Rootkits for Testing

Posted: Tue Jan 11, 2011 3:09 pm
by a_d_13
Hello,

Here is a set of old rootkits that was used to test RootRepeal. It contains the following rootkit droppers:
  • Dr.allinone(TR.inject): All-In-One Rootkit (a.k.a. Trojan.Inject.104). See here.
  • Dr.Cutwail bulknet runtime2
  • Dr.Haxdoor(ntio256 series)
  • Dr.Haxdoor.sm
  • Dr.MBR I_mat25
  • Dr.MBR_RkII_se
  • Dr.MBR_RKIIII.v2rxu6
  • Dr.Nulprot-Saturn
  • Dr.Rustock B huy32
  • DR.Rustock lzx32
  • Dr.Rustock xpdx
  • Dr.Rustock.PE386
  • Dr.Srizbi
Also attached is a package of old TDSS droppers - the gxvxcserv, kbiwkm, msliksurserv, msqp, seneka and ytasfw variants.

Some other rootkits that can be used for testing:
  • TDL3 - Downloads available here.
  • TDL4 - Downloads available here.
If you know of any other rootkits that can be used for testing, please post them here.

Thanks,
--AD

EDIT: The set of old rootkits is courtesy of fatdcuk :)

Re: Rootkits for Testing

Posted: Thu Jan 27, 2011 6:29 pm
by EP_X0FF
I think it is a good idea to share some rare rootkit samples.

Here are a few rootkits I found in my collection a few days ago while searching for a specific one.

BlackEnergy 2+
BlackEnergy 2
ZeroAccess
pre ZeroAccess (Max++ Win32k Router)
TDL2
Ascesso
ObOpenObjectByName hooker
Triplex
MaxSS (TDL3 mod)
Bootkit V2 (Sinowal/Maosboot)
Srizbi
runtime

pass: malware

Some of them need manual setup to work.

Re: Rootkits for Testing

Posted: Fri Jun 10, 2011 4:28 pm
by EP_X0FF
While looking for some museum exhibits today, I found some old Rustock droppers from several versions/version branches, as well as some other rootkits, including the first ITW rootkit defeated by RkU in 2006.