Hypersight Rootkit Detector VIPS


Meriadoc
February 24th, 2008, 03:00 PM
Hypersight Rootkit Detector (http://northsecuritylabs.com/downloads/whitepaper-html/) North Security Labs (http://www.northsecuritylabs.com/)

Virtual Intrusion Prevention Systems (VIPS)
-{ Quote: "Virtual Intrusion Prevention Systems (VIPS) can successfully protect against most kernel-mode rootkits. Hardware virtualization is a powerful technology that allows detecting and blocking malicious actions attempted by rootkits. However, relying on hardware virtualization alone is not enough to completely protect a PC. A complex protection system must harmoniously combine methods implemented in all four types of information security systems." }-

Rasheed187
February 24th, 2008, 03:36 PM
Thanks for sharing, seems to be very interesting. Of course I will wait for some feedback first, because you should be cautious with this kind of tool. And this one seems to be making use of hardware (processor) based virtualization? Sort of like the Blue Pill rootkit? Perhaps the next step is to build a hypervisor HIPS? Or is this VIPS already a HIPS? Exciting stuff! ;D

Meriadoc
February 24th, 2008, 03:41 PM
Yes indeed. (Currently the CPU must support Intel VT-x, Intel Virtualization Technology.) NSL Blog (http://northsecuritylabs.blogspot.com/search?updated-min=2008-01-01T00%3A00%3A00Z&updated-max=2009-01-01T00%3A00%3A00Z&max-results=1)

Henk1956
February 24th, 2008, 03:50 PM
Would like to try it, but unfortunately I have an AMD processor which is not supported as stated in the last sentence of the home page:

"Due to the requirements of a hardware platform to support virtualization, the current preview release is only compatible with Intel Core 2 family of processors for the time being. We are currently working on adding support for other CPUs."

Kees1958
February 24th, 2008, 03:57 PM
Brilliant idea to use the virtualisation feature of the CPU.

Threedog
February 24th, 2008, 03:58 PM
My processor won't support it either. Seems like an interesting concept though.

SystemJunkie
February 25th, 2008, 08:33 AM
-{ Quote: "Yes indeed. (Currently the CPU must support Intel VT-x, Intel Virtualization Technology.) NSL Blog" }-
I discovered it some days ago but unfortunately I am also using AMD; it seems to be only useful for a smaller circle. But to detect CR0 changes there are easier ways, and these work on all systems.
To detect ShadowWalker maybe one should disable pagefile.sys .. lol..

Hermescomputers
February 25th, 2008, 09:16 AM
Genial.... However it cuts out AMD based boxes. That is a large segment of the possible market for such a technology...

Perman
February 25th, 2008, 01:44 PM
Hi,

perhaps, this app is INTEL-sponsored. AMD just has to stay 10 feet away.

Similarly, Pepsi vs Coca-Cola, or Blu-ray vs HD DVD. Diamond cuts another diamond. Interesting, eh?

lucas1985
February 25th, 2008, 01:49 PM
I can't think of any reason why this app is incompatible with AMD processors. AMD has virtualization technology built into its latest processors which is (AFAIK) compatible with Intel's technology.

Meriadoc
February 25th, 2008, 02:39 PM
Support for other than Intel Virtualization is being worked on.
-{ Quote: "Hypersight Rootkit Detector supports Windows 2000, Windows XP, and Windows Server 2003. The current version supports Intel Core 2 CPUs, while we are working hard on adding support for AMD processors." }-

lucas1985
February 25th, 2008, 03:38 PM
I stand corrected, thanks Meriadoc :)

aigle
February 25th, 2008, 06:23 PM
-{ Quote: "Yes indeed. (Currently the CPU must support Intel VT-x, Intel Virtualization Technology.) NSL Blog (http://northsecuritylabs.blogspot.com/search?updated-min=2008-01-01T00%3A00%3A00Z&updated-max=2009-01-01T00%3A00%3A00Z&max-results=1)" }-
Is it true GMER is still not detecting Unreal.A?

EraserHW
February 25th, 2008, 06:48 PM
-{ Quote: "Is it true GMER is still not detecting Unreal.A?" }-

Tested version: GMER 1.0.12 (Released in 2006)
Latest version: GMER 1.0.14

-{ Quote: "
Domain Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: NORTHSECURITYLABS.COM
Created on: 09-Nov-07
" }-

-{ Quote: "
2007.06.26
GMER Version 1.0.13.12540 released.
" }-

Be careful with that comparison.

Tadoussac
February 25th, 2008, 08:47 PM
I tried this on my laptop which has an Intel Core2 T5500 processor. Here are some impressions:

(1) I went into BIOS and "enabled" Intel Virtualization Technology for the CPU, and then I installed Hypersight.

(2) On the subsequent reboot, I experienced system freeze during the WinXP splash screen, and I did a hard shutdown (power button).

(3) The next boot completed normally, and I received a taskbar pop-up from Hypersight informing me that rootkits were discovered on my system. Opening the GUI revealed that Hypersight considered Online Armor components to be rootkits and was blocking them.

I wonder how Hypersight can conceivably co-exist with any HIPS that touches the kernel. If there are settings in Hypersight to ignore trusted software, I couldn't find them - and therefore decided to uninstall it and reset CPU Virtualization to default setting of "Disabled".

Mr. Y
February 26th, 2008, 01:50 AM
I installed Hypersight and it recognized SSM.

But if given administrative rights in my LUA, eventually it seems to disable the Jetico Firewall HIPS (this could be a good thing or a bad thing).

SystemJunkie
February 26th, 2008, 03:33 AM
-{ Quote: "Is it true GMER is still not detecting Unreal.A?" }-
Even NoAdware (rogue antispy) could easily detect Unreal.A; I don't know why there is such a hype about this un-real thing.

-{ Quote: "I wonder how Hypersight can conceivably co-exist with any HIPS that touches the kernel. If there are settings in Hypersight to ignore trusted software, I couldn't find them - and therefore decided to uninstall it and reset CPU Virtualization to default setting of "Disabled"." }-
Good choice! ;D
And as I said, it is very easy to track CR0 changes from user mode; you don't need a hypervisor for it.

sukarof
February 26th, 2008, 03:44 AM
Sounds interesting. It didn't work well with Sandboxie though. Rebooting after the install got me a BSOD; sbiedrv.sys was the culprit according to the bluescreen. But I guess that is no surprise, one can only have so much software living that close to the kernel :)

Rasheed187
February 26th, 2008, 02:23 PM
But the question is how long will it take before security tools start to act like hypervisors? Is this even technically possible? You would sure hope so. Picture this: your favorite anti-malware tool still monitoring everything as usual, but now completely immune to attacks from other stealthy software, and of course with the ability to protect the whole system from all kinds of attacks flawlessly. Yes, this may be science fiction, but it sure is very exciting. ;D

-{ Quote: "
And as I said, it is very easy to track CR0 changes from user mode; you don't need a hypervisor for it." }-

If I'm correct, KAV/KIS can protect against "R0-R3 gateway handler modification". But will this stop all (or most) rootkits, or just rootkits using this method?

Mr. Y
February 27th, 2008, 12:30 AM
I sent a feedback message via their website and I think they are a Russian company.

SystemJunkie
February 27th, 2008, 08:25 AM
They are a Russian company and most think that EP is behind this project, but that doesn't seem so. Who are these guys?

LuckMan212
February 29th, 2008, 01:35 AM
Has anyone tried this yet? Has it been proven successful at removing anything? I am a little scared to test it on my system. But I have a friend's laptop for a few days now that is infected with a DOOZIE of a rootkit and I am desperate to get it fixed.

Ilya Rabinovich
February 29th, 2008, 04:09 AM
I doubt it will help you to wipe this DOOZIE out of your system.

LuckMan212
February 29th, 2008, 04:35 AM
Hmm, OK. What do you suggest, Ilya? I have tried McAfee Rootkit Detective, AVG Anti-Spyware, NOD32 3.0, Malwarebytes, fixmbr, and it still seems to be infected... :'(

aigle
February 29th, 2008, 05:27 AM
Reformat it and get a peace of mind.

lucas1985
February 29th, 2008, 10:33 AM
-{ Quote: "I have tried McAfee Rootkit Detective, AVG Anti-Spyware, NOD32 3.0, Malwarebytes, fixmbr, and it still seems to be infected... :'(" }-
- SAS, CureIt, Prevx CSI.
- Hijackthis log at a malware cleaning forum.
- Full wipe and reinstall.

Kees1958
February 29th, 2008, 02:52 PM
-{ Quote: "
- Full wipe and reinstall." }-

As a last option, I suppose :D

Ilya Rabinovich
February 29th, 2008, 03:39 PM
-{ Quote: "what do you suggest Ilya?" }-
I use the following tools when I cure my friends' computers: GMER, RootkitUnhooker, AVZ. But those tools mostly rely on the brains & experience of their driver. :D If I were not a really techy user, I would use the anti-malware helper forums from the ASAP list.

aigle
February 29th, 2008, 03:41 PM
I will not trust the cleaning of a heavily infected PC, especially with rootkits. A few malwares are another story.

Ilya Rabinovich
March 1st, 2008, 07:02 AM
-{ Quote: "I will not trust the cleaning of a heavily infected PC, especially with rootkits" }-
I never met a rootkit that could resist me for more than half an hour :)

aigle
March 1st, 2008, 09:16 AM
But I can't find you each time I have to clean the rootkits. ;D
BTW, have you ever met Rustock.C? ;D ;D

Ilya Rabinovich
March 1st, 2008, 09:16 AM
-{ Quote: "But I can't find you each time I have to clean the rootkits. ;D" }-
You bet! ;D

aigle
March 1st, 2008, 09:17 AM
Ilya, I edited my post.:)

Ilya Rabinovich
March 1st, 2008, 10:02 AM
-{ Quote: "BTW, have you ever met Rustock.C?" }-
No, I haven't.

aigle
March 1st, 2008, 12:16 PM
Maybe it was there! :doubt:

lucas1985
March 1st, 2008, 01:39 PM
-{ Quote: "Maybe it was there! :doubt:" }-
Or maybe it never existed :doubt:

aigle
March 1st, 2008, 02:10 PM
Maybe, maybe, mayyyyy be!
Who knows? ::)

lucas1985
March 1st, 2008, 03:13 PM
-{ Quote: "Who knows? ::)" }-
SystemJunkie ;D

aigle
March 1st, 2008, 03:46 PM
lol, right said!

SystemJunkie
March 2nd, 2008, 01:15 PM
-{ Quote: "SystemJunkie" }-
I met Rustock.C; I was a live experiment, I guess. ;D ;D ;) ;) ;) I got used to cyberwar. The most massive spam attacks were around June 2007, but where was this Indian spam nonsense rooted?

lucas1985
March 2nd, 2008, 01:19 PM
Indian spam?

SystemJunkie
March 2nd, 2008, 01:23 PM
Yes, the latest spam attacks were filled with Indian names and contents as a mark. I created a pretty effective spam filter during this time, so probably they lost interest.

lucas1985
March 2nd, 2008, 01:29 PM
Strange :doubt:

SystemJunkie
March 2nd, 2008, 01:38 PM
They mainly use these mailers:
in 2008: X-Mailer: The Bat and
in 2007: Eudora 7.x.

Spambot killer India (http://41clubsofindia.in/community/modules.php?name=Spambot_Killer&count=&salt=1nhck6frpoq0wni8ottwaxzk0rhi2y)

Rasheed187
March 5th, 2008, 12:16 PM
-{ Quote: "If I'm correct, KAV/KIS can protect against "R0-R3 gateway handler modification". But will this stop all (or most) rootkits, or just rootkits using this method?" }-

@ SystemJunkie, can you (or someone else) perhaps answer this question? Nothing personal, but it's just that some guys act like they know a lot, but when more technical questions are asked, it stays awfully quiet. Or even funnier, you get to hear things like, "well, you wouldn't understand it anyway"! ;D

Kees1958
March 5th, 2008, 12:53 PM
http://en.wikipedia.org/wiki/Ring_(computer_security)

Anyone else tried the virtual machine capacity of their CPU? With SecurAble you can check whether your CPU has the capacity; often a BIOS setting change is needed to enable it.

Ilya, what is your opinion on this HIPS? From a marketing standpoint it is always good to tell people that they have a feature they do not use at the moment (digs deep into European/American Christian beliefs that you should not waste things) and that for only (a small amount, say 15 dollars) you can be secured.

Regards K

Ilya Rabinovich
March 6th, 2008, 07:11 AM
I would say:
1. It is not a HIPS as it can't resist regular malware.
2. It has very limited capabilities.
3. The main feature of it is to catch a new hypervisor's installation.

SystemJunkie
March 8th, 2008, 09:50 AM
-{ Quote: "@ SystemJunkie, can you (or someone else) perhaps answer this question?" }-
I think there are by far too many attack ranges to say this protection will help you against all malware/rootkits.

-{ Quote: "I would say:
1. It is not a HIPS as it can't resist regular malware.
2. It has very limited capabilities.
3. The main feature of it is to catch a new hypervisor's installation." }-
It seems so, but is it really able to catch hypervisors? This tool stands on very thin legs actually... let's wait and see.

Rasheed187
March 10th, 2008, 01:36 PM
-{ Quote: "I would say:
1. It is not a HIPS as it can't resist regular malware.
2. It has very limited capabilities.
3. The main feature of it is to catch a new hypervisor's installation." }-

Yes, the main function seems to be to protect Windows/security tools from rootkits, so in a way it is a HIPS. My question is, do you think it's possible to make a classical HIPS or sandbox work as a hypervisor? Can you control all system calls (file system + registry) as a hypervisor?

-{ Quote: "
I think there are by far too many attack ranges to say this protection will help you against all malware/rootkits.
" }-

Yes, probably, but I just wondered why KAV is monitoring this; in theory it should be able to monitor and stop even the nastiest rootkits from modifying the system, or perhaps this is only possible for hypervisors?

-{ Quote: "
It seems so, but is it really able to catch hypervisors? This tool stands on very thin legs actually... let's wait and see." }-

I don't see why not? Of course it will become the main target for hackers.

Ilya Rabinovich
March 10th, 2008, 02:01 PM
-{ Quote: "Yes, the main function seems to be to protect Windows/security tools from rootkits" }-
It can't protect against rootkits.

-{ Quote: "
My question is, do you think it's possible to make a classical HIPS or sandbox work as a hypervisor? Can you control all system calls (file system + registry) as a hypervisor?" }-
Both questions: no.

SystemJunkie
March 12th, 2008, 08:14 AM
Yesterday I had the possibility to test it on an Intel Core laptop.
After installation and some reboots I could see: nothing.
The tool had no reaction; I guess it can't prevent rootkits.

Rasheed187
March 17th, 2008, 12:13 PM
-{ Quote: "The tool had no reaction; I guess it can't prevent rootkits." }-

SystemJunkie, can you clarify? How did you test it?

-{ Quote: "
It can't protect against rootkits." }-

What do you mean, that it can't stop rootkits from modifying the kernel? Or perhaps that it can not even spot rootkit behavior? :what:

-{ Quote: "Both questions: no." }-

But it must be able to do at least something? Because it's a bit confusing: if it can't control the OS, then how can they claim to be able to protect Windows?

Kaupp
March 18th, 2008, 12:53 AM
Hypersight is a rootkit detector; it's up to you to find another way to clean infections.

EASTER
March 18th, 2008, 01:45 AM
This tool, although a good concept in theory and maybe someday in practice, is AFAIK rather impractical. Rootkits are not viruses per se but more or less sneakers/hiders. The real problem lies in wait: if or when destructive virus writers find it to their advantage to use them to commute their vicious payloads onto users' PCs, IMO.

This is taking it to the extreme and almost like chasing ghosts when viruses are more AGGRESSIVE and infinitely more DESTRUCTIVE!

But it remains to be seen if such a concept of this nature takes off or not; besides, the odds are not really (right now) so much in favor of these threats as much as viruses, IMO.

Rasheed187
March 18th, 2008, 06:13 PM
-{ Quote: "Hypersight is a rootkit detector; it's up to you to find another way to clean infections." }-

Well, this kind of sucks. I became excited because I thought that it could actually stop rootkits from being installed. This is in fact what I'm looking for; I wonder if it's possible for a HIPS to act sort of like Vista's PatchGuard, so that it could simply deny an already loaded driver from modifying the kernel. Now that would be cool. 8)

Meriadoc
March 18th, 2008, 10:25 PM
Hypersight can detect and block. The protection can be configured in preferences.

Meriadoc
July 13th, 2008, 08:07 PM
Security Through Virtualization Obscurity
(http://www.rootkit.com/newsread.php?newsid=889)
-{ Quote: "Mostly rumored at the beginning this unknown North Security Lab was immediately linked with our UG North as a continuing of the RKU project..." }-
A post from June at rootkitdotcom. Did anyone else test this from NSL? I too pretty much had no reaction from this detector.

Rasheed187
July 20th, 2008, 02:23 PM
Well, this sort of sucks, because you would think that hypervisor-based security tools are the future. And if you read their blog, they now even claim to be able to stop Blue Pill rootkits. I would sure like to see this thing get a professional review. Is it crap or does it have potential?

http://northsecuritylabs.blogspot.com/

Ilya Rabinovich
July 20th, 2008, 03:49 PM
In fact, it's a bit over-marketed. All is simple. From the ring -1 level you can trace the following activity: system register modifications including MSR ones, memory and system port access. Nothing more and nothing less. It is always possible to write a rootkit that won't cause hypervisor-based "security" software to signal. At all.

Also, such software should be extremely OS-dependent and even hardware-dependent, especially in the case of non-standard RAID controllers that require a driver.

Its security capabilities are really limited and can't provide more security than, for example, HIPS solutions. Ah, and one more thing: have you ever seen BluePill-based malware ITW?

Rasheed187
September 2nd, 2008, 08:41 AM
-{ Quote: "In fact, it's a bit of over-marketed." }-

Hi,

I've done some reading, and perhaps you're right. It's perhaps not the silver bullet against rootkits, but it seems to be yet another layer. I still think (and hope) that these hypervisor-based HIPS can/will be useful. At BlackHat 2008 someone else came with a tool based on the same concept; it's called Viton. From what I've read this tool can protect against Type 1 and Type 3 rootkits. It's more difficult to protect against Type 2 rootkits.

-{ Quote: "Type 1: IDT, SSDT, Code patching
Type 2: DKOM/KOH manipulation
Type 3: Bluepill/Vitriol" }-

So the question remains, how to protect the OS kernel from Type 2 attacks. Btw, there is also another interesting project which is backed by Intel; it's called HyperArmor. Let me know what you think about it. :)

http://hypervisor.com/our_products.html
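The two posts above make the same point from different angles: Ilya's, that a ring -1 monitor sees only what the CPU can be told to trap (control register writes, MSR writes, port I/O, memory pages it has explicitly protected), and the Type 1/2/3 list, that this covers hook-style (Type 1) and hypervisor-install (Type 3) techniques far better than DKOM (Type 2). The following is an added model written for this thread, not Hypersight's, Viton's or any vendor's code. It encodes the Intel VT-x intercept rules as a small policy (`InterceptConfig`) and runs three constructed scenarios through it to show which ones produce a VM exit. The kernel addresses, the `0x88` offset, the `EXAMPLE_CONFIG` intercept set and the scenario names are assumptions for the model; the MSR numbers and CR0.WP bit are the real architectural values.

```python
from dataclasses import dataclass

# Real architectural constants.
IA32_SYSENTER_EIP = 0x176      # target of SYSENTER (32-bit syscall entry)
IA32_LSTAR = 0xC0000082        # target of SYSCALL (64-bit syscall entry)
CR0_WP = 1 << 16               # write-protect bit; cleared to patch read-only kernel pages
PAGE = 0x1000

# Constructed guest addresses standing in for kernel structures (assumptions;
# real addresses are build-specific and irrelevant to the model).
SSDT_PAGE = 0x80500000
IDT_PAGE = 0x8003F000
EPROCESS_PAGE = 0x86800000     # page holding one process object on the active list


@dataclass(frozen=True)
class InterceptConfig:
    """What the hypervisor has asked the CPU to trap (VMCS knobs, simplified)."""
    cr0_mask: int                  # CR0 guest/host mask: changes to these bits exit
    msr_write_bitmap: frozenset    # MSRs whose WRMSR exits
    io_bitmap: frozenset           # I/O ports whose IN/OUT exits
    protected_pages: frozenset     # guest pages made read-only in second-level tables


@dataclass(frozen=True)
class GuestEvent:
    kind: str        # "mov_cr0", "wrmsr", "out", "mem_write", "vmxon"
    target: int = 0  # MSR number, port number or guest address
    old: int = 0     # previous CR0 value (mov_cr0 only)
    new: int = 0     # new CR0 value (mov_cr0 only)


def would_exit(cfg: InterceptConfig, ev: GuestEvent) -> tuple:
    """Decide whether one guest action causes a VM exit under this configuration."""
    if ev.kind == "vmxon":
        return True, "VMXON is unconditionally intercepted in VMX non-root mode"
    if ev.kind == "mov_cr0":
        changed = (ev.old ^ ev.new) & cfg.cr0_mask
        if changed:
            return True, f"CR0 bits 0x{changed:x} are in the guest/host mask"
        return False, "CR0 change touches only unmasked (shadowed) bits"
    if ev.kind == "wrmsr":
        if ev.target in cfg.msr_write_bitmap:
            return True, f"MSR 0x{ev.target:x} is in the write bitmap"
        return False, f"MSR 0x{ev.target:x} is not in the write bitmap"
    if ev.kind == "out":
        if ev.target in cfg.io_bitmap:
            return True, f"port 0x{ev.target:x} is in the I/O bitmap"
        return False, f"port 0x{ev.target:x} is not in the I/O bitmap"
    if ev.kind == "mem_write":
        if (ev.target & ~(PAGE - 1)) in cfg.protected_pages:
            return True, "write to a page the hypervisor write-protected"
        return False, "plain memory write; the page is not protected at ring -1"
    raise ValueError(f"unknown event kind {ev.kind!r}")


# Hypothetical intercept set of the kind the thread attributes to ring -1 detectors:
# CR0.WP, the syscall-entry MSRs, the PCI config port, and the SSDT/IDT pages.
EXAMPLE_CONFIG = InterceptConfig(
    cr0_mask=CR0_WP,
    msr_write_bitmap=frozenset({IA32_SYSENTER_EIP, IA32_LSTAR}),
    io_bitmap=frozenset({0xCF8}),
    protected_pages=frozenset({SSDT_PAGE, IDT_PAGE}),
)

# Constructed scenarios mirroring the Type 1/2/3 list quoted in the thread.
SCENARIOS = {
    # Type 1: the SSDT sits on a read-only page, so patching it starts by clearing WP.
    "type1_ssdt_patch": [
        GuestEvent("mov_cr0", old=0x80010031, new=0x80010031 & ~CR0_WP),  # sample CR0
        GuestEvent("mem_write", target=SSDT_PAGE + 0x10),
    ],
    "type1_idt_hook": [GuestEvent("mem_write", target=IDT_PAGE + 8 * 0x2E)],
    "type1_sysenter_msr": [GuestEvent("wrmsr", target=IA32_SYSENTER_EIP)],
    # Type 2: DKOM edits ordinary writable kernel data (a list link at an assumed offset).
    "type2_dkom_unlink": [GuestEvent("mem_write", target=EPROCESS_PAGE + 0x88)],
    # Type 3: a rival hypervisor installing itself.
    "type3_hypervisor_install": [GuestEvent("vmxon")],
}


def coverage(cfg: InterceptConfig, scenarios: dict) -> dict:
    """True for every scenario in which at least one event reaches the hypervisor."""
    return {name: any(would_exit(cfg, ev)[0] for ev in evs)
            for name, evs in scenarios.items()}


if __name__ == "__main__":
    for name, seen in coverage(EXAMPLE_CONFIG, SCENARIOS).items():
        print(f"{name:26s} {'VM exit' if seen else 'invisible'}")
```

Under `EXAMPLE_CONFIG` the three Type 1 scenarios and the Type 3 one produce a VM exit, while the DKOM write stays invisible. Adding `EPROCESS_PAGE` to `protected_pages` makes it visible, but then every legitimate scheduler write to that page also traps to the hypervisor, which is the cost that makes Type 2 the hard case the thread talks about.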

blacknight
September 2nd, 2008, 12:13 PM
I don't understand: is it only a project? If I wanted to try it, should I contact them?