<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: RootKit Detectors - Not all = ! in Security</title>
<link>http://www.dslreports.com/forum/r16795695</link>
<description></description>
<language>en</language>
<pubDate>Sun, 29 Nov 2009 18:11:02 EDT</pubDate>
<lastBuildDate>Sun, 29 Nov 2009 18:11:02 EDT</lastBuildDate>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16844618</link>
<description><![CDATA[<A HREF="/useremail/u/1162456"><b>fatdcuk</b></A> : Vampirefo<br><br>I don't believe that Spanner or any of the BOC fanboys (Hi John :)) believe for one moment that BOClean is the be all and end all (eg the mythical silver bullet).<br><br>Spanner uses a software firewall as well as a process firewall in the form of Winsonar. It's called a layered defence; should BOC be bypassed then the next layer steps up to the plate :)<br><br>Again, John I believe uses Acronis True Image as part of his security arrangement.<br><br>These are not unintelligent people, they all use layers of defence, tea or coffee. Fanboys will be fanboys, expect no less :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16844618</guid>
<pubDate>Tue, 05 Sep 2006 13:32:41 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16843925</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : Vampirefo<br><br>Well either it's clarified or it's not ! Doesn't seem it is, but Not in the way it appears that you're saying.<br><br>Look, you or Anybody else can NOT go round putting words into someone else's mouth, and also making False assumptions, it's just NOT on ! In fact you're lucky I'm even responding to you after All that outburst from you.<br><br>When did I Ever say that I " don't trust it ", or " am afraid to test it " or that I " have no faith in it " ? Never, that's when ! You said it, NOT me, just Remember that.<br><br>None of what you said is true whatsoever, Zero = Zilch = 0, so you can take back what you STATED. Note you did NOT ask me if those things were my belief, you told me ? WTF is that all about ?<br><br>If I didn't trust BOClean I wouldn't run live nasties on my PC as + when I have + do + constantly escape with NO harm done, err would I.<br><br>If I have time to do those things you mentioned, + if I feel like it, I might well do it. If I don't I won't, simple as ABC ! Plus if people think they can come along and almost Demand that someone tests things, they're very much mistaken.<br><br>What is your beef with BOClean anyway, that's what I and lots of others are wondering ?<br><br>I guess you must have been trying to be funny or something, asking me 2 buy BOClean 4 U, yes of course you were. I don't have to, nor will I be doing lol. You can get a 30 day $ back if not happy trial, and test away yourself if you Really wanted to !<br><br>If you want an RK or 2 to test, just holla. Looking forward to Your tests ASAP.<br><br>Spanner<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16843925</guid>
<pubDate>Tue, 05 Sep 2006 11:33:15 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16842780</link>
<description><![CDATA[<A HREF="/useremail/u/658312"><b>danny9</b></A> : Expecting Spanner to purchase BOClean for you is a little lame.<br><br>"If you don't own/run BOClean, what do you base your opinion on? It can only be guesswork, or hearsay, in my view." John2g<br><br>We all have opinions, but to state something as fact it should be tested and proven, or give sources that have.<br>I would expect that if you feel so strongly about it then you should provide your own tools to prove your point and not expect others to do it for you.<br>I'm no expert in testing as some here are, but like others here, I would be curious as to the results.<br><SMALL>--<br>To Think or not to Think: That is the real question. VoicePulse 07/29/04</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16842780</guid>
<pubDate>Tue, 05 Sep 2006 06:33:41 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16842662</link>
<description><![CDATA[<A HREF="/useremail/u/448758"><b>John2g</b></A> : If you don't own/run BOClean, what do you base your opinion on? It can only be guesswork, or hearsay, in my view.<br><SMALL>--<br>Better to remain silent and be thought a fool, than to speak and remove all doubt.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16842662</guid>
<pubDate>Tue, 05 Sep 2006 05:12:51 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16840587</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : <div class="bquote"><SMALL>said by SpannerITWks :</SMALL><br><br>oshooda<br>John2g<br><br>Yes thanx I appreciate that, and now I hope that this has indeed clarified the situation, for him and others too !<br><br>Spanner<br> </DIV>Spanner, this doesn't clarify anything for me. You have pretty much clarified it for me though.<br>You are a paid user of BOClean yet you don't trust it; you are afraid to test BOClean the way I describe. Why? Simply, you have no faith in BOClean, you are afraid the rootkits will slip through.<br><br>If you had any faith in BOClean you wouldn't even hesitate testing it. So you want me to test BOClean for you?<br><br>OK I will, under this condition: you buy me a copy of BOClean, I will test it for you; once it fails, like I know it will, I will return it to you, you send it back, they will give you a refund, you won't be out anything, and your pc will be clean.<br><br>Send me a copy of BOClean to vampirefo@yahoo.com, include any RootKits you want me to test against BOClean.<br><br>Looking forward to hearing from you.<br><SMALL>--<br>Best Regards<br>Vampirefo<br><br></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16840587</guid>
<pubDate>Mon, 04 Sep 2006 19:56:26 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16837283</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : oshooda<br><br>I did do some tests with live Rootkits as you must very well know, as you have just posted the link to them, and you also posted in that thread, several times !<br><br>The tests I did in that thread quite CLEARLY both State and Show that I chose NO to interjections by BOClean. Therefore I ALLOWED the things to happen that did ! I thought it would be very apparent that it Was a TEST to see what I was alerted to when a Real live nasty tries to execute.<br><br>I have done other tests with the same, and different nasties, but clicking YES to the prompts kills EVERYTHING.<br><br>Therefore ( Obviously ) this does NOT " confirm what Vampirefo is saying ". And it hasn't gone unnoticed by many people that he hasn't responded in This thread since last time ?<br><br>Making claims is one thing, but you have to be able to back them up with FACTS, which I and others have ! Otherwise false impressions can be given towards both people and products, and even worse, Incorrect information posted that could be Very damaging. That obviously cannot be permitted to go unchallenged or uncorrected, as in this case.<br><br>John2g<br><br>Yes thanx I appreciate that, and now I hope that this has indeed clarified the situation, for him and others too !<br><br>Spanner<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16837283</guid>
