Sysinternals Homepage
Unreal: Rootkit Detectors / Bypassing

MP_ART (Senior Member; joined 08 March 2006; Russian Federation)
Posted: 19 January 2007 at 7:45am
We are introducing a new generation of rootkit technology.
Unreal Test Rootkit

The Unreal rootkit hides a file and a driver. It works on NT-based operating systems with the NTFS file system. It doesn't have a process, so it doesn't hide processes! It also does not hide registry keys, so no registry keys are hidden! Make sure that you have read this post before you start tests or write something.

Unreal is Not malicious

This rootkit is not intended to be run with Host Intrusion Prevention Systems.
It is intended ONLY for testing with modern AntiRootkit software.

Rootkit tech information

Supported File system: backdoor-friendly NTFS
Implementation: DKOM
Predecessors: partially RkDemo, phide_ex and Rustock

ARK TESTS:
========================================
1. Rootkit Unhooker v3.01 BYPASSED
2. Rootkit Revealer v1.71 BYPASSED
3. F-Secure Blacklight BYPASSED
4. DarkSpy v1.05 BYPASSED
5. DarkSpy v1.05fixedbeta2 BYPASSED
6. IceSword v1.20 BYPASSED
7. GMER v1.012 BYPASSED
8. Helios v1.1a BYPASSED
9. SVV v2.3 BYPASSED
10. McAfee Rootkit Detective BYPASSED
11. Sophos AntiRootkit BYPASSED
12. TrendMicro RootkitBuster BYPASSED
13. AVG AntiRootkit BYPASSED
14. AVZ v4.23 ARK Module BYPASSED
15. BitDefender Rootkit Uncover BYPASSED
16. Panda AntiRootkit BYPASSED
17. Panda Tycan BYPASSED
18. modGreeper v0.3 BYPASSED
19. flister BYPASSED
20. UnHackMe BYPASSED
21. SEEM v4.x BYPASSED
22. SafetyCheck v1.5.x BYPASSED
23. Avira AntiRootkit BYPASSED
24. HiddenFinder v1.301 BYPASSED
25. RkDetector v0.6 BYPASSED
========================================


There is no best antirootkit.

Download http://www.rku.xell.ru/?l=e&a=dl (10 Kb)

Supported operating systems:
Windows XP SP2, Windows 2003 SP1
Windows 2000 - untested, but probably also supported
Vista is not supported and will not be; we see no sense in this OS.

Unreal Installation instructions
1. Make sure that you have an NT-based OS, your disk C: has the NTFS file system and you are running under administrator rights
2. Start Unreal.exe
3. Press the "Install Rootkit" button

That is all; now you can see rootkit activity with DbgView, it will display ">unreal".
The file is dropped to disk and protected from read-write operations.

You can reboot your PC and Unreal will still work! That proves that we do not use dirty tricks.

Unreal Removal instructions
1. Start Unreal.exe
2. Press the "Uninstall Rootkit" button (that will erase the registry key of the rootkit)
3. Reboot
4. Start Unreal.exe again
5. Press the "Uninstall Rootkit" button again (that will erase the dropped rootkit file)

That is all.

p.s. Last words.

It is theoretically possible for an antirootkit to detect the Unreal rootkit. However, this would require a level of sophistication not seen in either AV or independent antirootkits to date.

Rootkit sources are available, but only by preliminary request via this email: rkunhooker@inbox.ru

Edited by MP_ART - 29 January 2007 at 6:55am
MEGA (Groupie; joined 04 December 2006)
Posted: 19 January 2007 at 10:58am
Quote:
    It do not hide also a registry keys, so no registry keys are hidden!

Quote:
    2. Press "Uninstall Rootkit" button (that will erase registry key of rootkit)

So Unreal hides registry keys

EP_X0FF (Senior Member; joined 08 March 2006; Russian Federation)
Posted: 19 January 2007 at 11:04am
No, Unreal doesn't hide registry keys. It hides only the driver and the file, nothing else.
jibe (Newbie; joined 03 August 2006)
Posted: 19 January 2007 at 11:08am
Is it normal that I get a BSOD on a VM with XP SP2 US Home edition?
MP_ART (Senior Member; joined 08 March 2006; Russian Federation)
Posted: 19 January 2007 at 11:25am
Originally posted by jibe:
    Is it normal that I get a BSOD on a VM with XP SP2 US Home edition?

Cannot say anything about it. It is completely tested under XP SP2 Pro and Server 2003 SP1 on a VM, and on a real XP SP2 Pro (ru).
EP_X0FF (Senior Member; joined 08 March 2006; Russian Federation)
Posted: 19 January 2007 at 1:03pm
Originally posted by jibe:
    Is it normal that I get a BSOD on a VM with XP SP2 US Home edition?

No, of course, lol. Please provide a minidump.
mj0011 (Newbie; joined 10 January 2007; China)
Posted: 21 January 2007 at 4:53am

Hi, our uncompleted Anti-Rootkit tool detected the file of this rootkit =)

See the screenshot:

http://hi.baidu.com/mj0011/album/item/a49b1bd1ec1443d2562c845b.html

Click the picture in the center for full view.

We detected the file c:\unreal.sys and we can delete it and then remove the effect.

We cannot detect the Driver Object of this rootkit :( DKOM is a very difficult thing for me .......

Our Anti-rootkit tool, DarkDetector, will be released in March or April.

(I'm not so sure, because recently I've been busy combating some bad local viruses =(

http://blog.csdn.net/mj0011
my (anti-)rootkit site
EP_X0FF (Senior Member; joined 08 March 2006; Russian Federation)
Posted: 21 January 2007 at 4:58am
Can you post your screenshot here, not on your extremely slow server?

Quote:
    c:\unreal.sys

It is not our file.
MP_ART (Senior Member; joined 08 March 2006; Russian Federation)
Posted: 21 January 2007 at 5:19am
Originally posted by mj0011:
    c:\unreal.sys

Edited by MP_ART - 21 January 2007 at 5:20am
mj0011 (Newbie; joined 10 January 2007; China)
Posted: 21 January 2007 at 5:20am

Sorry, the c:\:unreal.sys ....

I cannot post the screenshot on this forum because the screenshot is larger than 15KB.

Where can I upload the screenshot?


Edited by mj0011 - 21 January 2007 at 5:23am
http://blog.csdn.net/mj0011
my (anti-)rootkit site
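The corrected path above, c:\:unreal.sys, is the NTFS syntax for a named (alternate data) stream attached to the volume's root directory; that is my reading of the post, not something the thread states outright. As an added defender-side check that is not from the thread or from any tool named in it, the PowerShell script below lists alternate data streams on a volume root and on its top-level entries; it assumes Windows PowerShell 3.0 or later (the -Stream parameter does not exist on the XP systems discussed here), and a rootkit that filters stream or directory enumeration will keep its stream out of any such user-mode listing.

```powershell
# Added example (not from the thread): enumerate alternate data streams on an
# NTFS volume root and its top-level entries. Assumes PowerShell 3.0+ on Windows.
param([string]$Root = 'C:\')

function Get-AltStreams {
    param([string]$Path)
    # -Stream * returns every stream on the item. The unnamed ':$DATA' stream is
    # a file's ordinary content, so it is dropped; directories have no unnamed
    # stream at all, so any result for a directory (the volume root included)
    # is a named stream someone deliberately created there.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $Path
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}

# Collect via an array subexpression so entries with no streams add nothing.
$hits = @(
    Get-AltStreams -Path $Root
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AltStreams -Path $_.FullName }
)

if ($hits.Count -eq 0) {
    "No alternate data streams found on $Root or its top-level entries"
} else {
    # A stream such as 'unreal.sys' reported with Path 'C:\' corresponds to the
    # c:\:unreal.sys path mentioned in the thread.
    $hits | Format-Table -AutoSize
}
```

An empty listing is not proof of absence: compare against an offline view of the volume (for example, the disk mounted from another system) when a kernel-mode hiding component is suspected.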