Unreal: Rootkit Detectors / Bypassing
MP_ART
Senior Member
Joined: 08 March 2006 Location: Russian Federation Status: Offline Points: 947
Topic: Unreal: Rootkit Detectors / Bypassing
Posted: 19 January 2007 at 7:45am
We are introducing a new generation of rootkit technology.

Unreal Test Rootkit

Unreal rootkit hides a file and a driver. Works on NT-based operating systems with NTFS file systems. It doesn't have a process, so it does not hide processes! It also does not hide registry keys, so no registry keys are hidden! Make sure that you have read this post before you start tests or write something.

Unreal is not malicious. This rootkit is not intended to be run with Host Intrusion Prevention Systems. It is intended ONLY for testing with modern AntiRootkit software.

Rootkit tech information
Supported file system: backdoor-friendly NTFS
Implementation: DKOM
Predecessors: partially RkDemo, phide_ex and Rustock

ARK TESTS:
========================================
1. Rootkit Unhooker v3.01 BYPASSED
2. Rootkit Revealer v1.71 BYPASSED
3. F-Secure Blacklight BYPASSED
4. DarkSpy v1.05 BYPASSED
5. DarkSpy v1.05fixedbeta2 BYPASSED
6. IceSword v1.20 BYPASSED
7. GMER v1.012 BYPASSED
8. Helios v1.1a BYPASSED
9. SVV v2.3 BYPASSED
10. McAfee Rootkit Detective BYPASSED
11. Sophos AntiRootkit BYPASSED
12. TrendMicro RootkitBuster BYPASSED
13. AVG AntiRootkit BYPASSED
14. AVZ v4.23 ARK Module BYPASSED
15. BitDefender Rootkit Uncover BYPASSED
16. Panda AntiRootkit BYPASSED
17. Panda Tycan BYPASSED
18. modGreeper v0.3 BYPASSED
19. flister BYPASSED
20. UnHackMe BYPASSED
21. SEEM v4.x BYPASSED
22. SafetyCheck v1.5.x BYPASSED
23. Avira AntiRootkit BYPASSED
24. HiddenFinder v1.301 BYPASSED
25. RkDetector v0.6 BYPASSED
========================================
There are no best antirootkits.

Download http://www.rku.xell.ru/?l=e&a=dl (10 Kb)

Supported operating systems: Windows XP SP2, Windows 2003 SP1
Windows 2000 - untested, but probably also supported
Vista is not supported and will not be; we see no sense in this OS.

Unreal installation instructions
1. Make sure that you have an NT-based OS, your disk C: has an NTFS file system and you are running under administrator rights
2. Start Unreal.exe
3. Press the "Install Rootkit" button

That is all; now you can see rootkit activity with DbgView, it will display ">unreal". The file is dropped to disk and protected from read-write operations. You can reboot your PC and Unreal will still work! That proves that we do not use dirty tricks.

Unreal removal instructions
1. Start Unreal.exe
2. Press the "Uninstall Rootkit" button (that will erase the registry key of the rootkit)
3. Reboot
4. Start Unreal.exe again
5. Press the "Uninstall Rootkit" button again (that will erase the dropped rootkit file)
That is all.

p.s. Last words. It is theoretically possible for an antirootkit to detect Unreal rootkit. However, this would require a level of sophistication not seen in either AV or independent antirootkits to date.

Rootkit sources are available, but only by preliminary request via this email: rkunhooker@inbox.ru

Edited by MP_ART - 29 January 2007 at 6:55am
MEGA
Groupie
Joined: 04 December 2006 Status: Offline Points: 40
Posted: 19 January 2007 at 10:58am
So Unreal hides registry keys
EP_X0FF
Senior Member
Joined: 08 March 2006 Location: Russian Federation Status: Offline Points: 4758
Posted: 19 January 2007 at 11:04am
No, Unreal doesn't hide registry keys. It hides only the driver and the file, nothing else.
jibe
Newbie
Joined: 03 August 2006 Status: Offline Points: 5
Posted: 19 January 2007 at 11:08am
Is it normal that I get a BSOD on a VM with XP SP2 US Home edition?
MP_ART
Senior Member
Joined: 08 March 2006 Location: Russian Federation Status: Offline Points: 947
Posted: 19 January 2007 at 11:25am
EP_X0FF
Senior Member
Joined: 08 March 2006 Location: Russian Federation Status: Offline Points: 4758
Posted: 19 January 2007 at 1:03pm
No, of course not, lol. Please provide a minidump.
mj0011
Newbie
Joined: 10 January 2007 Location: China Status: Offline Points: 21
Posted: 21 January 2007 at 4:53am
Hi, our uncompleted Anti-Rootkit tool detected the file of this rootkit =)

See the screenshot: http://hi.baidu.com/mj0011/album/item/a49b1bd1ec1443d2562c845b.html (click the picture in the center for full view).

We detected the file c:\unreal.sys and we can delete it, then remove the effect. We cannot detect the Driver Object of this rootkit :( DKOM is a very difficult thing for me .......

Our Anti-rootkit tool, DarkDetector, will be released in March or April (I'm not so sure, because I am recently busy combating some badly behaved local viruses =(
http://blog.csdn.net/mj0011
my (anti-)rootkit site
EP_X0FF
Senior Member
Joined: 08 March 2006 Location: Russian Federation Status: Offline Points: 4758
Posted: 21 January 2007 at 4:58am
Can you post your screenshot here, not on your extremely slow server?
It is not our file.
MP_ART
Senior Member
Joined: 08 March 2006 Location: Russian Federation Status: Offline Points: 947
Posted: 21 January 2007 at 5:19am
(two images attached)
Edited by MP_ART - 21 January 2007 at 5:20am
mj0011
Newbie
Joined: 10 January 2007 Location: China Status: Offline Points: 21
Posted: 21 January 2007 at 5:20am
Sorry, the c:\:unreal.sys .... I cannot post the screenshot on this forum because the screenshot is larger than 15KB. Where can I upload the screenshot?

Edited by mj0011 - 21 January 2007 at 5:23am
http://blog.csdn.net/mj0011
my (anti-)rootkit site
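The path mj0011 gives, c:\:unreal.sys, is a named alternate data stream hanging off the root directory of the C: volume, and the first post says the dropped file is protected from read/write operations. The following PowerShell check is an added example, not code from this thread or from the Unreal project: it enumerates named streams on the root of every fixed NTFS volume and probes whether each can be opened, treating an unreadable stream or a driver-image name as suspect. It assumes Windows PowerShell 3.0 or later in an elevated prompt; the function name is ours.

```powershell
# Added example (not from the thread or the Unreal project): list named alternate
# data streams (ADS) on the root directory of each fixed NTFS volume, the place the
# thread reports the dropped file (c:\:unreal.sys), and probe each one for readability.
# Assumes Windows PowerShell 3.0+ run elevated. Function name is our own choice.

function Get-RootDirectoryStreams {
    [CmdletBinding()]
    param()

    # DriveType 3 = local fixed disk; alternate data streams exist only on NTFS.
    $volumes = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 3 -and $_.FileSystem -eq 'NTFS' }

    foreach ($vol in $volumes) {
        $root = $vol.DeviceID + '\'
        $streams = Get-Item -LiteralPath $root -Stream * -ErrorAction SilentlyContinue

        foreach ($s in $streams) {
            # A directory has no unnamed $DATA stream, so any named stream on a
            # volume root is unusual and worth reporting.
            if ($s.Stream -eq ':$DATA') { continue }

            $readable = $true
            try {
                # One-line read probe: a stream that enumerates but refuses to open
                # matches the read/write protection described in the first post.
                $null = Get-Content -LiteralPath $root -Stream $s.Stream -TotalCount 1 -ErrorAction Stop
            } catch {
                $readable = $false
            }

            [PSCustomObject]@{
                Volume   = $vol.DeviceID
                Stream   = $s.Stream
                Length   = $s.Length
                Readable = $readable
                # Unreadable, or named like a driver image: flag for manual review.
                Suspect  = (-not $readable) -or ($s.Stream -like '*.sys')
            }
        }
    }
}

# Example run. An empty result is not a clean bill of health: a kernel-resident
# rootkit can filter this enumeration just as it bypassed the tools listed above.
Get-RootDirectoryStreams | Format-Table -AutoSize
```

Because a live kernel rootkit can hide the stream from this user-mode enumeration, treat the check as a quick triage step and confirm with an offline scan of the volume from clean media.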