Wednesday, February 25, 2009

InprocServer32 / embedded nulls: a kind of "false positive" in rootkit scans

Today I would like to talk about how to understand "embedded nulls". Maybe at some point you search for rootkits with a program like Microsoft's RootkitRevealer. Maybe you have already searched and now know that your computer has embedded nulls. You would be nervous if you found that your computer is full of "embedded nulls". Maybe you really do have them, but they are a kind of false positive.


First, InprocServer32 is the COM server key that gives the exact path of the DLL. There is a lot of information here: http://msdn.microsoft.com/en-us/library/ms682390.aspx. Almost any rootkit can use InprocServer or InprocServer32. And sometimes a registry key with an embedded null works together with InprocServer.

RootkitRevealer often says there may be a rootkit. For example, here is one log:

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)

And if you want to delete it, YOU CAN'T. It really looks like a rootkit. But often it is not. Mark Russinovich wrote a small program that deletes embedded nulls. Here you can get it for free: Download RegDelNull
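As an added example (not code from the post or from Sysinternals), here is a small Python script that parses RootkitRevealer's text output and separates the embedded-null hits under CLSID\{...}\InprocServer32, the pattern the post calls a false positive, from every other discrepancy so each group can be reviewed on its own. The sample log is constructed: two lines are taken from the log above, the other two are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Added example, not code from the post: parse RootkitRevealer output and separate
# embedded-null hits under a CLSID's InprocServer32 (the post's false-positive pattern)
# from every other discrepancy. Line layout: <path> <m/d/yyyy> <hh:mm> <n> bytes <desc>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2})"
    r"\s+(?P<size>\d+) bytes\s+(?P<desc>.+?)\s*$"
)
# HKLM\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32; the "*" marks the embedded null
COM_INPROC_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Classes\\CLSID\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}"
    r"-[0-9A-Fa-f]{12}\}\\InprocServer32\*?$"
)
EMBEDDED_NULL = "Key name contains embedded nulls"

@dataclass
class Entry:
    path: str
    date: str
    time: str
    size: int
    description: str

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line)
    return Entry(m["path"], m["date"], m["time"], int(m["size"]), m["desc"]) if m else None

def triage(entry: Entry) -> str:
    # "com-inproc-null" = the post's false-positive pattern; anything else needs a look
    if entry.description.startswith(EMBEDDED_NULL) and COM_INPROC_RE.match(entry.path):
        return "com-inproc-null"
    return "investigate"

def triage_log(text: str) -> dict:
    counts = {"com-inproc-null": 0, "investigate": 0, "unparsed": 0}
    for line in filter(str.strip, text.splitlines()):
        entry = parse_line(line)
        counts["unparsed" if entry is None else triage(entry)] += 1
    return counts

# Constructed sample: the first two lines are from the post's log; the last two (an
# embedded-null key outside CLSID and a hidden file) are made up for this example.
SAMPLE_LOG = r"""HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 2/19/2005 18:15 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\ExampleVendor\Agent* 2/19/2005 18:20 0 bytes Key name contains embedded nulls (*)
C:\WINDOWS\system32\drivers\etc\hosts 2/19/2005 18:01 734 bytes Hidden from Windows API."""
```

Running `triage_log(SAMPLE_LOG)` on the constructed sample gives two "com-inproc-null" entries and two "investigate" entries; the second group is where the actual rootkit review effort belongs.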
