AbuIbrahim12's Security Journal

What We Can Learn From Science Regarding Industry-Sponsored Testing of Security Products

2010-11-09T03:33:00.003+02:00

Robert Cialdini, a Psychology professor at Arizona State University, stated his top-notch book, Influence Science and Practice:

"Take the case of the medical controversy surrounding the safety of calcium-channel blockers, a class of drugs for heart disease. One study discovered that 100 percent of the scientists who found and published results supportive of the drugs had received prior support (free trips, research funding, or employment) from the pharmaceutical companies; but only 37 percent of those critical of the drugs had received any such prior support. "

His statement was based on a scientific paper published in The New England Journal of Medicine in 1998. Details of the research can be found here:
Conflict of Interest in the Debate over Calcium-Channel Antagonists

Wow, these results are staggering. 37% of doctors were critical of a particular form of drug. But when some form of support is involved all doctors became in favor of such drug. This and other related research cited at the end of this article scientifically proves (at least from a psychology and medicine perspective) that industry-supported evaluation or testing of security related products such as antiviruses, IPS's, etc. have an influence on the quality and outcomes of their results.

Examples of such type of research studies in the security industry are:
1. Symantec funded an antivirus testing by PassMark: Consumer Antivirus Performance Benchmarks
2. Symantec sponsored another antivirus evaluation by Dennis Technology Labs: PC Anti-Virus Protection 2011
3. ~~Trend Micro sponsored an antivirus testing by NSS Labs:~~(debatable) http://trendmicro.mediaroom.com/index.php?s=43&item=749
4. Microsoft sponsored two NSS Labs tests for comparing the security of IE8 with other browsers:
http://arstechnica.com/microsoft/news/2009/08/microsoft-sponsors-two-nss-reports-ie8-is-the-most-secure.ars
5. Trend-Micro commissioned West Coast Labs Anti-Spam comparison tests: http://it.trendmicro.com/imperia/md/content/uk/whitepaper/wp06_wclantispamrpt_090317us.pdf

The results of these studies are not surprising. Symantec was ranked first by Dennis Technology Labs and PassMark. ~~Trend Micro was ranked first by NSS Labs.~~ IE8 was shown to be far superior than its peers according to NSS Labs. Trend Micro topped the antispam comparison tests by West Coast Labs.

The reason I am blogging this, is because I have come across a lot of CIO's and security experts who still believe and take into granted the results published by such kind of studies. Its even a pity to see security gurus from notable organizations such as SANS fall into this and cite these results.

For more information please see:

Study: Industry-Sponsored Research Yields Favorable Results a Majority of the Time: http://www.doctorpundit.com/index.php/2010/08/03/study-industry-sponsored-research-yields-favorable-results-a-majority-of-the-time
The uncertainty principle and industry-sponsored research: http://www.ncbi.nlm.nih.gov/pubmed/10968436
Pharmaceutical industry sponsorship and research outcome and quality: systematic review http://www.bmj.com/content/326/7400/1167.full
Source of funding and outcome of clinical trials - Journal of General Internal Medicine http://www.springerlink.com/content/r654521305u8547k/

2010 Cairo Security Camp

2010-11-02T08:21:00.002+02:00

I gave off a presentation at the 2010 Cairo Security Camp at Cairo, Egypt about 2 months ago. The event was held at Nile University Smart Village. My presentation was on rootkits detection and removal. I have also talked about ADS and MBR infections.
All praise to God, according to the attendees evaluation, I was voted as both, the most liked speaker, and best event topic.

New Features Added to Startups@Ease

2010-10-06T20:10:00.003+02:00

I have made a complete re-design of the user interface of Startups@Ease. I have also included two new additional features to help reduce unnecessary software from running every time the computer restarts, which are:

1. Installed third party services: Services are a type of startups that starts running in the background even before you log into the computer. There is a lot of unwanted services that comes bundled with some of the software you may have installed. Additionaly, these unwanted services may exist from pre-installed software whenever you buy a new computer. You can go through the Q&A wizard to see which of these services that are actively running in your computer that you do not want by clicking on the 'Installed Services' button.

2. Services that are part of the Windows operating system: Windows come with a large amount of services that start automatically and actively run in the background. Most of these services are very important for the the OS to function properly. However, there are few default Windows services that are not essential to the OS and are not always needed to be actively running. Based on how you use your computer, you can determine which of these unnecessary services that you may need by going through a questionnaire that can be accessed by the 'Windows Services' button.

If you have bought a new computer and you have used Startups@Ease, it will be a shame that the tool has not significantly boosted your computer.

Startups@Ease Now Supports 64-bit Windows

2010-08-29T15:30:00.002+02:00

I have re-written the code for Startups@Ease and now it supports both 32-bit and 64-bit operating systems using the same executable.
The tool is automatically compatible with Windows XP 32-bit, Vista 32-bit, 7 32-bit, server 2003 32-bit, server 2008 32-bit, Vista 64-bit, 7 64-bit and server 2008 64-bit.
As for Windows XP 64-bit and server 2003 64-bit, you will need to download and install this hotfix before running this tool. The hotfix would allow 32-bit applications to access the 64-bit locations native to the operating system. Without the hotfix, the tool will not function properly.

Startups@Ease has Been Released

2010-08-20T13:59:00.006+02:00

I finally launched a freeware tool called Startups@Ease that I have been developing in the past few months. The program is mainly designed to help non-geeks to manage unwanted startups in their computers. When executed, the program searches for unnecessary startups and then displays them as a series of questions and (yes/no) answers to the user. These questions are phrased such a way that non-technically sophisticated users can understand and be able to make a judgment whether they actually need the unnecessary startups or not. The tool does NOT delete or uninstall any of your programs. All of the startup programs that appear in the Q&A wizard can be accessed either through the start menu or from the control panel. In addition, the tool automatically creates backups of any programs it has disabled from startups.

The tool is available here: http://www.startupsatease.com

To use the program, click the begin button as in the image below:
If an unnecessary startup is found, a wizard will pop-up similar to the image below. However, the questions posted will vary from one computer to another.
Once, the wizard is complete a page will pop-up which contains a review for all of the selected answers for each question. At this page, select the confirm button and then you will need to restart your computer.The program does not enforce a restart and does not have the option to perform a restart. Hence, users should perform the restart at their own will from the start menu.

Is an Account Lockout Policy Really Worth It

2010-08-07T19:45:00.004+03:00

I strongly agree with Jesper Johansson and Steve Riley with their point of view on account lockouts in which they have mentioned in the book that they have published many years ago, Protect Your Windows Network: From Perimeter to Data. Here is a transcript of what they have written in page 344:

The authors consider that account lockout not only provides no positive security value, but actually decreases security. As we showed earlier, only really poor passwords can be guessed successfully. Thus, the real problem if a guessing attack succeeds is really poor passwords not lack of account lockout. Turning on account lockout does not make the passwords any stronger, and a sophisticated attacker will tailor the attack to work around any account lockout settings. Hence the claim that it provides no security value.

Worse than not doing any good, however, is the fact that account lockout is harmful. It can obviously be used by an attacker in a very easy denial-of-service attack to lock out every single account on the system, rendering the system unusable. Now consider if this were to happen to your Web server it would not be much of a "server" any longer. Moreover, it is highly likely that the account lockout settings are tripped accidentally. For example, almost all vulnerability scanners will trip account lockout settings, resulting in entire data centers being disabled. Finally, even if there is a timeout to the lockout, users will generally call the help desk when their account no longer works.
....

The authors then continue to describe the futility of account lockouts from a risk management point of view. Even though, the reasons that they have provided more than 5 years ago are fairly convincing, today there is a far more important reason why you need to disable account lockout across your network. A large amount of malware today perform dictionary attacks to break account passwords. The most notorious among them, is the conficker worm which has affected tens of millions of computer last year and is still a problematic infection today.

Earlier last year, I was called to assist in an emergency downadup outbreak at a financial institute. What was found is that despite only less than 4% of the machines were affected, it was these 4% that caused a major downtime to the whole business and thousands of employees were not able to get any work done because they cannot log on their machines. The reason was very simple, these small percentage of downadup-ridden machines tried to guess the passwords of every other machine across the network. The institute had to disable the account lockout policy
in order for the business to start functioning again and employees getting back to work. Thanks to account lockout, the institute suffered financially more from this harmful policy more then the mere existence of the malware itself.

I greatly advise that the risk management team of every company that has a windows network to revisit the account lockout policy. Instead, I do recommend that failed logon attempts are logged and a warning message such as an email is sent to notify network administrators after a certain amount of failed logons have been attempted.

Existance of Malware = Vulnerable to Targeted Attacks

2010-05-26T16:12:00.006+03:00

I have came across a couple of companies that tend to focus most of their security strategy in trying to mitigate targeted attacks on their network and given little attention in protecting their businesses from malware (automated attacks) other than a futile reliance on an updated antivirus. It is true that the impact of targeted attacks on a company is far more greater than existence of automated or commercially spread malware, for an example some computer got infected with a Zlob trojan. However, if your security vendor's management console reported a single existance of a malware file in any computer in your network, then sadly, the fact is, your business is an easy target of a potential targetted attack regardless of all the security measures or security software/hardware at your business has put in place. With exception to viruses, the existence of malware in the form of a worm, bot, trojan, exploit, rootkit, keylogger, backdoor, spyware, adware, etc. are all indicators that your business is unprotected against spear attacks.

