22 January 2013

Unhide 20121229 is out!

Finally, after releasing the beta to a great response in terms of downloads and feedback, we have the final version of Unhide!

For the impatient, it can be downloaded from here

The new version brings quite a few changes compared to the previous version (20110113)

Copying and pasting the 'Changelog':


  - unhide-linux26.c was renamed to unhide-linux.c
  - unhide.c was renamed to unhide-posix.c
  - The log file of unhide-linux is renamed 'unhide-linux_YYYY-MM-DD.log'
  - The log file of unhide-tcp is named 'unhide-tcp_YYYY-MM-DD.log'
  - By default, unhide-tcp now uses /sbin/ss from the iproute2 package; to use netstat as before, the '-n' option must be given on the command line.
  - Display is more verbose and multi-line for hidden processes (unhide-linux).
  - If asked to (-l and/or -f), display is more verbose and multi-line for hidden ports (unhide-tcp).
  - The sysinfo test is no longer called as part of the compound quick and sys tests, as it may give false positives.
    It can still be run using the checksysinfo, checksysinfo2 or checksysinfo3 command line parameter.

  - Major enhancement of unhide-tcp:
    * Add capability to output a log file (unhide-tcp_YYYY-MM-DD.log)
    * Add capability to output more information (via lsof and/or fuser) on hidden ports, if available
    * Add verbose mode (disabled by default) to display warnings
    * Add a new method (via option '-s') that is very fast on systems with a huge number of open ports
    * Make a double check of port access to avoid false positives (the previous single-check version is available as unhide-tcp-simple-check.c if needed).

  - Add a quick C port of unhide.rb (unhide_rb.c) and guess what... it's 40 times faster than the original Ruby unhide.rb
    Note: unhide_rb doesn't take any options.

  - Add "-d" option for doing a double check in the brute test, which reduces false positives.
  - Add "-o" option as a synonym of "-f".
  - For found hidden processes, display the user and the working directory as extracted from the process environment. Note that this doesn't work well for kernel processes/threads or for daemons.
  - For found hidden processes, display cmdline, exe link and internal command name.

  - Add French and Spanish man pages for unhide-tcp
  - Update English man page of unhide-tcp to reflect changes
  - Minor corrections in French man page of unhide
  - Display copyright and license information in start banners.
  - Make messages from the sysinfo tests clearer.
  - Add a NEWS file :)
  - Update README.txt, LISEZ-MOI.txt and LEEME.txt to clarify the difference between unhide-posix and unhide-linux.
  - Remove the sysinfo test from the quick and sys compound tests, as it may give false positives.
    The sysinfo test can still be used via the checksysinfo[2|3] command line parameters.

  - Suppress pedantic compilation warnings (glibc >=2.3, gcc >=4.6).
  - Correct the number of processes displayed for /proc counting in the sysinfo test.
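The changelog above names the techniques (the brute test, the ss/netstat comparison in unhide-tcp, and the new double checks that cut false positives) but not how they work. The following is an added example written for this post, not Unhide's own code: a small Python reimplementation of both comparisons. A PID is "hidden" if kill(pid, 0) says it exists but neither /proc nor ps lists it; a TCP port is "hidden" if bind() fails with EADDRINUSE but `ss -ant` does not list it. The double check re-lists and re-probes each suspect before reporting it, which is what removes processes or sockets that simply disappeared between the probe and the listing. All helper names, the choice of `ss -ant` as the listing, and the port range in the main block are this example's assumptions.

```python
#!/usr/bin/env python3
"""Added example (not Unhide's code): the brute/listing comparison for PIDs and
the bind/listing comparison for TCP ports, each with a double check.
Helper names and the `ss -ant` listing are this example's own assumptions."""
import errno
import os
import socket
import subprocess


def pid_alive(pid):
    """Brute probe: kill(pid, 0) sends no signal, it only asks whether pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:       # ESRCH: no such process
        return False
    except PermissionError:          # EPERM: exists, owned by someone else
        return True
    return True


def pids_in_proc():
    """What /proc readdir() shows (a rootkit may filter this list)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_in_ps():
    """What ps shows (it reads /proc too, but through its own code path)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_items(candidates, probe, listing, double_check=True):
    """Items the kernel-side probe sees but the userland listing does not.

    probe(x)  -> True if the kernel says x is in use (kill() or bind())
    listing() -> set of items reported by the tools (ps, /proc, ss, netstat)
    With double_check, suspects are re-listed and re-probed once more, so an
    item that was simply short-lived drops out instead of being reported.
    """
    visible = listing()
    suspects = {x for x in candidates if probe(x) and x not in visible}
    if double_check and suspects:
        visible = listing()          # fresh listing, fresh probe
        suspects = {x for x in suspects if probe(x) and x not in visible}
    return suspects


def port_in_use(port, host="127.0.0.1"):
    """bind() fails with EADDRINUSE when any socket owns the port, whether or
    not userland tools list it. Ports below 1024 need root to be probed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def listening_ports_ss():
    """Local ports from `ss -ant` (all TCP states, since TIME_WAIT etc. also
    make bind() fail). Parses the 'Local Address:Port' column (field 4)."""
    out = subprocess.run(["ss", "-ant"], capture_output=True, text=True,
                         check=True).stdout
    ports = set()
    for line in out.splitlines()[1:]:            # skip header row
        fields = line.split()
        if len(fields) >= 4:
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def open_listener(host="127.0.0.1"):
    """Bind and listen on an ephemeral port: a socket to exercise the port
    probe against when the listing function is told nothing about it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    # A PID is hidden only if neither /proc nor ps shows it.
    bad_pids = hidden_items(range(1, pid_max), pid_alive,
                            lambda: pids_in_proc() | pids_in_ps())
    print("hidden PIDs:", sorted(bad_pids) or "none")
    # Assumed range: unprivileged users cannot bind ports below 1024.
    ports = range(1, 65536) if os.geteuid() == 0 else range(1024, 65536)
    bad_ports = hidden_items(ports, port_in_use, listening_ports_ss)
    print("hidden TCP ports:", sorted(bad_ports) or "none")
```

Run it as root: as an unprivileged user, a /proc mounted with hidepid=1 or 2 hides other users' PIDs from readdir() while kill(pid, 0) still returns EPERM for them, which would make every such process look hidden. Remember also that a port with bind() failing but no listener (a bound-but-not-listening socket, or a connection in TIME_WAIT that `ss` has since dropped) is exactly the kind of race the double check exists for.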

[+] Unhide home page (unhide-forensics.info)


KeepCool said...

Tested on Win7 64-bit.

It finds 1 process, sometimes yes, sometimes no, changing on each run.

Winunhide-tcp always shows me 4 hidden TCP ports, the same ones.

Sysinternals Process Explorer doesn't show the PID that winunhide reports, and its TCPView doesn't show the ports that unhide finds either.

I've set up Wireshark to monitor those ports, but there's no traffic so far.

Any advice? That is, what else can be done after unhide to diagnose further, both the process and the ports?

Neither the antivirus nor an up-to-date Malwarebytes sees anything odd.