<pubDate>Mon, 04 Sep 2006 08:41:58 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16832942</link>
<description><![CDATA[<A HREF="/useremail/u/448758"><b>John2g</b></A> : I hope that I can clarify matters for you.<br><br>BOClean will:<br><br>1. prevent rootkits from installing<br>2. clean a computer that is already rooted, whether it be a user mode, or kernel mode, root kit.<br>3. use its definitions for the detection/cleaning of rootkits.<br>4. use heuristics for the detection/cleaning of rootkits that are not in the definition database. ALL rootkits have a distinguishing feature that enables easy identification.<br><br>I notice that I have responded to Spanner. This was a mistake: I was trying to clarify the position for oshooda.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16832942</guid>
<pubDate>Sun, 03 Sep 2006 12:39:04 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16832557</link>
<description><![CDATA[<A HREF="/useremail/u/1294451"><b>oshooda</b></A> : Spanner, didn't you already do those tests that confirm what Vampirefo is saying?<br><br>&raquo;<A HREF="/forum/remark,16655812">Re: Just switched Anti-virus and purchased BoClean</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16832557</guid>
<pubDate>Sun, 03 Sep 2006 11:20:05 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16832103</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : rawwhide<br><br>Sure, before is Always better, but also Installing any new App after the " event/s " that can detect + remove + clean up etc, ain't such a bad thing. This often happens when people find out they weren't protected with what they already had.<br><br>Yes agreed " You do however have to have the memory resident scanner running for the detection to occur "<br><br>And to expand further on what I mentioned earlier about BOClean - Memory scanning is extensive and thorough. It scans all, including the DLLs and files, in both active and inactive memory and monitors the kernel as well.<br><br>Yes indeed, I'd like to see Vampirefo do those tests too, but NO words back from him yet ?<br><br>Spanner<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16832103</guid>
<pubDate>Sun, 03 Sep 2006 09:09:01 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16825631</link>
<description><![CDATA[<A HREF="/useremail/u/195618"><b>rawwhide</b></A> : <div class="bquote"><SMALL>said by SpannerITWks :</SMALL><br><br>Vampirefo<br><br>" BOClean can identify some rootkits as they are installing, but not after installation. "<br><br>" Infect a pc with several rootkits, reboot the pc, then install BOClean, not a peep will BOClean make cause it won't be able to detect the rootkits. "<br><br>Why do you STATE those things ? Remember you didn't say, you Think X or X etc might not happen, but stated that they would not ! Does this mean you have Actually done ALL the things you mentioned, or ?<br><br>I haven't uninstalled BOClean to try what you said, and then reinstalled it to see. And I'm Not going to either ! You should try it, if you haven't already, as You're the one making those claims, and tell us Precisely what Malware you installed, and then Exactly what occurred after you installed BOClean.<br><br>Looking forward to your tests !<br><br>Thanx 4 your kind comments, I appreciate them !<br><br>Spanner<br> </DIV>I take the term detect (to discover the existence of) to mean something can detect nasties whether it's before or after infection. Preferably before the infection, because even some viruses are able to use some form of stealth to elude detection once installed. That's why catching the things before installation is preferred. Any program that offers detection capability before the infection should be able to claim the software is capable of detecting the nasties, regardless of whether the software can detect the nasties after the infection or not. Once an infection occurs all bets are off and we enter into a new realm.<br>edit: You do however have to have the memory resident scanner running for the detection to occur. I do not know if the AV can detect, much less clean, an rk infection once it has occurred. Maybe Vampirefo can do some testing hehe....<br><SMALL>--<br>HUH!!! <A HREF="http://www.sekurecom.com/">Sekurecom</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16825631</guid>
<pubDate>Fri, 01 Sep 2006 23:18:43 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16820404</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : Vampirefo<br><br>" BOClean can identify some rootkits as they are installing, but not after installation. "<br><br>" Infect a pc with several rootkits, reboot the pc, then install BOClean, not a peep will BOClean make cause it won't be able to detect the rootkits. "<br><br>Why do you STATE those things ? Remember you didn't say, you Think X or X etc might not happen, but stated that they would not ! Does this mean you have Actually done ALL the things you mentioned, or ?<br><br>I haven't uninstalled BOClean to try what you said, and then reinstalled it to see. And I'm Not going to either ! You should try it, if you haven't already, as You're the one making those claims, and tell us Precisely what Malware you installed, and then Exactly what occurred after you installed BOClean.<br><br>Looking forward to your tests !<br><br>Thanx 4 your kind comments, I appreciate them !<br><br>Spanner<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16820404</guid>
<pubDate>Fri, 01 Sep 2006 07:58:09 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16818231</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : SpannerITWks, you do good work, and help others when you can. I salute you for that, keep up the good work.<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16818231</guid>