The reason for this is that targeted attacks use the same techniques as malware to compromise a system but at a more complex level. If it's the purpose of information theft, financial theft, espionage or whatever reason, a professional hacker would attempt to gain access of a business resource either through a vulnerability or by social engineering. Since both techniques are also used by malware, we can compare by examples how targeted attacks and malware utilize these techniques as a vector for accessibility.

1. Social Engineering:

- malware would send a generic email that would try to influence any user with no particular target. The email may entice the user to download the malicious file by promising them to see the dancing monkeys, celebrities, clothless people, fake news, etc. At worst case, the email may try to add a little genuinity by saying 'from the IT department'. The Storm worm bot and Waledac emails are excellent examples of a typical malware type social engineering.

- In contrast, in a targeted attack, the social engineering tactic is a lot more sophisticated. The bad guys will try to collect as much information about their targets, for example through social-networking sites.

The socially-engineered email may likely indicate a target name, such as "Dear Alice", indicate a spoofed source, such as "Bob, IT Manager". In fact, the recent attack on Google from Chine was mainly accomplished by social engineering:

McAfee’s Chief Technology Officer George Kurtz announced that the hackers used complex social engineering techniques and advanced reconnaissance techniques to specifically target those individuals which had access to sensitive company information.

Explaining the tactic used, Kurtz mentioned “Speaking generically, we're seeing a lot more targeted attacks where people focus on [employees with] the highest set of privileges, and then work backwards, gaining access to secondary parties to get to the primary source.”

2. Vulnerabilities:

- malware would usually exploit operating system or browser vulnerabilities after patch's are released. For example, the conficker worm tries to spread from one computer to another using an OS vulnerability. Another example, is a variant of the storm worm exploits a vulnerability in internet explorer for drive-by downloads. At some cases malware may sometimes exploit vulnerabilities in flash, java and adobe reader.

- In a targeted attack, the bad guys would try to exploit vulnerabilities that has been publicly disclosed in virtually every type of software you may have, including winzip, quick time, real player, silverlight, etc.. That is why it is important to have a software such as Secunia PSI to ensure that all your software is up to date. At some cases, the bad guys would exploit a vulnerability before a patch is released or at rare cases, not known of before. This has happened in the recent hydraq attack as reported here:

http://www.computerworld.com/s/article/9144938/Microsoft_confirms_IE_zero_day_behind_Google_attack

In conclusion, as a testbench to assess the security of your network, check if there is any reported malware in any computer in your business. Understand how the malware infected the machine such as email, drive-by downloads, vulnerability, social engineering, etc. and then implement counter measures in order to prevent such malware to re-exist in your business. If your business cannot protect all of your computers from malware infections then definitely your network is vulnerable to an unsophisticated targeted attack. Perhaps your business could be or have been compromised and you may not even know it.

Internal Vs. External Attacks Myth

2010-05-26T15:24:00.006+03:00

After encountering a lot of IT representatives from different companies, I am surprised to find that the majority of them still believe that most of the security breaches originate from inside the company.
Michael Kassner has written an excellent article, definitely worth reading, at the Tech Republic last year on why such a belief no longer applies today. Kassner references the CSI/FBI Computer Crime and Security Survey which asks organizations to estimate the percentage of internal attacks they encountered. The results of survey is displayed in the following graph:After doing some statistical analysis, the estimated overall average of security breaches that originate from internal attacks is less than 16%. The difference is overwhelmingly significant that likely any margin of error such as the "different point of view" 's in Kassner's article would still have little effect in proving contrary beliefs.
Hence, allocating your IT security budget of your organization can be calculated by a simple risk management formula. Let,
E = the average financial impact including losses that may result due to an external attack on your organization. The impact may include financial or information thefts, reputation, loss of productivity, recovery, etc.
I = the average financial impact including losses that may result due to an internal attack on your organization.

Further readings:
http://www.pcworld.com/businesscenter/article/147098/insider_threat_exaggerated_study_says_.html

The Myth of Patch Management

2010-04-11T22:21:00.002+02:00

From an old video recording of a security session held at Technet:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=991

“The Air Force had an environment where they standardized , based on a limited number of server build and client build using images and vhd files.. and then they allow them to make another decision. They did a risk assessment of patch delays and came to the following conclusion...

If we delay installation of a patch because we have to test it, then there is a time window between patch download date and install date, of when their machines are vulnerable to attack…

and their risk assessment concluded, that getting attacked in that time window, is much more likely than immediately installing the patch and see if an application breaks. That was their risk assessment. So they have done what I have been begging people to do for years. They have turned their patch management over to Microsoft (outsourced it to us). When we issue a patch, they install it right away.”

- Steve Riley, Former Senior Security Strategist - Microsoft Trustworthy Computing

Book author of "Protect Your Windows Network, from Perimeter to Data"

However, there is one point I would disagree with the Air Force. Newly released operating system service packs and IE versions must be tested in a business environments first regardless how small or large the business is, and if there is a testing team or not. At the same time, I do not recommend delaying installing those updates. I have seen security experts who test the new service pack updates even for their home environment.

Note: Steve Riley is now with Amazon Cloud Computing. He can be found here: http://stvrly.wordpress.com/

Barnes & Noble Sucks! The Rogue Online Bookstore.

2010-04-11T18:32:00.004+02:00

A very close friend of mine was ordering books online and I asked him to order 2 books (a business book and a windows security book) with him since I couldnt find them in the bookstores in my region. He noticed that the shipping options at Barnes & Noble were very attractive compared to other major online stores. In addition we had a discount coupon. So he decided to try it out and little we did know that the experience we were about to get was extremely horrible.

During the order the discount coupon was accepted and clearly indicated that $xx was successfully deducted from our total purchase. Everything seems great and placed our order. A day later we received a notification that our order is being shipped. The next day, my friend received an unexpected email from B&N and that's where several problems started to appear.

He received a no-reply email that one books in the order has been canceled without any justification:

We apologize, but despite our efforts, we weren't able to fulfill some or all of the items in your order, as noted below. These items have been canceled from your order.

We apologize for any inconvenience this has caused and look forward to your next visit to Come back and visit anytime at http://www.bn.com.

I am not sure why they canceled the shipment of one of the books. I doubt it is availability issues, since all the books we ordered clearly indicated on their website that they are in stock. Anyhow, when my friend reviewed his paypal account, he found that the new B&N transaction charged far more than the total order details on B&N site. There was a clear inconsistency between what they charged for and what they display in thier total purchase details.
We decided to do some calculations and found that the price difference equals to all the discounts that he was entitled to including the members discount. Nevertheless, my friend contacted them to clarify with them why an item was canceled and why they charged more than the B&N account indicates. Four business days has passed and they have not responded. My friend will call them tomorrow morning to straighten things with them. At worst case, we will likely cancel all purchases with them.

In summary, B&N sucks because:
1. They cancel items in the order without justification or warning
2. They charge more than the total shipment price that they display to you on their website and via email without notification or consent
3. They show that your discount coupons are in use, but once they cancel one of the items without your consent, all your discounts will go as well without your notice.
4. They do not respond to 'customer care' emails.

Personally, I will stick to Amazon as I have been always been doing, despite their pricy international shipment options. I have purchased over a $1000 worth of books from Amazon, and I am completely satisfied with their excellent and transparent service.

Beware of Fake Alerts and Antiviruses When Google Searching the recent Chile Earthquake

2010-02-28T13:23:00.004+02:00

Symantec issued a security response in a blog posting yesterday stating the following:

A massive earthquake struck near the Chilean city of Concepcion in the early hours of the morning of February 27th, 2010. The quake measuring 8.8 on the Richter scale was considerably stronger than the one that recently caused widespread destruction on the island of Haiti. Fortunately, despite the size of this latest quake, so far there has been few reported casualties. The quake occurred near the coast and tsumani warnings were issued for many countries bordering on the Pacific ocean. Unfortunately as with any major news event, miscreants are not slow to pounce when such opportunities arise to further their aims.

Search engine results returned for terms such as “Chile Earthquake” are being poisoned to lead users to rogue antivirus web sites.
.....

http://www.symantec.com/connect/blogs/massive-earthquake-chile-leads-surge-rogue-antivirus

For further investigation and curiosity, I changed the keywords a little and to my surprise the rogue antivirus webpages are appearing on the first google search page.

