
Detection Example: DSE vs Fu Rootkit
Description: Futo is the successor to fuzen_op's Fu rootkit. It is a kernel-mode rootkit written by Peter Silberman, with a user-mode front end (fu.exe) for communicating with its driver (msdirectx.sys).
It has two main features - the ability to hide processes, and the ability to hide drivers.
Detection: Because fu.exe is a front end for the driver, we can run fu.exe directly without having to use instdrv.exe to install the driver first. We used version 2.0 of fu.
However, whereas Fu only had one process hiding technique (sending "-ph" using fu.exe), Futo introduces a second technique, "-phng", or "Process hide, no GUI" (no interface). So we created a simple do-nothing executable called nogui.exe, which does nothing more than stay alive without an interface. We then used Futo to hide it, as well as calc.exe (which does have an interface). Both executables are running from the c:\futo\ directory:

The command "fu -phd 252" hides the process with an ID of 252, which in this case is c:\futo\calc.exe (a copy of the \Windows\system32\calc.exe program that comes with Windows).
Neither the c:\futo\calc.exe nor the c:\futo\nogui.exe process is visible to process listing programs at this stage, but Deep System Explorer has no problems seeing them in vibrant detail:

They can both also be seen simply by going to DSE's Process List tool, where each is listed as a hidden process:

Here we can see their hidden handles:

And their hidden threads! ...

And last but not least, we can see Futo's driver (msdirectx) as a Class & Device Filter listed under Non-Plug & Play Drivers:

Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.