<pubDate>Thu, 31 Aug 2006 21:08:59 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16818199</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : <div class="bquote"><SMALL>said by SpannerITWks :</SMALL><br><br>Vampirefo<br><br>You seem NOT to be Fully aware of BOClean's capabilities ? It doesn't Only rely on what's in its Defs, but is also on alert Memory scanning waiting for traces and devious methods of nasties being executed. When these are Detected it pounces !<br><br>Spanner<br> </DIV>Yes I know how BOClean works; the key is "being executed". As I said earlier, BOClean can identify some rootkits as they are installing, but not after installation.<br><br>To be a good detector one has to again have a dirty pc, then install BOClean. You talk about feeding some nasty to BOClean, I am talking about feeding BOClean to the nasties.<br><br>Infect a pc with several rootkits, reboot the pc, then install BOClean, not a peep will BOClean make cause it won't be able to detect the rootkits.<br><br><div class="bquote"><SMALL>said by SpannerITWks :</SMALL><br><br>Vampirefo<br><br>Well I suppose it all boils down to how " someone " defines " Detect " !<br><br>Spanner<br> </DIV>Yes this is to the point. I define detect as being able to detect without signatures; these signatures are not for detection, they are for matching. If a sample matches a signature in part or in whole a file is flagged, no detection in that process, just matching.<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16818199</guid>
<pubDate>Thu, 31 Aug 2006 21:04:59 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16818116</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : <div class="bquote"><SMALL>said by controler :</SMALL><br><br>I guess Vampire misunderstood me.<br>When I said rootkit free I did not mean a free program. I meant a security program that does not use rootkit technologies.<br><br>Does that help Vamp?<br> </DIV>Yes, I thought you meant freeware.<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16818116</guid>
<pubDate>Thu, 31 Aug 2006 20:49:58 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16817728</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : fcukdat<br><br>Hey sounds like you musta just missed out on the recent BOClean special offer - &raquo;<A HREF="/forum/remark,16738124">One Week Only!-Special Offer BOClean Software</A> - You coulda netted yourself a very good deal, as it seems quite a number of people did !<br><br>1st off, just so everyone understands, I'm not an official spokesperson for PSC, so I can't answer directly for them. I can only speak about my experiences from using BOClean, and things I've learnt here n there. Including from others' shared experiences and comments on various forums, www's etc, and also the publicly, freely available info on several pages of PSC's www.<br><br>If anyone wishes to read the info on PSC, it's there for all to see. And if they require any further info about BOClean or their many other products, then all they need to do is email them. Friendly helpful answers and info are usually very quick in returning.<br><br>Re your Q's -<br><br>1 - Yes, but not Yank like this -<br><br><A HREF="http://imageshack.us"> <IMG SRC="http://img167.imageshack.us/img167/4728/yank1kb5.png"> </A><br><br>But like this -<br><br><A HREF="http://imageshack.us"> <IMG SRC="http://img167.imageshack.us/img167/870/stop1pf4.png"> </A><br><br>2 - I'm not in a position to 100% answer that, as I'm not the developer. But I will say, as it's a hypothetical RK, " I " think it could be yes or no, depending on what was in its code etc, which obviously we can't presume !<br><br>3 - Similar to 2, but as it's a variant, then " I " would say it's more likely BOClean could interject, based on pre knowledge of past events etc, and constantly looking for dodginess etc in Memory.<br><br>Well, all AT/AV/AS etc are not the same at all actually. They don't/won't all react as quickly to All the possible entry vectors, some need to be nipped in the bud before others. And/or don't/won't all react in exactly the same fashion to whatever nasty. And furthermore, won't/don't clean up afterwards in the same ways either, which is often overlooked when comparing products.<br><br>I don't know if Vampirefo has seen my response to his post, but so far he hasn't replied ?<br><br>I think most people would agree that nothing's perfect, or ever will be. It's just that some things are better than others in all sorts of ways, and have consistently proven themselves over time, and continue to do so.<br><br>Sure, No entry is best of all, always. But a helluva lotta peeps out there need all the help they can get, as they Keep letting **** in daily, and often repeatedly too. And will continue to do so for all sorts of reasons, including stupidity !<br><br>Spanner<br><br>edit controler stuff moved to other thread - Only<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16817728</guid>
<pubDate>Thu, 31 Aug 2006 19:48:24 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16817665</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : I guess Vampire misunderstood me.<br>When I said rootkit free I did not mean a free program. I meant a security program that does not use rootkit technologies.<br><br>Does that help Vamp?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16817665</guid>
<pubDate>Thu, 31 Aug 2006 19:36:25 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16815417</link>
<description><![CDATA[<A HREF="/useremail/u/1162456"><b>fatdcuk</b></A> : Hey Spanner,<br><br>If I had a copy of BOC, I would verify this for myself, but maybe you can help bring the information to the fore (hopefully to clarify etc).<br><br>Scenario 1) (post infection) A typically hosed PC with a rootkit + infection active on it. BOClean is installed after the infection has installed. If both the rootkit & infection are in BOC's database, would it "yank 'em" or "completely miss them" ?<br><br>Scenario 2) A new breed of rootkit appears (not some hex edited variant of a known RK), as we're seeing every so often. Would BOC want to "yank 'em" if the RK is not in its database yet ?<br><br>Scenario 3) New malware variant, not some hex edited/repackaged golden oldie, not in BOC's database: would it "Yank 'em" ? or would BOC be bypassed ?<br><br>The obvious reason why I ask these 3 questions with relevance to this topic is because I strongly suspect that BOC is as good/bad as any other def based/def based+heuristic detection based anti whatevers when it comes down to rootkits, and they are ltd to what they are programmed to do.<br><br>Vampirefo has a point with his posts, but if anything the information contained in the linked (epic) topic over at the Sysinternals forum highlights how even purpose built RK detection & removal software is fundamentally flawed.<br><br>It's obvious that the anti rootkit brigade are in the same boat as the AS/AV/AT industry and are perpetually playing catch up with the malware authors. The scarier thing being that the malware authors are getting better at targeting security software for bypassing, and with reference to any security software, they become as effective as their weakest point.<br><br>With that, the best way to deal with a rootkit is not to let it install in the first place :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16815417</guid>
