Topic: Can someone comment on this IAT hook detection, false positive?


November 16, 2015, 03:28:59 pm

JukkaG

  • Newbie

Can someone comment on this IAT hook detection, false positive?
« on: November 16, 2015, 03:28:59 pm »
So, first off, that F-Secure-related Zeus detection is false and happens with all computers that have F-Secure; you should whitelist it.

But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)

However Roguekiller is the only program that detects anything, full scans by TDDSkiller, aswMBR, Kaspersky Virus Removal Tool, HitmanPro, ESET Online Scanner, Malwarebytes Anti-Malware and F-Secure have found nothing. I know that it's most likely just a false positive too just because of that, but could someone with more knowledge tell me if that one looks suspicious?

Reply #1, November 16, 2015, 06:56:37 pm

Curson

  • Global Moderator
  • Hero Member

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #1 on: November 16, 2015, 06:56:37 pm »
Hi Jukka,

Quote from: Jukka
So, first off, that F-Secure-related Zeus detection is false and happens with all computers that have F-Secure; you should whitelist it.
Thanks for reporting it. This will be fixed in RogueKiller next release.

Quote from: Jukka
But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)
Do you use any anti-exploit software on your computer?

Regards.

Reply #2, November 16, 2015, 07:25:26 pm

JukkaG

  • Newbie

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #2 on: November 16, 2015, 07:25:26 pm »
Quote from: Curson
Quote from: Jukka
But that isn't what I'm worrying about, I'm worried about that IAT hook that was detected:
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)
Do you use any anti-exploit software on your computer?

Mm, I don't think so; I can't remember installing any anti-exploit software on this machine. Unless F-Secure or Malwarebytes Anti-Malware does something like that, but I find it unlikely. Does that mean that it has come from malicious sources, or is there any way to get more information about that?

Also noting that I don't have any visible symptoms of infection or anything, I'm just doing regular scans to be sure.
« Last Edit: November 16, 2015, 07:30:22 pm by JukkaG »

Reply #3, November 17, 2015, 06:37:16 pm

Curson

  • Global Moderator
  • Hero Member

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #3 on: November 17, 2015, 06:37:16 pm »
Hi Jukka,

The hook is mostly related to your antivirus.
However, we are going to verify it.

Please follow the following process.
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named explorer.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Regards.
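As an added example (not RogueKiller's code and not part of this thread), here is the triage step the dump request above serves: parse a hook line like the one quoted in this thread into its fields, then resolve the jmp target against the list of modules loaded in the process, which is what a full dump or Process Explorer provides. The second log line, the module ranges and the vendor DLL name are constructed, and `Module`, `parse_hook_line` and `triage` are hypothetical names.

```python
import re
from dataclasses import dataclass

# Constructed samples: the thread's hook line plus an invented second line whose jmp target lands in a fictional vendor module.
SAMPLE_LINES = [
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0xffffffff8000bb88)",
    "[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateUserProcess : Unknown @ 0x7ffb99622018 (jmp 0x7ffb90001234)",
]
HOOK_RE = re.compile(
    r"\[(?P<kind>[^\]]+)\]\s+\((?P<process>\S+)\s+@\s+(?P<iat_module>[^)]+)\)\s+"
    r"(?P<export_module>[^!\s]+)!(?P<function>\S+)\s+:\s+(?P<owner>\S+)\s+@\s+"
    r"(?P<slot>0x[0-9a-f]+)\s+\(jmp\s+(?P<target>0x[0-9a-f]+)\)", re.IGNORECASE)
USER_SPACE_LIMIT = 0x00007FFFFFFFFFFF  # highest user-mode address on x64 Windows

@dataclass
class Module:       # one loaded module, as a full dump or Process Explorer lists it
    name: str
    base: int
    size: int
    signer: str     # Authenticode signer name, "" if unsigned

# Constructed module map for explorer.exe; the vendor DLL and all ranges are invented.
SAMPLE_MODULES = [
    Module("KERNELBASE.dll", 0x7ffb99500000, 0x2a0000, "Microsoft Windows"),
    Module("vendor_hook_sample.dll", 0x7ffb90000000, 0x80000, "Example AV Vendor"),
]

def parse_hook_line(line):
    """Split a RogueKiller IAT/EAT hook line into its fields; ValueError if not one."""
    m = HOOK_RE.search(line)
    if not m:
        raise ValueError("not a RogueKiller hook line: " + line)
    d = m.groupdict()
    d["slot"], d["target"] = int(d["slot"], 16), int(d["target"], 16)
    return d

def owning_module(addr, modules):
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def triage(line, modules):
    """Attribute the jmp target of a hook line, or say why it cannot be resolved."""
    h = parse_hook_line(line)
    if h["target"] > USER_SPACE_LIMIT:
        return "unresolvable: target outside user-mode range, collect a full dump"
    mod = owning_module(h["target"], modules)
    if mod is None:
        return "unresolved: target in no loaded module, collect a full dump"
    if not mod.signer:
        return f"suspicious: hook lands in unsigned {mod.name}"
    return f"attributed: {h['function']} hooked by {mod.name} ({mod.signer})"
```

For the thread's own line the target lies above the x64 user-mode limit, so no user-mode module list can attribute it and the right answer is exactly what the reply above asks for: a full dump.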

Reply #4, November 17, 2015, 09:09:54 pm

JukkaG

  • Newbie

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #4 on: November 17, 2015, 09:09:54 pm »
Quote from: Curson
Hi Jukka,

The hook is mostly related to your antivirus.
However, we are going to verify it.

Please follow the following process.
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named explorer.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Regards.

Hi, I posted the dump to you. Actually, I posted it multiple times like an idiot, because I thought that it was supposed to give me a confirmation about the completed upload and I thought that it didn't work at first, but then I realized that it just doesn't give a confirmation. So don't wonder if you have received that file something like 5 times...

Also, I found a possible explanation for the anti-exploit-like behavior: I just remembered F-Secure has a so-called DeepGuard module that interjects processes and monitors them if it can't verify them as safe through the cloud. It sort of sounds like a thing that would create a hook like that.
« Last Edit: November 17, 2015, 09:11:33 pm by JukkaG »

Reply #5, November 18, 2015, 01:35:27 pm

Curson

  • Global Moderator
  • Hero Member

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #5 on: November 18, 2015, 01:35:27 pm »
Hi Jukka,

Quote from: Jukka
Hi, I posted the dump to you. Actually, I posted it multiple times like an idiot, because I thought that it was supposed to give me a confirmation about the completed upload and I thought that it didn't work at first, but then I realized that it just doesn't give a confirmation. So don't wonder if you have received that file something like 5 times...
In fact, I haven't received anything.
Could you please host the dump on Dropbox/OneDrive and share the link here?

Quote from: Jukka
Also, I found a possible explanation for the anti-exploit-like behavior: I just remembered F-Secure has a so-called DeepGuard module that interjects processes and monitors them if it can't verify them as safe through the cloud. It sort of sounds like a thing that would create a hook like that.
That's highly possible.

Regards.

Reply #6, November 18, 2015, 03:30:09 pm

JukkaG

  • Newbie

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #6 on: November 18, 2015, 03:30:09 pm »
Quote from: Curson
In fact, I haven't received anything.
Could you please host the dump on Dropbox/OneDrive and share the link here?

Here it is: https://dl.dropboxusercontent.com/u/17953443/explorer.zip

Reply #7, November 19, 2015, 01:48:28 pm

Curson

  • Global Moderator
  • Hero Member

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #7 on: November 19, 2015, 01:48:28 pm »
Hi Jukka,

Thanks.
We will analyze the dump as soon as possible.

EDIT: The hook was confirmed to belong to F-Secure.

Regards.
« Last Edit: November 19, 2015, 08:27:28 pm by Curson »

Reply #8, November 19, 2015, 09:38:16 pm

JukkaG

  • Newbie

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #8 on: November 19, 2015, 09:38:16 pm »
A million thanks to you; now I can keep on using my computer without paranoia ;D

And at least you can now eliminate some false positives, so that nobody else has to get spooked by the same thingy again!

Reply #9, November 20, 2015, 12:39:36 am

Curson

  • Global Moderator
  • Hero Member

Re: Can someone comment on this IAT hook detection, false positive?
« Reply #9 on: November 20, 2015, 12:39:36 am »
Hi Jukka,

Quote from: Jukka
A million thanks to you; now I can keep on using my computer without paranoia ;D
You are very welcome. :)

Quote from: Jukka
And at least you can now eliminate some false positives, so that nobody else has to get spooked by the same thingy again!
Indeed. It should be fixed in the next RogueKiller release.

Regards.