Lavasoft Rootkit Remover

Started by JOSEPH, January 30, 2006, 01:04:09 PM


Corrine

Ah, Oliver follows in the footsteps of "Urizen" (Nic to you ;) ).  Hope the move went well.  Thanks for the update.  :rose:


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

Thanks mate ... hope you have a chance to unpack your belongings before too long.

Please say hello to urizen for me.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Assarbad

Oliver (working at FRISK but posting here as a private person!)

Clogged disks on Windows? Check out: WinDirStat

winchester73

Nicely done mate ...  :thumbsup:

Die Hard

Interesting article you wrote there, Oliver.
Thank you  :thumbsup:

Die Hard :)
I create and edit my posts in GS-NOTES

JOSEPH

Quote from: OYF1P on February 03, 2006, 06:11:13 PM
Here we go: http://www.lavasoft.de/wordpress/?p=57

Thanks guy.
Quote
Since this is my first blog entry ever, bear with me

I'm a bit more seasoned than you in that category lol :)
But I can confidently say you did an excellent job in that write-up. My compliments. Please continue.

I hope to attract some further reply from you on developments locally that gave rise to my initial suspicions when I first encountered the Lavasoft (Sony Rootkit) Remove Tool. It directly involved the SSDT, and as you so well detailed in that blog report, now I am certainly grateful for the tool's precautionary note.


Assarbad

Quote from: JOSEPH on February 03, 2006, 08:05:21 PM
But I can confidently say you did an excellent job in that write-up. My compliments. Please continue.
Thanks.

Quote from: JOSEPH on February 03, 2006, 08:05:21 PM
I hope to attract some further reply from you on developments locally that gave rise to my initial suspicions when I first encountered the Lavasoft (Sony Rootkit) Remove Tool. It directly involved the SSDT, and as you so well detailed in that blog report, now I am certainly grateful for the tool's precautionary note.
What do you mean? Our tool is using the SSDT to see whether these 4 functions are hooked. That is one of the indicators.

I will certainly write something about generic rootkit detection and generic rootkit removal soon, because I am completely unhappy with the claims of some companies and people.

winchester73

Quote from: JOSEPH on February 03, 2006, 08:05:21 PM
I hope to attract some further reply from you on developments locally that gave rise to my initial suspicions when I first encountered the Lavasoft (Sony Rootkit) Remove Tool. It directly involved the SSDT, and as you so well detailed in that blog report, now I am certainly grateful for the tool's precautionary note.

I'd be curious myself to know what local developments you are talking about ...

I thought this turned out to be a case of mistaken identity, that you thought LS' tool was designed to sniff out all rootkits rather than being an application targeted to removing just the Sony item.

Oliver explained the reason for the "warning" ... and now you are "grateful" for it.

What am I missing?

:uhm:

JOSEPH

Quote
I'd be curious myself to know what local developments you are talking about ...

Certainly :) Nothing fancy or too difficult here.

Quote
What do you mean? Our tool is using the SSDT to see whether these 4 functions are hooked. That is one of the indicators.

The digital searching technique it uses in and of itself is safe, I now understand, and besides, the user is prompted before allowing the tool to perform a removal; correct me if this is wrong.
You see, with one of the newest security programs I have been examining in my own research into various rootkit issues, it employs a kernel mode driver that extends kernel services through similar means as rootkits themselves (such as hooking the system service tables).
I was mainly concerned that somewhere during the scan itself (and now incorrectly so) it might interfere with this and affect the stability of the operating system.

I should point out that for discussion purposes I use as reference an IceSword reading under the heading of System Services Descriptor Table. It of course displays all kernel system services, a view of the installed system modules and drivers with their base address, etc.
You get the nod on that area of addresses, interrupts, and certainly descriptions from that table etc. LoL

I now understand, I think, that Lavasoft's Sony Rootkit Remover employs in the scanning similar actions to the Resplendence RootKit Hook Analyzer, which can show you what kernel hooks are presently active on a system.
Of course your tool takes that another step in the case of aries.sys in making the actual removal possible.

As best as I have been able to piece together, given my out-of-classroom experiences and the short amount of time devoted to this so far, to make the most use of any tool of this nature effectively, and to reasonably understand at least some of the architecture behind them, it helps to be able to correctly interpret the output of those various commands, and the purpose of these interactions in layman's terms, if you will.
You just did that nicely in the recent blog write-up, and I commend you again highly on that detailed report.

JOSEPH

I tried to insert this screenshot for a better perspective on what I was referring to in my comments, but it appears the choice to MODIFY posts was not available at the time.


Assarbad

Quote from: JOSEPH on February 04, 2006, 11:38:21 AM
The digital searching technique it uses in and of itself is safe, I now understand, and besides, the user is prompted before allowing the tool to perform a removal; correct me if this is wrong.
Even before scanning, because the scanning involves loading of a kernel mode module which in itself could cause the trouble.

Quote from: JOSEPH on February 04, 2006, 11:38:21 AM
You see, with one of the newest security programs I have been examining in my own research into various rootkit issues, it employs a kernel mode driver that extends kernel services through similar means as rootkits themselves (such as hooking the system service tables).
I was mainly concerned that somewhere during the scan itself (and now incorrectly so) it might interfere with this and affect the stability of the operating system.
It does not extend anything - actually it is not invasive at all, but uses the kernel mode module to get information that you cannot get otherwise.

Quote from: JOSEPH on February 04, 2006, 11:38:21 AM
I now understand, I think, that Lavasoft's Sony Rootkit Remover employs in the scanning similar actions to the Resplendence RootKit Hook Analyzer, which can show you what kernel hooks are presently active on a system.
Of course your tool takes that another step in the case of aries.sys in making the actual removal possible.
Yes, and it only focuses on checking whether aries.sys is loaded and whether the hooks point to it (which is not necessarily the case if someone else hooked the same APIs after it).
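The check Oliver describes above (is aries.sys loaded, and do the SSDT entries point into it, with the caveat that a later hook by another driver can hide that) can be modelled as a table-attribution pass. This is an added example, not the Lavasoft tool's code: the module list, addresses and the service names chosen are constructed sample data, since the thread does not list the four services the tool inspects.

```python
"""Attribute SSDT entries to the loaded module they point into.

Constructed sample data: bases, sizes and handler addresses are fictitious.
On a real system they would come from a kernel-mode component, as the reply
above explains; this only models the decision logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module list: kernel image, the Sony driver named in the
# thread, and a hypothetical third-party driver that also hooks the SSDT.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("aries.sys", 0xF7A21000, 0x6000),
    Module("hips_kmd.sys", 0xF79B0000, 0x12000),  # hypothetical
]

# Constructed SSDT snapshot: service name -> current handler address.
# The Zw* names are real NT services but are illustrative picks here.
SSDT = {
    "ZwQueryDirectoryFile": 0x80570F10,  # inside ntoskrnl: unhooked
    "ZwCreateFile": 0xF7A22340,          # inside aries.sys
    "ZwOpenKey": 0xF79B1200,             # inside the hypothetical driver
    "ZwEnumerateKey": 0x00000000,        # inside no known module
}


def owner_of(addr, modules):
    """Name of the module whose image range covers addr, or None."""
    return next((m.name for m in modules if m.contains(addr)), None)


def classify_ssdt(ssdt, modules, kernel="ntoskrnl.exe", suspect="aries.sys"):
    """Per-service verdict: clean / hooked-by-suspect / hooked-by-other:<mod> / hooked-unknown."""
    out = {}
    for svc, addr in ssdt.items():
        owner = owner_of(addr, modules)
        if owner == kernel:
            out[svc] = "clean"
        elif owner == suspect:
            out[svc] = "hooked-by-suspect"
        elif owner is None:
            out[svc] = "hooked-unknown"
        else:
            out[svc] = f"hooked-by-other:{owner}"
    return out


def aries_indicator(ssdt, modules, suspect="aries.sys"):
    """The tool's indicator as described: driver loaded AND a hook points into it.
    If another driver re-hooked the same service later, the entry no longer
    points into aries.sys and this indicator goes quiet, which is the caveat."""
    loaded = any(m.name == suspect for m in modules)
    verdicts = classify_ssdt(ssdt, modules, suspect=suspect)
    return loaded and "hooked-by-suspect" in verdicts.values()
```

The "hooked-by-other" verdict is the case the thread warns about: a generic hook analyzer still flags the entry, but a remover keyed only to aries.sys would not attribute it.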

JOSEPH

Quote (from the blog)
To find what service was requested, the dispatcher takes the number of the service requested as an index into the so-called System Service Dispatch Table (SSDT - or sometimes SST) and looks up the address of the function from this table. The story could end here, but sadly it does not: it is possible to manipulate the entries in this table to divert calls from the actual function address to your own, if you run in kernel mode.

Indeed, it's a given that Sony was certainly not one of the first to take advantage of that service call kernel function, and some might conclude that this recent Sony debacle could lead to more of this type of problem coming to light. But also in that respect, perhaps it's a valuable moment for users, developers, and techs alike, in that now many will be more vigilant to the possibility of this type of threat since it's out in the open now.

I would just like to add for the record, OYF1P, that it's commendable of you to have replied with such dispatch the way you did to this concern very early on. Even though this topic did originate from an oversight on my part, it's refreshing to find developers like yourself vigilant in both your efforts as well as in the attention that others might bring out in regards to it.

Most of my own efforts lately continue to surround ad/spyware research locally and getting something of a handle on, and certainly a more accurate understanding of, the various exploits that allow these intrusions into business/home users' computers, be it via URL redirects or installation of hidden bundled programs and such. Your replies and the commentary in the blog are most enlightening, chiefly in regards to the Lavasoft Sony RootKit Remover, but I'm sure they also helped others following this topic to better understand the underlying nature of not only that single issue (the Sony rootkit) but perhaps the behavior of rootkits in general from a "developer's" point of view. And one who has taken the initiative to design a course of correction for not only this one, but hopefully might endeavor to address others in general sometime soon. You certainly have my vote of confidence.

Anyway, I for one welcome that and will certainly look forward to reading more reviews and comments of yours in the future; I also wish you much satisfaction with your efforts in your new position at the LavaLab in Research and Development.
(I think i spelled that right?)

Regards: Joseph


JOSEPH

Hmmm, kind of wondering if OYF1P might be going to follow up on the TO BE CONTINUED.......... follow up to that first summary that was made.

It should be interesting to see exactly what develops or rather what new progress we should expect in the anti-malware product camps between now and sometime in spring.

Browsing about in the various rootkit camps lately as I have, I found those ambitions look to be going forward on the current NT systems.

By the same measure perhaps, at least some of the AV's for example KAV2006 appear to be pressing ahead in anticipation of those type efforts.

Assarbad

Yes, it is/was indeed my intention to continue the article (probably rather articles). However, the sole lack of time has kept me from doing so. Will try to get it done this week.

I want to write about rootkit detection and so on. A field where great expectations exist - expectations which often are not justified by anything.

JOSEPH

Thanks again for reply. Happy to hear the interest in that is still alive.  8)

As an analyst myself to a degree (volunteer), as well as conducting some personal research, I can relate to those pressing demands in that field. On this end we're probably afforded much more free time for study and discussion, but certainly not taxed with promoting and improving specific popular softs in keeping with standards and industry expectations. LoL

Products like Ad-Aware SE and Windows Defender and the like are designed for detection as well as safe removal AFTER malicious programs/files have penetrated and been identified, yes, but I believe the hope is being raised now that many also would like to hear some comments and feelings on the area of prevention programs or add-ons, as concerns HIPS.

I've already posted something to this effect in another forum, but it bears repeating, so I'll express it again. :)

We seem to be moving into what is really a very exciting time coming up, with all these new approaches and the techniques that are being experimented with. For the security community and end users alike, many new introductions in the form of (active prevention) HIPS programs should help strengthen and expand safety knowledge well beyond what the normal boundaries have been in the past and what we have all been used to.

If you ask me it's a pretty exciting time to be involved at any end of the spectrum.

http://www.wilderssecurity.com/showpost.php?p=685547&postcount=10