Any combination of keywords such as tsunami, santiago, chile, earthquake, pictures, etc. would display poisoned search results on google. Many of the results appear to be compromised legitimate websites. A small sample of such websites include the following (enter at your own risk):

hxxp://papeteriengrosshandel.ch/pap.php?q=santiago-earthquake
hxxp://jashburn.org/pot.php?sell=santiago%20earthquake
hxxp://borderchorders.org/fjn.php?m=santiago%20chile
hxxp://2009.v3lingyue.com/ydx.php?t=santiago%20chile
hxxp://www.cyprusbestcompanies.com/phocadownload/ddo.php?q=usgs+chile+earthquake
hxxp://www.pennbrew.com/index2.php?p=chile-earthquake
hxxp://joaap.org/wuw.php?do=chile%20earthquake%20facts
hxxp://addsisli.org/jxz.php?page=chile%20earthquake%201960%20facts
hxxp://hnhmp.com/xvauhiqo/earthquake23049.php
hxxp://neuromodfound.org/jvv.php?do=chile%20earthquake%202009
hxxp://chinadowntown.com/chi.php?q=chile-tsunami-2010
hxxp://www.nudeyrudey.co.nz/nud.php?q=chile-earthquake-1960
hxxp://bannerdesigns.co.za/ban.php?q=chile-earthquake-1960
hxxp://sbk.com.pl/njenh/sokzp.php?tsunamis-earthquake
hxxp://www.justlite.com/xaftk/gzlk.php?earthquake-tsunami-photos
hxxp://ymc.kr/gjux/fsa.php?california-earthquake-tsunami-possibility
hxxp://theperfumeseller.com/the.php?q=chile-quake-map
hxxp://cpbusa.com/cbp.php?q=earthquake-chile
hxxp://www.mindmakers.nl/26omall/14.php?q=earthquake+worksheeta
hxxp://n.clanstar.org/ykopo.php?c=pictures-of-earthquake-in-chile
hxxp://12a1nhc.com/bxg.php?do=chile%20earthquake%201960%20pictures
hxxp://refinedwebdesigns.com/zgu.php?go=chile%20earthquake%201960%20pictures
hxxp://files.liamfiddler.com/xsy.php?o=earthquake-in-chile-today
hxxp://10500bcfilms.com/ttx.php?in=chile%20earthquake%202010
hxxp://diamond-virgin.net/fdz.php?p=chile%208.8%20earthquake
hxxp://jaredunderwood.com.au/yhy.php?f=recent-earthquake-chile

Each of the above pages would direct users to the following sites which would display fake antivirus alerts:

hxxp://188.124.5.159/index.html
hxxp://188.72.246.99/index.html

hxxp://you22tube.com/?id=103&ids=cb7c54&d=1&s=2
hxxp://www1.dotout-forscan-get.in
hxxp://www1.dotoutfor-scanget.in/
hxxp://www1.letfastscanand-cure.in/
hxxp://www1.dotwin-to-scan-get.in/
hxxp://www1.dotwintoscan-get.in/
hxxp://www1.setfast-scan-and-cure.in
hxxp://scan1.run-spyware-a0.com
hxxp://www1.let-fast-scanandcure.in/

Some of the sites include a payload for unpatched browsers. Additionaly, clicking anywhere on the site would prompt an unwary user to download the installation file for the rogue antivirus.

So far, I have picked up three different variants of malware files from the above pages. Two of the malicious files were reported to MMPC. The third variant was somwhat blocked in my machine.

The first file is currently detected by 11 out of 41 security vendors as shown here: http://www.virustotal.com/analisis/fabca4efdaf5c89d36e153637fbe92bc130f62812d6261833b073a23240260c8-1267321093

The second file is detected by only 6 out of 41 security vendors: http://www.virustotal.com/analisis/6120d00068c7e9c15c664ca0aefbbea6a5e97c589074007635bfffad8ef49e9f-1267350125

All of the above urls have been submitted to malwareurl.

The Dangers of Iframe

2010-01-13T16:48:00.002+02:00

This is old news but something worth blogging about.

An estimated 5.8 million pages belonging to 640,000 websites were infected with code designed to launch malware attacks on visitors, according to a report released Tuesday.
...
An estimated 54.8 percent of the attacks observed by Dasient involved malicious javascript that was injected into compromised sites. iFrames that silently redirected users to malicious sites came in second at 37.1. Dasient has cataloged more than 72,000 unique malware infections involving websites.

Full article from the Register: Mass web infections spike to 6 million pages

Also:

The number of legitimate Websites being hacked to host malware has hit startling highs in recent days, new figures from MessageLabs have revealed.
Data taken from the days between May 4 and 8 showed that 84.6 percent of Websites blocked by the company for hosting malicious content were 'well-established' domains that have been around for a year or more.

Full article from PCWorld: Most Attacks Come from Legit but Hijacked Sites

Iframe attacks, being a largescale threat is relatively new. In the past, we used to tell people to surf the internet safely by not to searching or browsing suspicious websites, porn, cracks, free music/lyrics/movies, gambling, etc.. Then came along safe search add-ons such as mywot and siteadvisor which would greatly help people avoid questionable and unsafe sites. However, the threat webscape today has changed as the bad guys are moving into different tactics. With the appearance of iframe attacks, the borderline that distinguishes black and white sites might no longer be useful. The problem is that the sites that we completely trust can be vector of getting our computers infected. Browser security software such web access protection (used by antiviruses and firewalls) and reputation rating in these cases will no longer work here. It will protect user from being infected from black sites, but not from the white sites. Also, there is no way to tell if a legitimate site contains an iframe unless we look at its page source, since iframes may oftenly not change the sites appearance or functionality.

In my opinion the only way to be protected from a trusted site that happens to have a malicious iframe is disabling iframes altogether.
For details on how to disable iframes on Internet Explorer, please see:
http://antivirus.about.com/od/securitytips/ht/ieiframe.htm

How to tell if an unknown file is a legitimate or a malware file

2009-12-13T17:22:00.007+02:00

This article is intended mainly for HJT helpers and trainees. Prior knowledge and expertise of the windows OS is required. None of the steps below are 100% accurate. You will need to use multiple steps in this guide order to be able to end up with a confident conclusion.

Step 1. there are 4 rules of thumb in which you can immediately know within seconds that the unknown file is a malware file:

1) The name of the file or folder is randomly generated or makes absolutely no sense. These type of files would typically display zero results in search engines.

Ex: c:\p0sdn8flqy.exe

2) The malware uses a name that is similar to the name of a legitimate file (commonly windows file) within the same folder.

Ex: legitimate = c:\windows\system32\lsass.exe

malware = C"\windows\system32\lsasss.exe

3) The malware uses the exact name of a legitimate file, commonly a windows file but in another folder.

Ex: legitimate = C:\windows\explorer.exe

malware = c:\windows\system32\explorer.exe

4) The malware uses a name that are commonly only used by malware. Ex. startup file names with controversial words somewhere within its name, the names of celebrities, the use of non-alphanumeric characters, or white spaces.

Ex: c:\windows\system32\crack.dll

Step 2. Searching the file name or CLSID on www.systemlookup.com

Step 3. Using google search for file name, service name, md5 and CLSID. UNITE schools provide an excellent guide on how to use google to identify malware files in diagnostic logs. You will need to join a school to access the guides.

Step 4. Below is a list of websites where you can upload and scan individual files to make sure that they are safe or not:

http://virscan.org/

http://www.virustotal.com/en/indexf.html

http://virusscan.jotti.org/

http://scanner.virus.org/

However, no detections from the antimalware scanners, does not necessarily mean that the file could be safe.. The file could be new malware released to the wild. On the other hand, due to false positives, a legitimate file could be possibly detected by 5 or less antimalware scanners.

Step5. Disassembling the file and check for hints within the strings of the file. This step would require a bit of an expertise. One simple way to distinguish a legitimate file from a malware is to look for keywords, IP addresses or a web url. The strings would also provide hints on the file functionality and behavior. Most dissassemblers have features to populate the strings in the file. Examples are Filealyzer 2 and PE-Explorer.

To demonstrate using a dissembler in analyzing a legitimate file, I randomly chose a strange file name that had no description from the drivers folder:

C:\windows\system32\drivers\wssbtr1f.sys

A screenshot of the list of strings is shown below:

At one place of the results, it is somewhat related to hardware card. Could be either a PCMCIA or a memory card. Another place it mentions a Bluetooth device. Based on the results, we can conclude that this file is related to a Bluetooth card which is exactly what I have.

On the other hand, the string results of a malware file would populate malware-related keywords, urls or IP addresses. Example below is the strings list of a P2P worm. This worm uses keywords as shown in the screenshot as a social engineering tactic for attracting new victims.

Also a file with an .scr extension is an executable. So having a file named AVI.scr or MP4.scr would definitely indicate suspicious behavior.

Step 6. Running the unknown file in a test machine or in a virtual environment and analyze the file and network behaviour. Analysis can be done with a combination of regshot, procmon, netstat, wireshark, tcpview and/or dirmon. However, since most people do not have a test machine or a VM, you can upload the unknown file to an online malware analyzer such as Sunbeltlabs and ThreatExpert. Within minutes or hours, the online malware analyzer would provide a report that includes; file/folders created, windows registry modifications, network traffic and system modifications.

Virmansec Event Success!

2009-11-29T10:03:00.002+02:00

Elhamdulilah, the presentation I gave on conficker at the Microsoft Innovation Center, Riyadh was a success.

The presentation can be downloaded from here:
http://staff.kfupm.edu.sa/coe/shafei/downadup.zip

The powerpoint slides is mostly pictures and it may not be of much benefit to those who havent attended. However, a lot of the technical information has already been mentioned here this blog. The presentation style was inspired by the best presentation gurus such as:
- bio/intro and overall structure as by Garr Reynolds
- slides and graphics as by Dick Hardt and Seth Godin
- speaking freely as by Guy Kawasaki
- walking freely as by Steve Riley

Running the powerpoint will be a bit heavy on a windows OS. had to optimize my operating system in order for it to run smoothly on a projector with completely no lag. This is what I have done to have a lag-free presentation:
1. Disabled all real-time protection tools including firewall. (assuming you are not connected to the internet)
2. Disabled automatic updates
3. Disabled Task Scheduler via services mmc
4. Disabled screensaver, and all power saving options.
5. Disabled wireless connection and all related processes. (left bluetooth on for my bluetooth mouse/pointer)
6. Disabled all unneccessary processes. In my task manager I had a total of 28 processes left running on an XP machine. I preferred not to disable other OS processes because I had to run a demo on the same machine.

