scan for rootkit
Ximi
June 9th, 2008, 08:16 AM
Hi
I've read somewhere that I can scan my network router and PC connection for rootkits.
Because sometimes I get disconnected from my Internet connection.
I use a router and share my Internet connection with 1 other PC.
Where can I scan my network for rootkits?
Thanks.
kareldjag
June 11th, 2008, 10:14 AM
Hi,
In the past, some people (http://cigars.bravepages.com/antispy.htm) took advantage of the rootkit paranoia by providing a detection service.
And this is not serious, of course: there's no better way than a deep and complete analysis based on human experience.
If you suspect that your network perimeter is compromised, then it requires a network and host (each PC) analysis, locally and remotely (from PC 1 to PC 2, and PC 2 to PC 1).
There are free forensic products like Mandiant First Response (http://www.mandiant.com/firstresponse.htm) for remote analysis.
Locally, a protocol analyzer is required: I suggest Wireshark (http://www.wireshark.org/) or NetworkMiner (http://networkminer.wiki.sourceforge.net/NetworkMiner?token=460a2a506405e04dcafb3b7480f167ab), both free.
And of course, any good rootkit detector (IceSword, Gmer, RKU etc.): this should be the first step for any "classical user".
For scanning PC 2 from PC 1 (and PC 1 from PC 2), there are a lot of open source network scanners, like Nmap (http://nmap.org/) for instance.
Regards
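As an added illustration of the "scan PC 2 from PC 1" step (example code written for this page, not something posted in the thread and not part of Nmap): the script below reads Nmap's grepable output (-oG), lists hosts answering on the LAN that the owner does not recognise, and lists open ports on a known PC that are not in the owner's baseline. The scan text, the addresses, the port numbers and the baseline are all constructed assumptions for a two-PC LAN behind a router.

```python
"""Compare Nmap grepable output against what the owner expects to see.

Added example, not from the original thread.  The two SAMPLE_* strings are
constructed to look like `nmap -oG -` output; nothing in them comes from a
real network.  The EXPECTED_* baselines are assumptions for a LAN with a
router at .1, PC 2 at .2 and PC 1 at .3.
"""
import re

# Constructed sample: a ping sweep of the LAN (-sP in Nmap 4.x, -sn in newer
# versions) run from PC 1.  A fourth host answering is the thing to notice.
SAMPLE_SWEEP = """\
# Nmap 4.62 scan initiated Thu Jun 19 09:00:00 2008 as: nmap -sP -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.57 ()\tStatus: Up
# Nmap done at Thu Jun 19 09:00:05 2008 -- 256 IP addresses (4 hosts up) scanned in 5.01 seconds
"""

# Constructed sample: a full TCP port scan of PC 2, run from PC 1.
SAMPLE_PORTS = """\
# Nmap 4.62 scan initiated Thu Jun 19 09:01:00 2008 as: nmap -p- -oG - 192.168.1.2
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 4444/open/tcp//krb524///\tIgnored State: closed (65531)
# Nmap done at Thu Jun 19 09:03:10 2008 -- 1 IP address (1 host up) scanned in 130.22 seconds
"""

# Assumed baseline: the devices the owner knows about ...
EXPECTED_HOSTS = {"192.168.1.1": "router", "192.168.1.2": "pc2", "192.168.1.3": "pc1"}
# ... and the ports each of them is supposed to have open (Windows file
# sharing on PC 2, nothing else).
EXPECTED_PORTS = {"192.168.1.2": {(135, "tcp"), (139, "tcp"), (445, "tcp")}}

# Grepable lines look like:  Host: <ip> (<hostname>)<TAB><Key>: <value>[<TAB><Key>: <value>...]
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"status": "Up"/"Down"/None, "ports": {(port, proto): (state, service)}}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and blanks
        ip, _hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"status": None, "ports": {}})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # each spec is port/state/proto/owner/service/rpcinfo/version/
                for spec in value.split(", "):
                    parts = spec.split("/")
                    port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                    entry["ports"][(port, proto)] = (state, service)
    return hosts


def unknown_hosts(scan, expected=EXPECTED_HOSTS):
    """Addresses that answered the sweep but are not in the owner's list."""
    return sorted(ip for ip, e in scan.items() if e["status"] == "Up" and ip not in expected)


def unexpected_open_ports(scan, expected=EXPECTED_PORTS):
    """Open ports per host that the baseline does not account for."""
    findings = {}
    for ip, e in scan.items():
        open_ports = {k for k, (state, _service) in e["ports"].items() if state == "open"}
        extra = open_ports - expected.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for ip in unknown_hosts(parse_grepable(SAMPLE_SWEEP)):
        print("unknown host answering on the LAN:", ip)
    for ip, ports in unexpected_open_ports(parse_grepable(SAMPLE_PORTS)).items():
        print(ip, "listens on ports that are not in the baseline:", ports)
```

The reason for scanning from the other PC, rather than trusting netstat on the PC itself, is that a rootkit can hide its listening port from the tools running on the compromised machine, but the port still answers a connection attempt coming from across the LAN; a port that shows up here and not in the machine's own netstat is exactly the discrepancy to chase. Run the scan in both directions, as kareldjag says, and remember the limits: an unknown host in the sweep may be a wireless neighbour rather than a rootkit, and none of this says anything about the router's firmware or the ISP side, which are more likely causes of the disconnects.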
Ximi
June 16th, 2008, 10:15 AM
{QUOTE-> Hi,
In the past, some people (http://cigars.bravepages.com/antispy.htm) took advantage of the rootkit paranoia by providing a detection service.
And this is not serious, of course: there's no better way than a deep and complete analysis based on human experience.
If you suspect that your network perimeter is compromised, then it requires a network and host (each PC) analysis, locally and remotely (from PC 1 to PC 2, and PC 2 to PC 1).
There are free forensic products like Mandiant First Response (http://www.mandiant.com/firstresponse.htm) for remote analysis.
Locally, a protocol analyzer is required: I suggest Wireshark (http://www.wireshark.org/) or NetworkMiner (http://networkminer.wiki.sourceforge.net/NetworkMiner?token=460a2a506405e04dcafb3b7480f167ab), both free.
And of course, any good rootkit detector (IceSword, Gmer, RKU etc.): this should be the first step for any "classical user".
For scanning PC 2 from PC 1 (and PC 1 from PC 2), there are a lot of open source network scanners, like Nmap (http://nmap.org/) for instance.
Regards <-QUOTE}
I did not understand anything you wrote, nothing at all.
I was just worried that I had some undetected and unhidden rootkit and wanted to scan my network and LAN. How, and with what, do I do that?
Can anyone else help me with this, maybe?
Thanks
JerryM
June 16th, 2008, 01:50 PM
{QUOTE-> I did not understand anything you wrote, nothing at all.
I was just worried that I had some undetected and unhidden rootkit and wanted to scan my network and LAN. How, and with what, do I do that?
Can anyone else help me with this, maybe?
Thanks <-QUOTE}
Kaspersky has a rootkit scanner as part of the application. Have you tried that?
Maybe someone else can tell us why that might not be enough.
I also did not understand anything that was posted.
Regards,
Jerry
PROROOTECT
June 17th, 2008, 04:46 AM
Hi, Kaspersky = false positives, and heavy, heavy artillery! I'd rather do this: AVIRA. And antirootkit = GMER; also look at ESET SysInspector, Process Explorer. Look at my configuration on Wilders / Other Anti-Malware Forum / thread: What is your security ... Page 105. Thanks, PROROOTECT :thumb:
Kees1958
June 17th, 2008, 06:01 AM
{QUOTE-> Hi,
Regards <-QUOTE}
Nice to see Kareldjag wandering around this forum again, NicM occasionally drops by also. Noticed your blogs were not updated much. Any chance of you providing tests and info in the future?
Regards Kees
ErikAlbert
June 17th, 2008, 06:03 AM
{QUOTE-> Hi, Kaspersky = false positives, and heavy, heavy artillery! I'd rather do this: AVIRA. And antirootkit = GMER; also look at ESET SysInspector, Process Explorer. Look at my configuration on Wilders / Other Anti-Malware Forum / thread: What is your security ... Page 105. Thanks, PROROOTECT :thumb: <-QUOTE}
Why do you have a keyboard without a return key?
lodore
June 17th, 2008, 06:38 AM
{QUOTE-> Hi, Kaspersky = false positives, and heavy, heavy artillery! I'd rather do this: AVIRA. And antirootkit = GMER; also look at ESET SysInspector, Process Explorer. Look at my configuration on Wilders / Other Anti-Malware Forum / thread: What is your security ... Page 105. Thanks, PROROOTECT :thumb: <-QUOTE}
Since when has Kaspersky = false positives? The newest version is quite a lot lighter than 7.0 was.
Much better than most of the alternatives.
I know of another product which has quite a lot of FPs, but I won't mention it.
PROROOTECT
June 17th, 2008, 07:09 AM
Hello, # ... Jun 2008: 3.55 GB: /Documents and Settings/All Users/.../Kaspersky Lab/AV...7/Report/eventlog.rpt! YEAH! LIGHT: 3.55 gigabytes, eventlog.rpt. ??? :argh: :argh: :argh: THANKS.
chris2busy
June 17th, 2008, 10:05 AM
If you checked the checkbox "log non-critical events", that's not the product's problem :) Otherwise the report log won't get that big even after 3 years of use, lol.
JerryM
June 17th, 2008, 01:21 PM
The signature of the OP indicates he uses Kaspersky.
I have been using KIS 7, and now KIS 8. I find neither FPs nor heavy.
If the OP already is using Kaspersky why not use it rather than add to the load?
I must admit that if we used everything recommended when we ask "what", we would really have a lot of stuff on our systems. Unless paranoia has one in its clutches, a good application like one of the top suites will take care of everything. Of course, if one is determined to see if his machine can be infected, "all bets are off."
Although I use a couple of AT/AM applications none that I have ever used has found anything but traces and cookies. I become more and more convinced that a good suite will take care of things.
If you disagree fine, but until I get infected I will continue to take that position. In slightly over 9 years my systems have remained clean.
Regards,
Jerry
Mrkvonic
June 17th, 2008, 02:19 PM
Hello,
Like kareldjag wrote ... but if you don't understand what he wrote, then there's no point in you trying to find this rootkit, because you probably won't be able to tell legitimate from illegitimate software.
Understanding Nmap or Wireshark takes knowledge of network protocols; not sure if you're there ...
I'd suggest a slightly different approach (a more mainstream one would be like this):
Use the UBCD4WIN bootable Windows CD first, run a tool called RootKitty, once booted in Windows and once from the live CD, then run compare and see what files show up in the scan.
Then, google one by one the .sys, .exe and similar files and see if anything interesting comes up.
You can also try a more benign approach running SuperAntiSpyware scanner. No guarantee with in-vivo scanning.
Running anti-rootkit tools is dangerous, if you don't know what you're doing, you can easily kill your system, so be careful.
Mrk
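The "compare" step of the live-CD approach described above, as an added example (written for this page; it is not from the thread and not RootKitty's own code, whose output format is not reproduced here): two listings of the same disk, one taken from inside the running Windows and one taken from the live CD, are diffed to find what the running system is hiding or misreporting. The listing format (path, size, MD5 per line, tab-separated), the file names and the hashes are all constructed for the example.

```python
"""Cross-view diff: in-Windows file listing versus live-CD listing of the same disk.

Added example, not from the thread.  A file the offline view has but the
online view lacks was hidden from the running OS, which is what a rootkit
does; a size or hash that differs between the two views is a file whose
contents are being altered on read.  Listing format is an assumption:
<path><TAB><size><TAB><md5 hex>, one file per line.
"""
import hashlib
import os

# Constructed sample listings; no file name or hash here is from a real machine.
ONLINE_LISTING = """\
C:\\WINDOWS\\system32\\ntoskrnl.exe\t2180992\t0f3d6a6c9b2f1d4e8a7b5c3d2e1f0a9b
C:\\WINDOWS\\system32\\drivers\\atapi.sys\t96512\t1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
C:\\WINDOWS\\system32\\drivers\\tcpip.sys\t361344\tabcdef0123456789abcdef0123456789
"""

OFFLINE_LISTING = """\
C:\\WINDOWS\\system32\\ntoskrnl.exe\t2180992\t0f3d6a6c9b2f1d4e8a7b5c3d2e1f0a9b
C:\\WINDOWS\\system32\\drivers\\atapi.sys\t96512\t1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
C:\\WINDOWS\\system32\\drivers\\tcpip.sys\t361344\tffffffffffffffffffffffffffffffff
C:\\WINDOWS\\system32\\drivers\\sample_hidden.sys\t41472\tdeadbeefdeadbeefdeadbeefdeadbeef
"""


def parse_listing(text):
    """Map lower-cased path -> (size, md5).  Lower-cased because NTFS paths are case-insensitive."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, size, digest = line.split("\t")
        entries[path.lower()] = (int(size), digest.lower())
    return entries


def cross_view_diff(online, offline):
    """Three classes of discrepancy between the running-OS view and the offline view."""
    hidden = sorted(set(offline) - set(online))    # on disk, invisible to the running OS
    ghosts = sorted(set(online) - set(offline))    # reported by the running OS, absent on disk
    modified = sorted(p for p in set(online) & set(offline) if online[p] != offline[p])
    return {"hidden": hidden, "ghosts": ghosts, "modified": modified}


def build_listing(root):
    """Produce a listing in the assumed format for a directory tree.

    This is the helper you would run twice for real: once from inside Windows
    and once from the live CD against the mounted disk.  Unreadable (locked)
    files are left out of the view rather than aborting the run.
    """
    lines = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
                lines.append(f"{full}\t{os.path.getsize(full)}\t{digest}")
            except OSError:
                continue
    return "\n".join(lines)


if __name__ == "__main__":
    result = cross_view_diff(parse_listing(ONLINE_LISTING), parse_listing(OFFLINE_LISTING))
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}: {p}")
```

Two practical notes. When the live CD mounts the disk under a different drive letter, normalise it before comparing, and restrict both listings to the same tree (system32 and its drivers directory) to keep the run short and to keep normal churn out of the result: log files, hives and the page file legitimately differ between two boots, so "modified" always has some noise. MD5 is fine here because the only question is whether the two views of one disk agree, not whether anyone could forge a collision. The offline listing is the reference: a kernel rootkit can feed the in-Windows listing clean bytes and clean sizes, so a file that only looks right from inside Windows is not evidence of anything. What the diff produces is a short list of names to research one by one, exactly as the post above says.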
ErikAlbert
June 17th, 2008, 02:49 PM
Rootkits might install themselves on my system, if they survive my boot-to-restore and my security, but they won't remain on my system permanently, just temporarily.
Besides, when anti-rootkit scanners/tools detect a rootkit on my system, it's already too late, but at least I will be able to remove it. As long as rootkits only infect my hard disk, they are nothing but a temporary infection.
I don't use scanners/tools to remove rootkits, I use my restore procedure to remove them, much safer, because I'm too stupid to read and interpret rootkit scanner reports.
I ran a few user-friendly anti-rootkit scanners; they didn't detect anything, but how can I trust these scanners? They certainly don't remove all existing rootkits, while my restore procedure removes all of them.
chris2busy
June 17th, 2008, 05:14 PM
I think the OP just wants to scan to be sure, and to learn. He does not want to waste time restoring in case it is infected.
ErikAlbert
June 17th, 2008, 05:53 PM
{QUOTE-> I think the OP just wants to scan to be sure, and to learn. He does not want to waste time restoring in case it is infected. <-QUOTE}
If he restores an infected image, it won't help. Infected images are caused by the user himself by doing a backup of his actual system, which is the easiest way of course, but also the wrong way.
chris2busy
June 18th, 2008, 11:59 AM
Yeah, but to know if his image is infected he has got to know how to detect infections. Image cleaning is done by virtually mounting it; less probable of snapping something, since it's not loaded in memory and cannot cause a BSOD.
You can use your Kaspersky to detect known rootkits and then a tool like IceSword, GMER, RootKitty to look further (at the unknown) :P + Google to distinguish legitimate items from non-legitimate ones.
ErikAlbert
June 18th, 2008, 02:24 PM
{QUOTE-> Yeah, but to know if his image is infected he has got to know how to detect infections. Image cleaning is done by virtually mounting it; less probable of snapping something, since it's not loaded in memory and cannot cause a BSOD.
You can use your Kaspersky to detect known rootkits and then a tool like IceSword, GMER, RootKitty to look further (at the unknown) :P + Google to distinguish legitimate items from non-legitimate ones. <-QUOTE}
Wow. So many tools to run, just for rootkits ?
In that case I prefer to use my clean images to remove rootkits and other threats, that weren't detected.
blackdog56
June 18th, 2008, 03:09 PM
I think what the OP is seeking, though, is this: he thinks his router has a rootkit, because he is getting disconnects. There is a good chance this has nothing to do with rootkits. First, I would check for up-to-date router firmware, and probably visit the router's support/help/forum to see what others have done about disconnects. I would also check for up-to-date drivers for the NIC card. The other place a problem may be is with your ISP.
ErikAlbert
June 18th, 2008, 03:25 PM
{QUOTE-> I think what the OP is seeking, though, is this: he thinks his router has a rootkit, because he is getting disconnects. There is a good chance this has nothing to do with rootkits. First, I would check for up-to-date router firmware, and probably visit the router's support/help/forum to see what others have done about disconnects. I would also check for up-to-date drivers for the NIC card. The other place a problem may be is with your ISP. <-QUOTE}
If it is a hardware (router) rootkit, I would be scared also. I hope it isn't; otherwise every router might become vulnerable.
Mrkvonic
June 18th, 2008, 03:48 PM
Hello,
How about not spreading baseless sci-fi paranoia scenarios that have nothing to do with reality?
Mrk
chris2busy
June 18th, 2008, 04:08 PM
I think router rootkits are pretty real. I think a D-Link service technician found out the first one from a firmware size mismatch. I will provide the source as soon as I find it (bookmarked on another PC).
Ximi
June 19th, 2008, 03:11 AM
But I want to scan my network Internet connection through the router, as I think someone is using my Internet connection by putting in a rootkit file. How can I scan the network, and not all the PCs?