Various rootkit detectors (Rootkit Unhooker, GMER) flag this unusual phenomenon:
-- Rootkit Unhooker --
The avp.exe process (KAV7) has more hooks:
Code:
ntkrnlpa.exe+0x0002CD1C, Type: Inline - RelativeCall at address 0x80503D1C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x0006DEBE, Type: Inline - RelativeJump at address 0x80544EBE hook handler located in [ntkrnlpa.exe]
[920]winlogon.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[976]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[1380]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
-- GMER --
Code:
[3908]avp.exe-->kernel32.dll+0x000027CC, Type: Inline - RelativeJump at address 0x7C8027CC hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll+0x000027DC, Type: Inline - RelativeJump at address 0x7C8027DC hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll+0x00002C10, Type: Inline - RelativeJump at address 0x7C802C10 hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll+0x00002F48, Type: Inline - RelativeJump at address 0x7C802F48 hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification at address 0x00423170 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification at address 0x00423218 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification at address 0x004230EC hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification at address 0x004230E0 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00423214 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00423210 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004230B4 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification at address 0x00423138 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification at address 0x004231F0 hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification at address 0x00423170 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification at address 0x00423218 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification at address 0x004230EC hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification at address 0x004230E0 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00423214 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00423210 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004230B4 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification at address 0x00423138 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification at address 0x004231F0 hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
Hooked functions from ws2_32.dll are present in almost every process.
Code:
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100033D8
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!connect 71A94A07 5 Bytes JMP 10003320
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!send 71A94C27 5 Bytes JMP 10002C04
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!WSARecv 71A94CB5 5 Bytes JMP 10002438
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!recv 71A9676F 5 Bytes JMP 100023BC
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!WSASend
.text C:\WINDOWS\system32\lsass.exe[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100033D8
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!connect 71A94A07 5 Bytes JMP 10003320
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!send 71A94C27 5 Bytes JMP 10002C04
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!WSARecv 71A94CB5 5 Bytes JMP 10002438
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!recv 71A9676F 5 Bytes JMP 100023BC
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!WSASend
.text C:\Program Files\Miranda new\miranda32.exe[3684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100C33D8
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!connect 71A94A07 5 Bytes JMP 100C3320
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!send 71A94C27 5 Bytes JMP 100C2C04
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!WSARecv 71A94CB5 5 Bytes JMP 100C2438
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!recv 71A9676F 5 Bytes JMP 100C23BC
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!WSASend 71A968FA 5 Bytes JMP 100C32D4
Nothing unusual in processes, services, or drivers.
AVZ only flags leftovers from Outpost (sandbox.sys + afwcore.sys) and a few trivial things:
Scanning with KAV7 and Dr.Web CureIt from a LiveCD: nothing.
Code:
1.1 Поиск перехватчиков API, работающих в UserMode
Анализ kernel32.dll, таблица экспорта найдена в секции .text
Детектирована модификация IAT: LoadLibraryA - 6603EE88<>7C801D7B
Анализ ntdll.dll, таблица экспорта найдена в секции .text
Анализ user32.dll, таблица экспорта найдена в секции .text
Анализ advapi32.dll, таблица экспорта найдена в секции .text
Анализ ws2_32.dll, таблица экспорта найдена в секции .text
Анализ wininet.dll, таблица экспорта найдена в секции .text
Анализ rasapi32.dll, таблица экспорта найдена в секции .text
Анализ urlmon.dll, таблица экспорта найдена в секции .text
Анализ netapi32.dll, таблица экспорта найдена в секции .text
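The observation in the post (the same ws2_32.dll exports hooked in nearly every process, with the handler in a code page that belongs to no loaded module) is the kind of thing that is easier to confirm by parsing the detector output than by eyeballing it. The script below is an added example, not part of the original post and not code from Rootkit Unhooker, GMER or AVZ: it parses the two line formats quoted above (the `[pid]process-->module-->export, Type: ... hook handler located in [...]` rows and the GMER `.text path[pid] module!export addr 5 Bytes JMP target` rows) into one record shape, then reports, per hooked export, how many distinct processes carry the hook and where the handler lives. The regexes are my own reading of those lines, and the sample log is a constructed subset of the rows in the post.

```python
"""Triage helper for Rootkit Unhooker (RkU) and GMER user-mode hook listings.

Added example; not part of the post and not code from any of the tools named
in it.  Parses both row formats into Hook records and summarises which exports
are hooked in how many processes, and whether the handler is outside every
loaded module (RkU's 'unknown_code_page'), which is the detail to chase first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# RkU rows: "[920]winlogon.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump
# at address 0x71A9406A hook handler located in [unknown_code_page]"; kernel rows
# have no [pid]process prefix and give an offset ("ntkrnlpa.exe+0x0002CD1C").
RKU_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\](?P<proc>.+?)-->)?"           # optional [pid]process-->
    r"(?P<module>[A-Za-z0-9_.]+)"                        # hooked module
    r"(?:-->(?P<func>\w+)|\+(?P<off>0x[0-9A-Fa-f]+)),"   # export name or raw offset
    r" Type: (?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# GMER rows: ".text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!connect
# 71A94A07 5 Bytes JMP 10003320".  Some rows in the post stop after the export
# name, so the address/JMP tail is optional.
GMER_RE = re.compile(
    r"^\.text (?P<path>.+?)\[(?P<pid>\d+)\] (?P<module>[A-Za-z0-9_.]+)!(?P<func>\w+)"
    r"(?: (?P<addr>[0-9A-Fa-f]+) (?P<nbytes>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+))?$"
)


@dataclass(frozen=True)
class Hook:
    tool: str
    pid: Optional[int]          # None for kernel-mode rows
    process: str
    module: str                 # lower-cased so ws2_32.dll == WS2_32.dll
    function: str               # export name, or "+offset" when only an offset is given
    hook_type: str
    handler: str                # RkU: module holding the handler; GMER: JMP target


def parse_line(line: str) -> Optional[Hook]:
    """Turn one detector row into a Hook; None for headings and other text."""
    line = line.strip()
    m = RKU_RE.match(line)
    if m:
        return Hook("rku", int(m.group("pid")) if m.group("pid") else None,
                    m.group("proc") or "<kernel>", m.group("module").lower(),
                    m.group("func") or "+" + m.group("off"),
                    m.group("type"), m.group("handler"))
    m = GMER_RE.match(line)
    if m:
        # "Inline - JMP" is a label chosen here; GMER itself only prints "5 Bytes JMP".
        return Hook("gmer", int(m.group("pid")), m.group("path").rsplit("\\", 1)[-1],
                    m.group("module").lower(), m.group("func"),
                    "Inline - JMP" if m.group("target") else "unknown",
                    m.group("target") or "?")
    return None


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Group hooks by module!export: distinct (pid, process) count, handler set,
    and a flag when any handler is in no loaded module (unknown_code_page)."""
    groups = defaultdict(lambda: {"processes": set(), "handlers": set()})
    for line in lines:
        h = parse_line(line)
        if h is None:
            continue
        g = groups[f"{h.module}!{h.function}"]
        g["processes"].add((h.pid, h.process))
        g["handlers"].add(h.handler)
    return {key: {"process_count": len(g["processes"]),
                  "handlers": sorted(g["handlers"]),
                  "handler_unmapped": "unknown_code_page" in g["handlers"]}
            for key, g in groups.items()}


def widespread_unmapped(report: Dict[str, dict], min_processes: int = 2) -> List[str]:
    """Exports hooked in >= min_processes processes by an unmapped handler: the
    pattern the post describes for the ws2_32.dll functions."""
    return sorted(k for k, v in report.items()
                  if v["handler_unmapped"] and v["process_count"] >= min_processes)


# Constructed sample: a subset of the rows quoted in the post, in both formats.
SAMPLE_LOG = r"""
ntkrnlpa.exe+0x0002CD1C, Type: Inline - RelativeCall at address 0x80503D1C hook handler located in [unknown_code_page]
[920]winlogon.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll+0x000027CC, Type: Inline - RelativeJump at address 0x7C8027CC hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00423210 hook handler located in [unknown_code_page]
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!connect 71A94A07 5 Bytes JMP 10003320
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!connect 71A94A07 5 Bytes JMP 10003320
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!WSASend
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    rep = summarize(SAMPLE_LINES)
    for key, info in sorted(rep.items()):
        flag = "  <-- handler outside any loaded module" if info["handler_unmapped"] else ""
        print(f"{key:30} {info['process_count']} process(es), handlers {info['handlers']}{flag}")
    print("unmapped handler in 2+ processes:", widespread_unmapped(rep))
```

Run over the full listings rather than the subset, the `widespread_unmapped` list is the set of exports to explain first: a hook whose handler is mapped inside kernel32.dll (the avp.exe offset rows) has an obvious owner, whereas one in `unknown_code_page` does not. For the GMER rows the same JMP target (for example `10003320`) recurs in svchost.exe and lsass.exe, so the natural next step is to match that address against each process's module list to see which image, if any, is loaded there.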


