Unreal: Rootkit Detectors / Bypassing
Printed From: Sysinternals
Category: Windows Discussions
Forum Name: Malware
Forum Discription: Discussions and news on identifying, cleaning, and preventing malware
URL: http://forum.sysinternals.com/forum_posts.asp?TID=9630
Printed Date: 20 November 2009 at 11:00pm
Topic: Unreal: Rootkit Detectors / Bypassing
Posted By: MP_ART
Subject: Unreal: Rootkit Detectors / Bypassing
Date Posted: 19 January 2007 at 7:45am
|
We are introducing new generation of rootkit technology.
Unreal Test Rootkit Unreal rootkit hides file and driver. Works on NT-based operation systems with NTFS file systems. It doesnt have process, so it's not hides processes! It do not hide also a registry keys, so no registry keys are hidden! Make sure, that you readed this post before you start tests or write something. Unreal is Not malicious This rootkit is not intended to be runned with Host Intrusion Prevention Systems. It is intended ONLY for testings with modern AntiRootkit software. Rootkit tech information Supported File system: backdoor-friendly NTFS Implementation: DKOM Predecessors: partially RkDemo, phide_ex and Rustock ARK TESTS: ======================================== 1. Rootkit Unhooker v3.01 BYPASSED 2. Rootkit Revealer v1.71 BYPASSED 3. F-Secure Blacklight BYPASSED 4. DarkSpy v1.05 BYPASSED 5. DarkSpy v1.05fixedbeta2 BYPASSED 6. IceSword v1.20 BYPASSED 7. GMER v1.012 BYPASSED 8. Helios v1.1a BYPASSED 9. SVV v2.3 BYPASSED 10. McAfee Rootkit Detective BYPASSED 11. Sophos AntiRootkit BYPASSED 12. TrendMicro RootkitBuster BYPASSED 13. AVG AntiRootkit BYPASSED 14. AVZ v4.23 ARK Module BYPASSED 15. BitDefender Rootkit Uncover BYPASSED 16. Panda AntiRootkit BYPASSED 17. Panda Tycan BYPASSED 18. modGreeper v0.3 BYPASSED 19. flister BYPASSED 20. UnHackMe BYPASSED 21. SEEM v4.x BYPASSED 22. SafetyCheck v1.5.x BYPASSED 23. Avira AntiRootkit BYPASSED 24. HiddenFinder v1.301 BYPASSED 25. RkDetector v0.6 BYPASSED ======================================== There are no best antirootkits. Download http://www.rku.xell.ru/?l=e&a=dl - http://www.rku.xell.ru/?l=e&a=dl (10 Kb) Supported Operation systems: Windows XP SP2, Windows 2003 SP1 Windows 2000 - untested, but probably also supported Vista is not supported and not will be, we see no sense in this OS. Unreal Installation instructions 1. Make sure that you have NT-based OS, your disk C: have NTFS file system and you are running under administrator rights 2. Start Unreal.exe 3. Press "Install Rootkit" button That is all, now you can see rootkit activity with DbgView, it will display ">unreal" File dropped to disk and protected from read-write operations. You can reboot your PC and Unreal still will work! That proves that we do not use dirty tricks. Unreal Removal instructions 1. Start Unreal.exe 2. Press "Uninstall Rootkit" button (that will erase registry key of rootkit) 3. Reboot 4. Start Unreal.exe again 5. Press "Uninstall Rootkit" button again (that will erase dropped rootkit file) That is all. p.s. Last words. It is theoretically possible for a antirootkit detect Unreal rootkit. However, this would require a level of sophistication not seen in both AV/independent antirootkits to date. Rootkit sources are available, but only by preliminary request only via this email rkunhooker@inbox.ru |
Replies:
Posted By: MEGA
Date Posted: 19 January 2007 at 10:58am
So Unreal hides registry keys  |
Posted By: EP_X0FF
Date Posted: 19 January 2007 at 11:04am
|
No Unreal doesn't hides registry keys. It hides only driver and file, nothing else. ------------- Ring0 - the source of inspiration |
Posted By: jibe
Date Posted: 19 January 2007 at 11:08am
| Is it normal that I get a BSOD on a VM with XP SP2 US Home edition ? |
Posted By: MP_ART
Date Posted: 19 January 2007 at 11:25am
------------- |
Posted By: EP_X0FF
Date Posted: 19 January 2007 at 1:03pm
No, of course, lol. Please provide minidump. ------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 21 January 2007 at 4:53am
|
hi,our uncompleted Anti-Rootkit tools detected the file of this rootkit=) see the screenshot http://hi.baidu.com/mj0011/album/item/a49b1bd1ec1443d2562c845b.html - http://hi.baidu.com/mj0011/album/item/a49b1bd1ec1443d2562c84 5b.html click the picture in the center for full view we detected the file c:\unreal.sys and we can delete it then remove the effect we can not detect Driver Object of this rootkit :( KDOM is a very difficult thing for me .......
our Anti-rootkit tools:DarkDetector will release on March or April (I'm not so sure, because I recently busy with combat the some badly local virus=(
------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 21 January 2007 at 4:58am
Can you post your screenshot here not on your extremely slow server?
