Rootkit Revealer is only going to help with HackerDefender type rootkits (rootkits that hide *files*). It works by comparing the file listing obtained through Win32 API calls with kernel APIs. If there is a difference, then a rootkit is probably hiding files from Explorer, CMD and other user mode applications.

If something is altering your event log, Rootkit Revealer is unlikely to find it.

Cheers
Ken

From: Clubber Lang [mailto:[EMAIL PROTECTED]]
Sent: Friday, 31 October 2008 9:57 AM
To: NT System Admin Issues
Subject: Re: Unknown account created and added to local admins group

I ran Rootkit Revealer. Only four minor issues reported.

On Thu, Oct 30, 2008 at 3:39 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:

Of course rootkits can do this. But why are we even jumping to the idea that there's one there, and that we need to start distrusting everything we see? Rootkits are much rarer in reality than people seem to think (bar HackerDefender - which can be picked up by most tools). I agree that the box has probably been compromised (so wipe and rebuild). But rootkits are another issue altogether.

Cheers
Ken

> -----Original Message-----
> From: Ziots, Edward [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 30 October 2008 11:00 PM
> To: NT System Admin Issues
> Subject: RE: Unknown account created and added to local admins group
>
> I agree, but rootkits can hide the true intention of what is going on in
> the system and subvert anything you are seeing in the GUI or logs, and
> it's going to be pretty hard to tell what is legit and what isn't when
> you have a kernel rootkit on your system. Albeit there might be a
> few tell-tale signs. If it's been compromised, incident response
> measures should be put in place, the system quarantined, wiped and
> rebuilt from trusted media.
>
> Z
>
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE, MCSA, MCP, Security+, Network+, CCA
> Phone: 401-639-3505
>
> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 29, 2008 7:46 PM
> To: NT System Admin Issues
> Subject: RE: Unknown account created and added to local admins group
>
> Let's not get carried away with talk of a "rootkit" here.
>
> It could be a compromise. But rootkits are there to change the behaviour
> of the Windows kernel (hence "root" kit). For all we know, this is just
> a process running as LocalSystem (e.g. any number of services) that
> performed the changes. Still looks like a compromise.
>
> Cheers
> Ken
>
> > -----Original Message-----
> > From: Phil Brutsche [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 30 October 2008 6:17 AM
> > To: NT System Admin Issues
> > Subject: Re: Unknown account created and added to local admins group
> >
> > I bet that's what the event log would look like if a rootkit running as
> > SYSTEM added local administrator accounts...
> >
> > Clubber Lang wrote:
> > > Thanks, James. Yeah, the user was the same for all events: NT
> > > AUTHORITY\SYSTEM
> > >
> > > 624 - User Account Created - 9:19:13 AM
> > > 626 - User Account Enabled - 9:19:13 AM
> > > 642 - User Account Changed - 9:19:13 AM
> > > 628 - User Account Password Set - 9:19:13 AM
> > > 636 - Security Enabled Local Group Member Added - 9:19:14 AM
> > > 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
> > > 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
> > > 630 - User Account Deleted - 9:21:28 AM
> >
> > --
> >
> > Phil Brutsche
> > [EMAIL PROTECTED]
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
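As an added detection example (not code from anyone in this thread), the script below runs over constructed Security log records built from the event IDs quoted above and flags any account that is created, added to a security-enabled local group and deleted within a short window, whoever the subject is. The pipe-delimited record format, the account names and the one-hour threshold are assumptions.

```python
"""Flag short-lived local accounts from Windows 2003-era Security log events."""
from datetime import datetime

# Event IDs as quoted in the thread: 624 created, 636 added to a
# security-enabled local group, 630 deleted.
CREATED, ADDED_TO_LOCAL_GROUP, DELETED = 624, 636, 630

# Constructed sample, "time|event_id|subject_user|target_account".
# The first burst mirrors the thread's timeline; the last two lines are
# an ordinary, still-existing account for contrast.
SAMPLE_LOG = """\
2008-10-30 09:19:13|624|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 09:19:13|626|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 09:19:13|642|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 09:19:13|628|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 09:19:14|636|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 09:21:28|637|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 09:21:28|633|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 09:21:28|630|NT AUTHORITY\\SYSTEM|svcupdate
2008-10-30 11:05:00|624|CORP\\helpdesk1|newhire
2008-10-30 11:05:02|636|CORP\\helpdesk1|newhire
"""


def parse(log: str):
    """Turn the constructed records into (timestamp, event_id, subject, target)."""
    events = []
    for line in log.splitlines():
        ts, eid, subject, target = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), subject, target))
    return events


def transient_admins(log: str, max_lifetime_s: int = 3600):
    """Return (account, subject, lifetime_seconds) for accounts that were
    created, added to a local group and deleted within max_lifetime_s.
    Real 636 events also carry the group name; a production rule would
    additionally require it to be Administrators (omitted in this sample)."""
    per_account = {}
    for ts, eid, subject, target in parse(log):
        if eid in (CREATED, ADDED_TO_LOCAL_GROUP, DELETED):
            # Keep the first occurrence of each event per account.
            per_account.setdefault(target, {}).setdefault(eid, (ts, subject))
    hits = []
    for account, rec in per_account.items():
        if all(e in rec for e in (CREATED, ADDED_TO_LOCAL_GROUP, DELETED)):
            created, subject = rec[CREATED]
            life = (rec[DELETED][0] - created).total_seconds()
            if 0 <= life <= max_lifetime_s:
                hits.append((account, subject, life))
    return hits
```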