Conficker Presentation at Riyadh

2009-11-04T11:32:00.002+02:00

God willing, I will be doing a presentation at the Microsoft Innovation Center on fighting the Conficker worm. This a highly technical presentation mainly targeted towards enterprise environments. The presentation includes live demos on infected machines. Microsoft Corporation (MSFT), Virmansec and R-Tech will be sponsoring the event.
The presentation covers all possible techniques in detecting and removing conficker for enterprises.

Attendance and registration is for free. Snacks and refreshments are also for free. If you are in Riyadh, please take the time to read and register for the event here:
http://www.eventbrite.com/event/472252520

Advanced knowledge about windows NT operating systems and active directory is a must.

Server 2008 RMS Installation Problem

2009-11-02T16:18:00.003+02:00

I spent a few days trying to implement a simulation environment to test windows Rights Management Services and some third-party plugins on a server 2008 native. Every time I attempt to install RMS 2008 I was confronted with the following error message:

Error: Attempt to configure Active Directory Rights Management Server failed. An error was encountered while trying to provision AD RMS. Remove and re-install AD RMS to attempt provisioning again.

Despite uninstall/reinstalling the RMS service several times and verifying all the pre-requisites the error message still popped-up. I have followed every single line mentioned in the microsoft guide but yet the error re-appeared. There were absolutely no log files or events to explain the acause of the error. Also I couldnt find any solution on the internet that worked.
Almost giving up, my partner and I resorted to an unexpected solution..... changing the AD domain name.
RMS 2008 seemed to distaste single lettered domain names such as A.com and B.com that we initially tried to use. This was a bit strange since RMS 2003 worked fine using these same test domain names.

So after the changing the domain name to demo.com seemed to work with us in getting rid of the mysterious error message.

With courtesy of Samer Alotaiby.

3,200 Reported Account Hijacking on Facebook,Twitter

2009-10-21T17:11:00.003+02:00

If you're on Facebook, Twitter or any other social networking site, you could be the next victim.
That's because more cyberthieves are targeting increasingly popular social networking sites that provide a gold mine of personal information, according to the FBI. Since 2006, nearly 3,200 account hijacking cases have been reported to the Internet Crime Complaint Center, a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance

Continue reading:
http://edition.cnn.com/2009/CRIME/10/19/social.networking.crimes/index.html?iref=mpstoryview

From the article:

How to protect yourself against social media scams:
- Change your passwords frequently
- Adjust Web site privacy settings
- Be selective when adding friends
- Limit access to your profile to contacts you trust
- Disable options such as photo sharing
- Be careful what you click on
- Familiarize yourself with the security and privacy settings
- Learn how to report a compromised account
- Use security software that updates automatically

(Information provided by FBI and Internet security experts)

New Variant of Total Security Locks up Applications on Infected PC's

2009-10-21T05:00:00.002+02:00

A new variant of scareware has been detected that not only inundates
users with exhortations to purchase phony antivirus software called
"Total Security 2009," but that also locks users out of nearly all
applications until they purchase the disreputable product. Once their
PCs are infected with the malware, the only program users can open is
Internet Explorer, so they can navigate to the site and make a purchase.

More:
http://blogs.usatoday.com/technologylive/2009/10/new-twist-on-scareware-locks-up-your-pc.html
http://www.pcworld.com/article/173765/a_rogue_demands_a_ransom.html

Removing Conficker/Downadup from Your Network Using Active Directory

2009-10-17T14:46:00.005+02:00

A couple of security companies have provided some neat freeware tools for network administrators to cleanup the downadup worm within their business networks. Some examples of these tools are:
1. Kaspersky Administration kit
2. Bitdefender Network Removal Tool
3. Sophos Conficker Network Cleanup Tool

These tools provide an automated deployment and disinfection for multiple computers at once.

However, I was called to an enterprise client who was suffering from a Downadup outbreak last May. The client had approximately 4000 computers across 6-8 domains. There was one problem though; since the network tools were not provided by the antivirus vendor they had installed, the client was not comfortable to install any third-party software on their servers. Luckily, they were ok with using the tiny, fast and silent Kaspersky kk.exe program. Now, I had to figure out to run this tool across all the infected machines for each domain. This is how I did it:

First, in each domain I copied the kk.exe into a shared folder. The shared folder could be on any server such as a file server. The accessibility of the shared folder was to everyone.

Second, I created a batch script that can deployed via the active directory:

@ECHO OFF
:: batch file made by AbuIbrahim12, Microsoft MVP
:: downadup/kido/conficker/conflicker removal tool
:: restores windows services, removes added policies
color 1F
copy \\{serverName}\{sharedFolder}\kk.exe c:\kk.exe
cd \
start kk.exe -s -x -l C:\VirusReport.txt
sc config wscsvc start= auto
sc config winDefend start= auto
sc config wuauserv start= auto
sc config BITS start= auto
sc config ERSvc start= auto
sc config WerSvc start= auto
sc start wscsvc
sc start WinDefend
sc start wuauserv
sc start BITS
sc start ERSvc
sc start WerSvc

Third, I went to the domain controller for every domain and done the following:
Active Directory Users and Computer -> right-click domain name (or 'Users') in the left pane and select Properties -> Group Policy tab -> new -> name the new policy to 'Downadup Script' -> edit -> you can now create either a startup script or a logon script. I prefer using the logon script as not everyone would reboot their computers and there could be some computers that the business would not like to have rebooted.
The logon script can be created as follows:
User Configuration -> Windows Settings -> Scripts -> double-click Logon in the right pane -> Show files -> record the location of the logon folder -> copy and paste the batch file into the logon folder -> close the logon folder -> Add -> browse to the logon folder and add the batch file -> ok -> ok -> close the group policy editor -> Apply
open the command prompt and then type: gpupdate /force

Now depending on the severity of the issue, you may want to ask the employees to immediately logoff/logon from/to their machines or at some time later. My client decided to wait until the next day when employees logon into thier machines in the morning. The script would run kk.exe completely unnoticeable in the background with completely no disruption to employee activities as it disinfects the worm-ridden machines.
After 3 days, the 4000 machines were downadup free and the logon script was removed from the active directory.

Investigating New Trends of Rogue Antiviruses - Part 2

2009-09-26T12:33:00.003+02:00

Besides the randomly named sites that host the rogue antivirus pages, I have also noticed a huge amount of legitimate sites that have been compromised to direct traffic to the rogue antivirus domains.

Each compromised website contains a folder with a 5 lettered randomly generated name. The folder also contains another randomly generated folder of the same length that contains hundreds of computer generated infected php web pages.

Examples of the folders found on compromised legitimate sites that I have discovered via google are:
http://kingofthecageskennels.com/hoabe/sueno/
http://trd3tv.net/qiqut/aejpc/
http://markingsstudio.com/ppplc/iyiux/
http://internationalharpmuseum.org/keaeb/qrdaw/
http://romania-ti.com/steuf/sgqrm/
http://bizbuilderswa.org/pmrum/bpakx/
http://mrantasi.com/ljglc/mjqrl/
http://amerilao.org/grano/kpsxm/
http://appliancerepair.tv/bseul/ewsyo/s
http://susancastor.org/czpmf/dihbl/
http://deartes.net/qesbr/sieme/
http://ffseguros.net/zwwzo/ommil/
http://eventsregister.net/cbuga/dykdb/
http://giaitri8x.net/bdrmh/bhusp/
http://alu-vene.com/eiika/zeypc/
http://streetmedia.us/iktdl/ytzcq/
http://butteredhost.com/iwyiw/xdbhc/
http://leadershipsummit.net/tyird/yeirh/
http://vogelrentalproperties.ca/iljqu/daogi/
http://punk-designs.com/uaiyx/tkuif/
http://guard-door.info/fqrna/nyhlh/
http://mortgagecapitalrealty.com/cyzle/ubpnr/
http://endoscopyspecialists.com/kescd/drwiy/
http://californiahistoricalsociety.org/ieeci/skelr
http://uriellaw.com/ilrxb/dxixr
http://elrealsabordecuba.com/lyxei/uolqe/
http://karpovthewreckedtrain.com/epjfw/htgbs/
http://moto-osat.com/npkcg/zuzfj
http://swanjoy.com/ewyqi/fopzi/
http://stevericks.net/yuyrz/tbrdw/
http://costumeoriental.com/lwicu/nghep/
http://kfgroup.net/nbfep/biqni/
http://otroma.com/omhig/flwbi
http://bilikbahasa.com/nsege/olgyf/
http://catasticbritz.com/imgjx/ekquz
http://tomspencerbassin.com/pcuwz/sbous
http://puijonsrknuoret.net/exhcy/sirfa/
http://caflasvegas.org/zeaen/ifpkl/
http://energizardelvalle.com/xisfe/esixm/

Examples of infected php pages taken from one of the above sites:
http://kingofthecageskennels.com/hoabe/sueno/survivors.php
http://trd3tv.net/qiqut/aejpc/pomegranate.php

The list of compromised sites continue to grow every hour.

Investigating New Trends of Rogue Antiviruses - Part 1

2009-09-26T11:26:00.005+02:00

After being intrigued by the fact that my user name being used as keywords for developing malicious pages, I started investigating further the rogue antivirus pages the past two weeks whenever I had some free time.

I currently found so far the following main webpages where a lot of infected web pages direct their traffic to:
hxxp://fast-virus-scan7.com
hxxp://myzonesecure.com
hxxp://winfixscanner1.com
hxxp://7removespyware.com
hxxp://onlinesearch-protect.net
hxxp://compurerthreats2.com
hxxp://mytotalscanner.com
hxxp://mytotalscanner17.com
hxxp://mytotalscanner17.com/scan2/video2.php?pid=111
hxxp://protectyourpc-now1.com/pr.cgi?id=2739
hxxp://best-scanpc.net/disk/?code=934
hxxp://check-threats-online.com

The following domains which are likely bot generated sites that redirects traffic to the above malware sites:
jntscxwv.cc
hibqeidh.cc
gmfcmdt.cc
ppsjucknp.cc
cqmilpkl.cc
fymhizm.cc
ockdtsahp.cc
srpantlq.cc

(Most links are now expired)

Another variant of Rogue Antiviruses called Antivirus Plus are hosted in the following domains
ihaerxi.cn
ikaocy.cn
iqevun.cn
ijobuaw.cn
iqoysab.cn
iniegox.cn
inejayf.cn
ihouvi.cn
ilipyw.cn
ikyadeh.cn
ilyocij.cn
ikorate.cn
ijobuaw.cn
ijuoxe.cn
idoafy.cn
ikuaxge.cn
ifueme.cn
gowyti.cn

Beware, most of these links are still active.

The malicious executable files that are hosted on these websites have already been reported to the Microsoft Malware Protection Center. I would like to thank MS for their quick response and creating definitions for all of the submitted samples.

Information about the malware hosted on these sites are documented here:
TrojanDownloader:Win32.Renos
Trojan:Win32/FakeXPA
Trojan:Win32/Yektel.A

New Smitfraud Variant

2009-09-06T09:55:00.009+02:00

I was searching my username today on google and I found a malicious site that uses my username as keywords. The malicious pages includes the following urls:
hxxp://q84.isutv.com/wap715-abuibrahim12.html
hxxp://ps51.isutv.com/wap565-abuibrahim12.html
hxxp://ps51.isutv.com/wap84-cherrytoons.html
hxxp://q84.isutv.com/wap363-query-letter.html
hxxp://ps51.isutv.com/wap780-whippedwomen.html
hxxp://ps51.isutv.com/wap293-dr-emma-starr.html
hxxp://q84.isutv.com/wap561-bnz.html
hxxp://q84.isutv.com/wap895-dmaiv.html
hxxp://q84.isutv.com/wap632-unesco.html

Each of the pages would redirect you tothe following rogue antivirus pages:
hxxp://best-virus-scanner4.com/scan1/?pid=111&engine=pHT3zjjyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMIEMPAZO
hxxp://fast-virus-scan9.com/scan1/?pid=111&engine=pHT22jzyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMkEMPAlO

The web page displays a classic fake explorer page giving an impression that your hard-disk partitions are being scanned and malware was found in the computer.
Clicking anywhere around the page, will prompt you download a new trojan named Antivirus_111.exe which at the time I write this blog entry has no detections by any antivirus.

The file when uploaded on VirusTotal, produced the following results:

File Antivirus_21_1_.exe received on 2009.09.06 07:48:07 (UTC)
Antivirus	Version	Last Update	Result
a-squared	4.5.0.24	2009.09.06	-
AhnLab-V3	5.0.0.2	2009.09.05	-
AntiVir	7.9.1.8	2009.09.04	-
Antiy-AVL	2.0.3.7	2009.09.04	-
Authentium	5.1.2.4	2009.09.05	-
Avast	4.8.1351.0	2009.09.05	-
AVG	8.5.0.409	2009.09.05	-
BitDefender	7.2	2009.09.06	-
CAT-QuickHeal	10.00	2009.09.05	-
ClamAV	0.94.1	2009.09.06	-
Comodo	2204	2009.09.06	Heur.Packed.Unknown
DrWeb	5.0.0.12182	2009.09.06	-
eSafe	7.0.17.0	2009.09.03	-
eTrust-Vet	31.6.6721	2009.09.04	-
F-Prot	4.5.1.85	2009.09.05	-
F-Secure	8.0.14470.0	2009.09.05	-
Fortinet	3.120.0.0	2009.09.06	-
GData	19	2009.09.06	-
Ikarus	T3.1.1.72.0	2009.09.06	-
Jiangmin	11.0.800	2009.09.06	-
K7AntiVirus	7.10.837	2009.09.05	-
Kaspersky	7.0.0.125	2009.09.06	-
McAfee	5732	2009.09.05	-
McAfee+Artemis	5732	2009.09.05	-
McAfee-GW-Edition	6.8.5	2009.09.06	-
Microsoft	1.5005	2009.09.06	-
NOD32	4399	2009.09.05	-
Norman	6.01.09	2009.09.04	-
nProtect	2009.1.8.0	2009.09.06	-
Panda	10.0.2.2	2009.09.05	-
PCTools	4.4.2.0	2009.09.04	-
Prevx	3.0	2009.09.06	-
Rising	21.45.14.00	2009.09.01	-
Sophos	4.45.0	2009.09.06	-
Sunbelt	3.2.1858.2	2009.09.05	-
Symantec	1.4.4.12	2009.09.06	-
TheHacker	6.3.4.3.396	2009.09.04	-
TrendMicro	8.950.0.1094	2009.09.05	-
VBA32	3.12.10.10	2009.09.05	-
ViRobot	2009.9.4.1919	2009.09.04	-
VirusBuster	4.6.5.0	2009.09.05	-

Additional information
File size: 167424 bytes
MD5 : 3aeef8ccec46822d91c97ed92f8a4af2
SHA1 : 9e310ffad459fe3a10544d6ee78403a3b382891d
SHA256: b2d842f4ebf1561429a0d84929ceeda2c7c5a7f850c2fd66ac4fa2ea6b6d6f15

http://www.virustotal.com/analisis/b2d842f4ebf1561429a0d84929ceeda2c7c5a7f850c2fd66ac4fa2ea6b6d6f15-1252223287

Upon executing the file, the following gui appears:The program then automatically installs a fake antivirus called "Total Security":
The malware creates the following folders:
c:\program files\common files\TSUninstall
c:\program files\TS

It also creates the following file:
C:\WINDOWS\system32\iehelpmod.dll

The following registry keys have been added:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}]
&IE Help - C:\WINDOWS\system32\iehelpmod.dll [2009-09-06 335360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TS"=C:\Program Files\TS\tsc.exe [2009-09-06 1542176]

[HKEY_USERS\S-1-5-21-725345543-484763869-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall\TS]

If you attempt to uninstall the rogue antivirus, it will show up the following window in order to lure unwary users to purchase their fake product:
I have uploaded the file C:\Program Files\TS\tsc.exe on virustotal which showed that Mcafee is the only antivirus that was able to detect it:

File tsc.exe received on 2009.09.06 11:48:22 (UTC)
Antivirus	Version	Last Update	Result
a-squared	4.5.0.24	2009.09.06	-
AhnLab-V3	5.0.0.2	2009.09.05	-
AntiVir	7.9.1.8	2009.09.06	TR/Crypt.ZPACK.Gen
Antiy-AVL	2.0.3.7	2009.09.04	-
Authentium	5.1.2.4	2009.09.05	-
Avast	4.8.1351.0	2009.09.05	-
AVG	8.5.0.409	2009.09.06	-
BitDefender	7.2	2009.09.06	-
CAT-QuickHeal	10.00	2009.09.05	-
ClamAV	0.94.1	2009.09.06	-
Comodo	2204	2009.09.06	-
DrWeb	5.0.0.12182	2009.09.06	-
eSafe	7.0.17.0	2009.09.03	-
eTrust-Vet	31.6.6721	2009.09.04	-
F-Prot	4.5.1.85	2009.09.05	-
F-Secure	8.0.14470.0	2009.09.06	-
Fortinet	3.120.0.0	2009.09.06	-
GData	19	2009.09.06	-
Ikarus	T3.1.1.72.0	2009.09.06	-
Jiangmin	11.0.800	2009.09.06	-
K7AntiVirus	7.10.837	2009.09.05	-
Kaspersky	7.0.0.125	2009.09.06	-
McAfee	5732	2009.09.05	FakeAlert-HP
McAfee+Artemis	5732	2009.09.05	FakeAlert-HP
McAfee-GW-Edition	6.8.5	2009.09.06	Trojan.Crypt.ZPACK.Gen
Microsoft	1.5005	2009.09.06	-
NOD32	4399	2009.09.05	-
Norman	6.01.09	2009.09.04	-
nProtect	2009.1.8.0	2009.09.06	-
Panda	10.0.2.2	2009.09.06	-
PCTools	4.4.2.0	2009.09.06	-
Prevx	3.0	2009.09.06	-
Rising	21.45.14.00	2009.09.01	-
Sophos	4.45.0	2009.09.06	-
Sunbelt	3.2.1858.2	2009.09.05	-
Symantec	1.4.4.12	2009.09.06	-
TheHacker	6.3.4.3.396	2009.09.04	-
TrendMicro	8.950.0.1094	2009.09.05	-
VBA32	3.12.10.10	2009.09.05	-
ViRobot	2009.9.4.1919	2009.09.04	-
VirusBuster	4.6.5.0	2009.09.05	-