<pubDate>Thu, 31 Aug 2006 13:21:39 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16810849</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : Vampirefo<br><br>Well I suppose it all boils down to how " someone " defines " Detect " !<br><br>BOClean is NOT promoted by PSC as an RK detector in the same way as dedicated ARK detectors like for eg RKU or RKR etc are. But clearly, I would have thought, it Sure does detect whatever it does, just by Literal definition. And YES that does include RK's, I should know, as I very recently threw NOT 1 but 3 Real live nasty RK's @ it, all at once, and it DID detect them !!!<br><br>In order for BOClean, or any other AT/AV/AS, or for that matter ANY security software, to React to something/anything, it " Obviously " has to Detect some code which it is designed to be on alert for. This could be any kind of Malware/Exploit/Anomaly etc, or indeed a FP, but the FACT is they DO detect whatever they do. Otherwise NO Reaction to a detection would or could Ever take place !<br><br>You seem NOT to be Fully aware of BOClean's capabilities ? It doesn't Only rely on what's in its Defs, but is also on alert Memory scanning waiting for traces and devious methods of nasties being executed. When these are Detected it pounces !<br><br>Yes BOClean is anti-trojan software, but it does a Lot more than detect + kill just Trojans as well. Also a Rootkit on its own does absolutely NO harm Whatsoever !!! It's the payload, the Real nasty, that comes with it that does the Dirty deeds. These are often Trojans, but could be anything. Also ask yourself, what exactly does a Trojan Horse mean ? If something gets in by stealth, RK or otherwise, then it's a Trojan, again by definition.<br><br>Actually another very credible way of detecting RK's + Stealthy stuff, in the dedicated ARK sense, is to do analysis from outside of a suspected " dirty " system as well !<br><br>Spanner<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16810849</guid>
<pubDate>Wed, 30 Aug 2006 19:42:58 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16809505</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : <div class="bquote"><SMALL>said by controler :</SMALL><br><br>The best way to be rootkit free is never install any of the new AV etc that use it. I know of only one product that can compare with rootkit coders and that is BoClean.<br><br>Do you have any other rootkit free programs that can do as much? Other than Pg or Appdefend?<br><br>You don't hear of any of the people over on the famous Sysinternals thread ever mention BoClean. Doesn't that make you wonder?<br><br>controler<br> </DIV>Well, where do I start? Let's see: BOClean is not free, nor is it a RootKit Detector, so that's why it's not mentioned. No more than a bowl of rice or a loaf of bread is mentioned on the Sysinternals thread; they too are not rootkit detectors.<br><br>To be a real or good rootkit detector, you must install your detector on a dirty system (meaning one that has one or more rootkits on it, and preferably they would be running).<br><br>In the above case a rootkit detector, a good one that is, would detect and preferably disable the rootkits. BOClean is unable to do this. Why? Well, once again, it's not a rootkit detector.<br><br>What is BOClean? An anti-trojan software. While BOClean may help prevent some rootkits from installing, BOClean in no way should be considered a detector.<br><br>BOClean doesn't detect rootkits; again it may stop some rootkits from installing, but in no way does it detect rootkits.<br><br>BOClean will do a memory scan, and if a rootkit that is in BOClean's signatures tries to install itself BOClean will stop the rootkit from doing so, but that's all BOClean does, it doesn't detect anything really.<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16809505</guid>
<pubDate>Wed, 30 Aug 2006 16:07:53 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16806298</link>
<description><![CDATA[<A HREF="/useremail/u/1385298"><b>ohnoes112</b></A> : Simply because, as with all def based software, it only takes one thing missing from their database for the software to be bypassed (hence it needs to be part of a layered solution and not a stand alone stopper). It's not a silver bullet!<br><br>The best way to stop rootkits & payloads is not to let them install in the first place ;)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16806298</guid>
<pubDate>Wed, 30 Aug 2006 02:22:46 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16805378</link>
<description><![CDATA[<A HREF="/useremail/u/1304319"><b>Psicop</b></A> : Simply because it isn't free.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16805378</guid>
<pubDate>Tue, 29 Aug 2006 22:46:03 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16805337</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : The best way to be rootkit free is never install any of the new AV etc that use it. I know of only one product that can compare with rootkit coders and that is BoClean.<br><br>Do you have any other rootkit free programs that can do as much? Other than Pg or Appdefend?<br><br>You don't hear of any of the people over on the famous Sysinternals thread ever mention BoClean. Doesn't that make you wonder?<br><br>controler]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16805337</guid>
<pubDate>Tue, 29 Aug 2006 22:40:05 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16805190</link>
<description><![CDATA[<A HREF="/useremail/u/171340"><b>2kmaro</b></A> : <div class="bquote"><SMALL>said by phoneboy2 :</SMALL><br><br>If a Rootkit detector does not boot from its own CD it will NEVER be trustworthy. Having said that, for a basic preliminary test, I like the no nonsense raw design of sysinternals rootkit revealer. They like to try keep it simple, which is usually the best approach.<br> </DIV>MY opinion is that once you've been rootkit'd, the best thing to do is scrub and rebuild from the ground up. I know of no sure and certain way to absolutely assure that things are as they should be once it's happened. You might find one piece of it, or one of several - but how do you KNOW that things are all well again.<br><br>Personally, I'd be satisfied with a product that simply provided a no-false-positive indication that you'd been rooted and gave you an indication of the source/name of the rootkit.<br><SMALL>--<br>...then THINK! again!!</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16805190</guid>
