CastleCops, Internet Crime Fighters
Rootkit database project.
Coder68
Trooper
Joined: Oct 04, 2006
Posts: 15
Location: USA
PostPosted: Wed Oct 04, 2006 4:08 pm    Post subject: Rootkit database project.

I am going to try to start a rootkit information database project. I hope that it will be useful.

Anyone wishing to post the following info, I will add it to my database.

Rootkit Name
Alias (Other names for the rootkit)
Files (All Files related to the rootkit)
Registry (Registry entries made by the rootkit)
Link (url link of more info or where you got the info)
Notes (Memo field any special steps required to remove, or if you should just say screw it and rebuild!)

I have a small excel 2000 file you can (please) use to enter the info. I can then import it into my access database quickly. Once I get a decent number of entries I can release it. (Not sure in what form yet.) Then add updates as needed. (Please delete the example!!!!)

To verify that all information is correct, please post your info into the forum, along with an attached excel sheet, so others can verify it. Once it is verified, I can then include your data.

There is no code or macros in this sheet.

MD5 hash for my spreadsheet rar -
388CFBC516562E1F0481D1F31887692D RootKitDataEntry.rar
There's an MD5 hash for the file inside too.


I would like opinions on this project!! I won't be offended!
Good idea?
Waste of time?
Should I add or subtract anything?
Please give reasons with your opinion!

Thanks!

Coder68




Attachment: RootKitDataEntry.rar (1.74 KB)

Ikeb
Special Response Team, Forums Admin
Joined: Apr 20, 2003
Posts: 16535
PostPosted: Thu Oct 05, 2006 4:54 am

OK ... so why would it be a waste of time though?

Prince_Serendip
Site Moderator
Joined: Sep 07, 2002
Posts: 17542
PostPosted: Thu Oct 05, 2006 2:30 pm

Not very encouraging there. Don't sweat it. The people who complain all the time are not the ones who meet with success simply because they never do anything. Those that can, do; those who won't, complain. Wink

I got started on a project similar to yours when these forums first opened, but I am very busy completing a book on rootkits. When that's done I can attend to these lists again. Keep at it. Thumbs Up


_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
Coder68
Trooper
Joined: Oct 04, 2006
Posts: 15
Location: USA
PostPosted: Thu Oct 05, 2006 2:34 pm

Well, I am going to try to do it anyways.

If for nothing else, I will do this for my own edification. When I am at a client's house scanning, I do not always have access to fast Internet, so having a portable database of info would be helpful. IMHO.

I found a partial list of rootkits that I will post. People could take on one or some of them. I would post that it is taken so that we do not duplicate our work.

I think we should still post our work first so that it is as correct as possible. Then I could add it to the database.

ErikAlbert, you think it is a waste of time and that is fine. Do you think this because the information is on this site? While that is true, it is not always easy to find. I did a search for hackerdefender and got hundreds of hits. And when I went to look for the files, it was hit or miss. This would be, as much as possible, all the data in one quick, searchable location.

----------------------------------------------------------------------------

This list is taken from a post made by AbuIbrahim


01. lrk3, lrk4, lrk5, lrk6 (and variants);
02. Solaris rootkit;
03. FreeBSD rootkit;
04. t0rn (and variants);
05. Ambient's Rootkit (ARK);
06. Ramen Worm;
07. rh[67]-shaper;
08. RSHA;
09. Romanian rootkit;
10. RK17;
11. Lion Worm;
12. Adore Worm;
13. LPD Worm;
14. kenny-rk;
15. Adore LKM;
16. ShitC Worm;
17. Omega Worm;
18. Wormkit Worm;
19. Maniac-RK;
20. dsc-rootkit;
21. Ducoci rootkit;
22. x.c Worm;
23. RST.b trojan;
24. duarawkz;
25. knark LKM;
26. Monkit;
27. Hidrootkit;
28. Bobkit;
29. Pizdakit;
30. t0rn v8.0;
31. Showtee;
32. Optickit;
33. T.R.K;
34. MithRa's Rootkit;
35. George;
36. SucKIT;
37. Scalper;
38. Slapper A, B, C and D;
39. OpenBSD rk v1;
40. Illogic rootkit;
41. SK rootkit.
42. sebek LKM;
43. Romanian rootkit;
44. LOC rootkit;
45. shv4 rootkit;
46. Aquatica rootkit;
47. ZK rootkit;
48. 55808.A Worm;
49. TC2 Worm;
50. Volc rootkit;
51. Gold2 rootkit;
52. Anonoying rootkit;
53. Shkit rootkit;
54. AjaKit rootkit;
55. zaRwT rootkit;
56. Madalin rootkit;
57. Fu rootkit;
58. Kenga3 rootkit;
59. ESRK rootkit;
60. rootedoor rootkit;
61. hacker defender
62. haxdor
63. AFX rootkit
64. Hacktool
65. W32.Naras
66. w32.spybot.nlx
67. Homutex
68. Agentdoc.c
69. Hoosmi trojan
70. Comxt.b

If anyone has more to add, let me know.

Those in BOLD are "taken".

Coder68



Last edited by Coder68 on Thu Oct 05, 2006 2:39 pm, edited 1 time in total
Coder68
Trooper
Joined: Oct 04, 2006
Posts: 15
Location: USA
PostPosted: Thu Oct 05, 2006 2:38 pm

OK, I had some time and got this made up for hackerdefender.

Please let me know if I am missing anything!!!
I got the info from the link listed.

Rootkit Name
Hacker Defender

Alias
Backdoor.HackDefender
W32/Hacdef
Troj/HacDef
Backdoor.Win32.HacDef

Files
hxdef100.exe
hxdefdrv.sys

Registry
HKLM\SYSTEM\CurrentControlSet\Services\[service_name]
HKLM\SYSTEM\CurrentControlSet\Services\[driver_name]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[service_name]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[service_name]

Link
http://www.f-secure.com/v-descs/hacdef.shtml

Notes
None at the moment.

There is more information on the link, but I do not think it needs to be in the database. Besides, if you really need it there is the link. IF you can get out to the Internet, that is...


Coder68

Coder68
Trooper
Joined: Oct 04, 2006
Posts: 15
Location: USA
PostPosted: Mon Oct 09, 2006 10:43 pm

ErikAlbert has suggested that a white list would be better than a black list. There is a lot of sense to this, especially since castlecops does already have a list of files you can look up. It tells you what it is, and if it is legitimate. (Found it today when I googled WgaLogon.dll and the first hit was with this site.)


Example:

http://www.castlecops.com/o20list-156.html

O20 AppInit_DLLs and Winlogon Notify

Field: Value
O20 Type: Winlogon Notify
Name: WgaLogon
Path/File: WgaLogon.dll
Status: L
Description: Windows Genuine Advantage
Viewed 34229 times since Jul 8 2005, 2200 Hours UTC-4.

STATUS KEY:
"L" - Legitimate
"O" - Open to Debate
"X" - Malware/Bad
"?" - Unknown

It sounds like it would be easier.

Could we get a mobile database of that information Administrators? It would be great to have when you are at someone’s house and need access to the information, but cannot get to it for one reason or another. It could be stored on a jumpdrive or CD or a PDA and be updated before you leave to clean off a system.

What do you guys think?


Coder68

Coder68
Trooper
Joined: Oct 04, 2006
Posts: 15
Location: USA
PostPosted: Wed Oct 11, 2006 2:55 pm

You are not a friendly person are you?

I have been very polite. I took what you said and thought about it... and modified what I was thinking based on your objections. They made some sense to me.

I never called you a nitpicker... I was open to all your objections. Yet you insist on your bad attitude.

I will ignore you from now on.

Coder68

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005
Posts: 11723
PostPosted: Wed Oct 11, 2006 4:14 pm

Coder68, ignore the naysayers, your efforts are appreciated by the rest of us. And, I do think you are working on something useful, as do the rest of us.

@ErikAlbert, it would be appreciated if you treated other members here with a little more respect. If you really know as much as you think and claim to know, which I doubt, then do something positive and contribute to our efforts for a change. And, you might just consider this an informal warning on this subject.


_________________
Don't read? Can't learn!
Prince_Serendip
Site Moderator
Joined: Sep 07, 2002
Posts: 17542
PostPosted: Wed Oct 11, 2006 9:36 pm

I have stickied this topic so it will be at the top of the forum. One more thing is needed. Twisted Evil
If anyone wants to make trouble in this thread, they shall be removed.


_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
Coder68
Trooper
Joined: Oct 04, 2006
Posts: 15
Location: USA
PostPosted: Wed Oct 11, 2006 9:57 pm

Thanks Prince_Serendip!

I will be working on and off on this, and hope it will be helpful to some people.

I would like your opinion Prince_Serendip... what would be better in your view...

A database of known rootkits and the files they usually use

or

A database of known false positives. This website does have a list for files and it tells you if it is legit or not... that would be a big jump forward.

AntiRootkit.com has a list of know rootkits, and seems to be well laid out. I will be emailing them about making a portable downloadable version that could be updated.

Your thoughts would be greatly appreciated.

Also, (to everyone)

I need takers on the rootkits! IE: help! I do not have time to do them all! Please let me know which ones you would like to do. If 30 or 40 people would each take one or two, this would go fast!

Thanks again!!!

Coder68

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005
Posts: 11723
PostPosted: Wed Oct 11, 2006 10:22 pm

Why an either or? Personally, I think both are valuable. Think of it like this, someone uses one or more rootkit diagnostics, and sees baddies identified in the DB, plus other entries that are unidentified. So, how to tell if the unidentified ones are good ones or unidentified new baddies? No way to do that unless you list both known good and bad. That still won't help for completely unidentified ones, but it sure can narrow things down a bit.


_________________
Don't read? Can't learn!
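An added example (not code from the thread, from CastleCops, or from Coder68's spreadsheet) that puts the two ideas above into working form: the Rootkit Name / Alias / Files / Registry / Link / Notes layout proposed earlier in the thread, filled with the Hacker Defender entry from Coder68's post, beside a known-good list using the CastleCops status key (L/O/X/?), and a lookup that triages a constructed file listing against both lists so known-bad, known-good and unknown names come apart the way PCBruiser describes. The class and function names are my own assumptions.

```python
from dataclasses import dataclass
STATUS_KEY = {"L": "Legitimate", "O": "Open to Debate", "X": "Malware/Bad", "?": "Unknown"}

@dataclass
class RootkitRecord:
    """One row in the Name/Alias/Files/Registry/Link/Notes layout proposed in the thread."""
    name: str
    aliases: list
    files: list
    registry: list
    link: str
    notes: str = ""

@dataclass
class KnownFile:
    """One row of a CastleCops-style known-file list, status per STATUS_KEY."""
    filename: str
    status: str
    description: str

# Entries copied from the thread (the Hacker Defender post and the O20 WgaLogon lookup).
ROOTKITS = [RootkitRecord(
    name="Hacker Defender",
    aliases=["Backdoor.HackDefender", "W32/Hacdef", "Troj/HacDef", "Backdoor.Win32.HacDef"],
    files=["hxdef100.exe", "hxdefdrv.sys"],
    registry=[r"HKLM\SYSTEM\CurrentControlSet\Services\[service_name]",
              r"HKLM\SYSTEM\CurrentControlSet\Services\[driver_name]"],
    link="http://www.f-secure.com/v-descs/hacdef.shtml")]
KNOWN_FILES = [KnownFile("WgaLogon.dll", "L", "Windows Genuine Advantage")]

def lookup(filename):
    """Classify one file name: a known-bad hit wins over a known-good entry, and a name
    in neither list comes back "?" so the technician knows it still needs checking.
    Matching is case-insensitive because Windows file names are."""
    key = filename.lower()
    for rk in ROOTKITS:
        if key in (f.lower() for f in rk.files):
            return ("X", "%s (%s)" % (rk.name, STATUS_KEY["X"]))
    for kf in KNOWN_FILES:
        if key == kf.filename.lower():
            return (kf.status, "%s (%s)" % (kf.description, STATUS_KEY[kf.status]))
    return ("?", STATUS_KEY["?"])

def triage(listing):
    """Return {filename: (status, explanation)} for a scanner's file list."""
    return {name: lookup(name) for name in listing}

# Constructed sample listing, as a rootkit scanner might report it (not real scan output).
SAMPLE_LISTING = ["HXDEF100.EXE", "WgaLogon.dll", "hxdefdrv.sys", "mystery.sys"]
```

Anything that comes back "?" is exactly the residue PCBruiser says neither list can settle on its own; the two lists only narrow the work down to those names.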
Coder68
Trooper
Joined: Oct 04, 2006
Posts: 15
Location: USA
PostPosted: Wed Oct 11, 2006 10:54 pm

I will work on adding a sheet to the excel file to add in known false positives, and what program that false positive goes with.

Thanks for the input!

Coder68

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005
Posts: 11723
PostPosted: Fri Oct 13, 2006 2:04 pm

ErikAlbert wrote:
You can take your warning and shove it.

Well, ErikAlbert, now you can consider the warning quite official. Have a nice day.


_________________
Don't read? Can't learn!