DiamondCS Deep System Explorer
Detection Example: DSE vs Srizbi Rootkit

Description: Srizbi, also known as Troj/RKAgen-A and Rootkit:W32/Agent.EA (amongst others), is a trojan that sends spam emails and uses rootkit tricks to hide itself (both its process and its kernel driver).

It is one of the harder rootkits to detect, but Deep System Explorer has no problem with it.

Srizbi arrives as a .exe file that carries an embedded .sys kernel driver; when that program is run it installs the .sys driver and starts it. From this point on the .exe is no longer needed - the infection is complete.


Detection: The first things we see are two Code Modifications that suspiciously jump into a driver with a random filename - suof53.sys in this case:


The original process (the .exe file) does not remain running; it simply installs and starts the driver, so there is no process to detect, only the driver.

Looking in the Driver List tool we can see that suof53.sys is listed, but without a full path, and the file does not appear to exist on disk either:


We can also see an IRP hook pointing to c:\windows\system32\suof53.sys, with the hook itself on IRP_MJ_DIRECTORY_CONTROL. It is this hook that hides the rootkit's files from directory listings:
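As an added defender-side illustration (not DiamondCS or Deep System Explorer code), the two checks above, a driver listed without a full path or without a file on disk, and an IRP dispatch entry that resolves into a different driver's image, written as Python heuristics over constructed sample records; the record layout, module addresses and the ON_DISK stand-in are assumptions:

```python
from dataclasses import dataclass

IRP_MJ_DIRECTORY_CONTROL = 0x0C  # IRP major function index (WDK value)

@dataclass
class Module:
    name: str
    path: "str | None"  # None when the driver list reports no full path
    base: int
    size: int

@dataclass
class Dispatch:
    owner: str    # driver whose IRP dispatch table holds this entry
    major: int    # IRP_MJ_* index
    handler: int  # address of the routine the entry points to

def module_for(addr, modules):
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def suspicious_drivers(modules, exists):
    """Drivers listed without a full path, or whose file is not on disk."""
    out = []
    for m in modules:
        if m.path is None:
            out.append((m.name, "no full path"))
        elif not exists(m.path):
            out.append((m.name, "file not found"))
    return out

def irp_hooks(dispatch, modules):
    """Dispatch entries that resolve into a module other than the table owner."""
    out = []
    for d in dispatch:
        target = module_for(d.handler, modules)
        name = target.name if target else "<unknown>"
        if name != d.owner:
            out.append((d.owner, d.major, name))
    return out

# Constructed sample: a file-system driver whose IRP_MJ_DIRECTORY_CONTROL
# entry has been redirected into suof53.sys (all addresses are invented).
MODULES = [
    Module("ntfs.sys", r"c:\windows\system32\drivers\ntfs.sys", 0xF8400000, 0x80000),
    Module("suof53.sys", None, 0xF9A00000, 0x8000),
]
DISPATCH = [
    Dispatch("ntfs.sys", 0x00, 0xF8401234),                      # IRP_MJ_CREATE, clean
    Dispatch("ntfs.sys", IRP_MJ_DIRECTORY_CONTROL, 0xF9A01100),  # hooked
]
ON_DISK = {r"c:\windows\system32\drivers\ntfs.sys"}  # constructed stand-in for the disk

def demo():
    return suspicious_drivers(MODULES, ON_DISK.__contains__), irp_hooks(DISPATCH, MODULES)
```

On a live system the module list and dispatch tables would come from a kernel-mode component such as DSE; `demo()` only exercises the heuristics on the embedded sample.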


It is also detected as a Hidden Service:


And in Class & Device Filters we can see that Root\Suof53 is detected as an active device filter, listed under Non-Plug And Play Drivers:

(This image is a composite of two screenshots, merged because of on-screen size restrictions, but it is still an accurate picture of the detection.)




Copyright © 2008, Diamond Computer Systems Pty. Ltd.  All rights reserved.