<pubDate>Tue, 29 Aug 2006 22:18:33 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16799721</link>
<description><![CDATA[<A HREF="/useremail/u/191317"><b>bcool</b></A> : <div class="bquote"><SMALL>said by Vampirefo :</SMALL><br><br>Anyway for those who wish to test Rootkit Unhooker, here is a text file showing what RkUnhooker.exe does to your registry, and where and what driver it sneaks in on you; this will be helpful in removing this garbage from your pc.<br> </DIV>Thanks for the info. I'll keep a close eye on this one, though surely the developer has only honorable intentions... right? :uhh:<br><SMALL>--<br>"in flagrante delicto"</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16799721</guid>
<pubDate>Tue, 29 Aug 2006 08:16:41 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16799562</link>
<description><![CDATA[<A HREF="/useremail/u/917630"><b>Cudni</b></A> : Thanks for the file. I'll check if the same can be found on my system<br><br>Cudni]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16799562</guid>
<pubDate>Tue, 29 Aug 2006 07:06:11 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16799437</link>
<description><![CDATA[<A HREF="/useremail/u/1304319"><b>Psicop</b></A> : Watch your swearing mate. Generally speaking the users at this forum are polite people. So please refrain from that kind of behaviour.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16799437</guid>
<pubDate>Tue, 29 Aug 2006 05:23:07 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16799402</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : Well thank you ross. Seems I have been asking a lot of questions lately that go unanswered. Never post after drinking. I should try my own advice. However I won't swear at this time since I have not had as much to drink as you.<br>What unzipping program did you use? <br>I like the free 7-zip. With most of them you choose where to unzip the files to. I am sure you already knew that since you have been here for 7 years now?<br><br>I am sure spanner will come along soon enough and answer your question.<br><br>controler<br><br>Thanks VP for the list of reg entries.<br>Has that file monitor you used been updated since 2000? I think I gave it a try back then.<br><br>About PG: yes it is a great program but the support has gone down the tubes and they write that off as they are too busy being a small company.<br>On the other hand, as far as I know Jason is a small company also and seems to find plenty of time for programming and support. Both are good programs but I think AD might do a bit more especially with Regdefend added with the extra<br>filters created by some other users.<br><br>I have tried most of the other ART's but have not tried rootkitunhooker. I think somebody mentioned in the Sysinternals thread that they did get it to work on Vista.<br>I see the preRC1 Vista came out today. At present the word is Vista will not allow any kernel hooking, which BTW is what almost every AV vendor is doing now. Trying to fight fire with fire so to speak.<br>Of course this was warned against by Kevin. At first I wrote that off to well he is only saying that because he can't touch the kernel because of his Gov contracts. That is scary when even the Gov knows messing with the kernel will cause instability. I should say if more than one software does it at the same time it will cause some bad stuff to happen.<br><br>controler<br><br> ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16799402</guid>
<pubDate>Tue, 29 Aug 2006 05:03:07 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16799388</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : ross<br><br>There are 3 files inside my RKU Zip - RKU2022.rar + rk_demo_v11.zip + rk_demo_v12.zip<br><br>RKU2022.rar = RkUnhooker.exe + RKUnHooker.chm -> Help file<br><br>rk_demo_v11.zip = rkstart.exe + RKdemo.sys + Readme<br><br>rk_demo_v12.zip = rkstart.exe + RKdemo.sys + Readme<br><br>rkstart.exe is the usermode part of the rootkit. RKdemo.sys is the resident driver.<br><br>They go to wherever you want, just create a new folder/s, stick em in + unpack them into there !<br><br>Vampirefo<br><br>Very helpful of you to post the TXT file for people to peruse, Thanx. As RK's are themselves by nature designed to be " Sneaky ", then i suppose it makes sense for an ARK to be as sneaky, or even more so, to have the best possible chance of detecting them !<br><br>If this means doing things in unconventional ways to better achieve its purpose, then i would say, so be it. I doubt if those Reg entries take up too much space anyway, and if someone actually did have a Real nasty that RKU was able to discover, i don't think they would be overly concerned about the entries RKU created.<br><br>-<br><br>To ALL, don't forget what it States in both Readme's, which is good advice for any new/experimental/developing App etc -<br><br>/////!!!!!WARNING!!!!!/////<br>USE ONLY ON YOUR OWN RISK<br>  ABSOLUTELY NO WARRANTY<br><br>Also they don't proclaim it as the, all time never need updating or require anything else type App. In fact they advocate using other ARK's too, such as Rootkit Revealer for one eg. <br><br>If you want to Root things out which may be hiding in all sorts of devious ways, then using a selection of Tools is always recommended. Some will cover more ground than others, and some will discover/show you things others may not.<br><br>Don't be discouraged by " some " peoples views on " Anything " at all. So if you haven't before, and want to experiment, then now's your chance, as there are plenty of ARKs to try out. And now Thanx to the 2some, you have a few Real but safe RK's in which to Actually play with. Furthermore, the vast majority of these Tools, are All FREE !!!<br><br>As far as PG/GS/P etc etc goes, well i could mention the " B " word, but this thread isn't about those kind of Apps, as worthwhile as some of them are !<br><br>Spanner<br><br>edit - I've just seen ross's latest post so -<br><br>ross<br><br>1st off please see above. Now do a Windows Search/Find for those file names, make Sure you have Show All Files/Folders enabled. You should be able to retrieve them and put them in a new folder etc. <br><br>If you did NOT actually RUN those RK's then you ain't got Anything in there ! If you did then all you need to do is run RKU to find them as well.<br><br>I might be inclined to edit the naughty words in your last post, in case your whole post gets deleted !<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16799388</guid>
