses are far more common on Windows. In some sense, they're
>> just specialized types of rootkits with some ability to replicate
>> automatically.
> No, rootkits and viruses/worms are fundamentally different. A rootkit is
> basically a set of tools left behind by an intruder that makes it easy for
> them to come back, generally consisting of backdoored versions of one or
> more network services, *and* hacked versions of various system utilities so
> as to hide the rootkit.
Note my qualifier, "in some sense." I wasn't claiming they're one-to-one
identical but on different platforms. Besides, at least some worms and
viruses do what you describe, too.
The bottom line is that there's a whole range of security threats with
varying capabilities, and many individual threats straddle lines, making
classification difficult.
--
Rod Smith, rodsmith@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking