So I have been battling rootkits and nasty viruses for quite some time now. I have learned many new techniques and methods. One such infection that has been causing great devastation is STILL not being recognized by very many anti-virus vendors. I know it as pt.exe and java.exe – they are exploits that get in and hide themselves. They are detectable by rootkit detectors such as Rootkit Unhooker, etc. I’ve found a major deficiency in these rootkit detectors, however, as much of the newer stuff seemingly hides from them as well. I will have a full write-up soon of my latest technique. Previously I have been using a tool, developed by a rootkit developer themselves, called cwalker.exe.

It is available by searching through http://www.rootkit.com/ for ARK (Anti-RootKit).

I used that coupled with Rootkit Unhooker to locate, extract and eliminate some rootkits. I have recently discovered that this may not be enough: there are still symptoms in a few systems I’ve analyzed that have “hooks”, but no method I’ve used, or that other developers I’m working with have used, has illuminated them.

On to my latest techniques.
I started a full memory scan of a system on which ARK software is not able to either run or scan. This memory scan is being run using Memoryze. Here are the articles I am following to do so:

http://www.openrce.org/articles/ – the first article on the list: Memoryze Memory Forensics Tool

Memoryze is a very awesome utility because it dumps your entire memory with no bias! Following that article, I saved the XML data to the installation folder where Memoryze resides and ran the scan as they describe. Once done I will be using Mandiant’s (the developers of Memoryze) free Audit Viewer application, available here with a signup:

http://www.mandiant.com/products/free_software/mandiant_audit_viewer/

Once I have this memory dump set up, I hopefully will get some really good results from it. Once I have fully implemented and utilized this and have a firm grasp on the technique, I will provide another write-up here about my findings. My plan, should this be a great success, is to set up automated dumps that can be scanned, after which I will write some automated scripts to scan each dump on as many servers as needed for key factors and email a list, so as to be able to track this stuff quickly and hopefully prevent its spreading!