Unreal.A hides driver and file.

Driver hidding based on the following methods:

1. removing module from PsLoadedModulesList
(that bypasses some old rkdetectors)
2. removing object from ObjectDirectory
(that bypassed GMER, IceSword and some others)
3. removing module from DriverObjects
4. removing module from DeviceObjects
5. memzero for POBJECT_HEADER (that finally bypasses DarkSpy)
6. fake thread start address (to be sure that antirootkit will not show "unknown thread")
7. using non usual wait function to bypass "Stealth Walker" detection method of our Rootkit Unhooker Antirootkit.

File hidding based on the following methods:



1. We are using NTFS ADS (that's bypasses DarkSpy, IceSword automatically)
2. ADS attach to root directory of disk C: (that automatically bypass GMER, RootkitRevealer)
3. driver set up itself as File System Filter and filters some IRP's like IRP_MJ_READ, IRP_MJ_QUERY_INFORMATION etc. Thats bypasses all other antirootkit thats using RAW reading (BlackLight, Rootkit Unhooker etc).

Unreal.A contains specific code for AVG Antirootkit and AVZ Antirootkit Module. Specific code was done because both of these products using monitoring dirty-tricks based on Notify Routines which are not a detection at all. Unreal.A do search for antirootkit device (using DeviceObjects lists) and when it's found rootkit do IoDeleteDevice, so antirootkit can't anymore communicate with kernel part. Unfortunately as shows some tests of independent people this part of Unreal.A are little buggy, sometimes AVG/AVZ can show (with help of Notify of course) hidden driver.

As I said before idea is not new, but we do not found any others ready for use rootkits, so we decide to create this special demo to show how in reality useless/helpless/out-of-dated antirootkit software and of course for our internal testings.

There is currently only one thing (excluding special programs like WinHex) that can detect Unreal.A file -> special plugin for IceSword that uses direct disk.sys communication. Hidden driver (that in its state simple piece of code working in kernel mode) currently undetectable by any antirootkit.

We are not stops Unreal development and will create further versions which will include 100% workable antidetection part, Windows 2000 support and some new file hiding techniques.

This simple trick bypasses following Antirootkits, they all can't find driver and file: RootkitRevealer, F-Secure Blacklight, GMER, DarkSpy, IceSword, SVV, Helios, Rootkit Unhooker, SafetyCheck and all AV antirootkits.

In this release we are used specific code against some of antirootkits that using Notify Routine. It is AVG Antirootkit and AVZ Antirootkit module. This part of antidetection is buggy and need more work :)

Note: this demo is not malicious, please understand that this is just a demo.

Unreal.A limitations:
- your disk C: should be NTFS
- this rootkit do not hides registry keys

Rootkit demo can be downloaded from here http://www.rku.xell.ru/?l=e&a=dl

read comments (60) / write comment

recent comments:

Bilby	---||---	11.Feb:05:21
Unreal.A cutted source code	EP_X0FF	01.Feb:03:34
No need to antirootkit to block unreal	neocrackr	31.Jan:13:56
Another code analysys....	valerino	30.Jan:13:02
how it works	Ratter	29.Jan:10:33

. . .

views: 12752   printer-friendly version