It is not our file. ------------- Ring0 - the source of inspiration |
Posted By: MP_ART
Date Posted: 21 January 2007 at 5:19am
------------- |
Posted By: mj0011
Date Posted: 21 January 2007 at 5:20am
|
sorry,the c:\:unreal.sys .... I can not post the screenshot on this forum because the screenshot is large then 15KB where can I unload the screenshot? ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 21 January 2007 at 5:21am
imageshack.us ------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 21 January 2007 at 6:31am
|
sorry I try so many times...but screenshot cannot be upload. I will try tomorrow
I can tell you how I detected the file: clear all IFS filter =) ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: mj0011
Date Posted: 21 January 2007 at 6:34am
|
after clear ifs filter,use winhex " edit disk" funciton will also find that file ":unreal.sys" ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 21 January 2007 at 6:38am
Ok, no need screenshots.
That is not a detection, because: - you can clear non-rootkit FS filters - this will lead to BSOD's/GPF in real life with real software running on your PC - simple because it is not a detection, just like uninstalling rustock by starting GMER and pressing reset button.
WinHex is fully bypassed in private version of Unreal. Detection of Unreal is pure trivial, but this require more sophistication, not simple cleaning FS filters
Looking forward for your Antirootkit. p.s. BTW when you cleaned FS-filters it's become visible, so you can't tell was it hidden or not, so IT IS NOT A DETECTION. ------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 21 January 2007 at 6:46am
|
It is also very simple to bypass filters
we force clear it because our anti-rootkit tools has some Special use
after clear ifs filter,the detection work of unreal is to find the ADS =)
private version? aha.....
------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 21 January 2007 at 6:51am
One simple question. Object A hidden Object B hides Object A Object C searching for object A by removing Object B Object A not hidden 
How you will say that this A is hidden if it is not?
That is bullsh*t not a detection. It is "limited use" because on any other computers that will lead to BSOD. ------------- Ring0 - the source of inspiration |
Posted By: MP_ART
Date Posted: 21 January 2007 at 6:51am
|
DarkSpy Security Group always says that they have a MYSTERY "Super private version". Are your tool like it? ------------- |
Posted By: mj0011
Date Posted: 21 January 2007 at 7:00am
|
Thanks,we'll use "bypass mode" to get real data which your FS filter replaced ,and it the DETECTION =) Expect to see your Private Version =) BTW:Your rootkit include a very interesting idea indeed .... ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: mj0011
Date Posted: 21 January 2007 at 7:20am
|
clear fs filter ,and it easy detection: C:\Documents and Settings\Administrator>lads.exe c:\ LADS - Freeware version 4.10 Scanning directory c:\ size ADS in file The following summary might be incorrect because there was at least one error! 5888 bytes in 1 ADS listed ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: MP_ART
Date Posted: 21 January 2007 at 7:24am
|
Dear mj0011, kiddo, instead of posting here your crap, go, buld your RKdetector and post it. ------------- |
Posted By: mj0011
Date Posted: 21 January 2007 at 7:30am
|
our rkdetector will be released in two or three months ... I'm so busy...:( Many interesting function is not yet complete :p OK,stop my crap... Is the time to sleep ... ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 21 January 2007 at 7:40am
|
Some remarks. For mj0011 and others.
RkDetection it is not when you started few forensic tools and searched for known place where hidden object are located. And it is not cleaning FS filters, because this is a very likely will lead to BSOD (for example if you have EFS filters). So what is the RkDetection? 1. It is when I started RkDetector on different computers, not only mine, and not got stupid BSOD on start. 2. It is when RkDetector can locate rootkits even if it is do not knows where rootkits are located. 3. It is when I do not worry about BSOD's only because somebody wanna cleanup fs-filter queue =)))) 4. It is when I can locate these hidden objects not from the ass of the world (command line prompt with mount, unmount commands, forensic tools etc) From Normal GUI application with few pretty buttons (not f**ken labels or comboboxes) where one of them is named "SCAN" or "Scan for rk". I see Nothing from this here right now, so further discussion have no sense. ------------- Ring0 - the source of inspiration |
Posted By: _cardmagic
Date Posted: 21 January 2007 at 11:00am
some reasons...some limits... we cant release either internal rootkit or internal detector at current...but maybe u will see it in the future... but its not called " darkspy" ,and its not released by us :( .. anyhow.. good work ! well done! |
Posted By: EP_X0FF
Date Posted: 21 January 2007 at 11:08am
|
Thank you friend :)
And keep up the good work too. btw, whats up with your profile? ------------- Ring0 - the source of inspiration |
Posted By: _cardmagic
Date Posted: 21 January 2007 at 11:15am
password incorrect... :( |
Posted By: EP_X0FF
Date Posted: 21 January 2007 at 11:16am
 
sad ------------- Ring0 - the source of inspiration |
Posted By: SpannerITWks
Date Posted: 21 January 2007 at 3:06pm
|
MP_ART Thanx for releasing another Test RK, which is even more impressive than the others, as can be seen in your screenie above. Backdoor-friendly NTFS, lol. As i've said before on various forums, if people don't have access to a Real RK etc, how can they possibly test their security Apps, they can't ! And with this they can, and SAFELY too.
