CastleCops, Internet Crime Fighters
Forum: Rootkit Revelations
Topic: svv [DONE]

Meriadoc
Cadet
Joined: Sep 12, 2006
Posts: 4
Location: Uk

PostPosted: Tue Sep 12, 2006 9:14 am    Post subject: svv

Hi,
I've just come to the end of my current job, so I have some spare time to complete a project - an information/unhooker/connections and scan-for-hidden-objects tool.
I have also looked at various sources and plan to use my own versions.
One I have looked at extensively is svv and I plan to run with something from it, but I have some problems that I'm wondering if anyone else has encountered, mainly in the results.
In a VM, XP playground, I'm getting different results on a clean system - from System infection level = 0, nothing suspected was detected... as expected, to 5 - DEEPRED when scanning again.
Can anyone here, or mods, share any relevant experiences with svv, perhaps explaining the reasons why the results may vary?
vmworkstation, xppro.

PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005
Posts: 11723

PostPosted: Tue Sep 12, 2006 2:48 pm

In order to work, some types of software have to hook into the OS kernel. These typically are all firewalls, HIPS, some anti-virus and anti-malware software, and virtual machines and sandboxes. So, it is scarcely surprising that SVV is finding the VM hooks. Having said that, I cannot explain why multiple scans are reporting differing results.


_________________
Don't read? Can't learn!
Meriadoc
Cadet
Joined: Sep 12, 2006
Posts: 4
Location: Uk

PostPosted: Wed Sep 13, 2006 9:06 am

PCBruiser wrote:
In order to work, some types of software have to hook into the OS kernel. These typically are all firewalls, HIPS, some anti-virus and anti-malware software, and virtual machines and sandboxes. So, it is scarcely surprising that SVV is finding the VM hooks. Having said that, I cannot explain why multiple scans are reporting differing results.

Hi,
Thanks for replying, PCBruiser. Yes, I always take note of what's hooking into the system, especially after introducing something new, and as you have said, legit entries will be in the results.
I did not presume to leave a log file, but if I may leave a paste of svv <check> without any details extension, this will be short and show the two different results I've been experiencing.
If no one knows of a bug or known reason why this could happen with the information I have given, I will just have a look at that system again, but at the moment I just can't see what is doing this.
Okay, maybe I will start over, but still investigate this in case I have found a problem with the scan, but more than likely I'm overlooking something.

System Virginity Verifier 2.3, January 2006
written by Joanna Rutkowska
invisablethings.org
C:\>svv check
Important module ntoskrnl.exe not found
SYSTEM INFECTION LEVEL: 0
--> 0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.
----------------------------------------------------------------------------
C:\>svv check
Important module ntoskrnl.exe not found
ntdll.dll (7c900000 - 7c9b0000)... suspected! (verdict = 5).
kernel32.dll (7c800000 - 7c8f4000)... suspected! (verdict = 5).
ADVAPI32.dll (77dd0000 - 77e6b000)... innocent hooking (verdict = 2).
USER32.dll (77d40000 - 77dd0000)... suspected! (verdict = 5).
SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

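Added example (not part of the thread and not SVV's code): a toy Python model of the kind of check behind the verdicts in the log above. It compares a module's code section as loaded in memory against the copy on disk and grades each modification the way svv's output reads: a 5-byte JMP into a module the operator has listed as a trusted hooker (the firewall/HIPS/VM software PCBruiser describes) is "innocent hooking" (verdict 2), and any other change is "suspected" (verdict 5); the system infection level is the worst per-module verdict. The module ranges are taken from the svv output posted above; the hips_hook.dll range, the function address and the byte samples are constructed for the example, and SVV's real scoring rules are more involved than this.

```python
"""Toy model of an SVV-style code-section integrity check (added example, not SVV's code)."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Verdict table exactly as svv prints it in the log above.
LEVELS = {0: "BLUE", 1: "GREEN", 2: "YELLOW", 3: "ORANGE", 4: "RED", 5: "DEEPRED"}
INNOCENT_HOOK = 2
SUSPECTED = 5


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    end: int  # exclusive

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.end


# Load ranges taken from the svv output in this thread.
SYSTEM_MODULES = [
    Module("ntdll.dll", 0x7C900000, 0x7C9B0000),
    Module("kernel32.dll", 0x7C800000, 0x7C8F4000),
    Module("ADVAPI32.dll", 0x77DD0000, 0x77E6B000),
    Module("USER32.dll", 0x77D40000, 0x77DD0000),
]

# Constructed for this example: a HIPS/firewall helper DLL whose hooks the
# operator has decided to accept (the "legit entries" mentioned in the thread).
TRUSTED_HOOKERS = [Module("hips_hook.dll", 0x10000000, 0x10020000)]


def diff_ranges(disk: bytes, mem: bytes) -> list[tuple[int, int]]:
    """Return (offset, length) runs where the in-memory copy differs from disk."""
    if len(disk) != len(mem):
        raise ValueError("section length mismatch")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(disk, mem)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(disk) - start))
    return runs


def jmp_target(mem: bytes, offset: int, section_base: int):
    """Decode an x86 JMP rel32 (E9 xx xx xx xx) at offset; None if there is none."""
    if offset + 5 > len(mem) or mem[offset] != 0xE9:
        return None
    rel = struct.unpack_from("<i", mem, offset + 1)[0]
    return (section_base + offset + 5 + rel) & 0xFFFFFFFF


def classify_run(mem: bytes, offset: int, length: int, section_base: int,
                 trusted: list[Module]) -> int:
    """A JMP into a trusted hooker is 'innocent hooking'; anything else is 'suspected'."""
    if length <= 5:
        target = jmp_target(mem, offset, section_base)
        if target is not None and any(m.contains(target) for m in trusted):
            return INNOCENT_HOOK
    return SUSPECTED


def verify_module(section_base: int, disk: bytes, mem: bytes,
                  trusted: list[Module] = TRUSTED_HOOKERS):
    """Return (verdict, findings); each finding is (address, length, verdict)."""
    verdict, findings = 0, []
    for off, ln in diff_ranges(disk, mem):
        v = classify_run(mem, off, ln, section_base, trusted)
        findings.append((section_base + off, ln, v))
        verdict = max(verdict, v)
    return verdict, findings


def infection_level(verdicts) -> tuple[int, str]:
    """System infection level is the worst per-module verdict, as svv reports it."""
    lvl = max(verdicts, default=0)
    return lvl, LEVELS[lvl]


def patch_jmp(section: bytes, offset: int, section_base: int, target: int) -> bytes:
    """Test fixture: a copy of the section with 5 bytes replaced by JMP rel32 to target."""
    rel = (target - (section_base + offset + 5)) & 0xFFFFFFFF
    return section[:offset] + b"\xE9" + struct.pack("<I", rel) + section[offset + 5:]


# Constructed sample: an XP-era hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp)
# plus NOP padding, standing in for the start of an exported function in ntdll's .text.
CLEAN = bytes.fromhex("8bff558bec") + b"\x90" * 11
FUNC_VA = SYSTEM_MODULES[0].base + 0x1000  # constructed address inside ntdll.dll


def demo() -> dict[str, int]:
    results = {}
    # 1. memory identical to disk: nothing to report (0 / BLUE)
    results["clean"] = verify_module(FUNC_VA, CLEAN, CLEAN)[0]
    # 2. JMP into the trusted HIPS helper: innocent hooking (2)
    results["trusted_hook"] = verify_module(
        FUNC_VA, CLEAN, patch_jmp(CLEAN, 0, FUNC_VA, TRUSTED_HOOKERS[0].base + 0x400))[0]
    # 3. JMP to an address that belongs to no known module: suspected (5)
    results["unknown_hook"] = verify_module(
        FUNC_VA, CLEAN, patch_jmp(CLEAN, 0, FUNC_VA, 0x00A70000))[0]
    # 4. bytes rewritten with no JMP at all: suspected (5)
    results["inline_patch"] = verify_module(FUNC_VA, CLEAN, CLEAN[:2] + b"\xC3" + CLEAN[3:])[0]
    return results


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:13s} verdict = {v}")
    print("SYSTEM INFECTION LEVEL:", *infection_level(demo().values()))
```

The point of the trusted list is the one made in the thread: a detector that diffs memory against disk will always flag the hooks that firewalls, HIPS and VM tools install, so the operator has to decide up front which hooking modules are expected, and a verdict only drops from 5 to 2 when the redirect lands inside one of them.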
wng_z3r0
MRU Teacher
Joined: Mar 21, 2005
Posts: 1248

PostPosted: Wed Sep 13, 2006 12:15 pm

svv check /a /m

please


_________________
Proud member of Alliance of Security Analysis Professionals since 2005
Microsoft MVP-2006
Meriadoc
Cadet
Joined: Sep 12, 2006
Posts: 4
Location: Uk

PostPosted: Thu Sep 14, 2006 7:04 pm

wng_z3r0 wrote:
svv check /a /m

please

C:\Documents and Settings>cd..

C:\>svv.exe
System Virginity Verifier 2.3, January 2006
written by Joanna Rutkowska
invisiblethings.org
C:\>svv check /a/m
Important module ntoskrnl.exe not found
WARNING: Veryfing integrity of ALL kernel modules may cause a SYSTEM CRASH!
Do you want to continue (yes/no)?
yes
SYSTEM INFECTION LEVEL: 0
--> 0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.

wng_z3r0
MRU Teacher
Joined: Mar 21, 2005
Posts: 1248

PostPosted: Thu Sep 14, 2006 9:46 pm

Anything else you need help with?

wng


_________________
Proud member of Alliance of Security Analysis Professionals since 2005
Microsoft MVP-2006
Meriadoc
Cadet
Joined: Sep 12, 2006
Posts: 4
Location: Uk

PostPosted: Fri Sep 15, 2006 2:44 am

wng_z3r0 wrote:
Anything else you need help with?

wng

No, but thanks for the offer.
My worry was that there was an error, but I've now found the reason for the two different results.
There is another check /a /m result which differs from the one above - and I know why.
There is no problem with svv, just another factor - please feel free to close the thread, thanks.
