SpannerITWks (Premium, joined 2005-04-22)
RootKit Detectors - Not all = !
It probably comes as no surprise that not all anti-RK detectors are equal, or will be, for all sorts of reasons.
Right now there are quite a number to choose from, along with other hidden/stealth apps too. There are stand-alone types and ones included in AV suites etc. Recently we've seen a bit of an explosion of ARK tools, and most of these, including the previously available ones, are freeware! And in the last couple of weeks several more ARKs have appeared on the scene, from well-known vendors.
Some are better in certain areas than others, and some will "hopefully" both detect and remove what you select.
The trouble is though, how would you actually know how effective any of these ARKs really are, or would be if you really did have an RK etc. on your PC? As well as searching for RKs, they "should" also find anything else that is hiding from plain view, e.g. in the ADS of NTFS-partitioned HDs, amongst other places.
Well, fortunately there is a solution, and a VERY good one too! Not publicised as widely as it should be, but nonetheless I think you might want to know about it.
Two guys, EP_X0FF and MP_ART, have coded one of the best, if not the best, ARK app, even if they do say so themselves lol. And also some test RKs to throw at your ARKs to see just how successful, or not, they are at locating anything suspicious or possibly hiding. They aren't too shy about disclosing all the other ARKs that don't come up to scratch either!
-
Rootkit Unhooker - an advanced rootkit detection utility
Rootkit Unhooker features (public version):
- Service Descriptor Table hooks detection and restoring
- Ultimate processes detection
- Ultimate drivers detection
- Hidden processes termination
- System call hook detection
- Drivers dumping
- Report generation
Current version 2.022 from 20 August 2006. USE IT ON YOUR OWN RISK
Supported operating systems:
- x86 32-bit Windows 2000 SP4
- x86 32-bit Windows XP + SP1, SP2
- x86 32-bit Windows 2003 + SP1
-
Rootkit Unhooker Free - »rkunhooker.narod.ru/
RkU test rootkit demo v1.1 + v2 - Rootkit demo (for education purposes only) - Free: hxxp://rkunhooker.narod.ru/projects.html
The links are a "little" slow so I've zipped and uploaded the files here for you - Download link #1: »rapidshare.de/files/31059460/RKU.zip.html - Password = Spanner
YES, the files are 100% safe, but feel free to check them. So don't be surprised if a scan shows the RKs as positive, because they are RKs and some vendors do have these in their defs, even though they are ONLY tests. But remember: "USE IT ON YOUR OWN RISK".
Now you can experiment with a couple of real RKs and compare, without having to run one complete with a real nasty payload included! I wonder what you'll think of some of the others' capabilities after your tests, and how much faith you would have in them?
Spanner
(edit: extra info only) -- I Only Know What I Know, But I'm Learning All The Time - Stay Safe - Spanner intheWorks / SpannerITWks
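The feature list above mentions hidden process detection. The idea underneath most such features is cross-view detection: enumerate the same thing through several independent paths and treat any disagreement as suspicious. The script below is an added example written for this page; it is not code from the thread, from Rootkit Unhooker or from any other tool named here. It takes three user-mode views of the process list on a Windows host (Get-Process, WMI's Win32_Process, and a brute-force OpenProcess over the PID space) and prints every PID that is missing from at least one of them. The class name RkNative and the function names are this example's own.

```powershell
# Added example, not code from the thread or from Rootkit Unhooker.
# Cross-view detection of hidden processes: take three independent
# enumerations and report any PID that is not present in all of them.
#   view 1: Get-Process              (.NET process enumeration)
#   view 2: Win32_Process via CIM    (WMI provider, separate user-mode path)
#   view 3: brute-force OpenProcess  (NtOpenProcess on every candidate PID)
# Run from an elevated prompt. Processes that start or exit between the
# three passes show up as spurious differences; re-run to confirm a hit.

if (-not ('RkNative' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class RkNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@
}

function Get-BruteForcePids {
    # Probe every candidate PID. NT PIDs are multiples of 4. Raise $MaxPid
    # on busy hosts; PIDs above 65536 do occur after long uptimes.
    param([int]$MaxPid = 65536)
    $QueryLimited = 0x1000   # PROCESS_QUERY_LIMITED_INFORMATION
    $found = New-Object System.Collections.Generic.List[int]
    for ($p = 4; $p -le $MaxPid; $p += 4) {
        $h = [RkNative]::OpenProcess($QueryLimited, $false, [uint32]$p)
        if ($h -ne [IntPtr]::Zero) {
            $found.Add($p)
            [void][RkNative]::CloseHandle($h)
        }
        elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq 5) {
            # ERROR_ACCESS_DENIED: the process exists, we just cannot open it
            $found.Add($p)
        }
    }
    return $found
}

function Compare-ProcessViews {
    $api = @(Get-Process | ForEach-Object { [int]$_.Id })
    $wmi = @(Get-CimInstance Win32_Process | ForEach-Object { [int]$_.ProcessId })
    $raw = @(Get-BruteForcePids)
    $all = ($api + $wmi + $raw) | Sort-Object -Unique
    foreach ($id in $all) {
        if ($id -eq 0) { continue }   # PID 0 is the Idle pseudo-process; it cannot be opened
        $row = [pscustomobject]@{
            PID         = $id
            GetProcess  = $api -contains $id
            WMI         = $wmi -contains $id
            OpenProcess = $raw -contains $id
        }
        if (-not ($row.GetProcess -and $row.WMI -and $row.OpenProcess)) { $row }
    }
}

Compare-ProcessViews | Format-Table -AutoSize
```

What the three views buy you: a hook on NtQuerySystemInformation (the classic SSDT trick the feature list refers to) blinds views 1 and 2 but not view 3, because OpenProcess resolves the PID through the kernel's handle-table lookup rather than the process list. The same holds for a rootkit that unlinks its EPROCESS from the active-process list. A rootkit that also hooks NtOpenProcess, or that is filtering results at a lower layer, defeats all three user-mode views, which is why detectors such as the one in this thread ship a driver and take additional views from kernel mode.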
Mr Bluepill (@lechtermann.net)
I think if we have learnt anything from that infamous thread on the Sysinternals forum it is that public rootkit detectors will always lose to private rootkits.
That said, I see the guys at CastleCops have refused to endorse Rootkit Unhooker for use, for some undisclosed reason. I would be inclined to follow their lead.
Cudni La Merma - Vigilado (Premium, MVM, joined 2003-12-20, Someshire) | reply to SpannerITWks
Another util offering a glimpse of what is happening under the hood, nice.
Cudni
Psicop "More human than human" (Premium, joined 2005-12-21) | reply to SpannerITWks
Hmmm... It already looks like a cat and mouse game. Who'll be the winner?
No one. Like the snake that bites its own tail. Or like Karma.
Endless cycle. That's life.
Mr. BluePill, which one? There are a few. Perhaps this:
»forum.sysinternals.com/forum_pos···003&PN=1
Cudni La Merma - Vigilado (Premium, MVM, joined 2003-12-20, Someshire, BTOpenworld) | reply to Mr Bluepill
said by Mr Bluepill:
That said, I see the guys at CastleCops have refused to endorse Rootkit Unhooker for use, for some undisclosed reason. I would be inclined to follow their lead.
Not undisclosed anymore:
»www.castlecops.com/postlite165478-.html "... Too buggy and needs more work. ..."
Cudni -- Some are born to failure, others achieve it, all deserve it. Help yourself so God can help you. MVP, Microsoft Windows Security 2006
phoneboy2 (@shawcable.net) | reply to SpannerITWks
If a rootkit detector does not boot from its own CD it will NEVER be trustworthy. Having said that, for a basic preliminary test, I like the no-nonsense raw design of Sysinternals RootkitRevealer. They like to try to keep it simple, which is usually the best approach.
EP_X0FF (@rol.ru) | reply to Cudni
Very interesting review from CastleCops. Too buggy and needs more work, lol. I can say the same about all other RK detectors, as well as about CastleCops itself.
EP_X0FF (@rol.ru) | reply to phoneboy2
Those are very disputable words.
FYI, the next generation of hardwired rootkits will not be detected even by external scanning like a boot CD.
zteardrop (joined 2005-12-20, Brooklyn, NY) | reply to SpannerITWks
I like GMER from www.GMER.net. Small, fast, works well. Haven't tried it extensively though with all rootkit types.
EP_X0FF (@rol.ru) | reply to Mr Bluepill
>> I think if we have learnt anything from that infamous thread on the sysinternals forum it is that public rootkit detectors will always lose to private rootkits.
lol, not so true. Private detectors are a big myth: tools used by ten to a hundred people, very funny, what will they detect? You can always say that your private detector is the best, because nobody can say otherwise. If you think that this thread is 'infamous' then I don't know what you mean by 'famous'. Lying to people by saying that all RK detectors are good is not such a 'good' idea. I have real facts; you have nothing.
goodquestion (@co.uk) | reply to SpannerITWks
That's a good question: which anti-rootkit scanners are really the best? Has anyone trustworthy and knowledgeable in this area done any decent tests with them?
SpannerITWks (Premium, joined 2005-04-22) | reply to SpannerITWks
goodquestion
If you take your time to go through the thread in the link that gesc provided, you will discover some very illuminating results in answer to your questions. And even though EP_X0FF is connected with RKU, the reviews of other vendors' ARKs speak volumes! If anybody doesn't have faith in the results, just compare them with yours!
zteardrop
Look forward to you posting your more extensive testing with all RK types, and hopefully not just with GMER.
-
Don't forget, quite a few of the private ARKs are updated/improved a lot more often than the commercial vendors'. So always keep a lookout for the latest versions.
Spanner
(edit: extra info only) -- I Only Know What I Know, But I'm Learning All The Time - Stay Safe - Spanner intheWorks / SpannerITWks
Vampirefo (Premium, MVM, joined 2000-12-11, Huntington, WV, Comcast) | reply to EP_X0FF
Very buggy software you made. Any updates in the future? Right now your program is pretty useless, as you already know.
Your program can't even kill itself, very poor programming I might add. Scrap this program and start over; I look forward to a bug-free program. Your program is interesting, nothing I haven't seen before though. -- Best Regards, Vampirefo
controler (joined 2003-11-02) | reply to SpannerITWks
Yes, I've kind of been peeking at the Sysinternals thread now and then. Interesting stuff indeed.
Here is an old article by Symantec on Rustock.A. Has Symantec done any more with it since June 29th?
»www.symantec.com/enterprise/secu···van.html
controler
controler (joined 2003-11-02) | reply to SpannerITWks
Here is what AVG claims about its latest beta:
»fileforum.betanews.com/detail/AV···697799/1
"It can even remove Trojans and Rootkits that are hiding inside NTFS Alternate Data Streams."
How true is this with the hidden driver using ADS on NTFS?
controler
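For readers who want to look for themselves before trusting any vendor claim about alternate data streams, here is an added example written for this page (not code from the thread, from AVG or from any tool it names). It walks a directory tree, lists every named stream on every file, skips the Zone.Identifier mark-of-the-web that browsers attach to downloads, and flags streams that begin with the "MZ" PE signature. The function name and the Ignore parameter are this example's own choices.

```powershell
# Added example, not code from the thread or from AVG.
# Walk a directory tree, list every NTFS alternate data stream, skip the
# benign Zone.Identifier mark-of-the-web, and flag streams whose first two
# bytes are the "MZ" PE signature. Requires PowerShell 3 or later.

function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Ignore = @('Zone.Identifier')   # streams treated as benign
    )
    # Get-Content's byte mode was renamed in PowerShell 6
    $byteMode = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the file's ordinary content; everything else is a named stream
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
          ForEach-Object {
            $head = @(Get-Content -LiteralPath $file -Stream $_.Stream -TotalCount 2 `
                                  -ErrorAction SilentlyContinue @byteMode)
            [pscustomobject]@{
                File        = $file
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
          }
      }
}

# usage: Find-SuspiciousAds -Path "$env:SystemRoot\System32" | Format-Table -AutoSize
```

The caveat that answers the question above: this enumeration goes through the normal Win32 stream APIs, so a rootkit that hooks those calls (or filters file information in the kernel) hides its stream from this script exactly as it hides it from a user-mode scanner. A claim of removing rootkits "hiding inside" ADS is only meaningful if the scanner enumerates streams from a driver, or scans the volume offline from clean media, which is the point phoneboy2 makes earlier in the thread.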
ross (joined 2000-08-16) | reply to SpannerITWks
Where did it go?
Spanner, how about a list of the files in your tar/zip download, and where they unarchive to...
controler (joined 2003-11-02) | reply to SpannerITWks
Re: RootKit Detectors - Not all = !
Why worry about it, ross?
BIGMIKE (Premium, joined 2002-06-07, Westminster, CA) | reply to SpannerITWks
DiamondCS ProcessGuard »www.diamondcs.com.au/processguard/ -- Type "miserable failure" in Google
controler (joined 2003-11-02) | reply to SpannerITWks
Bigmike
Choke, cough, HUH?
Dying product.
Vampirefo (Premium, MVM, joined 2000-12-11, Huntington, WV, Comcast) | reply to Cudni
Did you remove the registry entries, and the driver that Rootkit Unhooker dropped on your PC?
This is a sneaky program, not to be trusted; it makes way too many entries in the registry, and dropping the driver is trojan-like.
One should be told what is going to happen when they click RkUnhooker.exe. Other freeware scanners simply scan, that's it, but this one has the actions of a trojan: writing to the registry, dropping a driver, setting itself up as a service.
None of the above is told to the user, nor is it needed to just scan your PC. -- Best Regards, Vampirefo
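Whether a given tool drops a driver, registers a service or writes Run keys is something you can measure rather than argue about. The script below is an added example written for this page (not code from the thread or from Rootkit Unhooker): it snapshots the installed drivers and services, the Services registry key, the per-machine and per-user Run keys and the contents of the drivers directory, and diffs two snapshots taken before and after running a tool. The function names are this example's own. Note that a kernel-mode detector has to load a driver to read the SSDT or kernel object lists at all, so a driver showing up in the diff is expected for that class of tool; what the diff tells you is exactly which persistent changes were made and whether they are cleaned up on exit or uninstall.

```powershell
# Added example, not code from the thread or from Rootkit Unhooker.
# Record what a tool leaves behind: snapshot drivers, services, the Services
# registry key, Run keys and the drivers directory before and after running
# it, then diff the two snapshots. Run elevated so all keys are readable.

function Get-SystemSnapshot {
    $lines = New-Object System.Collections.Generic.List[string]
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $lines.Add("driver:$($_.Name)=$($_.PathName)")
    }
    Get-CimInstance Win32_Service | ForEach-Object {
        $lines.Add("service:$($_.Name)=$($_.PathName)")
    }
    # every driver or service entry, whether or not the SCM currently reports it
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object { $lines.Add("svckey:$($_.PSChildName)") }
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            # PS* properties are provider metadata, not registry values
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
              ForEach-Object { $lines.Add("run:$key\$($_.Name)=$($_.Value)") }
        }
    }
    Get-ChildItem "$env:SystemRoot\System32\drivers" -File -ErrorAction SilentlyContinue |
      ForEach-Object { $lines.Add("file:$($_.Name)=$($_.Length)") }
    return $lines | Sort-Object
}

function Compare-Snapshots {
    param([string[]]$Before, [string[]]$After)
    Compare-Object -ReferenceObject $Before -DifferenceObject $After | ForEach-Object {
        $kind = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
        [pscustomobject]@{ Change = $kind; Item = $_.InputObject }
    }
}

# usage:
#   $before = Get-SystemSnapshot
#   & .\RkUnhooker.exe       # run the tool under evaluation, then exit it
#   $after  = Get-SystemSnapshot
#   Compare-Snapshots -Before $before -After $after | Format-Table -AutoSize
```

Both snapshots are taken through the same OS APIs the tool under test could subvert, so if the question is whether the tool itself behaves like a rootkit, take the second snapshot's ground truth from outside the running system as well: boot clean media and compare the SYSTEM hive and the drivers directory against the pre-run copy.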