Metasploit mailing list archives

Re: gmer rootkit removal


From: "Michael D. Wood" <mike () itsecuritypros org>
Date: Sat, 09 Feb 2013 19:15:57 -0500

Oh no problem, didn't think you were pointing fingers at all.  Just asking questions to gather more information from 
you.  I used to do in-depth virus and malware analysis for AVG and used a lot of these tools for years.  It's been a 
while, but I believe the "catchme.sys" gets installed in the temp directory.  Also, dump the registry, I believe the 
file gets removed.

Tdl or tdss was part of the Alureon craze, gmer was a one-hit-wonder for that.  Look it up, good stuff.  If I'm not 
mistaken (it was used in the google hack a few years ago) anyone correct me if I'm wrong - I'm watching tv and too lazy 
to check my references. 

----- Reply message -----
From: "Chip" <jeffschips () gmail com>
To: "Michael D. Wood" <mike () itsecuritypros org>
Cc: <framework () spool metasploit com>
Subject: [framework] gmer rootkit removal
Date: Sat, Feb 9, 2013 6:45 pm
On 2/9/2013 6:03 PM, Michael D. Wood wrote:

Gmer, to my knowledge, was only successful in removing the TDL 
family of rootkits.  As I remember,  I don't ever recall it 
submitting info to the developer?  Are you saying it asked, or 
this is what you found gmer changing on the system?  Did the 
executable come from the original source?  http://www.gmer.net/

Did you find the system driver gmer installs called "catchme.sys"?

----- Reply message -----
To: <framework () spool metasploit com>
Subject: [framework] gmer rootkit removal
Date: Sat, Feb 9, 2013 11:47 am

Anybody familiar with the Gmer rootkit removal product?

http://www.pentestit.com/gmer-rootkit-removeal-tool/

The developer asks users to submit reports after running the 
software which include such entries as the following but then 
does not get back to the submitter.  I'm wondering if the data 
sent, such as the following, could be used to remotely 
compromise a machine (the following entries have been altered to 
protect the innocent):

Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys

---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider)  ZwCreateKey [0xF87D0AJD]

Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088]  pIofCallDriver
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E]  pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile  9KLU765FF 7 Bytes  JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456   5678435689
Reg    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----


Thank you.  The executable was downloaded from the gmer.net site.  
No, the executable did not -- to my knowledge -- automatically 
submit information.  The gmer.net site asks if a user has any 
questions, to forward the results of the scan, which I did, because 
I had a specific question:  No reply.  

I am not pointing a finger at the gmer developer in the least, as it 
does appear at least on the surface to do the job it says it does.  
However, all the output from the scan to my untrained eye seems to 
contain a lot of information that could be used by a malicious user 
-- again, I am not saying the developer is malicious -- to develop 
code specifically for that one machine and I'm asking if anyone 
familiar with this kind of information cares to comment on that.  By 
the way, what do you mean when you say "Gmer, to my knowledge, was 
only successful in removing the TDL family of rootkits"?  What is 
TDL?

And where would someone look for catchme.sys?  I can't find it in 
the system32 folder.

Thank you kindly.