  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
| reply to daveinpoway Re: One in Five PC's Infected With Rootkits
This brought up nothing on my XP box. That one is mainly for audio/video and rarely goes online, but it's the "experimental" system where I try out all kinds of software.
Does it bother anyone else that to check for rootkits on Windows, you have to download a closed-source binary, log on as Administrator and let it exchange who-knows-what with a remote server?
I suppose prevx is a reputable company, but that would be against security policy on my main workhorse pc. |
|
  Elite
join:2002-10-03 Orange, CT
·Optimum Online
| reply to daveinpoway GMER and DarkSpy are both very reputable anti-rootkits.
IceSword is also very good.
However, none of these 3 anti-rootkits are very user-friendly. As with RkU, you really need to know what you're looking for. -- QUAD!!!! |
|
 IBK
join:2003-06-20 Austria
| reply to swhx7 Last time I was going to test Prevx I fortunately found out what data was submitted and how it was going to be used, and immediately stopped testing it. Here is an example of a scan of a (corrupted) adware sample I scanned half a year ago for demo purposes: »info.prevx.com/aboutprogramtext.···b57b46e1 The more users use Prevx CSI, the better it is for the Prevx database, but I am not going to contribute to the database. |
|
  Bubba17 Less is More Premium join:2006-09-21
| reply to Elite said by Elite :GMER and DarkSpy are both very reputable anti-rootkits. IceSword is also very good. However, none of these 3 anti-rootkits are very user-friendly. As with RkU, you really need to know what you're looking for. Ok. But, you recognize the problem though (sigh).
As for "really need to know what you're looking for" ... do you have a couple of links you might share where one could attempt rootkit self education, for dummies, like myself? Or, is knowing what to look for beyond the average users ability?
Obviously, too, there must be something inherently difficult associated with anti that I don't understand, else, I would think, some security company would have already created "the" (if not one of "the") program(s) that could reliably, definitively, perform anti while being "user friendly".
I'd certainly purchase such a program. -- HN7000s | Horizons 1 (127W) | Gateway: 1110Mhz | Dish: .98m 2 Watt | Pro+
"Fast is fine, but accuracy is everything" --Wyatt Earp |
|
  Elite
join:2002-10-03 Orange, CT
·Optimum Online
| reply to daveinpoway Well, they're really not as bad as I've probably made them sound.
For example, RkU is broken down into different tabs (SSDT hooks, Shadow SSDT hooks, etc.). It's also got a pretty good manual, for help in understanding what everything does.
I'd say grab RkU and play with it (google for RkU 3.7.300.509) As long as you don't unhook anything, you shouldn't BSOD the machine. You can post any questions you have or just PM me. -- QUAD!!!! |
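As an added illustration of the two checks behind those RkU/GMER tabs (a service table entry that points outside the image that should own it, and a directory listing that differs between the hooked API view and a lower-level view), here is a self-contained simulation in Python. It is example code written for this page, not code from RkU, GMER or anyone in this thread; the module bases, sizes, service indices and addresses are constructed, and huy32.sys is used only as a placeholder name for the driver that owns the hooks.

```python
"""Simulated rootkit-detection heuristics (constructed data, not a real system).

1. SSDT / Shadow SSDT check: every entry of the System Service Descriptor
   Table should resolve into ntoskrnl; every Shadow SSDT entry into win32k.
   An entry whose target lies outside the owning image has been redirected,
   usually into a rootkit driver.
2. Cross-view diff: a rootkit that filters NtQueryDirectoryFile hides its
   files from normal listings, but a lower-level view (raw volume parsing or
   an unhooked query path) still sees them.  Names present only in the
   low-level view are hidden; names present only in the API view are
   usually transient files created between the two scans.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageRange:
    """A loaded kernel image occupying [base, base + size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules) -> str:
    """Name the loaded module containing addr, or '<unknown>' if none does
    (an unknown owner suggests an unlinked or hidden driver)."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return "<unknown>"


def find_ssdt_hooks(table, legit_images, loaded_modules):
    """Return [(service_index, target, owner)] for entries whose target lies
    outside the images that legitimately own this table."""
    hooks = []
    for index, target in sorted(table.items()):
        if not any(img.contains(target) for img in legit_images):
            hooks.append((index, target, owner_of(target, loaded_modules)))
    return hooks


def hooked_listdir(real_listing, hide_prefix):
    """Simulates a rootkit's filtered directory enumeration: names starting
    with hide_prefix are dropped before the caller ever sees them."""
    return [n for n in real_listing if not n.lower().startswith(hide_prefix.lower())]


def cross_view_diff(api_view, raw_view):
    """Compare the (possibly hooked) API listing with the low-level listing."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "transient": sorted(api - raw)}


# Constructed module map and service tables.  Indices and addresses are
# illustrative only; they are not measurements of any real machine.
NTOSKRNL = ImageRange("ntoskrnl.exe", 0x804D7000, 0x001F8000)
WIN32K = ImageRange("win32k.sys", 0xBF800000, 0x001C6000)
ROOTKIT = ImageRange("huy32.sys", 0xF7A3C000, 0x00008000)  # hypothetical driver
MODULES = [NTOSKRNL, WIN32K, ROOTKIT]

SSDT = {
    0x25: 0x805B7D8E,  # inside ntoskrnl: clean
    0x7A: 0xF7A3E0A0,  # redirected into huy32.sys
    0x91: 0xF7A3D120,  # redirected into huy32.sys (directory enumeration)
    0xAD: 0x8056B1E0,  # inside ntoskrnl: clean
    0xF0: 0xFA000000,  # points into no loaded module at all
}
SHADOW_SSDT = {
    0x1ABC: 0xBF8A0000,  # inside win32k: clean
    0x1BD2: 0xF7A3F000,  # redirected into huy32.sys
}

# Constructed directory contents; the rootkit hides its own driver file.
RAW_LISTING = ["drivers", "huy32.sys", "ntfs.sys", "kbdclass.sys"]
API_LISTING = hooked_listdir(RAW_LISTING, "huy32") + ["~tmp1.log"]  # tmp file appeared later


def run_demo():
    """Run both heuristics over the constructed data and return the findings."""
    return {
        "ssdt_hooks": find_ssdt_hooks(SSDT, [NTOSKRNL], MODULES),
        "shadow_hooks": find_ssdt_hooks(SHADOW_SSDT, [WIN32K], MODULES),
        "files": cross_view_diff(API_LISTING, RAW_LISTING),
    }


if __name__ == "__main__":
    for kind, findings in run_demo().items():
        print(kind, findings)
```

The range check only catches pointer replacement; a rootkit that patches the first bytes of a function inside ntoskrnl (an inline hook) leaves every table entry in range, which is why the real tools also compare kernel code against the on-disk image. The cross-view diff likewise depends on the low-level view itself not being hooked, which is exactly the cat-and-mouse that the test results later in this thread show.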
|
  fatdcuk Premium join:2005-02-20 England
1 edit | reply to daveinpoway Sorry for the delay folks, but as promised yesterday here are the screenshots/data returned from testing some of the tools mentioned in this thread versus samples from my Zoo collection.
All RK malware used has been harvested from in-the-wild infections over the last 18 months and no proof-of-concept RKs were used. These are live malware rootkits.
Testbed 1 (loaded malware RKs):
1) Rustock B (huy32.sys)
2) Nulprot (asc3550.sys + asc3550p.sys)*
3) Haxdoor (ntio256.sys + protector.exe)
4) Srizbi (Eyvw95.sys)
5) Cutwail/Bulknet (Runtime2.sys)**
*Imports a secondary infection from the WWW that is not hidden. **Drops other files after installation that are not hidden.
Prevx CSI = 4/5, blind to Nulprot.
AVG AntiRootKit = 4/5, blind to Nulprot.
RKU = 4/5, blind to Nulprot.
GMER 1.0.14 Beta = 5/5
Nulprot VT upload today>>> »www.virustotal.com/resultado.htm···7b697495
Testbed 2 (loaded malware RKs):
1) Rustock A (lzx32.sys)
2) Wincom32 (Wincom32.sys)
3) TR.Inject/Allinone (VideoAti0.sys + dll + exe)
4) Haxdoor.sm (Pasksa.dll + p81eskse.sys)
Prevx CSI = 3/4, blind to Allinone
AVG AntiRootKit = 4/4
RKU = 4/4
GMER 1.0.14 Beta = 4/4
TR.Inject/Allinone VT report today>>> »www.virustotal.com/resultado.htm···f327bde6 |
|
  swhx7 Premium join:2006-07-23 Elbonia
·RoadRunner Cable
| reply to Bubba17 Although you were replying to someone else...
said by Bubba17 :Obviously, too, there must be something inherently difficult associated with anti that I don't understand, else, I would think, some security company would have already created "the" (if not one of "the") program(s) that could reliably, definitively, perform anti while being "user friendly". Some of them are very good. The problem is that malware authors - and especially rootkit authors - are constantly coming up with new techniques. Among other things, they examine all the detection software and code specifically to evade them.
So you always have to have the latest, and it still may not be enough. What's more important is not allowing the opportunity for infection in the first place.
User-friendliness is a different issue.
said by Bubba17 :As for "really need to know what you're looking for" ... do you have a couple of links you might share where one could attempt rootkit self education, for dummies, like myself? Or, is knowing what to look for beyond the average users ability? »en.wikipedia.org/wiki/Rootkit has general info. rootkit.com is an in-depth source, but you have to be a programmer to follow much of it. |
|
  Bubba17 Less is More Premium join:2006-09-21 | Thanks, swhx7 (and to you fcukdat and Elite also!)
Very much appreciate you all. |
|
 Theomega
join:2002-10-18 Mesquite, TX | reply to daveinpoway Thanks for making me aware of this. I'm clean.  |
|
  fatdcuk Premium join:2005-02-20 England
1 edit | reply to daveinpoway I'm clean.  OK, I have a question for folks who, like the example above, have posted that they are all clean....
There are very high odds you are not infected with malware rootkit(s), but what I would like to know, based on all these "all clean" posts, is what tools or methods you have used to confirm this to be the case beyond doubt?
BTW if anyone would like to have their chosen ARK tools (same drive) versus my Zoo collection I would be happy to return data as long as it doesn't cost me for the privilege  |
|
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
| The Prevx linked in this thread... AVG AR, Blacklight, McAfee AR, RKR, Sophos AR
... just for starters. It's an odd hobby of mine.  -- Think outside the Fox... Opera |
|
  youveshutmedown
@sbcglobal.net
from: dadkins 
| reply to fatdcuk Just for kicks and giggles, how does F-Secure's blacklight app perform against your zoo?
You can grab it here:
»www.f-secure.com/security_center/
Download link near the bottom |
|
  Elite
join:2002-10-03 Orange, CT | reply to daveinpoway Oh poor F-Secure...
I don't think the results are going to be that great. LOL. -- QUAD!!!! |
|
  youveshutmedown
@sbcglobal.net
| said by Elite :Oh poor F-Secure... I don't think the results are going to be that great. LOL. Which is why it would be nice to have a back-to-back real world comparison.  |
|
  fatdcuk Premium join:2005-02-20 England
2 edits | reply to daveinpoway Oh brother is this going to be a bag of fun 
Both Rootkit Revealer and Blacklight BSoD'ed when executed versus testbed 1. Geez, I had been spoilt so far for lack of fatals on Sunday 
This will take longer than first planned as I now have to break the test group down into individual RKs versus software/scan times if BSoDs occur 
For the test's sake, BSoDs don't count as positive detections. |
|
  spy1 Welcome to Amerika Premium join:2002-06-24 Charlotte, NC
| reply to fatdcuk RKR - IceSword - BlackLight (although I admit that with IceSword, a bad result would have to jump off the screen and bitchslap me before I'd recognize it for what it was...).
I would think that my AV (NOD32) would also be doing its very best to prevent me from ever getting root-kitted to start with, but as far as detection of a pre-existing one.... I really don't know. Pete |
|
  Elite
join:2002-10-03 Orange, CT | NOD32 has poor rootkit detection. Limited to usermode at most. -- QUAD!!!! |
|
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
| reply to youveshutmedown said by youveshutmedown :Which is why it would be nice to have a back-to-back real world comparison. I picked up a sick one yesterday. I have not had many kits lately, so I'm not up to date on the newest tools. This PC became infected while using Exaspery 7 with web and e-mail scan set to delete anything bad without asking. It got kitted anyway, and then Exaspery found the rootkit infection and said to scan in safe mode to repair. Safe mode gets up to about 10 files while loading and the PC reboots. I downloaded AVG antikit and Blacklight. AVG deletes all infected files, and then they all come back immediately, with even more files. Blacklight did not find as many files as AVG, but has the same results. This Prevx program found 1 file and wanted a license key to fix it. Here are some screenies. I'm gonna try some of the other tools mentioned here, and am open for suggestions other than DBAN (which I think is coming soon, oh, and Exaspery is gone now too!)  |
|
  Elite
join:2002-10-03 Orange, CT | reply to daveinpoway I'm not familiar with that particular infection, but it looks weak.
Get RkU, erase process VM, wipe all hidden files, reboot. -- QUAD!!!! |
|
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
| said by Elite :Get RkU, erase process VM, wipe all hidden files, reboot. I've been Googling for it for half an hour. All I seem to find is a russian site with a 404 error where the file link should be. |
|