Additional information
File size: 1542176 bytes
MD5...: 47f48d75791e9ff4831b0e4a553c5569
SHA1..: 3a1f8a2186611e0c3bcf53cc650307dd5a6bbe82
SHA256: a7173500bd783ef55d520cb4c9cdd235a250437e639ed589ac99855d65324b5f
ssdeep: 24576:L6x4SD2YP9PeJaSl2eiaQtXOstG0Bu/SCoIxFViKsSKlRZMXK:G4Si2Op2 TaQtestpiUSaZ

http://www.virustotal.com/analisis/a7173500bd783ef55d520cb4c9cdd235a250437e639ed589ac99855d65324b5f-1252237702

I have also uploaded the associated file iehelpmod.dll on virustotal and no definitions have been created for this trojan yet:

File iehelpmod.dll received on 2009.09.06 10:43:15 (UTC)
Antivirus	Version	Last Update	Result
a-squared	4.5.0.24	2009.09.06	-
AhnLab-V3	5.0.0.2	2009.09.05	-
AntiVir	7.9.1.8	2009.09.04	-
Antiy-AVL	2.0.3.7	2009.09.04	-
Authentium	5.1.2.4	2009.09.05	-
Avast	4.8.1351.0	2009.09.05	-
AVG	8.5.0.409	2009.09.06	-
BitDefender	7.2	2009.09.06	-
CAT-QuickHeal	10.00	2009.09.05	-
ClamAV	0.94.1	2009.09.06	-
Comodo	2204	2009.09.06	-
DrWeb	5.0.0.12182	2009.09.06	-
eSafe	7.0.17.0	2009.09.03	-
eTrust-Vet	31.6.6721	2009.09.04	-
F-Prot	4.5.1.85	2009.09.05	-
F-Secure	8.0.14470.0	2009.09.06	-
Fortinet	3.120.0.0	2009.09.06	-
GData	19	2009.09.06	-
Ikarus	T3.1.1.72.0	2009.09.06	-
Jiangmin	11.0.800	2009.09.06	-
K7AntiVirus	7.10.837	2009.09.05	-
Kaspersky	7.0.0.125	2009.09.06	-
McAfee	5732	2009.09.05	-
McAfee+Artemis	5732	2009.09.05	-
McAfee-GW-Edition	6.8.5	2009.09.06	Heuristic.LooksLike.Trojan.FakeAntivirus.I
Microsoft	1.5005	2009.09.06	-
NOD32	4399	2009.09.05	-
Norman	6.01.09	2009.09.04	-
nProtect	2009.1.8.0	2009.09.06	-
Panda	10.0.2.2	2009.09.05	-
PCTools	4.4.2.0	2009.09.04	-
Prevx	3.0	2009.09.06	-
Rising	21.45.14.00	2009.09.01	-
Sophos	4.45.0	2009.09.06	-
Sunbelt	3.2.1858.2	2009.09.05	-
Symantec	1.4.4.12	2009.09.06	-
TheHacker	6.3.4.3.396	2009.09.04	-
TrendMicro	8.950.0.1094	2009.09.05	-
VBA32	3.12.10.10	2009.09.05	-
ViRobot	2009.9.4.1919	2009.09.04	-
VirusBuster	4.6.5.0	2009.09.05	-

Additional information
File size: 335360 bytes
MD5...: 5a07fb253ebefadd26d289ccab379a99
SHA1..: 0b25e2c20b6e6b08df8f05267710f1ed9325dc32
SHA256: 73ac8c99e02c5475a55434f574d1ceee0bec2c56e126578fb466fd6f5c6b2c7c

If you ever get infected with VirusTotal, you can easily get rid of the pest by following these instructions:

1. end process to tsc.exe in taskmgr
2. close all browsers
3. make sure to view hidden files, system files and extensions within folder options
4. browse and delete the following folders:
c:\program files\common files\TSUninstall
c:\program files\TS
5. Run Hijackthis, and select 'do a system scan only', and then place a checkmark beside each of these entries:
O2 - BHO: &IE Help - {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\WINDOWS\system32\iehelpmod.dll
O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe
6. Then restart the computer

A. Elshafei

Which is the best antivirus out there?

2009-08-16T10:26:00.009+03:00

I have been asked this question almost everyday by friends, family, colleagues, businesses and a lot of people I bump to. As a security expert, I find this question is not that easy to answer. In my opinion there is no best antivirus software. Each has its own advantages and disadvantages. Also, I tend not to rely on the various antivirus ratings/comparisons performed by third-party organisations and those found on the internet. Though they do repesent accurate results depending on what testbenches they use, but they do not represent an accurate picture of the overall performance/quality of an antivirus software.

There is so much involved in evaluating an ativirus such as:
1. Detection rates (which most antivirus ratings tend to focus on). For better accuracy, detection rates should depend on the latest or existing malware out there on the internet. It would be pointless to evaluate the detection rate of an antivirus and compare it others using extinct malware samples such as apropos rootkit or even worse using vius samples from the DOS era.
2. Removal capabilities of active malware => an antivirus with a high detection rate does not necessarily mean that it is capable of removing the infection after it detects it. An antivirus would render useless if it is unable to clean or remove a virus it detects. I have seen this quite often with highly rated antiviruses.
3. False positive considerations
4. Memory and CPU resources and Scan times. People will refrain installing an antivirus if it will hog down thier systems regardless on how much you swear this is the best protection.
5. Rootkit, ADS, MBR detection+removal
6. Cleaning malware registry keys. A couple of antiviruses just remove virus files and leaves all associated registry items intact.
7. For businesses: integration with exchange, SAP, sharepoint, file servers, etc. and whatever is required to meet business needs.
8. Dealing with patched system files and file infectors.
9. How quick an antivirus responds to new threats and zero-day malware.
10. Customer experience with thier support system for either businesses or home (Not that important but worth mentioning).
11. Robustness => ideally a malware should not cripple or disable the antivirus or tamper with any of its files.

As a result, you will find the results from one antivirus ratings to another varies at a huge proportions. The top 10 in one rating could be among the last 10 in another rating. For example, NOD32 is rated 3rd best antivirus according to av-comparatives.org. But according, to mtc.sri.com, NOD32 was ranked last from among 30 antiviruses. In AV-test it is ranked 15th.
In my opinnion, OITC ratings provides a better picture among all antivirus ratings. But yet I do not depend on its results to tell which is the best antivirus since it does not evaluate the other criteria I mentioned above such as removal capabilities.

Anyhow, for those who still greatly beleive in the various antivirus ratings and depend on them on making thier business decisions, I have combined the ratings from the following trusted third-party comparison results:
1. http://mtc.sri.com/live_data/av_rankings/
2. http://winnow.oitc.com/AntiVirusPerformance.html
3. http://virusinfo.info/index.php?page=testseng
4. http://www.av-comparatives.org/comparativesreviews/main-tests
5. http://www.av-test.org/

The comparions were combined by averaging the rating from each site and then sorting the averages in an ascending order. Each ratings were given equal weights. Antiviruses that appeared only in a single rating were excluded. The results of averaging those 5 rankings are as follows:

1	Antivir
2	Ikarus, F-secure
3	Kaspersky
4	trustport
5	escan
6	Microsoft
7	Gdata
8	Bitdefender
9	Avg
10	Sophos
11	Secureweb
12	symantec
13	esafe
14	nod32
15	Avast
16	Norman
17	prevx
18	mcafee
19	panda
20	F-prot
21	Authentuim, VBA32
22	CAT
23	Trendmicro
24	DrWeb
25	k-7 computing
26	fortinet
27	ClamAV
28	Ahnlab, Rising, Hacksoft
29	etrust
30	sunbelt
31	Virusbuster

Again, I would not take these results as granted. Based on the results of the 5 ranking, Antivir is ranked first. Although Antivir has an impressive detection rates but it had a very bad shortcomming. It wasnt capable of cleaning infected system and legitimate files (file infectors such as Sality). Instead it gave an option of either quarantine or delete the infected system and legtimate files. If you choose either option, your system would be unbootable. Dr. Web on the other hand, is the best antivirus vendor to clean the infected files safely. Dr.Web is the only vendor I would recommend when dealing with file infectors. But yet Dr.Web has its own shortcommings.

In conclusion, if you are a home user, go for a free antivirus such as AVG and Avira. If you are a corporation, what to select should depend mainly on your business needs. However, I would stay away from any of the security products mentioned here.

The Best Freeware Tools to Detect and Remove the Conficker/Downadup/Kido worm

2009-07-28T13:34:00.002+03:00

In my previous post I have talked about how to manually clean and remove the downadup worm. I wrote that article back in March, 2009 when new variants of downadup started to appear in which antivirus venders haven't yet developed definitions for. However, since mid-April I havent personally encountered any new or unique variants of downadup. I started to do a quick evaluation of almost all the conflicker removal tools listed here:
http://isc.sans.org/diary.html?storyid=5860
The tests were made on infected live machines and networks. The results I have found are:

The best downadup detection tool:

Mcafee Conficker Detection Tool: http://www.mcafee.com/us/enterprise/confickertest.html
This program ROCKS! The only two products from Mcafee that I would recommend every enterprise to have: Secureweb and Mcafee Conficker Detection Tool.
The detection tool requires no installation, very easy to use and extremely fast. I have been using this tool since April after Mcafee fixed a bug in it. Every business that I have recommended the tool to them have highly praised it and love it so much.

