Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

How to discover hidden rootkits



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

1 recommendation

Comment from the article.

quote:
The one and the only offline malware remover (which not only identifies but removes) which I recommend for Win 7 systems is WDO.

I agree. Put Windows Defender Offline on a USB stick or CD/DVD and run it every now and then.

Don't forget to update the WDO Definitions before doing a scan. You can manually download these.

Windows Defender Offline (x64) Definitions
Windows Defender Offline (x86) Definitions

BTW there's also Sysinternals RootkitRevealer although I'm not sure if that's any use on a 64-bit system.
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
Just don't buy your sticks from this guy.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to StuartMW
Good info, thanks.. got any thoughts on this one?

10 best free lightweight security tools
»www.techradar.com/us/news/softwa···-1089715

or these..

10 best free lightweight desktop tools
»www.techradar.com/us/news/softwa···-1085319

been a long time since I have seen a thread about the tools out there which we know work well.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
said by Name Game:

..got any thought on this one ?

I've only used the two tools above. I've never had (or detected at least) a rootkit.

I perform WDO scans about once a month when a box is being rebooted anyway.

That said I keep the WDO definitions on my USB drives (one for 32-bit, another for 64-bit) up-to-date in case I need to do a scan.
--
Don't feed trolls--it only makes them grow!


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

1 recommendation

said by StuartMW:

... I've never had (or detected at least) a rootkit. ...

Hmm... "Bob" will be glad to hear that. He was wondering if you'd found it yet...
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Well, what I say publicly and what I know/do privately may or may not be the same thing.
--
Don't feed trolls--it only makes them grow!


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2

2 recommendations

»www.resplendence.com/sanity.htm

What is SanityCheck ?

SanityCheck is an advanced rootkit and malware detection tool for Windows which thoroughly scans your system for threats and irregularities which indicate malware or rootkit behavior.

SanityCheck runs on the following operating systems:

Windows 7
Windows 7 x64 editions
Windows 2008 Server
Windows 2008 Server x64 editions
Windows Vista
Windows Vista x64 editions
Windows XP (Service Pack 2 or greater)
Windows XP x64 edition (all service packs)
Windows Server 2003 (all service packs)
Windows Server 2003 x64 editions (all service packs)
Windows Server 2000 (with Update Rollup 1 and Service Pack 4)


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
said by Cartel:

What is SanityCheck ?

I'd be worried about failing that one

The computer I'm on right now (not mine) has a note on it,

quote:
I've lost my mind and it's a shame because it's such a little thing to be wandering around by itself.

--
Don't feed trolls--it only makes them grow!


OldGrayWolf

join:2007-10-06

2 edits
reply to Name Game
I have only detected 1 rootkit on a computer. In January 2008 I saw a process in the firewall log that was trying to connect to the Internet on the family's shared PC. Fortunately no one in the family had allowed it through the firewall; my family was well trained.

I used Windows explorer to search for an executable with the name of the process; however, I could not find it. I booted into Linux and searched the Windows partition for the file and found it. I noted the path to the file; then, rebooted Windows and looked for the file in that location using explorer. Explorer didn't know it was there.

I rebooted into Linux, TARed the file and sent it to someone responding to my post on this forum (see thread at »What is cbpnkrymg.exe). They forwarded my sample to the AV companies and confirmed that it was a new variant of a rootkit (Trojan Horse Rootkit-Pakes). Within 24 hours, many of the AV companies were releasing signatures for it.

No AV product would have detected this rootkit. LOL.

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to Name Game
I happened across an article at the McAfee website that talked about a rootkit that, according to McAfee, most rootkit-scanners wouldn't detect because it was designed so that, while it would be hidden from humans, it would not appear to be hidden to rootkit-scanners and, therefore, it wouldn't be flagged by them..

Of course, McAfee was boasting that their new super-duper security tool, which, incidentally, was only available for corporate use, was alone capable of flagging the rootkit..


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
said by redwolfe_98:

I happened across an article at the McAfee website that talked about a rootkit that, according to McAfee, most rootkit-scanners wouldn't detect because it was designed so that, while it would be hidden....

That is true. Rootkits are designed to hide themselves from the O/S and therefore other programs including A/V scanners. However, if you use offline scanners the infected O/S isn't running--another one is (Windows based or other). That is why OldGrayWolf was able to see the EXE under Linux but not Windows.

WDO is an offline scanner. You boot from a USB/CD/DVD drive so the O/S to be scanned isn't running. A rootkit can still (attempt to) hide in the filesystem but a good scanner will find it anyway.

Rootkit

quote:
A rootkit is a stealthy type of software, often times malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

--
Don't feed trolls--it only makes them grow!


norwegian
Premium
join:2005-02-15
Outback
reply to Name Game
Wouldn't some of the old basic tools that did a file structure comparative still be effective today? I know most vendors produce off-line scanners or boot CDs, which seems to be the best way now, but isn't it all still hit and miss? Detecting it is one thing, cleaning is quite another, what hooks are in place etcetera, just as LoPhatPhuud had troubles with in this topic - »[RESOLVED][Rootkit] rootkit virus? - Nethog Post 1 of 2
(I hope there isn't a forum rule here)

Infections at this depth are best dealt with by reformat and re-install. Back up all pertinent data first.
Then either load the factory recovery program, or boot from your Windows DVD.

Operating System stability is foremost for me. If I can't be assured that the removal steps will leave a stable OS, then the only recommendation I can make is reformat.

The integrity of the file structure cannot be guaranteed even if it was cleaned?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

said by norwegian:

Wouldn't some of the old basic tools that did a file structure comparative still be effective today?

That is what RootkitRevealer (link above) does. It compares filesystem and registry entries using standard (API) and direct accesses and displays any discrepancies. That may indicate Rootkit activity but it won't be able to tell you anything more than that. Since Rootkits, by definition, hide themselves the best way to find them IMO is to use an offline scanner.
--
Don't feed trolls--it only makes them grow!
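The technique behind both OldGrayWolf's Linux-versus-Windows find and StuartMW's description of RootkitRevealer is a cross-view diff: take two independent listings of the same volume and report where they disagree. The script below is an added example written for this thread; it is not code from the thread, from Sysinternals or from Microsoft. It assumes two listings already exist in a simple `kind|path|size|digest` format (an `api_view` standing for what the running Windows API reported, and a `raw_view` standing for a direct volume read or a boot into Linux / Windows Defender Offline); the listing format, the `hiddensvc` name and every digest value are constructed sample data.

```python
"""Cross-view discrepancy check, the technique RootkitRevealer and an
offline (boot-media) scan both rely on.

Added example, not code from the thread, Sysinternals or Microsoft.
Assumptions: two listings of the same volume exist, 'api_view' (what the
running Windows API reported) and 'raw_view' (what a direct volume read or
a boot into Linux / Windows Defender Offline reported).  The listing format,
entry names and digests below are all constructed sample data.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Entry:
    kind: str     # "file" or "reg"
    path: str     # file path or registry key
    size: int     # bytes for files, value length for registry entries
    digest: str   # content digest; constructed short placeholders here


# Paths that legitimately differ between a live and an offline view because
# they are locked, in use, or rewritten at each boot.  Skipping them removes
# the noise that makes a raw diff hard to read.
VOLATILE = (
    r"C:\pagefile.sys",
    r"C:\hiberfil.sys",
    r"C:\Windows\Temp\*",
    r"C:\Windows\Prefetch\*",
)


def is_volatile(path: str) -> bool:
    """True if the path matches one of the known-volatile patterns."""
    return any(fnmatch.fnmatchcase(path.lower(), pat.lower()) for pat in VOLATILE)


def parse_listing(text: str) -> dict:
    """Parse 'kind|path|size|digest' lines into a dict keyed by (kind, path)."""
    view = {}
    for line in text.strip().splitlines():
        kind, path, size, digest = line.split("|")
        view[(kind, path)] = Entry(kind, path, int(size), digest)
    return view


def cross_view_diff(api_view: dict, raw_view: dict) -> dict:
    """Report the three discrepancy classes a cross-view scanner shows.

    hidden   : present on the volume, absent from the API view (hiding candidate)
    mismatch : present in both, but the API returned different content
    phantom  : reported by the API, absent from the volume
    """
    report = {"hidden": [], "mismatch": [], "phantom": []}
    for key, raw in raw_view.items():
        if is_volatile(raw.path):
            continue
        api = api_view.get(key)
        if api is None:
            report["hidden"].append(raw.path)
        elif (api.size, api.digest) != (raw.size, raw.digest):
            report["mismatch"].append(raw.path)
    for key, api in api_view.items():
        if key not in raw_view and not is_volatile(api.path):
            report["phantom"].append(api.path)
    for entries in report.values():
        entries.sort()
    return report


# Constructed sample listings.  'hiddensvc' is an invented name standing in
# for a driver file and service key that only the raw view can see.
API_LISTING = r"""
file|C:\Windows\System32\kernel32.dll|1114112|a1
file|C:\Windows\System32\drivers\tcpip.sys|2000000|b2
file|C:\Windows\Temp\tmp1.tmp|12|c3
reg|HKLM\SYSTEM\CurrentControlSet\Services\Tcpip|0|d4
"""

RAW_LISTING = r"""
file|C:\Windows\System32\kernel32.dll|1114112|a1
file|C:\Windows\System32\drivers\tcpip.sys|2000000|e5
file|C:\Windows\System32\drivers\hiddensvc.sys|40960|f6
file|C:\pagefile.sys|1073741824|00
reg|HKLM\SYSTEM\CurrentControlSet\Services\Tcpip|0|d4
reg|HKLM\SYSTEM\CurrentControlSet\Services\hiddensvc|0|a7
"""


def run_example() -> dict:
    """Diff the two constructed views and return the report."""
    return cross_view_diff(parse_listing(API_LISTING), parse_listing(RAW_LISTING))


if __name__ == "__main__":
    for kind, paths in run_example().items():
        print(f"{kind:9s} {paths}")
```

Two points from the thread apply directly to reading the output. As StuartMW says of RootkitRevealer, a discrepancy is a lead, not a verdict: it says only that two views disagree, and the volatile-path list exists precisely because locked or per-boot files disagree for innocent reasons. And the McAfee article redwolfe_98 cites describes the limit of the live version of this check: a rootkit that presents the same filtered view to both the API path and the "direct" path leaves nothing to diff while its code is running, which is why the raw listing is best taken from an offline boot where that code never loads.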