[Full-Disclosure] RKDetect - behaviour based rootkit detection utility

http://www.security.nnov.ru/search/document.asp?docid=6198

Rkdetect is a little anomaly detection tool which can find services hidden by generic Windows rootkits like Hacker Defender.

Tool very simply. It enumerates services on remote computer through WMI (user level) and Services Control Manager (kernel level), compare result and display difference. In this way we can find hidden services which usual used to start rootkit.
Similar approach can be used to enumerate processes, files, registry keys and anything that rootkits can to hide.

Rkdetect available here:

http://www.security.nnov.ru/files/rkdetect.zip

Tool consists from VBScript file rkdetect.vbs and sc.exe utility.
Sc.exe it's standard Windows tool to work with SCM which you can find on any Windows Box with W2K3.

Usage:
1. Unzip archive.
2. If you don't trust me (I hope you
don't :-), copy sc.exe
(c:\WINDOWS\system32\sc.exe in my case) from Windows folder to the rkdetect folder.
3. Change dir to rkdetect folder.
4. Start it:

cscript rkdetect.vbs <machine_name/ip>

Example:

C:\detector>cscript rkdetect.vbs 200.4.4.4 Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001.
All rights reserved.

Query services by WMI...
Detected 79 services
Query services by SC...
Detected 80 services
Finding hidden services...

Possible rootkit found: HXD Service 100
Done

C:\detector>

Thanks to 3APA3A for testing and hosting.

Thanks for your attention and sorry for my English.

GL.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Thu May 13 03:02:50 2004