The best downadup removal tool:

I have found that the kaspersky Kido Killer is the best so far. It requires no installation and no reboot for removal. It is very fast and effective. It has worked with different variants that I have come across offline. Sadly, when I tested the Bitdefender Conflicker removal tool (which I thought was good) on some machines, it did not succesfully remove one of the variants although it did detect it.

KK.exe has some neat command line that not only removes the infection, it can also restore the windows services that were disabled (does not restore windefender and security center though), restores the display of hidden system files, disables autorun, restore safeboot keys and many more.

I commonly use the following command line:
kk.exe -j -a -x -l report.txt

Windefender and the windows Security center can then be restored by the following command lines:
sc config wscsvc start= auto
sc config winDefend start= auto
sc start wscsvc
sc start WinDefend

The worst tool I came across was Symantec Downadup removal tool. It took over 6 hours scanning and since I am impatient I gave up and had to abort it. I could not tell if it actually does detect or remove the worm.

How to Manually Remove the Downadup/Conficker/Kido Worm

2009-07-18T08:18:00.003+03:00

1. The quickest way to know if a Win 2k, 2k3, XP, Vista or 2k8 machine is infected regardless of the conflicker variant (even if it was a user-mode rookit - such rootikit only hides the dll file and its service key) , is by running this command-line:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
I use a batch file to do this. Based on the results, you can then detemine the randomly generated name of the windows service of the infection. e.g. abcde. It is usually found at the end of the list. If there is no randomly named service listed then most likely conficker is not there.

Another quick way to determine if conficker exist, is by running gmer. The results of the quick scan that gmer runs when starting would show that C:\windows\system32\svchost.exe is hidden and highlighted in red. But at the end, you will need to know the service name associated with conficker by going through the netsvcs list.

2. End process of the svchost.exe associated with netsvc, by using tasklist /svc and taskkill pid

3. Browse to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\abcde
You may not view the contents of the key since the permissions were removed by the infection.
right-click the abcde key > permission > add > everyone > select full control > ok > F5 to refresh > go to the parameters key and take not the path of the dll
e.g. c:\windows\system32\wxyz.dll

4. Use fixpolicies.exe to reset policies that were added by the worm, such as disabling viewing system files.

5. Look for the dll file located at C:\windows\system32\
right-click the dll file > properties > uncheck read-only > ok > then delete the file. If the file cannot be deleted try stopping the service first.
In case you cannot find the file, you will need to use gmer and browse for the file from the files tab. Then use the delete button on the right.

6. Use the following command-line to delete the service:
sc delete abcde

7. Reboot the computer

8. You can create a batch file to restore the following windows services:

sc config wscsvc start= auto
sc config winDefend start= auto
sc config wuauserv start= auto
sc config BITS start= auto
sc config ERSvc start= auto
sc config WerSvc start= auto
sc start wscsvc
sc start WinDefend
sc start wuauserv
sc start BITS
sc start ERSvc
sc start WerSvc

9. Finally, make sure the machines has the latest recommended updates from microsoft:
http://windowsupdate.microsoft.com
The most important is that kb958644 is installed.

A. Elshafei

Detecting and Removing Rootkits in a Nutshell

2009-07-11T16:56:00.002+03:00

** FOR HJT HELPERS

Categorizing the rootkit detection and removal method is solely based on my personal opinion. I will appreciate any feedback or reports of inaccuracies, fallacies, found in this article:

abuibrahim0 AT gmail DOT com

Important Guidelines Before Removing a Rootkit if a rootkit is found on a machine:

1. Backup all important data, emails, documents, etc.

Þ this is just for safety measures. Removing a rootkit can cause system instability and a antirootkit software may sometimes remove a system file along with the rootkit. This step is particular important when using automatic tools for rooktit detections and removal.

2. Disconnect from the internet

3. Close down All Scheduling/Updating + Running Background tasks etc.

4. Disable real-time monitoring programs

5. When scanning for a rootkit, do not use the computer at all

6. Use 2 or more rootkit scanners

Þ Never rely on the results of one anti-rootkit software. Rootkits uses different technologies for hiding and no single anti-rootkit can find all rookit techniques.

Methods of Detecting and Removing Rootkits:

1. Automatic Detection and Removal

2. Semi-automatic Detection and Removal

3. Manual Detection and Removal

4. Advanced Detection and Removal

1) Automatic Detection and Removal:

Tools that automates the process of detecting a rootkit and removes them. Minimal skills are required to uses these tools.

Examples:

1. F-secure online scan: http://support.f-secure.com/enu/home/ols.shtml

2. AVG antirootkit

3. Trend-micro Rootkit Buster

4. Panda Antirootkit

5. Avira Antirootkit

6. Mcafee Rootkit Detective

7. Sophos Antirootkit

Disadvantage of using these Automated tools:

1. Highly unstable software. Have used it once at the rootkit revelations forum and it destroyed windows beyond repair

2. Highly unpredicatable -> they sometimes report that they remove a rootkit and they actually did nothing

3. Highly unreliable -> cannot find rootkits that use newer techniques.

The automatic tools are good though if you are removing the most popular or classic rootkits such as pe386.

2) Semi-automatic Detection and Removal:

- For more experienced users

- You will need to distinguish rootkits from false positives

- Such tools will highlight entries that are predicted to be rootkits. For example Icesword and GMER will highlight services and processes that are rootkits. RKunhooker will tag what are hidden.

Examples:

1. GMER

2. Icesword

3. Rootkit Unhooker

4. Darkspy

5. SVV

6. VICE

7. RootRepeal

Detection and Removal are split into two ways:

1. Rookits that use drivers (more common):

- Two important indicators are: hidden service, and rootkit files.

Rootkit files can be found at processes list (ex. Icesword), SSDT list (ex Icesword), rootkit file scan (ex. GMER), rootkit file browsing (ex. Darkspy) or from the service image path in the registry.

- Rootkit Removal steps:

Step1: Stop or Disable Service

Step2: End executable process(s)

Step3: Delete service and related files

2. Rootkits that use inline hooking or DLL hooking such as Vanquish (less common):

- One important indicator: presence of a dll file

The dll file can be found by two ways: "Code Hook" scan using RKunhooker (recommended), the other way is doing a full file scan using GMER or any other anti-rootkit tool

Note: GMER and Icesword do not automatically find these kind of rookits. Only when a full file scan is performed or rootkit file browsing, some hidden files may appear.

Also

- Removal steps:

Step1: perform "Code Hook" scan using RKunhooker

Step2: highlight all entries related to culprit dll file and click 'unhook selected'

Step3: End executable related process(s) if applicable (ex. vanquish.exe)

Step4: Delete dll and related files

3) Manual Detection and Removal:

¨ Manual Detection Tools:

1. RootkitRevealer

2. Rootkit Hook Analyzer

3. Sysprot

For how to know if there is a rootkit present in the rootkitrevealer results:

http://abuibrahim12.blogspot.com/2009/07/does-my-rootkitrevealer-log-show.html

To know how to intepret rootkitrevealer logs:

http://forum.sysinternals.com/forum_posts.asp?TID=2408&PN=1

¨ Manual Removal Methods:

1. Manually deleting files in safe mode

» given that the rootkit does not use SafeBoot keys to be hidden in safe mode as well

2. DOS commands

» may or may not work. HackerDefender can be completely deactivated and cleaned up using this method

such as:

Sc stop RKservice

Sc delete RKservice

Net stop RKservice

REG DELETE RKregpath

3. Manual Removal Tools

Example:

- Delete on reboot using killbox

- Avenger

- Combofix

In combofix the rootkit:: directive is not always needed. I found that file::, driver:: and killall:: are enough with most rootkits I have encountered.

4) Advanced Detection and Removal:

1. Slaving hard-drive to another computer and perform a normal anti-virus scan

2. Using a Bootable CD-ROM such as BartPE and UBCD4Win

3. Offline file comparisons: http://abuibrahim12.blogspot.com/2009/07/detecting-rootkits-in-windows.html

MBR Rootkits:

- Detection: see http://www2.gmer.net/mbr/

as you can observe the presence of the phrase: "\Device\Harddisk0\DR0" any where in a GMER log is an indication of an MBR rootkit regardless of its variant. However, you may need to verify first that changes done to MBR is not perfomed by a legitimate application such as acronis.

- Removal:

1. Windows Recovery Console:

Windows XP/2k: fixmbr

Windows Vista: bootrec.exe /fixmbr

2. Stealth MBR rootkit detector 0.2.2 by Gmer:

http://www2.gmer.net/mbr/mbr.exe

3. ESET Mebroot Remover:

http://www.eset.cz/download/emebremover

Guidelines Before Responding to Hijackthis Logs

2009-07-07T13:35:00.002+03:00

** FOR HJT HELPERS ONLY **

When replying to a hijackthis log either it is a practice log or a live log, you will need to do the following actions in order:

1. The first thing is to make sure that hjt log posted is not an attachment. Do not open the log attachment. Ask the OP to copy and paste the logfile into a new post. A lot of forums have policies that the OP's should post the contents of the log file and not attach files unless requested to do so.