Hi, i'm looking forward to the release of DarkDetector, as i'm sure quite a few people will be too. All the best with it ! I tried to reach your www, but couldn't ? cardmagic Good to see you back. Newbie lol ! Spanner ------------- Stay Safe - SpannerITWks/SpannerInTheWorks - BOClean AntiMalware - http://www.nsclean.com/boclean.html |
Posted By: Flower
Date Posted: 22 January 2007 at 12:58am
ScreenShots from CnBeta
|
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 1:20am
|
And now please give this detector for tests. FYI We detected it before release.
Oh, I see cnBeta.com. So is that the mysterious DarkDetector that cleaned up FS queue? Unless I will not try it, any screenshot not more than fake. BTW, stop call me EP_XOFF, or I will perverse your nicknames too. ------------- Ring0 - the source of inspiration |
Posted By: jibe
Date Posted: 22 January 2007 at 2:34am
|
Seems to happen when a debugger is connected to the VM. BugCheck 1000008E, {c0000005, f9fc344b, f9e9ea74, 0} Probably caused by : ntoskrnl.exe ( nt!IopSynchronousServiceTail+60 ) Followup: MachineOwner --------- kd> !analyze -v ************************************************************ ******************* * ; ; ; ; ; ; ; * * ; ; Bugcheck Analysis &nbs p; &nbs p; &nbs p; * * ; ; ; ; ; ; ; * ************************************************************ ******************* KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: f9fc344b, The address that the exception occurred at Arg3: f9e9ea74, Trap Frame Arg4: 00000000 Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - L'instruction "0x%08lx" emploie l'adresse m moire "0x%08lx". La m moire ne peut pas tre "%s". FAULTING_IP: +fffffffff9fc344b f9fc344b 8b5f18 mov ebx,dword ptr [edi+18h] TRAP_FRAME: f9e9ea74 -- (.trap fffffffff9e9ea74) ErrCode = 00000000 eax=01800101 ebx=804e3661 ecx=816390a8 edx=00000ffc esi=8157b198 edi=00000000 eip=f9fc344b esp=f9e9eae8 ebp=f9e9eb0c iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 ; efl=00010202 f9fc344b 8b5f18 mov ebx,dword ptr [edi+18h] ds:0023:00000018=???????? Resetting default scope CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x8E PROCESS_NAME: System LAST_CONTROL_TRANSFER: from 804e37f7 to f9fc344b STACK_TEXT: WARNING: Frame IP not in any known module. Following frames may be wrong. f9e9eb0c 804e37f7 8155ddb8 8157b008 806ee2d0 0xf9fc344b f9e9eb1c 8056a101 8157b198 00000000 8157b008 nt!IopfCallDriver+0x31 f9e9eb30 805784c0 8155ddb8 8157b008 81681a88 nt!IopSynchronousServiceTail+0x60 f9e9ebe4 804de7ec 8000032c 800002f4 00000000 nt!NtWriteFile+0x602 f9e9ebe4 804ddc35 8000032c 800002f4 00000000 nt!KiFastCallEntry+0xf8 f9e9ec80 80591d45 8000032c 800002f4 00000000 nt!ZwWriteFile+0x11 f9e9ecd4 80591a8d 00000200 00000000 f9e9ecfc nt!CmpFileWrite+0x14c f9e9ed2c 8059108b fffffe00 e1019740 8068d960 nt!HvpWriteLog+0xcc f9e9ed40 805dd141 e1019701 8056147c 805571a0 nt!HvSyncHive+0x71 f9e9ed5c 805dd09b 00000000 817ca640 00000000 nt!CmpDoFlushAll+0x6c f9e9ed74 804e426b 00000000 00000000 817ca640 nt!CmpLazyFlushWorker+0x51 f9e9edac 8057be15 00000000 00000000 00000000 nt!ExpWorkerThread+0x100 f9e9eddc 804fa4da 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb FOLLOWUP_IP: nt!IopSynchronousServiceTail+60 8056a101 807d1400 cmp byte ptr [ebp+14h],0 SYMBOL_STACK_INDEX: 2 SYMBOL_NAME: nt!IopSynchronousServiceTail+60 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntoskrnl.exe DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9 FAILURE_BUCKET_ID: 0x8E_nt!IopSynchronousServiceTail+60 BUCKET_ID: 0x8E_nt!IopSynchronousServiceTail+60 Followup: MachineOwner |
Posted By: phoenix84
Date Posted: 22 January 2007 at 3:47am
Hmm, how did you test it? Looks like it is even detected by the first public beta version of AVG Anti-Rootkit :) 1.0.0.13: http://img154.imageshack.us/my.php?image=unreal27uc.jpg">  1.1.0.29: http://img444.imageshack.us/my.php?image=unreal7zd.jpg">  |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 4:05am
Hmm, how did you get this pics? Unfortunately AVG (any build) in principle can't detect this rootkit. What I see here means only one - it is not working or malfunctioned. Check it work with DbgView. And your Windows version please. ------------- Ring0 - the source of inspiration |
Posted By: phoenix84
Date Posted: 22 January 2007 at 6:21am
|
WinXP Pro SP2... I've also made a video, you can download it here: http://www.wikiupload.com/download_page.php?id=58766 - http://www.wikiupload.com/download_page.php?id=58766 |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 6:30am
