AVG free and rootkits?
Johny nemonic
February 10th, 2004, 01:58 PM
I did some testing (AVG free against rootkits). Results:
Hacker Defender (latest versions): not detected
AFX 2003: not detected
FU root: not detected
Vanquish: not detected
He4 Hook: not detected
Why hasn't Grisoft included strings for these in their database?
I consider this one of the greatest dangers lurking on the internet (rootkits for NT).
Not even their "so-called heuristics" detected anything?
Glad to have Pest Patrol running also (which does detect them), and also Abtrusion Protector.
Does this mean AVG is no good? Some of these rootkits have been found on the net for months, not to say years.
- Fixed the subject line to help with future searches (AVG instead of AGV) - LWM
LowWaterMark
February 10th, 2004, 02:30 PM
I'm in no way very knowledgeable in the antivirus area, and I usually leave these questions to those that know much more, but I have a side question on this that might lead to better clarification of the issue for us all...
Are these rootkits themselves trojans that self-install, or are they actually the payload that some other malware delivers once it has obtained access to a system? If they aren't malware in and of themselves, but are installed by malware, then so long as an AV product blocks the "carrying" malware, I'd think it'd be enough.
Again, I don't know, so this is a serious question. Are these rootkits themselves pieces of malware that infect people's systems directly, or are they delivered by something else?
illukka
February 11th, 2004, 08:36 AM
Why don't you submit these rootkits to AVG? Why complain here...
I don't know why the FU rootkit, for example, should be detected; it's just a demo (no backdoor). KAV detects it though... it probably can be used to hide a backdoor process and files.
LWM, ask Gavin about rootkits... I personally think that open source rootkits like haxdef are the most fearsome pieces of malware currently around...
pavluv
February 11th, 2004, 09:36 AM
Hi, this is (unfortunately) not a real answer to your question, rather an extra comment: last month the Dutch Consumentenbond tested a lot of antivirus programs and they found that AVG was a total failure. This shocked me; I had used it for months already and assumed I was safe!!!
Immediately uninstalled the snip and in its place took another, AntiVir. That one was tested OK, and free.
edited to keep the language clean - Detox
Bowserman
February 11th, 2004, 09:41 AM
-{ Quote: "LowWaterMark wrote:
I'm in no way very knowledgeable in the antivirus area, and I usually leave these questions to those that know much more, but I have a side question on this that might lead to better clarification of the issue for us all...
Are these rootkits themselves trojans that self-install, or are they actually the payload that some other malware delivers once it has obtained access to a system? If they aren't malware in and of themselves, but are installed by malware, then so long as an AV product blocks the "carrying" malware, I'd think it'd be enough.
Again, I don't know, so this is a serious question. Are these rootkits themselves pieces of malware that infect people's systems directly, or are they delivered by something else?
" }-
Hi LWM :).
Some of this info may help until someone more knowledgeable can reply.
From "A *REAL* NT Rootkit, patching the NT Kernel..." by Greg Hoglund:
-{ Quote: "First of all, programs such as Back Orifice and Netbus are NOT rootkits. They are amateur versions of PC-Anywhere, SMS, or a slew of other commercial applications that do the same thing. If you want to remote control a workstation, you could just as easily purchase the incredibly powerful SMS system from Microsoft. A remote-desktop/administration application is NOT a rootkit.
What is a rootkit? A rootkit is a set of programs which *PATCH* and *TROJAN* existing execution paths within the system. This process violates the *INTEGRITY* of the TRUSTED COMPUTING BASE (TCB). In other words, a rootkit is something which inserts backdoors into existing programs, and patches or breaks the existing security system.
- A rootkit may disable auditing when a certain user is logged on.
- A rootkit could allow anyone to log in if a certain "backdoor" password is used.
- A rootkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename.
The possibilities are endless, but the point is that the "rootkit" involves itself in pre-existing architecture, so that it goes unnoticed. A remote administration application such as PC Anywhere is exactly that, an application. A rootkit, on the other hand, patches the already existing paths within the target operating system." }-
and,
From the DCS Process Guard help file:
-{ Quote: "Rootkits are a special class of trojan. Particularly insidious by nature, rootkits actually modify parts of the operating system (such as Windows kernel API functions) to alter the nature of the operating system itself. For example, a rootkit may patch the functions that enumerate processes so that its own process isn't shown. Windows rootkits such as "fu", "Hacker Defender", "He4Hook", "NT Rootkit", "Vanquish" and others all obtain their low-level capabilities by using kernel-mode device drivers (.sys files) which need to be installed by a 'dropper' trojan before the rootkit can go stealth." }-
Rootkits can also infect (for want of a better word) a system via exploits, worms etc.
Regards,
Jade.
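The Process Guard excerpt above explains the mechanism that makes signature-based AV a poor fit here: the rootkit patches the process-enumeration functions so that its own process is not reported. A defender-side check that does not depend on signatures is the cross-view comparison: enumerate processes through the normal high-level API and again through an independent lower-level source, and flag anything the low-level view sees that the high-level view does not. The example below is added for illustration and is not code from this thread or from any product mentioned in it; it assumes two independent enumeration sources, which the embedded "PID NAME" listings stand in for (constructed data, not real system output), and it compares two snapshots so that a process that simply started or exited between the two enumerations is reported as transient rather than hidden.

```python
# Cross-view process enumeration check (added example, constructed data).
# A rootkit that patches the process-enumeration API hides its process from the
# high-level view but not necessarily from an independent lower-level view; a
# process present in the low view and absent from the high view is suspect.
# Two snapshots are compared so that a process that merely started or exited
# between the two enumerations is reported as transient, not as hidden.


def parse_listing(text):
    """Parse a 'PID NAME' per-line listing (constructed format) into {pid: name}."""
    procs = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid_str, _, name = line.partition(" ")
        procs[int(pid_str)] = name.strip()
    return procs


def cross_view_diff(high_view, low_view):
    """Return PIDs visible in the low-level view but missing from the high-level view."""
    return set(low_view) - set(high_view)


def classify_hidden(snapshots):
    """snapshots: list of (high_view_text, low_view_text) pairs taken in sequence.

    Returns (confirmed, transient), both {pid: name}. 'confirmed' PIDs are
    missing from the high-level view in every snapshot, which is what a hooked
    enumeration API produces; 'transient' PIDs were missing in only some
    snapshots, which is what ordinary process churn produces.
    """
    diffs = []
    names = {}
    for high_text, low_text in snapshots:
        high_view, low_view = parse_listing(high_text), parse_listing(low_text)
        diffs.append(cross_view_diff(high_view, low_view))
        names.update(low_view)
    confirmed = set.intersection(*diffs)
    transient = set.union(*diffs) - confirmed
    return ({pid: names[pid] for pid in sorted(confirmed)},
            {pid: names[pid] for pid in sorted(transient)})


# Constructed sample snapshots (not output from any real tool or system).
# PID 1337 "hidden_svc.exe" is the stand-in for a hidden process; PID 1500
# "notepad.exe" started between the two enumerations of the first snapshot.
SNAPSHOT_1_HIGH = """
4 System
620 winlogon.exe
1204 explorer.exe
"""
SNAPSHOT_1_LOW = """
4 System
620 winlogon.exe
1204 explorer.exe
1337 hidden_svc.exe
1500 notepad.exe
"""
SNAPSHOT_2_HIGH = """
4 System
620 winlogon.exe
1204 explorer.exe
1500 notepad.exe
"""
SNAPSHOT_2_LOW = """
4 System
620 winlogon.exe
1204 explorer.exe
1337 hidden_svc.exe
1500 notepad.exe
"""
SAMPLE_SNAPSHOTS = [(SNAPSHOT_1_HIGH, SNAPSHOT_1_LOW), (SNAPSHOT_2_HIGH, SNAPSHOT_2_LOW)]


if __name__ == "__main__":
    confirmed, transient = classify_hidden(SAMPLE_SNAPSHOTS)
    for pid, name in confirmed.items():
        print(f"HIDDEN    pid={pid} name={name} (absent from high-level view in every snapshot)")
    for pid, name in transient.items():
        print(f"TRANSIENT pid={pid} name={name} (absent in only some snapshots; likely process churn)")
```

The check only works when the two views really are independent: if the rootkit's kernel-mode driver hooks both enumeration paths (the point of Hoglund's "patches the already existing paths" remark), both views agree and nothing is flagged, so a clean result from one such comparison is evidence, not proof.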
Copyright ©2002 - 2012, Wilders Security Forums