how to scan for Root kits?


BABY_DID_A_bOOM_BOOM
March 28th, 2003, 02:43 PM
If a rootkit was installed on my system and I am unable to access my Safe Mode, how will I go about scanning for it? Does TDS-3 come with a DOS shell ability? Or low-level loading? Since once Windows loads it's too late.

Thank You

Jooske
March 28th, 2003, 03:41 PM
How about using exec protection, disabling the thing from executing at all and stopping it in its tracks?

Babby thingy
March 28th, 2003, 05:30 PM
Yes, that would solve one of the problems, but what if the rootkit loads before TDS-3? Also, what if the rootkit got installed before TDS-3 did? Some rootkits can redirect requests to that specific file, thus appearing as if the file never existed. For example, if you try to scan for SubSeven 2.2 and a rootkit is installed with that given trojan defined, then it is possible that any scan made to find SubSeven 2.2 will come out clean, since the data will go from user level to rootkit to OS.
I don't know, just a thought.
It would be nice if one could scan the system before actually loading windows.

Andreas1
March 29th, 2003, 06:21 AM
Can you scan from a session booted from some other place? I don't think a DOS boot disk will do (although NOD, for example, has a DOS scanner that it should be possible to put on a (set of) boot disks as well, and it uses the same signature database as the Windows version), but maybe you can scan over a network, or maybe even take your HDD out of the PC case and build it into another PC that boots from its own HDD and has TDS available... (There are people who always have two installations of the same OS in one system just for that purpose (one backup boot system); I had that when I had NT4.)

Andreas

Pilli
March 29th, 2003, 06:39 AM
Hi. If you check the primary list, you will find that TDS3 has many rootkit detection entries (Help, Primary list).
So I think that TDS will detect even one that redirects by its signature, and heuristics will catch new variations. SubSeven detection is probably better in TDS than in any other scanner.
So exec protection will still catch it, and if you do regular scans with the latest updates there should not be a problem.

Jooske
March 29th, 2003, 07:06 AM
Andreas, Pilli, would this mean scanning with online scanners would help as well?
I understood from some discussions in the private TDS forum that rootkits are transported and activated mainly via trojans; is that correct?
So those trojans would be stopped in their tracks in the first place already with the exec protection.
Are they not remotely controlled in most cases, so we would see unexplained netstat connections and, with Port Explorer or the TDS > Network > Port Listen function, be able to see what kind of packets would be involved?

I can imagine the question with a possible infection before TDS was installed, because of the hiding functions of the rootkits. The discussions mentioned speak about several tests which are still able to detect them.
I think others and the DCS team can explain much better what we can do with TDS-3 exactly for cleaning out such former infections.
Very good reasons to look forward to the TDS-4 families and other new DCS tools in the near future too!

spy1
March 29th, 2003, 08:22 AM
Isn't this where (if TDS isn't already installed) you d/l TDS, rename the exe before installing, and install it to a non-standard directory? Pete

Dan Perez
March 30th, 2003, 01:30 AM
Hey Baby :)

What OS are you running?

If it is NT/2K/XP then I think Andreas' suggestion of a parallel install is the best option.

A good means (though not perfect) of combating the rootkits would be to regularly run MD5 or SHA1 hashes on critical system files and compare later runs against your earlier baselines to see what gets changed. (This is the basic principle behind the Tripwire product. Tripwire is an expensive commercial product, but I know there are some less expensive or free products that would provide the hash collection/comparison functionality.) This is rather pointless in this instance, as you have a suspicion that there is a rootkit present but no previous baselines of MD5 hashes to test against.

You might want to consider adopting the hash compare routine once you get things settled.

Dan
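Added example, not posted by Dan or anyone else in this thread: a minimal version of the hash-baseline routine he describes (the Tripwire idea). It hashes every file under a directory, stores the digests as JSON, and diffs a later run against that stored baseline, reporting files that were added, removed or changed. The directory layout, file names and contents in `demo()` are constructed for illustration; the `sha256` default is my choice (Dan mentions MD5 or SHA1, which work the same way here).

```python
"""Added example (not from the thread): a minimal file-integrity baseline
in the spirit of the Tripwire approach.  Hash every file under a directory,
save the result as JSON, and diff a later run against it."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Dan mentions MD5 or SHA1; any digest works for spotting a modified file,
# but a collision-resistant hash is the safer default (assumption: sha256).
DEFAULT_ALGO = "sha256"


def hash_file(path: Path, algo: str = DEFAULT_ALGO) -> str:
    """Stream the file through the hash so large binaries never sit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = DEFAULT_ALGO) -> dict:
    """Map each file path (relative to root, POSIX separators) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_baselines(old: dict, new: dict) -> dict:
    """Return files that appeared, disappeared, or whose digest changed."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system32, then alter the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        sys32.mkdir()
        (sys32 / "kernel.dll").write_bytes(b"original kernel code")
        (sys32 / "ntdll.dll").write_bytes(b"original ntdll code")

        # In practice the baseline file lives OFF the monitored host
        # (removable media, another machine), never beside the files it covers.
        store = root / "baseline.json"
        save_baseline(build_baseline(sys32), store)

        # Simulate what a later check might encounter: one file modified,
        # one removed, one new file present.
        (sys32 / "kernel.dll").write_bytes(b"patched kernel code")
        (sys32 / "ntdll.dll").unlink()
        (sys32 / "newdriver.sys").write_bytes(b"new driver")

        return compare_baselines(load_baseline(store), build_baseline(sys32))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats that follow directly from the thread: the baseline only helps if it was taken before the suspected infection, as Dan says, and if the live OS is hiding or redirecting file reads (Babby's point) the hashes you compute from inside that OS may not reflect what is on disk, so the comparison is most trustworthy when run from a parallel install or with the drive mounted in a clean machine, as Andreas suggests.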

Gavin - DiamondCS
March 30th, 2003, 11:17 PM
Rootkits are a fundamental problem of any OS, and we hope by TDS-4 we can have some super strong protection. It's just another thing delaying the TDS-4 release; we want to do some serious research on the matter.

Scanning from another system is possible, plugging the hard drive in so it's not booted from, Safe Mode, but hopefully there will be better options soon :)

Gavin - DiamondCS
April 8th, 2003, 02:47 AM
We're researching other means of detecting rootkits, and while you will have to wait for TDS-4, the results are already promising. I'm working on and anticipating:

- generic rootkit detection, it seems possible
- rootkit blocking, a way of immunising your system when TDS installs
- rootkit disabling, similar to above, once you reboot the rootkit doesn't work anymore :)
- rootkit removal, proper detection after either of the above, perhaps more detection possibilities too :)

Lots to research, so I can't promise everything will work out yet :)

spy1
April 8th, 2003, 08:37 AM
Glad that hammering on the subject and continually providing new links about the subject in the private DCS forum led to all the brainstorms! :) Pete