|
Tested under several Windows XP, including SP1, SP2.
Here is Windows XP SP2 screenshot. AVG Driver loaded correctly, but not working with Unreal, as it should be. That is all what AVG (any build) can show if Unreal is installed/working correctly, so I guess it is simple not working properly on your PC.  ------------- Ring0 - the source of inspiration |
Posted By: phoenix84
Date Posted: 22 January 2007 at 6:36am
|
According to the message box you haven't restarted your computer after the installation of AVG Anti-Rootkit, have you?
|
Posted By: MP_ART
Date Posted: 22 January 2007 at 6:38am
|
Yes, we make reboot, but AVG does not started with Unreal ------------- |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 6:38am
|
If I'm not restarted my computer then why AVG driver is already loaded? It doesn't loads drivers right after installation.
According to this message: it means that DriverObject of this antirootkit was successfully erased by Unreal ------------- Ring0 - the source of inspiration |
Posted By: phoenix84
Date Posted: 22 January 2007 at 6:41am
|
As the message box and the setup states the restart is required after the installation ;) Otherwise it won't work. As you can see in my video, it does detect a working unreal rootkit :) |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 6:43am
|
I repeat, if AVG is detected this rootkit, then it Unreal is not FULLY working. Even if AVG is restarted it's driver object been deleted by Unreal, so it's can't start scan. What I see here - simple MP_ART bug. ------------- Ring0 - the source of inspiration |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 6:44am
|
Want me upload video? Joke :) A little tutorial on clean Windows XP SP2 installation.
1. I will install AVG ARK 2. I will install Unreal 3. I will do reboot 4. I will start AVG and press Scan button 5. I WILL GET THIS PICTURE that above. ------------- Ring0 - the source of inspiration |
Posted By: jibe
Date Posted: 22 January 2007 at 7:10am
| What is the purpose of erasing the driver object ? |
Posted By: phoenix84
Date Posted: 22 January 2007 at 7:17am
If you can't bypass it, you simply delete it? Nice job However, that's not really the goal of a rootkit, is it? Anyway, you argue that unreal isn't correctly installed on my test computer (even though it seems to be running) then I can also argue that AVG AR is not correctly installed (it even shows an error message) on your system :) Could you please test it on a machine where AVG AR is working correctly and test again? It seems like your machine is broken as you can see in this video (I did it exactly as you said and it was detected): http://www.wikiupload.com/download_page.php?id=58803 - http://www.wikiupload.com/download_page.php?id=58803 |
Posted By: jibe
Date Posted: 22 January 2007 at 7:44am
| I think that by erasing the driver object, the user process can't obtain an handle on the driver and can't communicate with it. Without communication, the driver can't send the scan results to the user process. Am I right ?? |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 9:09am
Dear phoenix84, If you think that I'm idiot, so you are totally wrong. I think that your lovely AVG is pure SH|T. It is not a detector by one reason: It uses Notify Routine. PsSetLoadImageNotifyRoutine PsSetCreateProcessNotifyRoutine So it can monitor image loading process and add it to internal table. This is not a detection. So against this "powerful" method was used analogue methods :) All others ARK was bypassed conceptually. To bypass such wonderful methods of 'detection' as Notify we can put our driver on boot start, so it will be a first driver that was loaded before setting up any Notify. After this AVG will be bypassed conceptually, because Notify Routines is the only one detection method of AVG.... Another method will be to remove Notify from our driver. That is more hard to implement but of course not impossible. But.. rootkit becomes very dependent on ntoskrln version... Or we can simple destroy it from kernel mode. The most simplest way. And it was chosen ;) With the same success we can destroy any other ARK, but we do not do that, because they are not use 'dirty monitoring tricks'. Why two first methods were not used in Unreal? We want to demonstrate how is possible to attach file to root directory (C:\:unreal.sys). This attach automatically bypasses RootkitRevealer and some others ARK, because due to implementation they not do full disk scan. p.s. And please stop speaking here sh*t in my address, or I will do the same in yours. I'm not a kid and not a stupid idiot, so some remark that you made a little irritates me. You uploaded here images that shows only one thing - AVG detection made by MP_ART has failed to do it job. I can upload images from every computers & VM's to which I have access right now (eight) and everywhere I will get the screenshot with the same result, that I posted previously. In your case it is simple bug. But thank you, we will fix it in Unreal.B