<pubDate>Tue, 29 Aug 2006 04:50:31 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16799358</link>
<description><![CDATA[<A HREF="/useremail/u/187074"><b>ross</b></A> : <div class="bquote"><SMALL>said by  controler <A HREF="/useremail/u/894230"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>   :</SMALL><BR><BR>Why worry about it ross?<br> </DIV> I'll give you an account of my ignorant experience with the file SpannerITWks set up for download.<br><br>I downloaded the .tar file from the link SITWks gave. When I double-clicked it, it showed two .zip files, presumably containing test root-kits, and a .tar file labeled RKU2022. I unarchived the RKU2022 file, and the dialogue requested the password. I entered "Spanner" as directed in SITWks' post, and the file unzipped itself to an unknown location, and did not leave any trace of its name, the directory it installed to, or any clue as to the type of file that was extracted.<br><br>I have NO IDEA what I downloaded, what kind of file I opened up, where it copied/installed itself to, or what consequences my action in trusting SITWks' post will have on my system. I deleted the original .tar file without extracting the other files. It would be nice to know if I inadvertently installed a root-kit on my machine.<br><br>So, stupid as I was, your question seems to me to be the dumbest question I've run across in quite a while.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16799358</guid>
<pubDate>Tue, 29 Aug 2006 04:23:12 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16799226</link>
<description><![CDATA[<A HREF="/useremail/u/1304319"><b>Psicop</b></A> : Docchat,<br><br>What has got Prevx to do with removing RKs?<br><br>Duh!]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16799226</guid>
<pubDate>Tue, 29 Aug 2006 02:50:26 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16798976</link>
<description><![CDATA[<A HREF="/useremail/u/631004"><b>Telly Boot</b></A> : In case anyone missed the recent posts on this subject hereabouts, Sophos has released a free and updateable anti-RootKit tool:<br>&raquo;<A HREF="http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html" >www.sophos.com/products/free-too&middot;&middot;&middot;kit.html</A><br><SMALL>--<br>Dawn,n,The time when men of reason go to bed. (Ambrose Bierce.)</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16798976</guid>
<pubDate>Tue, 29 Aug 2006 01:22:16 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16798085</link>
<description><![CDATA[<A HREF="/useremail/u/697604"><b>docchat</b></A> : Anyone have any experience with Prevx?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16798085</guid>
<pubDate>Mon, 28 Aug 2006 22:17:24 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797932</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : Anyway for those who wish to test Rootkit Unhooker, here is a text file showing what RkUnhooker.exe does to your registry, and where and what driver it sneaks in on you, this will be helpful in removing this garbage from your pc.<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap WIDTH=33%><A HREF="/r0/download/1055860~53bdfb5d73addc8b60182288cd44c2db/Rootkit%20Unhooker.TXT"><IMG  align=absmiddle TITLE="download" SRC="http://i.dslr.net/silk/arrow_down.png" border=0 width=16 height=16><IMG SRC="http://i.dslr.net/1ptrans.gif" WIDTH=10 HEIGHT=1 border=0><big>Rootkit Unhooker.TXT</big></A> <small>35,461 bytes</small></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797932</guid>
<pubDate>Mon, 28 Aug 2006 21:52:43 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797877</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : Ghost Security's (AppDefend) looks similar to PG, do they work the same?<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797877</guid>
<pubDate>Mon, 28 Aug 2006 21:44:45 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797817</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : Not going into PG .<br>Look at the support urself.<br><br>I will say the other is Ghost Security. Jason is the developer of PG.<br><br>You be the judge.<br><br>controler]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797817</guid>
<pubDate>Mon, 28 Aug 2006 21:38:00 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797773</link>
<description><![CDATA[<A HREF="/useremail/u/697604"><b>docchat</b></A> : Vampirefo,<br><br>That is what I thought too.  From everything that I know about it, it is highly regarded and highly recommended and still supported and updated.  I don't use it but have considered it.  And now it is "dying?"  That's the first I have heard of that and I seriously doubt that.  If there is something better out there, I would like to know.  With the problem with rootkits, maybe something like PG is a good thing to have.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797773</guid>
<pubDate>Mon, 28 Aug 2006 21:30:06 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797688</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : <div class="bquote"><SMALL>said by  docchat <A HREF="/useremail/u/697604"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>And what would you recommend in the place of the "dying" ProcessGuard that works better??<br> </DIV>Interesting, I thought they were still developing it, I didn't know it was ending.<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797688</guid>
<pubDate>Mon, 28 Aug 2006 21:19:15 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797605</link>
<description><![CDATA[<A HREF="/useremail/u/697604"><b>docchat</b></A> : And what would you recommend in the place of the "dying" ProcessGuard that works better??]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797605</guid>
<pubDate>Mon, 28 Aug 2006 21:06:30 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797603</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : Did you remove the registry entries, and the driver that Rootkit Unhooker dropped on your pc?<br><br>This is a sneaky program, not to be trusted, it makes way too many entries in the registry, and dropping the driver is trojan like.<br><br>One should be told what is going to happen when they click RkUnhooker.exe. Other freeware scanners simply scan, that's it, but this one has the actions of a Trojan: writing to the registry, dropping a driver, setting itself up as a service.<br><br>None of the above is told to the user nor is it needed to just scan your pc.<br><SMALL>--<br>Best Regards<br>Vampirefo<br><br></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797603</guid>
