Jump to content


Photo

Stealth mode malware and BartPE


  • Please log in to reply
1 reply to this topic

#1 JonF

JonF

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 01 October 2005 - 03:55 PM

The "Stealth Mode Malware" article is right-on. Already it's far more convenient to kill viruses and malware from an independent OS than from the native OS; soon it'll be required.

I just thought I'd give a few pointers for those who want to learn more, and perhaps use, the BartPE system mentioned in the articles. First, the forums at The CD Forum are the place for getting plugins and help and tips and tricks; there's a Yahho! group and I think there's an MSDN forum too, but they are not as active.

HijackThis! works fine in BartPE. A good HijackThis! plugin is at ironGeek: Security and Hacking Plugins for Bart's PE Builder. HJTHotkey also works well; I use my own plugin for this:

HJTHotkey,inf:
; PE Builder v3 plug-in INF file
; For HijackThis Hotkey http://hometown.aol.co.uk/jrmc137/HJTHotkey/

[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="HijackThis Hotkey"
Enable=1

[WinntDirectories]
a="Programs\HJTHotKey",2

[SourceDisksFolders]
Files=a

[Software.AddReg]
; Add to start menu
0x2,"Sherpya\XPEinit\Programs","Anti-Spyware\HijackThis Hotkey","%ProgramFiles%\HJTHotKey\HJTHotkey.exe"
0x2,"Sherpya\XPEinit\Desktop","HijackThis Hotkey","%ProgramFiles%\HJTHotKey\HJTHotkey.exe"

[Append]
nu2menu.xml, HJTHotKey_nu2menu.xml

HJTHotKey_nu2menu.xml:
<!-- Nu2Menu entry -->
<NU2MENU>
	<MENU ID="Anti-Spyware">      
	<MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDrive()\Programs\HJTHotKey\HJTHotKey.exe))" CMD="RUN" FUNC="@GetProgramDrive()\Programs\HJTHotKey\HJTHotKey">HiJackThis Hotkey</MITEM>
	</MENU>
</NU2MENU>

with all the HJTHotkey files put in a "Files" subdirectory of the plugin directory. Note that, since version 3.053, HJTHotkey has supported the /update commend-line switch which causes it to update all databases in the directory in which it was started and exit, making keeping your plugin up-to-date much easier.

Spybot S&D 1.4 (and, presumably, higher versions) is "BartPE aware". If it is running in BartPE it automatically detects and loads the host system registry and scans that. Alas, the programmers decided to always popup a proxy server inquiry when starting in BartPE; essentially always the right thing to do is to press "cancel" in this dialog box. Safer-networking has a BartPE plugin here; it isn't all that great. Of course, I think my Spybot plugin is the best, but DigiWiz's version is also good. Be aware that Spybot 1.4 supports the /autoupdate /autoclose switches, which downloads all updates relative to the directory in which it was started and exits.

Ad-Aware is not BartPE aware, but it works very well if run inside a wrapper which loads the host system registry. The wrapper is Runscanner from Paraglider's plugins, where you will also find a very nice Ad-Aware SE plugin.

Microsoft Antispyware can be made to run in BartPE, but only if it is also installed on the host system, and doesn't seem to be worth it. Xoftspy works, see this topic. Spyware Doctor also works, see this topic. There are some others which work but I forget the links.

Sysinternals Root Kit Revealer works, but you have to run it under the infected OS and under BartPE. See this thread for a plugin. There's also EZPCFix, which includes a rootkit killing function based on RootKitty.

If you want to use BartPE on a variety of machines with different hard disks and/or network adapters, you need the driver pack from UBCD Downloads, installed as discussed at Adding drivers. You may need Paraglider's InfCacheBuild, but I'm not going to go inte how to use it here. Search the CD Forums.

If you are serious about BartPE you need Sherpya's XPE plugin from Sherpya WinPe Stuff, which gives you the familiar Explorer-based desktop and interface. There are lots of tricks for speeding up XPE which are too detailed to discuss here. If you use Joshua's Preshell (from PE Builder Plug-ins from Joshua and discussed at Joshuas PreShell, conf settings before launching the shell) to set up a swap file and/or RAMdisk and/or RAMFile you can even boot using XPE on a machine with only 32 MB.

Alas, if the host system is Win9x, you are sc***d. The Win9x registry is incompatible with the NT/XP registry, and nobody has a tool that allows you to boot BartPE or any equivalent and fix a Win9x registry. You can, of course, scan the hard drive with Ad-aware and kill the files.

#2 Ikester

Ikester

    Member

  • New Member
  • Pip
  • 1 posts

Posted 04 October 2005 - 04:46 PM

Just wondering how folks with pre-XP/Win2003 systems can deal with root kits ... or is it expected that root kits will not target such systems?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button