Yes, you are right :) Please see above description why it was made. edit: fixed typo, added smiley  ------------- Ring0 - the source of inspiration |
Posted By: phoenix84
Date Posted: 22 January 2007 at 9:47am
So, you wanted to demonstrate that method but as the rootkit was still detected by some anti-rootkit tools, you also added a routine to manipulate or kill these known detectors? In general I think that it is much more suspicious if a rootkit causes a detector to fail to start or show an error message than to simply keep quiet and hidden from it... No offense intended, but stopping the detector from working is not what I'd call a real rootkit... |
Posted By: MP_ART
Date Posted: 22 January 2007 at 10:06am
Tell it to gromozon rootkit ------------- |
Posted By: phoenix84
Date Posted: 22 January 2007 at 10:10am
|
Yep, I know it's being done in malware but if you want to create a rootkit for demonstrating specific methods to avoiding detection I wouldn't do it :) Well, of course it's much nicer to have a completely undetected rootkit
|
Posted By: Karlchen
Date Posted: 22 January 2007 at 1:56pm
|
Hi, phoenix84.
I think a demo rootkit like Unreal may use any dirty trick to avoid being detected which a real, non-demo rootkit would use, too. This includes loading before any AV product and render its driver useless. The difference between a demo rootkit and a real rootkit is not that the demo rootkit behaves nicely, but that the demo rootkit will not do permanent damage to your system. The demo rootkit serves to demonstrate what a rootkit can do - with the exception of the malicious payload attached to real rootkits. If a demo rootkit can bypass an AV product, a real rootkit based on the same technology will do so, too. And telling the rootkit author that this is not nice will not help much. Study their tricks, learn and try to beat them, but do not complain that a rootkit does not play fair. If it did it would be no rootkit. Kind regards, Karl |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 2:09pm
|
Thanks phoenix84. Point taken.
Currently we are developing Unreal.B that will bypass AVG/AVZ conceptually, not by dirty-trick. Just wait for some time. And I think DarkDetector (so scare ) will be bypassed too... ------------- Ring0 - the source of inspiration |
Posted By: saso
Date Posted: 22 January 2007 at 2:31pm
|
@Karlchen generally i agree with you, but if we would like to make something more constructive then creating POC like demo rootkits that use no dirty tricky is better since dirty tricks (or as joanna calls it "Implementation Specific Attacks (ISA)") are always possible @EP_X0FF about this Unreal i have one question ever since you announce it... do you have any plans (wishes) to add the needed sophisticated technology to properly detect it ? |
Posted By: SpannerITWks
Date Posted: 22 January 2007 at 2:57pm
|
Some info on mj0011. It looks like mj0011 is a girly, or posting a pic of one in some of the Chinese forums when posting anyway - http://imageshack.us"> Nice smile ! I've seen an App called - Killqx - in various versions up to 1.8, command line + GUI, which appears to be have been written by mj0011 as a virus killer. I tried to DL it from numerous places, but it's long gone on the ones i saw ! I notice those screenies of the CnBeta have disappeared since earlier today ? Spanner ------------- Stay Safe - SpannerITWks/SpannerInTheWorks - BOClean AntiMalware - http://www.nsclean.com/boclean.html |
Posted By: saso
Date Posted: 22 January 2007 at 3:03pm
|
if that is mj0011 than i want to be a bad bad rootkit writer that needs to be punished ...it is probably his girlfriend or somene that he likes. |
Posted By: Sierra
Date Posted: 22 January 2007 at 7:57pm
l.0.l |
Posted By: mj0011
Date Posted: 22 January 2007 at 8:28pm
|
God.....