<pubDate>Mon, 28 Aug 2006 21:06:09 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16797163</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : Bigmike<br><br>Choke Cough HUH?<br><br>Dying product]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16797163</guid>
<pubDate>Mon, 28 Aug 2006 19:52:32 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16796723</link>
<description><![CDATA[<A HREF="/useremail/u/641535"><b>BIGMIKE</b></A> : DiamondCS ProcessGuard<br>&raquo;<A HREF="http://www.diamondcs.com.au/processguard/" >www.diamondcs.com.au/processguard/</A><br><SMALL>--<br>Type "miserable failure" in Google</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16796723</guid>
<pubDate>Mon, 28 Aug 2006 18:31:53 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16796719</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : Why worry about it ross?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16796719</guid>
<pubDate>Mon, 28 Aug 2006 18:30:48 EDT</pubDate>
</item>

<item>
<title>Where did it go?</title>
<link>http://www.dslreports.com/forum/remark,16796110</link>
<description><![CDATA[<A HREF="/useremail/u/187074"><b>ross</b></A> : Spanner, how about a list of the files in your tar/zip download, and where they unarchive to...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16796110</guid>
<pubDate>Mon, 28 Aug 2006 16:44:06 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16796108</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : here is what AVG claims about its latest Beta<br><br>&raquo;<A HREF="http://fileforum.betanews.com/detail/AVG_AntiRootkit/1154697799/1" >fileforum.betanews.com/detail/AV&middot;&middot;&middot;697799/1</A><br><br>It can even remove Trojans and Rootkits that are hiding inside NTFS Alternate Data Streams.<br><br>How true is this with the hidden driver using ADS on NTFS?<br><br>controler]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16796108</guid>
<pubDate>Mon, 28 Aug 2006 16:43:52 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16796072</link>
<description><![CDATA[<A HREF="/useremail/u/894230"><b>controler</b></A> : yes I've kind of been peeking at the sysinternals thread now and then. Interesting stuff indeed.<br><br>here is an old article by Symantec on the rustock.A<br>Has Symantec done any more with it since June 29th?<br><br>&raquo;<A HREF="http://www.symantec.com/enterprise/security_response/weblog/2006/06/raising_the_bar_rustocka_advan.html" >www.symantec.com/enterprise/secu&middot;&middot;&middot;van.html</A><br><br>controler]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16796072</guid>
<pubDate>Mon, 28 Aug 2006 16:38:14 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16796046</link>
<description><![CDATA[<A HREF="/useremail/u/260736"><b>Vampirefo</b></A> : Very buggy software you made, any updates in the future? Right now your program is pretty useless as you already know.<br><br>Your program can't even kill itself, very poor programming I might add. Scrap this program and start over, look forward to a bug free program, your program is interesting, nothing I haven't seen before though.<br><SMALL>--<br>Best Regards<br>Vampirefo</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16796046</guid>
<pubDate>Mon, 28 Aug 2006 16:34:48 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16795965</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : goodquestion<br><br>If you take your time to go through the thread in the link that gesc provided, you will discover some Very illuminating results in answer to your questions. And even though EP_X0FF is connected with RKU, the reviews of other vendors ARK's speak volumes ! If anybody doesn't have faith etc in the results, just compare them with yours !<br><br>zteardrop<br><br>Look forward to you posting your more extensive testing with All RK types, and hopefully not just with GMER.<br><br>-<br><br>Don't forget, quite a few of the private ARK's are updated/improved a lot more often than the commercial vendors. So always keep a lookout for the latest versions.<br><br>Spanner<br><br>edit - extra info Only<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16795965</guid>
<pubDate>Mon, 28 Aug 2006 16:23:29 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16795695</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : That's a good question, which anti-rootkit scanners are really the best? Anyone trustworthy and knowledgeable in this area done any decent tests with them? ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16795695</guid>
<pubDate>Mon, 28 Aug 2006 15:46:48 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16795220</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : >>I think if we have learnt anything from that infamous >>thread on the sysinternals forum it is that public >>rootkit detectors will always lose to private rootkits.<br><br>lol, not so true. private detectors are a big myth, tools used by ten to a hundred people, very funny, what will they detect? you can always say that your private detector is the best, because nobody can say otherwise. if you think that this thread is 'infamous' then i don't know what you mean by 'famous'. lying to people by saying that all rkdetectors are good is not such a 'good' idea. i have real facts, you have nothing.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16795220</guid>
<pubDate>Mon, 28 Aug 2006 14:35:35 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16795201</link>
<description><![CDATA[<A HREF="/useremail/u/1303852"><b>zteardrop</b></A> : I like GMER from www.GMER.net. Small, fast, works well. Haven't tried it extensively though with all rootkit types.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16795201</guid>
<pubDate>Mon, 28 Aug 2006 14:33:18 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16795182</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : those are very disputable words<br><br>fyi the next generation of hardwired rootkits will not be detected even by external scanning like a boot cd.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16795182</guid>
<pubDate>Mon, 28 Aug 2006 14:30:25 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16795085</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Very interesting review from castlecops. Too buggy and needs more work, lol. The same I can say about all other rkdetectors as well as about castlecops itself.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16795085</guid>
