So I fell off point on this, and for that I’m sorry if I have any regular readers. I decided to kill my last Windows machine, and in the process of changing from Windows XP to a Linux system on one of my main workstations I had some unexpected situations, which ended with an rm -rf /mnt/storage/virtualmachines. Anyway, I’m in the process of rebuilding them, especially the honeynet first! I need to get it all set up again since I have to present on some stuff at work Thursday! More to come, before I venture out again!
The opportunity to secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself.
-Sun Tzu
On Windows, Sebek comes in the form of a kernel driver. By default the driver is called sebek.sys and is located in the c:\windows\system32\etc\drivers folder. Once Sebek is configured with the config utility it disappears from sight. In Linux, Sebek fails to restart on reboot. I don’t recall whether this is configurable or not in a hidden manner. Windows, on the other hand, sets Sebek up as a service which starts on reboot. This leaves (in its default configuration) a registry key HKLM\System\CurrentControlSet\Services\sebek. MC pointed this out to me. He attached the following note:
# script that will query the registry for
# a hidden service. when sebek is installed
# and you query the registry entry for it, you
# get a "Operation failed: 2". If you do a query
# for something like "sebeg", the key length is
# nil, which is true, cause it's not there.
# written really quick. MC / y0@w00t-shell.net
Take that reg key and MC’s note, and you can make a nice meterpreter script:
meterpreter > run findsebek
[*] Sebek is running
meterpreter >
//on a host not running the whitey tool.
meterpreter > run findsebek
[*] Sebek is not installed
Although this method works on default configurations, it does not work if the /n= option was used at installation. Another way to detect a default configuration is a method noted by Tan Chew Keong: using the SearchPath Windows API call, you can locate the sebek.sys file (if you know the location) regardless of its hidden state, because the lookup goes straight to the path rather than through a directory listing. Basically it’s:
#include <windows.h>
#include <stdio.h>
/* dir/name: the driver directory and file name (sebek.sys by default, or whatever /n= set) */
int sebek_present(const char *dir, const char *name)
{
    char buffer[MAX_PATH], *ptr;
    if (SearchPath(dir, name, NULL, MAX_PATH, buffer, &ptr) != 0)
    {
        printf("[+] SEBEK Detected with SearchPath(): %s\n", buffer);
        return 1;
    }
    else
    {
        printf("[-] SEBEK Not Detected with SearchPath() (error %lu).\n", GetLastError());
        return 0;
    }
}
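Both tricks above (the leftover service key, and a direct SearchPath lookup finding a file that the directory listing no longer shows) are really the same idea: compare what enumeration reports against what a direct lookup by name returns. The script below is an added example written for this write-up; it is not MC’s script, Tan Chew Keong’s code, or anything from the Sebek or Metasploit projects. It assumes the default names described above (sebek.sys and a service called sebek; pass -DriverName/-ServiceName if /n= was used), and it looks in both the driver directory named in this post and the usual %SystemRoot%\system32\drivers, the latter being an assumption added here as a second place to check. Anything the direct view finds that the enumerated view omits is flagged as Hidden.

```powershell
# findsebek.ps1 - cross-view check for a hidden Sebek Win32 client.
# Added example, not code from the original post, MC, or the Sebek project.
# Names below are the defaults the post describes; override them if the
# driver/service was renamed with /n= at install time.
param(
    [string]$DriverName  = 'sebek.sys',
    [string]$ServiceName = 'sebek',
    # Candidate driver directories: the location named in the post, plus the
    # standard Windows driver directory (assumed here as a second place to look).
    [string[]]$DriverDirs = @(
        (Join-Path $env:SystemRoot 'system32\etc\drivers'),
        (Join-Path $env:SystemRoot 'system32\drivers')
    )
)

function Test-HiddenFile {
    param([string]$Dir, [string]$Name)
    $full = Join-Path $Dir $Name
    # Enumerated view: Directory.GetFiles walks the directory with the
    # FindFirstFile/FindNextFile family, which is what a listing shows.
    $listed = $false
    if (Test-Path -LiteralPath $Dir -PathType Container) {
        $matches = @([System.IO.Directory]::GetFiles($Dir) |
                     Where-Object { [System.IO.Path]::GetFileName($_) -ieq $Name })
        $listed = $matches.Count -gt 0
    }
    # Direct view: File.Exists asks for the attributes of the full path and
    # never enumerates, the same shortcut SearchPath() takes.
    $direct = [System.IO.File]::Exists($full)
    [pscustomobject]@{
        Path       = $full
        Enumerated = $listed
        Direct     = $direct
        Hidden     = ($direct -and -not $listed)
    }
}

function Test-HiddenServiceKey {
    param([string]$Name)
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Enumerated view: subkey names of the Services key.
    $names  = @(Get-ChildItem -Path $services -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty PSChildName)
    $listed = $names -icontains $Name
    # Direct view: open the full key path. OpenSubKey returns $null when the
    # key cannot be found; other failures are captured as an error string.
    $direct = $false
    $err    = $null
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
                   "SYSTEM\CurrentControlSet\Services\$Name")
        if ($key) { $direct = $true; $key.Close() }
    } catch {
        $err = $_.Exception.Message
    }
    [pscustomobject]@{
        Key        = "HKLM\SYSTEM\CurrentControlSet\Services\$Name"
        Enumerated = $listed
        Direct     = $direct
        Error      = $err
        Hidden     = ($direct -and -not $listed)
    }
}

foreach ($dir in $DriverDirs) { Test-HiddenFile -Dir $dir -Name $DriverName }
Test-HiddenServiceKey -Name $ServiceName
```

Read the output with MC’s note in mind: a direct open of the hidden service key can itself fail (his query came back with "Operation failed: 2"), so Direct=false with an error is not proof that nothing is there, only that the direct view was refused. Hidden=true on either the file or the key is the clear signal; a refused direct lookup is a reason to look closer.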
Of course, that’s again a default configuration. I didn’t really find any cool new way to detect version 3.0.3 of Sebek on Windows, but I found an old trick that still worked. Again, Tan Chew Keong wrote a utility called KProcCheck. Although KProcCheck is not really a method of detecting Sebek, it can expose what is running in kernel space. It’s important to note that if you get to this point the target should be one you can afford to lose: I found that KProcCheck occasionally will crash the system it is run on. kproccheck -t is the switch we want, and it will report back a bunch of data. This doesn’t mean it’s Sebek; it could just be a rootkit. A full write-up on KProcCheck can be found at the link below.
More to come.
http://www.security.org.sg/vuln/sebek215.html
Know Your Enemy: Sebek
http://www.security.org.sg/code/kproccheck.html