------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
....Posted By: EP_X0FF
Date Posted: 22 January 2007 at 9:29pm
We already implemented new detection method for drivers that fully reveals running Unreal.sys, so it can be dumped. There are no (normal) ways to determine it name, because this data was specially erased, so it will be shown as Driver Name "None". What about hidden file detection... It was implemented also in Private version 3.1, so now it is simple question of time to port it into public version. Some stability tests are needed. As you can guess Internal/Private version are very unstable, because they are used only on few computers, so not all things are completely tested. Detection of Unreal.A will be added in RkU v3.20 that will be released in February 2007... But we already have Unreal.B that bypasses even it ------------- Ring0 - the source of inspiration |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 9:30pm
Umm, very nice face/smile indeed 
mj0011 is that you?
Why? Think girl can't be a rootkit programmer? Our friend DNY are girl There are several Win32 viruses that were written by her, Trojan.HDDKill series. And at least two rootkits :)------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 22 January 2007 at 9:45pm
|
------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 9:46pm
So mj, are you girl? or...?   ------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 22 January 2007 at 10:43pm
|
er...So that is my photographs ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: SpannerITWks
Date Posted: 22 January 2007 at 10:48pm
|
mj0011 Aha, so i was right ! How about some in colour, that'd be nice too. It's great to see girlies coding as well as the guys. Regards, Spanner ------------- Stay Safe - SpannerITWks/SpannerInTheWorks - BOClean AntiMalware - http://www.nsclean.com/boclean.html |
Posted By: EP_X0FF
Date Posted: 22 January 2007 at 11:12pm
You are beautiful I'm hit.------------- Ring0 - the source of inspiration |
Posted By: saso
Date Posted: 23 January 2007 at 1:02am
i know, i know and i have nothing against girls i am just somehow surprised that there seems to actually be quite a lot of them...
i love this forum, it is such a nice place with such nice people |
Posted By: EP_X0FF
Date Posted: 23 January 2007 at 4:07am
C'mon mj, please answer on my pm  ------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 23 January 2007 at 4:12am
|
I visited this forum too slow ...
when I send the message...
< name=frmEditMessage ="return Reset();" ="return Check();" =pm_new_message_.asp?code=edit method=post> Your Private Message "RE: Hi", has not been sent! ------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 23 January 2007 at 4:20am
Can you try again? ------------- Ring0 - the source of inspiration |
Posted By: Flower
Date Posted: 24 January 2007 at 1:36am
|
http://hi.baidu.com/mj0011/profile - http://hi.baidu.com/mj0011/profile What about this one? MJ0011(girl) is a Chinese Anti-Malware software developer from http://www.360safe.com - cnBeta, UnReal become a well-known rootkit in China. Sorry for my poor English. Edit:Change Picture to link to bypass some Super technique. |
Posted By: EP_X0FF
Date Posted: 24 January 2007 at 1:42am
|
------------- Ring0 - the source of inspiration |
Posted By: EP_X0FF
Date Posted: 24 January 2007 at 1:49am
|
Unreal.A (v1.0) source code has been sent to F-Secure Researchers, because they antirootkit has the more potential than any other from AV company. ------------- Ring0 - the source of inspiration |
Posted By: EP_X0FF
Date Posted: 24 January 2007 at 3:36am
In colour looks very nice ------------- Ring0 - the source of inspiration |
Posted By: fcukdat
Date Posted: 24 January 2007 at 5:36am
|
C'mon EP play fair where's your mugshot ------------- ___________ Ade Gill Malwarebytes Researcher |
Posted By: EP_X0FF
Date Posted: 24 January 2007 at 5:43am
|
ummmm ------------- Ring0 - the source of inspiration |
Posted By: EP_X0FF
Date Posted: 25 January 2007 at 1:41am
|
Detective Story!
http://bbs.360safe.com/viewthread.php?tid=89527 - http://bbs.360safe.com/viewthread.php?tid=89527 Mars in the attack!
I spend a lot of time in while reading this 
Now some remarks. We are not "malicious hackers"
Unreal is simple FSD. It is poor that nobody before us do not released such rootkit =) Oh, no... PE386 Any antirootkit can be bypassed in maximum five days after it will be published. So it just a matter of time when we will release next version that will bypass so scare DarkDetector, mj
It is reality, that there are no best antirootkits. But in the same reality it is very simple to detect Unreal.A (even without such antirootkit tool named WinHex )
Awaiting new "duck tales"
p.s. And mj0011, I'm not EP_XOFF, as well as you not mjOO11 ------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 25 January 2007 at 2:13am
|
there are all translated by "GOOGLE TRANSLATE" of the article in the Cnbeta,and the translate tools Reservations "0" and "O" :( so your are not the "malicious hackers" expect your new rootkits:)
------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 25 January 2007 at 2:17am
Ok, damn Google
What about yours? ------------- Ring0 - the source of inspiration |
Posted By: mj0011
Date Posted: 25 January 2007 at 2:31am
|
it will release after our Lunar New Year maybe in March or April Recently, I was really too busy ....
