ARB Windows Rootkit


ARB

ARB is a rootkit based on System Service Descriptor Table (SSDT) hooking and IRP_MJ hooking. SSDT hooking is considered a first-generation hooking technique; even so, ARB is developed in a modular way so that newer stealth techniques can be swapped in.

ARB Components:

  • arb.exe - User-level application (Command and Control)
    • Loads device driver. Includes writing registry settings for proper driver loading.
    • Implements sending IOCTL commands to the driver for real-time control of device driver.
    • Provides remove functionality that deletes the registry settings and unloads the driver.
  • msfsdav.sys - Device Driver (Implementation of stealth techniques)
    • Handles IOCTL communication from user-level ARB application and writes the commands to the registry for rootkit persistence.
    • Uses SSDT hooking to hide processes and files/directories.
    • Uses IRP_MJ hooking to hide network connections.

Features:

  • Persistence - ARB survives reboots because the driver is marked as auto-start and reads its command settings from the registry on initial load.
  • Real-time Command and Control - The command and control code (IOCTL) and thread-safe synchronization code allow the rootkit to be updated with new commands without unloading and reloading the driver.

Tested Operating Systems: Windows 2000 Pro & Server, XP Home & Pro, 2003 Server

Current Command Set

Command   Arguments      Description
proc      process_name   Hides the process that matches process_name.
fs        file_name      Hides files and directories that match file_name.
net       #port          Hides TCP network connections that match #port. This includes both incoming and outgoing network connections.
remove    (none)         Unloads the driver and removes the registry settings (unhides everything).
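
Because ARB's SSDT and IRP_MJ hooks hide objects by filtering the results returned to callers, a defender can detect them with a cross-view diff: enumerate processes, files and connections once through the normal (hookable) API and once through a path the hook does not cover (a raw kernel-memory walk, an offline read of the disk, or a listing of the same machine taken from a clean boot), then flag anything present only in the lower-level view. The Python below is an added example, not ARB's code; the two listings are constructed samples and the function names are my own.

```python
"""Cross-view detection of objects hidden by an SSDT/IRP-hooking rootkit.
Added example, not ARB code. Both views are constructed samples: USER_VIEW
is what a hooked API returns (Task Manager, dir, netstat); RAW_VIEW is what
an unhooked path returns (offline disk read, raw kernel-memory walk, or a
listing of the same box taken from a clean boot)."""
import re

USER_VIEW = {  # constructed; names follow the README's own examples
    "proc": ["System", "csrss.exe", "explorer.exe"],
    "fs":   [r"C:\Windows\system32\drivers\ntfs.sys"],
    "net":  ["TCP 0.0.0.0:135 0.0.0.0:0 LISTENING"],
}
RAW_VIEW = {
    "proc": ["System", "csrss.exe", "explorer.exe", "foo_process"],
    "fs":   [r"C:\Windows\system32\drivers\ntfs.sys",
             r"C:\Windows\system32\drivers\msfsdav.sys", r"C:\foo_dir"],
    "net":  ["TCP 0.0.0.0:135 0.0.0.0:0 LISTENING",
             "TCP 10.0.0.5:1337 10.0.0.9:4444 ESTABLISHED",
             "TCP 10.0.0.5:49152 10.0.0.9:1337 ESTABLISHED"],
}
_NET_RE = re.compile(r"^(TCP|UDP)\s+\S+:(\d+)\s+\S+:(\d+)")

def normalize(kind, item):
    """Canonical key so both views compare equal: Windows names are
    case-insensitive; a socket is keyed on (proto, local, remote) port."""
    if kind == "net":
        m = _NET_RE.match(item)
        if not m:
            raise ValueError("unparseable socket line: " + item)
        return (m.group(1), int(m.group(2)), int(m.group(3)))
    return item.lower()

def cross_view_diff(user_view, raw_view):
    """Return {kind: sorted entries present only in raw_view}; each one is
    a hidden-object candidate that needs triage."""
    hidden = {}
    for kind, raw_items in raw_view.items():
        seen = {normalize(kind, i) for i in user_view.get(kind, [])}
        hidden[kind] = sorted(i for i in raw_items
                              if normalize(kind, i) not in seen)
    return hidden

def hidden_ports(diff):
    """Ports on either end of a hidden socket (ARB's -net hides both)."""
    return sorted({p for line in diff.get("net", [])
                   for p in normalize("net", line)[1:]})

if __name__ == "__main__":
    d = cross_view_diff(USER_VIEW, RAW_VIEW)
    print(d, hidden_ports(d))
```

On a live system the two views would come from tools that enumerate through different paths; the comparison logic stays the same.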

Command Line Usage

ARB accepts any of the parameters in any order on the command line. The most recent command always replaces the previous one: for example, if ARB is currently hiding foo1.exe and is run again as arb.exe -proc foo2.exe, then foo2.exe becomes the hidden process and foo1.exe is no longer hidden.

Examples:

  • arb.exe -proc foo_process -fs foo_dir -net 1337
  • arb.exe -proc -fs foo_dir -proc foo_process
  • arb.exe -net 1337

Operational Usage

Installation:

  1. Copy the device driver (msfsdav.sys) to the c:\windows\system32\drivers directory on the target. Remember that the directory is winnt on Windows 2000.
  2. Copy arb.exe anywhere on the target system. Obviously the name on the target system will be something different from arb.exe.
  3. Run arb.exe with choice of commands for the current operation.
  4. Delete arb.exe before leaving the target system and leave the device driver behind.

Removal:

  1. Go back to the target system and copy arb.exe anywhere on it. Obviously the name on the target system will be something different from arb.exe.
  2. Run arb.exe -remove
  3. Delete arb.exe before leaving the target system. You are done.

Download:

Windows Binary
MD5: d5e92ddbb0f1c9d18d1c7e5a3ccca528