2. If the user posted an unreadable log or one with spaces in between the entries, have them rescan with HijackThis and when notepad opens, go to "Format" and uncheck "Word Wrap." Otherwise this will waist a lot of time for helpers to read the logfile.

3. Make sure:

- that hijackthis program used is the latest version

- the log file is not cut-off (incomplete log)

- hijackthis is not running from a temporary folder

- the date stamp of the log file is not more than a week old. You can ask the OP to post an updated logfile

- the OP is authorized to remove files from the company PC

- the OP is not being helped at another forum for the same log

4. Do not assist the OP at all if p2p programs are found within the log or mentioned anywhere by the OP. Request the OP to remove all the P2P programs before proceeding with the cleanup or advising any further instructions.

5. If there is any hints from the OP posts/log, or doubt that the OP may not be using a legitimate windows copy, then ask the OP to download and run the MGA diagnostics tool from microsoft to verify that the windows copy is valid. The tool can be downloaded from here:

http://download.microsoft.com/download/7/B/1/7B1C3ADA-723B-4CC8-8949-7250397FA9CD/MGADiag.exe

If the windows copy is not legitimate, the thread should be locked immediately. The thread will also be locked if the OP has any cracks or warez to any other commercial software.

Hints of non-legitimate copies could be: wgatray.exe process is running. or If the OP has a very old service pack, like XP no-SP, XP SP1, Vista no-SP, Win 2k SP3. However, XP SP3 is relatively new so an OP with XP SP2 only should not raise an alarm.

6. If two or more antivirus programs are found, then ask the OP to uninstall one of them. Two antivirus programs are enough to make the computer unusable. So ask the OP to do so before or within the same post when providing malware removal instructions.

7. If the OP is infected with a malware, then It is a good practice to double-check if the malware is a backdoor+password stealer. In this case you will have to inform the OP about the compromise and to change passwords, contact banks, etc.

For more information about this, please see:

http://spywarehammer.com/simplemachinesforum/index.php?topic=3251.msg8988;boardseen#new

8. If there is no firewall or anti-virus and the OP does not have a serious infection. Then ask the OP to download, install, update and scan the computer before posting any removal instructions. However, if the OP has by definition a worm, a virus, backdoor, malicious keylogger, botnets, or an unknown malware that uses a service, then it is better to install the anti-virus after removing the malware. Viruses in particular are known to either disrupt, infect or delete anti-virus software especially if they aren't installed yet.

9. If the OP has any of the protection programs listed here, then ask the OP to temporarily disable the real time protection tools when providing instructions for malware removal. Once the malware is removed, remember to re-enable the protections tools. An exception to this is when the malware removal procedure is done in safe mode.

10. Once all of the above is cleared, then you can post removal instructions in any form that is applicable, using online scans, manually deleting files, hijackthis fixes, combofix, etc.

Cleaning Up Malware... Manually!

2009-07-06T12:59:00.003+03:00

** FOR HJT TRAINEES AND BEGINNERS **

After identifying the malware files either through an anti-malware scan or through helper tools, the next thing that comes to action is cleaning them from the system.

Manual cleanup is divided into the following:

1. Adware, PUP, foistware and bloatware: use add/remove programs if applicable. To check whether the unwanted program can be uninstalled, please see:

http://www.bleepingcomputer.com/uninstall/

2. File/Folder deletion: In safe mode, simply browse to the suspected files and then delete them. Make sure that the file extensions, hidden and system files are shown before locating the files. Stubborn files may require tools such as Killbox, File Assassin, Unlocker, etc.

3. ADS: A third-party tool is needed. You can use Hijackthis ADS removal or LADS software. Make sure that the ADS process is not active before removal. To learn about Alternate Data Streams see this: http://www.bleepingcomputer.com/tutorials/tutorial25.html

4. Ending Processes: I am not fond of ending processes manually. The only time it is needed is when dealing with rootkits. Task manager always fails so a third-party tool is needed. You can use killbox, hijackthis mult-process killing, icesword, etc.. Hopefully, in safe mode you will not need to end processes. However, if in safe mode a process is active, it is then best to use combofix and other semi-automated tools while in normal mode.

5. Win Services: To remove a service, you will need to stop it first. Three ways to stop a service without any additional tool:

a) using services.msc (not recommended since malware may not be listed there)

b) using sc stop dos command in windows XP/Vista.

c) using net stop dos command in windows 2K/XP/Vista

Please note that a windows service key name is different than its "display name" and description. HJT helpers should be able to identify the service key names from the display names in hjt logs.

To delete a service, the two easiest ways:

a) using sc delete dos command in windows XP/Vista.

b) using hijackthis delete an NT service option at the misc. tools section.

NOTE: There are some malware services that cannot be stopped manually. Only in this case, try deleting the service first and then reboot.

6. Registry keys and entries: There are three different ways of deleting or changing an arbitrary (can be located anywhere) registry item without the aid of a third-party tool.

a) Using a gui interface through regedit

b) Using the command-line reg.exe such as reg delete or reg add

c) Using scripts via .reg files

More information:

http://www.bleepingcomputer.com/tutorials/tutorial44.html

http://www.bleepingcomputer.com/tutorials/tutorial74.html

7. LSP entries: a third-party tool is needed such as LSPfix

http://www.bleepingcomputer.com/tutorials/tutorial59.html

8. Infected host file: you can use mvp hosts to simply replace the bad host file with a much better one. see: http://www.mvps.org/winhelp2002/hosts.htm

9. DLLs: if a dll file does not depend on the rundll32.exe, then it is preferred that they be unregistered before deletion. To unregister a dll, you can use the dos command:

regsvr32 /u

10. R3 entries that cannot be removed by hijackthis: use Registrar Lite to delete the key

11. Registry with embedded nulls: You will need to use tools such as regdelnull and SWreg. For more information about embedded nulls, please see:

http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx

12. Infected System Restore files: Based on an old Microsoft KB article, it is best to turn off system restore. This

will clear up all restore files including the infected ones. Once the entire system is clear from malware by a thorough anti-virus scan, you can then turn on system restore and create a restore point.

http://spywarehammer.com/simplemachinesforum/index.php?topic=202.0

13. Policies that have been added by Malware: download and run fixpolicies.exe from here:

http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

14. Rootkits and MBR infections: please read Detecting and Removing Rootkits in a Nutshell

A. Elshafei

How to Import Your Messages from .OST Files

2009-07-05T11:49:00.001+03:00

The common technique to import messages from .ost files is by first using outlook to export your messages to a .pst file. Then you can import the .pst files directly using the import and export wizard. However, what would happen if you cannot export your ost mail to pst or never had a chance to do so. This is exactly what happened to one of my colleagues at work. His OS died all of a sudden fail due to unknown causes. Safe mode, System restore, cd windows repair and repair install all didn't work.

Anyhow all his files were extracted from the hard-disk including his emails for a clean install. The outlook emails were in the form of pst and ost files. However, the ost file had all of his recent emails. According to an outlook MVP, you cannot import an ost file. Others would recommend that you use a commercial tool to convert the ost file to a pst file. I developed my own technique which is far more simpler to import ost messages. It has worked like a charm for my colleague, so you will need to follow these instructions carefully:

First, if you already have set your exchange settings on MS Outlook and had already synchronized with the exchange server, then you will need to export all your current messages to a pst file. Save this pst file in a safe location to be used afterwards.
If you haven't setup your exchange settings yet, then you will need to do so. Try not to synchronize with the server yet. But incase you do need to synchronize with the server, then you will need to export any new messages that you received during synchronization to pst file so you will not lose them.
NOTE: your current exchange settings should be exactly the same as the exchange settings you had for .ost file that you want to import.

Second, go to tools => account settings => data files => under file name, look for the outlook.ost file and take note of its full path.

Third, close outlook and then browse to the folder where the current ost file is located. Copy and paste this ost file in a safe place as a backup in case something goes wrong. Place the ost file that you would like to backup into the same folder (the ost file that you would like to import should replace the current ost). Make sure the name of the ost file is outlook.ost

Fourth, open outlook and start synchronizing. If successfully, you should be able to restore your emails from the ost files. As for the messages that you already had in your outlook, they can be restored by using the import and export wizard to import the pst file you created and saved earlier.

A. Elshafei

Does my RootkitRevealer log show a Rootkit?

2009-07-04T13:59:00.001+03:00

Well there isn't much more to add on how to determine rootkits using rootkitrevealer. The authors of rootkitrevealer provide an excellent tutorial on how to use the tool: http://www.sysinternals.com/Utilities/RootkitRevealer.html

But to keep things simple and succinct, here is a good tip on how to detect a rootkit regardless on how many discrepancies and unconfirmed false positives were found:

Most rootkits register themselves as services in the windows registry. Therefore a rootkit exists if rootkitreveler finds one or more of the following entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\xxxx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\xxxxx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xxxx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\xxxxx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xxxx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\xxxx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xxxx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\xxxx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxxx

where xxxx is an arbitrary service name given by the rootkit. So to make this clear, if you find any one of these entries in the rootkitrevealer results, then you have a rootkit. If you have none of these entries in your log then most likely you dont have a rootkit.