------------- http://blog.csdn.net/mj0011 my (anti-)rootkit site |
Posted By: EP_X0FF
Date Posted: 25 January 2007 at 2:44am
|
Ok, will wait it.
Another interesting post about Unreal.A http://malware-test.com/weblog/2007/01/22/new-rootkit-technology/ - http://malware-test.com/weblog/2007/01/22/new-rootkit-techno logy/ Sometimes I think that some guys do not reads fully what we are writing before "BYPASSED" list. ------------- Ring0 - the source of inspiration |
Posted By: Flower
Date Posted: 25 January 2007 at 5:32am
"俄罗斯黑客公布新型恶意软件技术 中国黑客迅速破解之" I think it should be "Russian hackers released a new Malware technology, Chinese hacker resolved(cracked) it quickly"
so you, MP_ART and MJ0011 are "hackers", but not "malicious hackers".
|
Posted By: EP_X0FF
Date Posted: 25 January 2007 at 5:38am
|
One question, how can be a rootkit technology cracked or resolved? Until I will not try any tool (except IceSword plugin or WinHex) any screenshots and statements no more than screenshots and statements.
Oh, I see we are "hackerzz", lol In general I'm simple Software Engineer ------------- Ring0 - the source of inspiration |
Posted By: SirMalware
Date Posted: 25 January 2007 at 10:32am
|
http://www.symantec.com/enterprise/security_response/toughse curity/index.jsp
Symantec power. |
Posted By: MP_ART
Date Posted: 25 January 2007 at 10:40am
------------- |
Posted By: SirMalware
Date Posted: 25 January 2007 at 5:35pm
| It's not related to Unreal. Just Rustock. |
Posted By: EP_X0FF
Date Posted: 25 January 2007 at 7:33pm
|
http://www.rootkit.com/newsread.php?newsid=647 - Unreal.A Bypassing Modern Antirootkits ------------- Ring0 - the source of inspiration |
Posted By: BlackStone
Date Posted: 25 January 2007 at 8:58pm
|
The reply of the IceSword's author about unreal is at http://www.blogcn.com/user17/pjf/blog/51465364.html - here. Beacause it's chinese,I give the PJF's operation of how to finding the Unreal.sys in english. 1.Launch the IceSword 2.Choose the menu item of Plugin->FileReg 3.Type the "mount 0 0" and "ads /#5" comand in the new pop plugin winodw You will see the file of "C:\Unreal.sys". the IceSword download URL: http://www.blogcn.com/user17/pjf/blog/44731756.html - http://www.blogcn.com/user17/pjf/blog/44731756.html ------------- I'm sorry for my pool english. BlackStone |
Posted By: EASTER
Date Posted: 25 January 2007 at 11:30pm
|
Good article and fine explaination EP_XOFF I can just picture those 'kit detector's author's and some commerce vendors drooling all over that article descriptions/methods outlined. ------------- INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER. |
Posted By: EP_X0FF
Date Posted: 25 January 2007 at 11:34pm
|
@BlackStone
LOL on pjf. My article includes remark about IceSword plugin (in Unreal.B we added special code for Icie )
There are several limitations of IceSword plugin. 1. You MUST KNOW that rootkit is INSTALLED and WHERE IT PLACED 2. There is NO MESSAGE about -HIDDEN- FROM API in this plugin, so it can be simple ADS added to root directory. IceSword author can tell everything, his tool BYPASSED ------------- Ring0 - the source of inspiration |
Posted By: EP_X0FF
Date Posted: 25 January 2007 at 11:40pm
|
And in the end. I can use normal specialized tools (like WinHex) and detect Unreal.A
So pjf, time to stop speaking about IceSword power. ------------- Ring0 - the source of inspiration |
Posted By: MP_ART
Date Posted: 26 January 2007 at 12:32am
------------- |
Posted By: techno_rulez
Date Posted: 26 January 2007 at 12:37pm
1. Installed AVG ARK 2. Installed Unreal 3. Rebooted 4. AVG ARK found Unreal > Reboot 5. AVG ARK removed Unreal > Clean http://rapidshare.com/files/13513986/avgar-vs-unrrk.rar - Video for download Don't want to be offensive, but would blame your computer (and/or settings). Words like "unreal", "undetected", "bypassed" are not suitable in this case, as there were more people that used AVG Anti-Rootkit with successful results. tr |
Posted By: MP_ART
Date Posted: 26 January 2007 at 12:47pm
oh...one more
http://rootkit.com/newsread.php?newsid=647 - http://rootkit.com/newsread.php?newsid=647 ------------- |
Posted By: EP_X0FF
Date Posted: 26 January 2007 at 1:08pm
offense taken. For all unlucky users of AVG antirootkit (which is full sh*t I must say), we will update Unreal.A rootkit to f**k this "antirootkit" (it is not =) ) out. Wait for tomorrow update. Will see how you will repeat this steps
btw, instead of posting sh*t like statements about "unreal", "undetected" and so on, go on rootkit.com and read article posted above. ------------- Ring0 - the source of inspiration |
Posted By: techno_rulez
Date Posted: 26 January 2007 at 1:43pm
MP_ART: Thank you, I've read the article.
