::::::::: PowerShell :::::::::
Sunday, January 08, 2006
  [FUN] (Poor Man's) SONY Rootkit Revealer
I was listening to "Security Now" episode #12 (transcript for that episode and links to the podcast are at the top of the page), where it was mentioned that SONY's rootkit can be revealed by creating any file whose name starts with "$sys$": the rootkit cloaks everything with that prefix, so the file you just created disappears.

NOTE: If you still haven't heard the term "rootkit", either "google" it or check out Security Now episode #9.

Well.. I sat down to see whether I had the rootkit or not...
Ah.. all this does is create a file whose name starts with $sys$ ($sys$test.txt), check whether it can still be seen after it was created, and delete it afterwards. There is no fancy stuff here... Two things to keep in mind: a "clean" result only means that nothing on this machine is filtering the $sys$ prefix, and if the file is being cloaked the script cannot delete it either (you can't delete what you can't see), so $sys$test.txt stays on disk.


# author: dance2die
# title: Ghetto SONY Rootkit Revealer~ :)
# date: 01/08/2006 @ 20:05
# comment: LOL, this is quite funny...

function RevealSONYRootkit {
    # Create a file (in the current dir) whose name starts with "$sys$",
    # the prefix SONY's rootkit uses to hide its own files.
    # Single quotes so PowerShell doesn't expand $sys and $test as variables.
    $testFile = '.\$sys$test.txt'

    trap {
        # Something went wrong while creating or checking the file,
        # so I am guessing a rootkit is on the machine..
        Write-Host -ForegroundColor "red" -BackgroundColor "white" "You might have the SONY rootkit installed... I am chickening out..."
        if (Test-Path -LiteralPath $testFile) { Remove-Item -LiteralPath $testFile }
        break
    }

    # Test-Path rather than [System.IO.File]::Exists: the .NET call resolves
    # relative paths against the process working directory, not against $PWD.
    if (Test-Path -LiteralPath $testFile) {
        # A leftover $sys$ file from an earlier run is visible, so nothing is hiding it.
        Write-Host -ForegroundColor "green" -BackgroundColor "white" "Your system is clean..."
        Remove-Item -LiteralPath $testFile
        # i don't usually like to have multiple exit points in a function but wth...
        return
    }

    # Not piping to [void]/Out-Null here: New-Item echoes the file it created,
    # so people get to see that the file really was written.
    New-Item -ItemType File -Path $testFile -ErrorAction Stop

    if (Test-Path -LiteralPath $testFile) {
        Write-Host -ForegroundColor "green" -BackgroundColor "white" "Your system is clean..."
    } else {
        Write-Host -ForegroundColor "red" -BackgroundColor "white" "FATAL: You have the SONY rootkit installed!!!`nReinstall your Windows!!!"
    }

    # If the file is being cloaked this delete fails and $sys$test.txt stays on
    # disk; don't let that failure fire the trap above.
    Remove-Item -LiteralPath $testFile -ErrorAction SilentlyContinue
}



If you don't have the SONY rootkit you will see the green "Your system is clean..." message:
[screenshot: clean result]

Or.. if you happen to be one of the unlucky ones, the red "FATAL" message:
[screenshot: rootkit detected]

Wouldn't it be great if someone modified this to run the function over the network? :)
Ah.. an instance of the "System.Management.Automation.MshCredential" class (renamed PSCredential in the released PowerShell) passed as an argument would come in handy..
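As an added example that is not part of the original post, here is one way the networked variant hinted at above could look in present-day PowerShell. It packages the same $sys$ probe described earlier as a script block, runs it locally by default or on remote hosts through Invoke-Command with a PSCredential, and returns objects instead of colored text so results from many machines can be sorted or exported. It also goes a step further than the post's script by checking two views of the file system (open-by-name via Test-Path and directory enumeration via Get-ChildItem) and by reporting when a cloaked probe file could not be deleted. PowerShell remoting (WinRM) being enabled on the targets, the host names 'ws01' and 'ws02', and the probe directory are assumptions; the function and variable names are mine.

```powershell
# Added example, not from the original post. Assumes PowerShell remoting is
# enabled on the targets; host names and credential below are placeholders.

# The probe is a script block so Invoke-Command can ship it to a remote
# session unchanged. It returns an object rather than writing colored text.
$SysPrefixProbe = {
    param([string]$Directory = $env:TEMP)   # assumed probe location

    # Single quotes: PowerShell must not expand $sys or $probe as variables.
    $name = '$sys$probe-' + [guid]::NewGuid().ToString('N') + '.txt'
    $path = Join-Path $Directory $name
    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        Path             = $path
        Created          = $false
        VisibleByName    = $null   # Test-Path on the exact name
        VisibleInListing = $null   # shows up in a directory enumeration
        Cloaked          = $null
        Cleanup          = $null
        Error            = $null
    }

    try {
        New-Item -ItemType File -Path $path -ErrorAction Stop | Out-Null
        $result.Created = $true

        # Two different views of the same file: open-by-name and enumeration.
        $result.VisibleByName    = Test-Path -LiteralPath $path
        $result.VisibleInListing = [bool](Get-ChildItem -LiteralPath $Directory -Force |
                                           Where-Object { $_.Name -eq $name })

        # A file we just created that neither view can see is being hidden from us.
        $result.Cloaked = -not ($result.VisibleByName -or $result.VisibleInListing)
    } catch {
        $result.Error = $_.Exception.Message
    }

    if ($result.Created) {
        # If the file is cloaked this delete fails; say so instead of silently
        # leaving a $sys$ file behind on the host.
        try {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            $result.Cleanup = 'deleted'
        } catch {
            $result.Cleanup = "NOT deleted ($($_.Exception.Message)); remove $path by hand"
        }
    }

    [pscustomobject]$result
}

function Invoke-SysPrefixCloakingCheck {
    [CmdletBinding()]
    param(
        # Without -ComputerName the probe runs in the current session.
        [string[]]$ComputerName,
        # The PSCredential (what the post calls MshCredential) for the remote hosts.
        [System.Management.Automation.PSCredential]$Credential,
        # Optional probe directory; when omitted each host uses its own $env:TEMP.
        [string]$Directory
    )

    if (-not $ComputerName) {
        if ($Directory) { return & $SysPrefixProbe -Directory $Directory }
        return & $SysPrefixProbe
    }

    $params = @{
        ComputerName = $ComputerName
        ScriptBlock  = $SysPrefixProbe
        ErrorAction  = 'Continue'   # one unreachable host must not stop the sweep
    }
    if ($Credential) { $params.Credential   = $Credential }
    if ($Directory)  { $params.ArgumentList = $Directory }

    Invoke-Command @params |
        Select-Object ComputerName, Cloaked, VisibleByName, VisibleInListing, Cleanup, Error
}

# Local run:
Invoke-SysPrefixCloakingCheck | Format-List

# Remote sweep (hypothetical hosts; prompts for the credential):
# Invoke-SysPrefixCloakingCheck -ComputerName 'ws01','ws02' -Credential (Get-Credential) | Format-Table
```

A row with Cloaked = True means the host hid a file the probe had just written, which is exactly the behaviour the post is looking for; a row where only one of the two views is False is worth a second look, since a hiding driver does not have to hook every path to the file system. Keep in mind that this only probes the $sys$ prefix, so a Cloaked = False sweep says nothing about other rootkits.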

Well.. Run it at your own risk.. :)

Let's get lazy with PowerShell!

Location: Flushing, NY, United States

Experimenting with a different format of blogs...