<pubDate>Mon, 28 Aug 2006 14:16:46 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16794720</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : If a Rootkit detector does not boot from its own CD it will NEVER be trustworthy.  Having said that, for a basic preliminary test, I like the no nonsense raw design of sysinternals rootkit revealer.  They like to try to keep it simple which is usually the best approach.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16794720</guid>
<pubDate>Mon, 28 Aug 2006 13:23:50 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16794281</link>
<description><![CDATA[<A HREF="/useremail/u/917630"><b>Cudni</b></A> : <div class="bquote"><SMALL>said by Mr Bluepill :</SMALL><br><br>That said, I see the guys at Castlecops have refused to endorse Rootkit Unhooker for use for some undisclosed reason.  I would be inclined to follow their lead. <br> </DIV>Not undisclosed anymore :)<br><br>&raquo;<A HREF="http://www.castlecops.com/postlite165478-.html" >www.castlecops.com/postlite165478-.html</A><br>"...<br>Too buggy and needs more work.<br>..."<br><br>Cudni<br><SMALL>--<br>Some are born to failure, others achieve it, all deserve it.<br>Help yourself so God can help you.<br>MVP, Microsoft Windows Security 2006</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16794281</guid>
<pubDate>Mon, 28 Aug 2006 12:05:49 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16794020</link>
<description><![CDATA[<A HREF="/useremail/u/1304319"><b>Psicop</b></A> : Hmmm...It already looks like a cat and mouse game. Who'll be the winner?<br><br>No one. Like the snake that bites its own tail. Or like Karma.<br><br>Endless cycle. That's life :)<br><br>Mr. BluePill, which one? There are few. Perhaps this:<br><br>&raquo;<A HREF="http://forum.sysinternals.com/forum_posts.asp?TID=7003&PN=1" >forum.sysinternals.com/forum_pos&middot;&middot;&middot;003&PN=1</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16794020</guid>
<pubDate>Mon, 28 Aug 2006 11:09:59 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16793778</link>
<description><![CDATA[<A HREF="/useremail/u/917630"><b>Cudni</b></A> : another util offering a glimpse of what is happening under the hood, nice :)<br><br>Cudni]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16793778</guid>
<pubDate>Mon, 28 Aug 2006 10:22:30 EDT</pubDate>
</item>

<item>
<title>Re: RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16793762</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : I think if we have learnt anything from that infamous thread on the sysinternals forum it is that public rootkit detectors will always lose to private rootkits.<br><br>That said, I see the guys at Castlecops have refused to endorse Rootkit Unhooker for use for some undisclosed reason.  I would be inclined to follow their lead. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16793762</guid>
<pubDate>Mon, 28 Aug 2006 10:18:58 EDT</pubDate>
</item>

<item>
<title>RootKit Detectors - Not all = !</title>
<link>http://www.dslreports.com/forum/remark,16793501</link>
<description><![CDATA[<A HREF="/useremail/u/1193253"><b>SpannerITWks</b></A> : It probably comes as no surprise that not All Anti RK detectors are equal, or will be, for all sorts of reasons.<br><br>Right now there are quite a number to choose from, along with other Hidden Stealth Apps too. There are stand alone types and ones included in AV + Suites etc. Recently we've seen a bit of an explosion of ARK tools, and Most of these, including the previously available ones, are FreeWare ! And in the last couple of weeks several more ARK's have appeared on the scene, from well known vendors.<br><br>Some are better in other areas than others, and some will both " hopefully " Detect, + Remove what you select. <br><br>The trouble is though, how would you Actually Know how effective ANY of these ARK's really are, or would be if you Really did have an RK etc in your PC ? As well as searching for RK's they " should " also find anything else that is hiding from Plain View. For eg, in the ADS of NTFS partitioned HD's, amongst other places.<br><br>Well fortunately there is a solution, and a VERY good one too ! Not publicised as widely as it should be, but nonetheless i think you might want to know about it.<br><br>Two guys, EP_X0FF + MP_ART have coded one of the best, if not the best ARK App, even if they do say so themselves lol. And also some test RK's to throw at your ARK's to see just how successful, or not, they are at locating anything suspicious, or possibly hiding. They aren't too shy about disclosing All the other ARK's that don't come up to scratch either !<br><br>-<br><br>Rootkit Unhooker - an advanced rootkit detection utility<br><br>Rootkit Unhooker features: Public version <br><br>Service Descriptor Table Hooks Detection and Restoring <br>Ultimate Processes Detection <br>Ultimate Drivers Detection <br>Hidden Processes Termination <br>System Call hook Detection <br>Drivers Dumping <br>Report generation <br><br>Current Version 2.022 from 20 August 2006 USE IT ON YOUR OWN RISK <br><br>Supported operating systems:<br><br>x86 32 bit Windows 2000 SP4<br>x86 32 bit Windows XP +SP1, SP2<br>x86 32 bit Windows 2003 +SP1 <br><br>-<br><br>Rootkit Unhooker Free - &raquo;<A HREF="http://rkunhooker.narod.ru/" >rkunhooker.narod.ru/</A> - <br><br>RkU test rootkit demo v1.1 + v1.2 - Rootkit demo (for education purposes only) - Free hxxp://rkunhooker.narod.ru/projects.html<br><br>The links are a " little " slow so i've Zipped and uploaded the files to here for you - Your Download-Link #1: &raquo;<A HREF="http://rapidshare.de/files/31059460/RKU.zip.html" >rapidshare.de/files/31059460/RKU.zip.html</A> - Password = Spanner<br><br>YES the files are 100% safe, but feel free to check them. So don't be surprised if a scan shows the RK's as positive, because they are RK's and some vendors do have these in their DEFS, even though they are ONLY tests. But remember " USE IT ON YOUR OWN RISK "<br><br>Now you can experiment with a couple of real RK's and compare, without having to run one complete with a Real nasty payload included ! I wonder what you'll think of some of the others' capabilities after your tests, and how much faith you would have in them ?<br><br>Spanner<br><br>edit - extra info Only<br><SMALL>--<br>I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks<br>/SpannerITWks</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,16793501</guid>
<pubDate>Mon, 28 Aug 2006 09:20:45 EDT</pubDate>
</item>

</channel>
</rss>