Finally, you've got it. If your product is not generic for any RK tool (devil take AVG and others), then make an update that will look like (at least) a generic and do not claim, all tools were bypassed as they were not, obviously. If you take it as offense, that is your problem. If you need to use rude words, your problem. I did my best to talk to you in the most convenient way, but ... it seems it is like a russian roulette. |
Posted By: EP_X0FF
Date Posted: 26 January 2007 at 7:39pm
|
@techno_rulez
If you read this article, then why you posted here your previous post? Uploading and demonstrating here how your lovely AVG can find something -
For what? To attract our attention to AVG 'Antirootkit', which is full sh*t, not a detector? I already know that. What about "rude words", "your problems" etc. It is your problems =))) I will not let you, or somebody else speak BULLsh*t in my/my friends/our work address. You previous post is simple bullsh*t. It is very simple to say that our work "suxx" (I know you don't tell this, but the sense the same) and say that this f**ken AVG is good. Okay, we suxx, AVG rules. So in next version we will not simple delete device of this sh*t, it will hard f**ked from kernel mode :)
^  bullsh*t ||
So any kind of posts (including that about "roulete") from you for me now - bullsh*t. Have a nice day and welcome to my/our ban lists. ------------- Ring0 - the source of inspiration |
Posted By: EP_X0FF
Date Posted: 27 January 2007 at 12:09am
|
Grab it kiddo/roulete
http://www.rku.xell.ru/?l=e&a=dl - http://www.rku.xell.ru/?l=e&a=dl hope it will work (not blown your system into the bsod) and you will see how your AVG will surrender ------------- Ring0 - the source of inspiration |
Posted By: EASTER
Date Posted: 27 January 2007 at 12:44am
|
@techno_rulez
------------- INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER. |
UNREAL!Posted By: techno_rulez
Date Posted: 27 January 2007 at 3:32am
It seems you have not got it again. My original thought: Make a rootkit (public with small code-mod.) that will be hidden for all tools. Your reaction is common for most flame-soldiers, I do not want to make a flame-war here. I do not say your Unreal sucks. Let's say I am on the other side of your Unreal ("like-tool-supporter") and I am trying make you to make it generic (I know you plan the B,C variants which will do that, now also the A one). Why? To make the tools enhanced and more powerfull. I thought we could be friends and talk about these, but obviously not, maybe my post was wrong, maybe you are too aggressive in your posts .
Last but not least: I'm not directed to AVG tool only, if the BlackLight would unhide your Unreal (under some special circumstances), but you would claim it does not, I would support BlackLight^. Hope, you will got it now and no got upset again. The new version: Yes, this is what I would like to see. Now the tools can be improved now to offense your Unreal. Congratulations! EASTER: Very nice! |
Posted By: techno_rulez
Date Posted: 27 January 2007 at 5:21am
EASTER: I like Unreal things and all! Unreal's dirty-trick for removing the scanning ability of AVG-tool (for its dirty tricks) can be bypassed by editing the hardcoded string in the Unreal driver (or the executable installer itself). If the AVG-tool's string signatures would change, the Unreal dirty-trick would not be fully functional. If the AVG-tool would somehow modify it's string signatures, this dirty-trick would be unusable in this case. |
Posted By: EP_X0FF
Date Posted: 27 January 2007 at 10:38am
|
------------- Ring0 - the source of inspiration |
Posted By: techno_rulez
Date Posted: 28 January 2007 at 11:38am
|
|
Posted By: EP_X0FF
Date Posted: 28 January 2007 at 12:56pm
|
To prove that we have technology that can detect/remove Unreal.A we uploading here some information from our private version.
Unreal.A (v1.0.1.0) VS RkUnhooker v3.6.20.400 Private Edition 1. Hidden Driver Detected (can be dumped) 
2. Hidden File in ADS Detected (can be copied/wiped) 
Please do not ask us to give this version of RkUnhooker, because... it's private :) Some parts of showed here detection technology will be released in upcoming RkUnhooker v3.2 ------------- Ring0 - the source of inspiration |
Posted By: saso
Date Posted: 28 January 2007 at 1:59pm
|
very nice, i am sure we all are looking forward for the upcoming builds
|