Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs

HKLM\Security\Policy\Secrets rootkits

hervesors (Newbie, joined 13 September 2006)
Posted: 08 November 2006 at 10:33am

Just discovered that with RootKit Revealer and I'm sure it was not there a couple of weeks ago:

HKLM\Security\Policy\Secrets\SAC*  Key name contains embedded nulls

HKLM\Security\Policy\Secrets\SAI*  Key name contains embedded nulls

Of course these keys are not visible with RegEdit.

Could it be the result of some software (Cryptainer, Outpost) hiding the keys or of some malware?

Any advice will be appreciated.

Hervé

namrehto (Senior Member, Scotland, joined 23 June 2005)
Posted: 08 November 2006 at 10:52am
There are other recent reports. These are believed to be legitimate keys but their origins haven't yet been confirmed.
Gil
hervesors (Newbie, joined 13 September 2006)
Posted: 09 November 2006 at 10:06am

Thanks a lot... after investigating with possible "culprits", these legitimate keys appear to be written by the Spy Sweeper software.

Hervé

namrehto (Senior Member, Scotland, joined 23 June 2005)
Posted: 09 November 2006 at 10:20am
Interesting. Thanks for posting back. AFAIK HKLM\Security\Policy\Secrets\... is home for passwords etc - i.e. used as the LSA private data store.
Gil
P.SCD (Newbie, France, joined 11 November 2006)
Posted: 11 November 2006 at 3:36am
Hello.
New on the forum.
I have just the same detections found this morning:
Full LOG obtained with RootkitRevealer 1.71 on Windows XP Home SP2:

HKLM\SECURITY\Policy\Secrets\SAC*    19/01/2005 11:04    0 bytes    Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*    19/01/2005 11:04    0 bytes    Key name contains embedded nulls (*)

Thanks to namrehto who seems to have already given an answer.
By the way, I don't have Spy Sweeper ...
Have a good weekend.

Edited by P.SCD - 11 November 2006 at 3:45am
Twigleaf (Newbie, joined 13 November 2006)
Posted: 13 November 2006 at 9:16am

This is kind of interesting, as these have only shown up after I upgraded to the newest version of RootKit Revealer V1.71. As of the older V1.7 of RKR, and on the same system, it would not show these 2 new items in the log. Directly after the RKR update to 1.71, these started appearing in my logs also.

I do not have any of the above mentioned Spy Sweeper software on my system either. I am just wondering if these have been there all along, but never been picked up by the earlier versions of RKR.

namrehto (Senior Member, Scotland, joined 23 June 2005)
Posted: 14 November 2006 at 6:55am
> I am just wondering if these have been there all along, but never been picked up by the earlier versions of RKR

This has been confirmed. RKR 1.71 evidently now checks the security hive.
Gil
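As an added example (not from this thread or from Sysinternals), the following Python script triages RootkitRevealer log lines the way a defender reading this thread would: the two LSA secrets entries (SAC* and SAI* under HKLM\SECURITY\Policy\Secrets) that RKR 1.71 started reporting are marked as expected, and any other key name with embedded nulls is flagged for manual review. It assumes the four-field, tab-separated line layout seen in the log lines quoted above; the third sample line is constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed RKR log layout (from the lines quoted in the thread), one discrepancy per line:
#   <path> \t <timestamp> \t <size> \t <description>
EMBEDDED_NULLS = "Key name contains embedded nulls"

# The two LSA private data store entries discussed in the thread. RKR 1.71 began
# scanning the SECURITY hive, so they appear on clean XP / W2K installs too.
KNOWN_LSA_SECRETS = re.compile(
    r"^HKLM\\SECURITY\\Policy\\Secrets\\(SAC|SAI)\*$", re.IGNORECASE
)


def parse_rkr_line(line: str) -> Optional[Dict[str, str]]:
    """Split one RKR log line into its fields; None for blank or malformed lines."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
    if len(parts) != 4 or not parts[0]:
        return None
    return {"path": parts[0], "timestamp": parts[1],
            "size": parts[2], "description": parts[3]}


def triage(entry: Dict[str, str]) -> str:
    """Classify one discrepancy: 'expected', 'review' or 'other'."""
    if EMBEDDED_NULLS in entry["description"]:
        if KNOWN_LSA_SECRETS.match(entry["path"]):
            return "expected"  # LSA secrets entries reported since RKR 1.71
        return "review"        # any other embedded-null key name needs a manual look
    return "other"             # non-embedded-null discrepancies are out of scope here


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every parseable line of an RKR log."""
    results = []
    for line in text.splitlines():
        entry = parse_rkr_line(line)
        if entry:
            results.append((entry["path"], triage(entry)))
    return results


# Constructed sample log: the two entries from the thread plus a made-up key elsewhere.
SAMPLE_LOG = (
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t19/01/2005 11:04\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI*\t19/01/2005 11:04\t0 bytes\tKey name contains embedded nulls (*)\n"
    "HKLM\\SOFTWARE\\Example\\Hidden*\t13/10/2006 10:13\t0 bytes\tKey name contains embedded nulls (*)\n"
)

if __name__ == "__main__":
    for path, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:8s} {path}")
```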
Haruspex (Newbie, joined 01 October 2006)
Posted: 15 November 2006 at 4:52am
Same here, after I installed 1.71 these 2 "boys" appeared. I am using Win XP Pro SP2 and I have never installed Spy Sweeper on my system.

Any more info about these entries would be helpful.

HKLM\SECURITY\Policy\Secrets\SAC*    13/10/2006 10:13    0 bytes    Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*    13/10/2006 10:13    0 bytes    Key name contains embedded nulls (*)

circuitburner (Newbie, United States, joined 15 November 2006)
Posted: 15 November 2006 at 10:20pm

Ditto here ...

These two keys seem to be resident in XP.

I took alarm to them at first, but based on the responses here am relieved.

Here's something interesting though,

I scanned a client's troubled PC exhibiting the "haunted house" effect, and she says it showed 10,000 plus discrepancies!

I haven't been on-site yet (it will be Friday the 17th) to see for myself. Her boss told me when I asked him weeks ago that he hasn't installed any "ghost-ware". Yet there are lots of anomalies that I can't explain. Get this - today during the scan, she says he was hanging out near her and her computer, glancing at the monitor a lot and looking quite suspicious as the scan built up its results. I think I have the bastard caught. I'm billing them hundreds of dollars if I indeed find traces or evidence of the type of ghost-ware he has been PROVEN to run on his own computers. He has cost me lots of time and effort trying to root out (no pun) problems on this particular machine. Am I fair for punishing him for his stunts if I can determine indeed he has back-doored this machine for whatever reason? I mean, he denied doing this type of thing when asked, so I've been misled. He also never looked me directly in the face when I asked him either. Oh, I'm so pissed!

They have money (real estate brokers), and I've wasted so much time fixing and re-fixing stuff, just to have unexplainable things changing after I'm done. She IS his employee, but honesty is all I asked for. Damn him.

hdwlc (Newbie, Belgium, joined 15 November 2006)
Posted: 15 November 2006 at 10:24pm

Found both SAC and SAI on two machines: an XP Pro and a W2K Server.

The time stamps mentioned are the date/time the systems were installed. Will accept them as benign for now until further notice.

Other keys were reported on the W2K Server. Will ask about those in another post.

Regards,
hdwlc
