Lowyat.NET Forums

> Rootkit's Detectors

AsenDURE
post Jun 19 2007, 08:37 PM | Post #1

Rootkits

What are rootkits?
Normally only sysadmins are concerned with these, but I'm seeing a lot of this crap floating around in the home networking environment. Could be because a lot of current Windows versions seem to be based on the NT/Server platform. A rootkit is a program that allows a hacker to mask an intrusion and gain root or privileged access to the computer. Rootkits can then monitor traffic, grab keystrokes, steal passwords, or create a "backdoor" into the system for the hacker to administer the infected system remotely for almost anything he wishes to.

Because rootkits can run at the kernel & API level, they can be hidden from the OS: the upper-layer utilities like Explorer (file viewers) do not show them, they do not show up in Task Manager (process viewers), and they will not leave visible entries in the startup folders or the common startup locations mentioned above. They will also not show up on most antivirus scanners & antispyware. Rootkits not only take advantage of the vulnerabilities in your OS but even in your antispyware/antivirus detector as well.

Rootkits are not themselves malware programs but oftentimes are used to hide the presence of malware programs/trojans/worms. Detecting rootkits requires a specialist rootkit detector.

check rootkit threat alerts from here:
http://www.rootkit.com/board.hot.php

Types of rootkits (run levels)
QUOTE(M'zoft Technet)
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.


rootkit detectors

M'zoft's Sysinternal RootkitRevealer [from sysinternal, 'nuff said]
http://www.microsoft.com/technet/sysintern...itRevealer.mspx

X-Focus's Ice Sword [chinese, very good and for experienced users only]
http://www.xfocus.net/tools/200509/

M'zoft's Malicious Software Removal Tool
http://www.microsoft.com/downloads/details...&displaylang=en

Blacklight from F-Secure [non-free]
http://www.f-secure.com/blacklight/

Sophos Anti-Rootkit [Release Candidate 1]
http://sophos.com/products/free-tools/soph...ti-rootkit.html

RKDetector
http://www.rkdetector.com/

RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer

Rootkit removal
The difficulty with rootkit removal lies in the problem that rootkits work by changing the OS itself at the kernel level; it may not be possible to remove the rootkit without causing Windows to become unstable or non-functioning.

For rootkits that are 'bundled' with spyware/malware, removing the malware hidden by the rootkit presents the normal problems of removing any malware, but removing the rootkit itself may destabilize your entire system to the point that the malware cannot be completely removed.
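The cross-view comparison described in the quoted Technet text (a scanner comparing what the documented Windows API enumerates against what a lower-level enumeration returns, which is the approach RootkitRevealer, listed above, is built on) is easy to reason about once written down. The following is an added example, not code from this thread or from any of the tools it lists: the two views, the sample objects and the scan-start timestamp heuristic for objects that changed during the scan are all constructed for illustration.

```python
# Added example: cross-view discrepancy check (RootkitRevealer-style idea).
# Not the tool's own code; the views below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    kind: str                      # "file", "regkey" or "process"
    name: str                      # path, registry key path, or "pid:image"
    mtime: Optional[float] = None  # last-modified time, where the view has one

    def key(self) -> tuple:
        # Windows file paths and registry keys are case-insensitive, so the two
        # views are compared after normalising separators and case; otherwise
        # every case difference would be reported as a hidden object.
        name = self.name
        if self.kind in ("file", "regkey"):
            name = name.replace("/", "\\").rstrip("\\").lower()
        return (self.kind, name)


def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry],
                    scan_start: Optional[float] = None) -> Dict[str, List[Entry]]:
    """Compare two enumerations of the same objects.

    api_view:   what the documented Windows API returned (FindFirstFile/
                FindNextFile, registry enumeration, the Task Manager process list).
    raw_view:   what a lower-level enumeration returned (native API or on-disk
                structures).
    scan_start: assumed timestamp of the first pass; an object modified after it
                is classed as transient, not hidden, because something created
                or changed between the two passes also shows up in only one view.
    """
    api = {e.key(): e for e in api_view}
    raw = {e.key(): e for e in raw_view}
    result: Dict[str, List[Entry]] = {"hidden_from_api": [], "transient": [], "api_only": []}
    for k in sorted(raw.keys() - api.keys()):
        e = raw[k]
        if scan_start is not None and e.mtime is not None and e.mtime > scan_start:
            result["transient"].append(e)        # changed mid-scan: rescan it
        else:
            result["hidden_from_api"].append(e)  # the classic rootkit symptom
    for k in sorted(api.keys() - raw.keys()):
        result["api_only"].append(api[k])        # only the high-level view has it
    return result


def report(diff: Dict[str, List[Entry]]) -> List[str]:
    lines = []
    for e in diff["hidden_from_api"]:
        lines.append(f"HIDDEN  {e.kind}: {e.name}  (in raw view, not returned by Windows API)")
    for e in diff["transient"]:
        lines.append(f"RESCAN  {e.kind}: {e.name}  (modified during scan)")
    for e in diff["api_only"]:
        lines.append(f"CHECK   {e.kind}: {e.name}  (returned by Windows API only)")
    return lines or ["no discrepancies"]


# Constructed sample views (not captured from a real system).
SCAN_START = 1000.0
API_VIEW = [
    Entry("file", r"C:\Windows\System32\kernel32.dll", 10.0),
    Entry("file", r"C:\Windows\Temp\log.tmp", 1020.0),     # deleted before pass 2
    Entry("process", "4:System"),
    Entry("process", "1234:explorer.exe"),
    Entry("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"),
]
RAW_VIEW = [
    Entry("file", r"c:\windows\system32\KERNEL32.DLL", 10.0),   # case differs only
    Entry("file", r"C:\Windows\System32\drivers\hidden.sys", 500.0),
    Entry("file", r"C:\Windows\Temp\cache.tmp", 1030.0),         # written mid-scan
    Entry("process", "4:System"),
    Entry("process", "1234:explorer.exe"),
    Entry("process", "2222:svchost.exe"),
    Entry("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"),
    Entry("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\hidden"),
]

if __name__ == "__main__":
    for line in report(cross_view_diff(API_VIEW, RAW_VIEW, SCAN_START)):
        print(line)
```

A discrepancy is a lead, not a verdict: objects created or deleted between the two passes, or entries that only differ in case, show up in one view too, which is why the check normalises names and tags mid-scan changes for a rescan instead of reporting them as hidden.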
Liuism
post Jun 19 2007, 09:11 PM | Post #2

thanks a lot!
havuk
post Jun 19 2007, 10:43 PM | Post #3

Here's some more:

Panda Anti-Rootkit

GMER

DarkSpy

Knowledge is Power
AsenDURE
post Jun 21 2007, 10:26 AM | Post #4

thanks havuk,

Panda Rootkit cleaner is in Alpha stage.

Trendmicro's Rootkit Cleaner is in Beta stage
http://www.trendmicro.com/download/rbuster.asp

McAfee's Rootkit Detective is in Beta stage
http://vil.nai.com/vil/stinger/rkstinger.aspx

It's good that a lot of security/AV companies are taking rootkits seriously
id86
post Jul 1 2007, 10:52 PM | Post #5

AVG also had a rootkit detector.

I lost the link
YuNGSeNG
post Sep 4 2007, 08:16 PM | Post #6

QUOTE(AsenDURE @ Jun 21 2007, 10:26 AM)
thanks havuk,

Panda Rootkit cleaner is in Alpha stage.

Trendmicro's Rootkit Cleaner is in Beta stage
http://www.trendmicro.com/download/rbuster.asp

McAfee's Rootkit Detective is in Beta stage
http://vil.nai.com/vil/stinger/rkstinger.aspx

It's good that a lot of security/AV companies are taking rootkits seriously

No Panda Rootkit cleaner download link?
Does Alpha stage mean it has finished testing and is safe to use?
tan_pang
post Sep 4 2007, 08:19 PM | Post #7

QUOTE(YuNGSeNG @ Sep 4 2007, 08:16 PM)
No Panda Rootkit cleaner download link?
Does Alpha stage mean it has finished testing and is safe to use?

try looking at post #3...
fiqir
post Sep 5 2007, 08:20 AM | Post #8

got a lot of anti-rootkits, thanks
barry80
post Sep 27 2007, 01:51 PM | Post #9

I've scanned my system using RootkitRevealer & found this:

What should I remove??? Help.....
eXPeri3nc3
post Sep 27 2007, 02:32 PM | Post #10

Don't remove anything, as it's legit. If you do, you take responsibility for it yourself.
impreza_2007
post Dec 3 2007, 11:54 PM | Post #11

avira rootkit..
quintessential
post Dec 23 2007, 05:47 PM | Post #12

super macgyver
post Jan 1 2008, 11:43 AM | Post #13

paradox3696
post Jan 1 2008, 05:33 PM | Post #14

QUOTE(super macgyver @ Jan 1 2008, 11:43 AM)

Yes, I agree this one is among the best, if not the best.

UnHackMe 4.5 build 282 Final Incl.keygen-REVENGE Crew
Direct Link: Tested On XP {3.61MB}
My apologies. Just realised that forum rules do not allow sharing and testing of fully functional programs before you have decided to buy it, and if you like it, you will buy it in order to compensate the developers for their time and effort.

This post has been edited by paradox3696: Jan 1 2008, 10:16 PM
TechnoDude94
post May 27 2008, 11:21 AM | Post #15

QUOTE(paradox3696 @ Jan 1 2008, 05:33 PM)
Yes, I agree this one is among the best, if not the best.
UnHackMe 4.5 build 282 Final Incl.keygen-REVENGE Crew
Direct Link: Tested On XP {3.61MB}
My apologies. Just realised that forum rules do not allow sharing and testing of fully functional programs before you have decided to buy it, and if you like it, you will buy it in order to compensate the developers for their time and effort.

Please don't discuss/talk/mention illegal/pirated stuff in the LYN Forum.
chika138
post Aug 10 2008, 12:31 PM | Post #16

How about rootkit detectors integrated in antivirus or security suites,
like KIS?
ac_N1
post Aug 12 2008, 03:31 PM | Post #17

So many rootkit detectors. I wonder which would be the best.
yasushi
post Mar 22 2009, 10:16 AM | Post #18

Avira Free has rootkit detection
motherboard_barai
post May 18 2009, 03:05 PM | Post #19

wah.. so that means rootkits are also dangerous for our computer?
v1ctorong
post Jun 20 2009, 07:45 AM | Post #20

QUOTE(motherboard_barai @ May 18 2009, 03:05 PM)
wah.. so that means rootkits are also dangerous for our computer?

I think spyware is even more dangerous than rootkits