View Full Version : Rootkit detectors
Starrob
August 12th, 2005, 10:37 AM
Just reading around about Rootkit detectors. Just from the little that I have read, I am not sure whether they are worth purchasing or NoT.
Apparently, there is a big back and forth battle between the people that detect rootkits and those that make them.
By the time, a rootkit detector maker comes out and makes a claim that it can detect "all rootkits" or even specific rootkits, the people that make the rootkit find ways of evading the detection.
Some rootkit authors are apparently making private builds for pay that are claimed to evade all of the known rootkit detectors out there.
It is also claimed that the only rootkit detector that can truly detect most or all rootkits are "private builds". Hmmm....where have I heard that term before?
Apparently, public rootkit detectors can detect public rootkits. I assume that this makes the uneducated public feel good and puts money into the hands of the rootkit detector authors....Apparently the people that need true protection from rootkits use "private build" rootkit detectors and the "bad" people that need a truly undetectable rootkit will buy one for around $500. The private build rootkit will never be detected apparently, by your favorite AV because the private build is not circulated widely and the AV has no definitions for it or even heuristics to detect it....so forget all the marketing "hype".
Apparently to detect these rootkits you either need a private build rootkit detector.....or have a someone that is a "friend" to the developer of the rootkit.
Maybe the best protection against rootkits is education. There is plenty of information in many publicly available sources that can educate the user in how to avoid being "rooted". Maybe the best protection is don't always believe the hype and investigate things for yourself.
Starrob
Notok
August 12th, 2005, 10:59 AM
-{ Quote: "Maybe the best protection is don't always believe the hype and investigate things for yourself." }-That seems true for just about everything :)
Yeah, as soon as they make a rootkit detector that detects everything, Hacker Defender will target it specifically. I don't think this makes all rootkit detectors worthless, it's just one version of one rootkit that would likely need to be directly targeted at you personally... if someone is going to go to that length, you probably don't have much hope anyway, if they released that rootkit publicly then it would be detected shortly after.
I don't know that I'd pay for a rootkit detector, however. Rootkit Revealer is probably one of the best and it's free. Get a good security setup that blocks malware from getting on your machine in the first place and you should be good to go.. I wouldn't expect it to do any more magic than any other trojan to infect your machine. Then, if you're worried, just scan with the freebie tools as soon as they're released, before they have a chance to implement a way around it in the rootkit.
UnHackMe might be one worth paying for, because of its real-time monitoring. No malware detector claims to have a 100% detection rate, there's no reason to think it would be otherwise with rootkit detectors, and I don't think it's any more worth dismissing than any other malware killer.
Starrob
August 12th, 2005, 11:05 AM
I am just a little disturbed about how the whole "security" game is played......there are certain aspects to it that I find.....disturbing... but don't mind me that is just my personal world view. There are two sides to every coin and both sides play it very well.
Starrob
Wayne - DiamondCS
August 12th, 2005, 11:13 AM
-{ Quote: "Apparently, public rootkit detectors can detect public rootkits." }-
What more do they have to go on? :)
This is why it's important to have a proactive generic (not rootkit-specific) kernel level defence in place such as ProcessGuard which will restrict which kernel-mode drivers can be installed - without any database updates (ie. not having to know about particular rootkits beforehand - all kernel drivers are assumed to be suspicious until authorised by the user). Prevention is better than cure. Secure yourself against the installation of kernel-mode drivers and you secure yourself from kernel-mode rootkits - it's a lot easier saying Yes/No to the installation of a kernel-mode rootkit than it is to disinfect one.
richrf
August 12th, 2005, 11:23 AM
-{ Quote: "What more do they have to go on? :)
Prevention is better than cure. Secure yourself against the installation of kernel-mode drivers and you secure yourself from kernel-mode rootkits - it's a lot easier saying Yes/No to the installation of a kernel-mode rootkit than it is to disinfect one." }-
That's it. Then, it remains for the "bad guys" to figure out if there are any other "entry pathways" into the kernel. If there aren't, then they are locked out (until MS creates a new one, possibly in a new operating system).
Now, I have seen argued, that it is "too difficult" for new users to learn, whether or not to grant permission. This may or may not be true. However, whatever the case they are certainly no worse off with PG, which at least affords a user the opportunity to deny permission. Without this, the user (especially an unsuspecting user) is sunk.
Now, the question is, why doesn't MS get this, since it is quite easy for MS to build such a capability into their own operating system. The worst that can happen is that a user may have to spend a little time learning what a rootkit and driver is. Certainly a fraction of the time that is required to learn their Excel or Word products - not to mention the Windows XP operating system itself.
Rich
Starrob
August 12th, 2005, 11:24 AM
-{ Quote: "What more do they have to go on? :)
This is why it's important to have a proactive generic (not rootkit-specific) kernel level defence in place such as ProcessGuard which will restrict which kernel-mode drivers can be installed - without any database updates (ie. not having to know about particular rootkits beforehand - all kernel drivers are assumed to be suspicious until authorised by the user). Prevention is better than cure. Secure yourself against the installation of kernel-mode drivers and you secure yourself from kernel-mode rootkits - it's a lot easier saying Yes/No to the installation of a kernel-mode rootkit than it is to disinfect one." }-
If you can give PG a whitelist of allowed programs, a blocklist of disallowed programs and let the user decide on unknown programs then PG would be even more useful than it is now.
Starrob
toadbee
August 12th, 2005, 11:36 AM
-{ Quote: "This is why it's important to have a proactive generic (not rootkit-specific)" }-
I think its important to have Root-kit Specific protection in place, as well as proactive Generic protection.
StevieO
August 12th, 2005, 12:58 PM
Hi,
I find it very revealing that HF says he doesn't use any AV etc whatsoever !
MS are talking about putting some RK detection into MSAS in the near future, using their Ghostbuster technology.
Pity the average user though faced with making mindnumbing decisions on what to delete and what to keep after a scan. And think of all the errors they could make, including messing up their PC.
Take a look at the problems some people with PC knowledge are already having, with just one particular app, out of all the ones that are available at this present time.
RootkitRevealer
http://www.sysinternals.com/Forum/forum_topics.asp?FID=15
StevieO
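The RootkitRevealer and GhostBuster approach mentioned in this post is cross-view detection: take one inventory through the normal Windows API (which a rootkit can filter) and one through a low-level path that bypasses the hooks, then diff the two. The following is an added illustration, not code from RootkitRevealer, Microsoft or anyone in this thread; the two inventories are constructed lists, the driver file name is made up, and the second-scan confirmation is there because a file created or deleted between the two passes shows up as a discrepancy once and never again, which is exactly the noise that sends people to the RootkitRevealer forum.

```python
"""Cross-view rootkit detection, the idea behind RootkitRevealer and
Strider GhostBuster: inventory the system once through the normal Windows
API, which a rootkit can filter, and once through a low-level path (raw
volume or registry hive parse) that bypasses those hooks, then diff the
two. Constructed data only; the lists below stand in for the two views
and the driver name is made up."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int


def cross_view_diff(api_view: list[Entry], raw_view: list[Entry]):
    """Return (hidden, phantom, mismatched) as sorted path lists.

    hidden:     in the raw view but invisible to the API, the discrepancy a
                file-hiding rootkit produces;
    phantom:    visible to the API but absent from the raw pass, typically a
                file deleted between the two passes;
    mismatched: same path, different size in the two views.
    """
    api = {e.path: e for e in api_view}
    raw = {e.path: e for e in raw_view}
    hidden = sorted(p for p in raw if p not in api)
    phantom = sorted(p for p in api if p not in raw)
    mismatched = sorted(p for p in api.keys() & raw.keys()
                        if api[p].size != raw[p].size)
    return hidden, phantom, mismatched


def confirm_hidden(first_scan, second_scan):
    """One discrepancy is not proof. A file created after the API pass but
    before the raw pass is 'hidden' once and never again. Only paths hidden
    in two independent scans are reported."""
    hidden1, _, _ = cross_view_diff(*first_scan)
    hidden2, _, _ = cross_view_diff(*second_scan)
    return sorted(set(hidden1) & set(hidden2))


# Constructed sample inventories (not real scan output).
SYS32 = "C:\\WINDOWS\\system32\\"
HIDDEN_DRIVER = SYS32 + "drivers\\sample_hidden.sys"   # made-up name
TMP1 = "C:\\WINDOWS\\Temp\\~tmp1.dat"
TMP2 = "C:\\WINDOWS\\Temp\\~tmp2.dat"
BASE = [Entry(SYS32 + "kernel32.dll", 983040),
        Entry(SYS32 + "notepad.exe", 69120)]

# Scan 1: TMP1 was deleted and TMP2 created between the API pass and the
# raw pass, so each looks suspicious on its own. The driver is hidden from
# the API in both scans.
SCAN1 = (BASE + [Entry(TMP1, 512)],
         BASE + [Entry(HIDDEN_DRIVER, 24576), Entry(TMP2, 4096)])
SCAN2 = (BASE + [Entry(TMP2, 4096)],
         BASE + [Entry(HIDDEN_DRIVER, 24576), Entry(TMP2, 4096)])

if __name__ == "__main__":
    hidden, phantom, mismatched = cross_view_diff(*SCAN1)
    print("scan 1 hidden:", hidden)       # driver plus the transient TMP2
    print("scan 1 phantom:", phantom)     # TMP1
    print("confirmed:", confirm_hidden(SCAN1, SCAN2))   # driver only
```

The real tools do the hard part this toy skips, namely producing the raw view (parsing NTFS structures and hive files directly) without going through the API a rootkit may have hooked; the diff logic itself is the easy half.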
Wayne - DiamondCS
August 12th, 2005, 01:15 PM
toadbee, yes - it goes without saying that the more layers of security you apply the better off you'll be (if something manages to get through your first layer it still has layers 2, 3 etc to deal with). :) This is why ProcessGuard has multiple layers of security built in, almost as if it was three or four security programs in one (anti-rootkit, anti-termination, execution protection, anti-keylogger, etc).
Primrose
August 12th, 2005, 02:18 PM
-{ Quote: "toadbee, yes - it goes without saying that the more layers of security you apply the better off you'll be (if something manages to get through your first layer it still has layers 2, 3 etc to deal with). :) This is why ProcessGuard has multiple layers of security built in, almost as if it was three or four security programs in one (anti-rootkit, anti-termination, execution protection, anti-keylogger, etc)." }-
Hmm.. all that and more. Then the question begs to be asked..why did anyone need TDS then for all these years, even on WinXP, if the whole ball of wax answer was as simple as just using ProcessGuard????? or is all that just a wee bit of a sales pitch ?
Alec
August 12th, 2005, 03:32 PM
-{ Quote: "Now, the question is, why doesn't MS get this, since it is quite easy for MS to build such a capability into their own operating system. The worse that can happen is that a user may have to spend a little time learning what a rootkit and driver is. Certainly a fraction of the time that is required to learn their Excel or Word products - not too mention the Windows XP operating system itself.
Rich" }-I suspect that they do get it and it is why they are refining two approaches in Windows Vista: 1) User Account Protection (UAP) also known as Least-Privileged User Account (LUA); and 2) User-Mode Driver Framework (UMDF). After all, if you run with normal user privileges rather than with Administrator level privileges you aren't going to be able to install a kernel mode driver or rootkit either. But the problems are many with nearly all of these various approaches. In my mind, for example, technologies such as Process Guard and UAP/LUA merely move the ball only partially down the field since in either case they require an intelligent & informed decision to be made by the end user: Do I allow this kernel-mode component to install? Do I enter my Administrator password in order to install this app? Sure, both may eliminate somewhat the threat of "drive-by" malware that can automatically and silently install hidden components; but it seems to me that the real threat remains the classic "Trojan", an app with an apparent legitimate use that nevertheless has malware embedded in it. The vast majority of end-users will likely never have the information or skills at their disposal to make a truly wise decision in each and every case. Therefore, rootkit detectors will unfortunately become increasingly necessary.
UMDF, hopefully, will eliminate the need for many peripheral drivers to be installed at the kernel level... both for reliability as well as security concerns. However, it seems to me that there will always be a certain class of drivers and applications that will require kernel mode access in order to provide the necessary functionality.
Wayne - DiamondCS
August 12th, 2005, 03:40 PM
-{ Quote: "Hmm.. all that and more. Then the question begs to be asked..why did anyone need then TDS for all these years even on WinXP if the whole ball of wax answer was as simple as just using process guard ????? or is all that just a wee bit of a sales pitch ?" }-
Primrose,
TDS and ProcessGuard are two completely different programs. ProcessGuard cannot for example identify trojans - TDS can. On the otherhand, TDS cannot prevent the installation of kernel rootkit drivers - ProcessGuard can. I could go on and on about the various differences of both - there is some overlap because they both have anti-trojan qualities, but they are both two very different programs, just as for example WormGuard is different.
Best regards,
Wayne
Alec
August 12th, 2005, 03:46 PM
-{ Quote: "Apparently, there is a big back and forth battle between the people that detect rootkits and those that make them.
...
Apparently, public rootkit detectors can detect public rootkits. I assume that this makes the uneducated public feel good and puts money into the hands of the rootkit detector authors....Apparently the people that need true protection from rootkits use "private build" rootkit detectors and the "bad" people that need a truly undetectable rootkit will buy one for around $500. The private build rootkit will never be detected apparently, by your favorite AV because the private build is not circulated widely and the AV has no definitions for it or even heuristics to detect it....so forget all the marketing "hype"." }-Starrob, I share your concerns... but most of your statements could equally be applied with respect to "anti-virus" software and "anti-spyware" software as well. It's always a back-and-forth battle, and always will be. People will, of course, harbor suspicions about the true nature and interplay that goes on behind the scenes with any of this malware. However, whatever the case may be surrounding all of this malware and anti-malware, the end result is the same... normal consumers have to be increasingly informed, educated, and vigilant when it comes to information security. It's just a reality that we have to unfortunately accept.
As far as "complete" effectiveness, or lack thereof, that has never really and truly been a realistic goal of mine when I appraise anti-virus software, anti-spyware software, anti-spam software, or rootkit detectors. There are very few absolutes in the security business. You just aren't going to find a 100% "magic bullet" solution and you just have to accept that. If some really clever hacker wants to get you, there will almost always be a way for him or her to do so. I generally don't deploy anti-malware software to stop the bright, determined, and extremely skilled hackers... but rather to stop the mindless, automated, zombie generated worm attacks and the relatively clueless, bored, teenage script-kiddie attackers.
Starrob
August 12th, 2005, 03:49 PM
Wayne....Do you think there is any purpose in having a rootkit detector when almost as soon as a detector is released that can detect the rootkit, rootkit authors design one that can bypass the detector?
Sometimes it seems like the rootkit authors make a public version so all the AVs and ATs and rootkit detectors can claim to detect it, then the rootkit authors go in and see how the public version is detected and they then make undetectable private versions. The ones that get fooled are the ones that think they have close to 100% protection.
I guess this type of round-robin thing goes on with just regular trojans and viruses too. I am starting not to see the point in this round-robin game.
PG can have a place but hopefully it can be made more user friendly.
Starrob
-{ Quote: "Primrose,
TDS and ProcessGuard are two completely different programs. ProcessGuard cannot for example identify trojans - TDS can. On the otherhand, TDS cannot prevent the installation of kernel rootkit drivers - ProcessGuard can. I could go on and on about the various differences of both - there is some overlap because they both have anti-trojan qualities, but they are both two very different programs, just as for example WormGuard is different.
Best regards,
Wayne" }-
Wayne - DiamondCS
August 12th, 2005, 03:58 PM
-{ Quote: "Wayne....Do you think there is any purpose in having a rootkit detector when almost as soon as a detector is released that can detect the rootkit, rootkit authors design one that can bypass the detector?" }-
That is essentially the same question as "is there a purpose in having a virus detector when as soon as virus updates are released the virus authors bypass them?" ... the answer is of course yes, such software still has a purpose, especially when you know you've been infected - you need something to try and hunt the infection down, but it's also important to realise that they're not 100% reliable - no single security program is. The anti-virus/anti-rootkit/anti-trojan (etc) industries are cat-and-mouse industries ... every now and then each side will gain the upper hand, albeit for a brief period, but yes the scanners still certainly have a role to play.
Again we get into layered security ... no single layer is going to be 100% bullet-proof on its own, but multiple layers of security will prevent the vast majority of attacks, malware and so on. The more layers of security you arm your system with the better off you'll be when it comes your time to be attacked (and on today's Internet that is only a matter of time), however there is usually a tradeoff in convenience - it's more convenient and easier for the user to have less security software, but it's also more risky. It's up to the individual user to find a balance of security and convenience that they're happy with.
richrf
August 12th, 2005, 04:00 PM
-{ Quote: " However, it seems to me that there will always be a certain class of drivers and applications that will require kernel mode access in order to provide the necessary functionality." }-
Hi Alec,
This is the key question. I certainly have never heard of a good case where an application level piece of software required kernel mode access. Usually, the requirement for this level of access occurs under two conditions:
a) a poorly designed operating system that does not provide necessary functionality at reasonable performance levels.
b) when an application is trying to "modify the operating system" for malicious purposes.
The best way to address a) is to build the functionality and performance into the operating system framework and software APIs. The best way to address b) is to disable kernel access - or at least allow the user to make this decision.
I believe that there are ways to build a substantially better operating system than MS has designed. For, whatever reason, Windows is and will continue to be the primary problem, and the only way I can see to fix it, is unfortunately, to try to plug the holes that MS has made available to the world of "bad guys". Did IE have to be embedded into Windows? Absolutely not. MS decided to do it to suit their own purposes. Ditto for ActiveX, JavaScript and the like.
Well, if MS has decided to allow any programmer to access and modify the kernel, so be it. I am glad PG (and similar programs) are around, so that I can just say NO. :-)
Regards,
Rich
Starrob
August 12th, 2005, 04:01 PM
-{ Quote: "People will, of course, harbor suspicions about the true nature and interplay that goes on behind the scenes with any of this malware. However, whatever the case may be surrounding all of this malware and anti-malware, the end result is the same... normal consumers have to be increasingly informed, educated, and vigilent when it comes to information security. It just a reality that we have to unfortunately accept.
." }-
I have big suspicions about what goes on but I won't say them. Let's just say I don't like the whole game and yes knowledge and learning is important.........
Peter2150
August 12th, 2005, 04:45 PM
Richf and Starrob touch on something that I both find amusing and frustrating, namely the user friendliness of Process Guard.
Partly it is a human nature thing that I also see in a hobby of mine, the futures markets. People think this should be a complex thing, therefore they make it complicated rather than simple. It is simple. Note, I said simple, NOT easy. There is a difference.
I think the same is true with ProcessGuard. First I knew I was starting with a clean machine. Then it was simple and easy.
I installed Process Guard, and rebooted. It was still in learning mode, and I then quickly started up, and closed down every program that I use. This took 5 minutes. This allowed ProcessGuard to set the required settings. Then rebooted again, and then finally rebooted so ProcessGuard turned off learn mode. Simple and easy.
Now have I wrung the absolute max protection PG can offer? NO, but I don't care. My system runs fine, and I have reduced the probability of a problem significantly. 1000's of percent better than without it.
People want to overcomplicate vs simplify. This is human nature.
Pete
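Two posts above describe the same mechanism from different angles: Starrob asks for an allow list, a block list and a prompt for anything unknown, and Pete walks through learn mode, where everything that runs during the learning window is recorded as trusted and then the list is locked. The block below is an added illustration of that decision logic, written for this page and not taken from ProcessGuard or anyone in the thread; it models the gate only and does not hook the kernel, the driver images are constructed bytes, and it keys decisions on the SHA-256 of the driver image rather than its path (an assumption of this example) so that a renamed or copied file cannot inherit another file's rule.

```python
"""A driver-installation gate with an allow list, a block list, a prompt
for unknowns, and a learn mode. While learning, every driver that loads is
recorded as trusted, which is exactly why learn mode is only safe on a
machine you already know is clean. Added illustration only; it models the
decision and does not hook the kernel. Decisions are keyed on the SHA-256
of the driver image rather than its path. Sample images are constructed."""

from __future__ import annotations

import hashlib
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"      # no answer available; the caller must not load the driver


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class DriverGate:
    def __init__(self, learn_mode: bool = False) -> None:
        self.allowed: set[str] = set()
        self.blocked: set[str] = set()
        self.learn_mode = learn_mode

    def decide(self, image: bytes,
               prompt: Optional[Callable[[str], bool]] = None) -> Verdict:
        """prompt(hash) returns True if the user approves an unknown image.
        Answers are remembered, so a driver the user once refused is not
        re-prompted; the block list always wins over the allow list."""
        h = image_hash(image)
        if h in self.blocked:
            return Verdict.BLOCK
        if h in self.allowed:
            return Verdict.ALLOW
        if self.learn_mode:            # clean-machine assumption
            self.allowed.add(h)
            return Verdict.ALLOW
        if prompt is None:             # fail closed when nobody can answer
            return Verdict.ASK
        if prompt(h):
            self.allowed.add(h)
            return Verdict.ALLOW
        self.blocked.add(h)
        return Verdict.BLOCK


# Constructed sample driver images (not real binaries).
MOUSE_DRIVER = b"MZ constructed sample driver image: mouse"
UNKNOWN_DRIVER = b"MZ constructed sample driver image: unknown"


def demo() -> list[Verdict]:
    gate = DriverGate(learn_mode=True)
    verdicts = [gate.decide(MOUSE_DRIVER)]                        # learned: ALLOW
    gate.learn_mode = False                                       # learning over
    verdicts.append(gate.decide(MOUSE_DRIVER))                    # on allow list: ALLOW
    verdicts.append(gate.decide(UNKNOWN_DRIVER))                  # nobody to ask: ASK
    verdicts.append(gate.decide(UNKNOWN_DRIVER, lambda h: False)) # refused: BLOCK
    verdicts.append(gate.decide(UNKNOWN_DRIVER, lambda h: True))  # remembered: BLOCK
    verdicts.append(gate.decide(MOUSE_DRIVER + b"\x90"))          # one byte changed: ASK
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v.value)
```

The last case is the point of hashing the image: a patched copy of a trusted driver is an unknown, not an allowed driver. The cost is that every legitimate driver update produces a prompt, which is the usability problem several posts in this thread complain about.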
Wayne - DiamondCS
August 12th, 2005, 04:57 PM
:) It's also worth noting that ProcessGuard, due to its configuration flexibility, can be as complex or as simple as you want it to be. For example you could just install it and turn everything off except "Block Rootkit/Driver/Service Installation" and you'd still have a program which blocks the installation of virtually every kernel-mode rootkit for Windows - a powerhouse of a program in itself just with one option turned on. Rootkit prevention doesn't get any easier or stronger than that, and as they say - prevention is better than cure.
toadbee
August 12th, 2005, 05:34 PM
-{ Quote: "I certainly have never heard of a good case where an application level piece of software required kernal mode access." }-
Process guard / Kerio PF etc.
~~~~~
Well I still think you are back to Signatures. Either that or a very boring computing experience.
If a program Isn't checked against known nasties first, then what do I do - simply not install a program I would like to try because its installing a service etc? Or would I need a second opinion - like an online scan or My AV or AT (back to signatures)? Why would I need process protection If I don't allow any thing to run? It's got to go thru signatures first IMO. The other way around makes no sense to me whatsoever.
If I had an AV that uses Heuristics, would I let an exe be checked by the sigs first or the heuristics?
Can I get my AV to scan before PG reacts?
Primrose
August 12th, 2005, 07:49 PM
-{ Quote: "Primrose,
TDS and ProcessGuard are two completely different programs. ProcessGuard cannot for example identify trojans - TDS can. On the otherhand, TDS cannot prevent the installation of kernel rootkit drivers - ProcessGuard can. I could go on and on about the various differences of both - there is some overlap because they both have anti-trojan qualities, but they are both two very different programs, just as for example WormGuard is different.
Best regards,
Wayne" }-
Yes, I certainly understood the weakness of TDS..and nice there are things out there called WormGuard..since we have these buzz words now of virus, trojans, keyloggers, dll injectors, packer, rootkits, worms, malware (and those etc's) in those multiple layers of Security Approaches..along with the old argument an AT product is not an AV product and vice versa..so ya need both..throw in there "do you want to "find" them on your system or stop them in the first place ?".. YET what the real world has to offer is blended threats..and to piece meal them out for their Qualities with "individual products" installed on a PC to protect an Operating System has been the approach for a long time since the days of firewalls.
And what the ANTI market has offered to date..is only products that conflict with another vendors products and that drove many vendors to offer a total solution- your all in one firewall-AV-AT-IDS-sand boxing Application...so they bought up each other and Integrated the Product Lines just to stay alive.
They were at the same time fighting for Space on the users PC in the Startup.
Rootkits don't just appear out of no where.
richrf
August 12th, 2005, 11:53 PM
-{ Quote: "Process guard / Kerio PF etc.
~~~~~
Well I still think you are back to Signatures. Either that or a very boring computing experience." }-
Hi,
As I explained in other threads, the requirement for security products like ProcessGuard and Kerio to work at a low level only exists because malware programs are allowed to execute at these levels. If you take away the ability of any ole' programmer to write at the kernel level, then security level programs to protect at this level (i.e. plug the holes) also go away.
-{ Quote: "Or would I need a second opinion - like an online scan or My AV or AT (back to signatures)? Why would I need process protection If I don't allow any thing to run? " }-
You don't. That is the DeepFreeze/Anti-Executable model. Nothing new is allowed to run. Period. If this works for you or your organization, it appears to be excellent protection.
-{ Quote: "If I had an AV that uses Heuristics, would I let an exe be checked by the sigs first or the heuristics?" }-
I am sure each AV is programmed differently. But if I was to design an AV, I would first check it against signatures, since this is a "positive id", and then heuristics, which is more of a "possible/probable" id.
-{ Quote: "Can I get my AV to scan before PG reacts?" }-
An AV will usually catch the malware first, since it is scanning the file either as it is being buffered (as it is being sent over the network) or On Access. KAV has always responded first on my machine. Then Ewido. Then ProcessGuard and/or Online Armor (which I am trialing).
Rich
Notok
August 13th, 2005, 12:38 AM
-{ Quote: "only exists because malware programs are allowed to execute at these levels." }-Only if you're running as Administrator. If you're running as a limited user, malware would need to utilize an exploit to do so. It really sounds like this would be one of the better options for you, you may want to look into what all you can do with permissions, as well as hardening.
-{ Quote: "You don't. That is the DeepFreeze/Anti-Executable model. Nothing new is allowed to run. Period. If this works for you or your organization, it appears to be excellent protection." }-I'll bet you didn't know you could do this with XP SP2, as well ;)
richrf
August 13th, 2005, 12:55 AM
-{ Quote: "I'll bet you didn't know you could do this with XP SP2, as well ;)" }-
I believe there are differences between running DeepFreeze (which restores a system to a prior state) and Anti-executable (which stops programs from running, but also allows anti-virus updates), and running XP in non-administration mode. However, ultimately, the general approach to the problem is very similar. The issue is whether either of these approaches, has a negative impact on the daily work flow of the user. In a library/education environment, this clearly works very well, since it enforces the general "rules" of the environment. Not sure what the impact would be in my own environment. But I may try it out.
Rich
toadbee
August 13th, 2005, 01:16 AM
-{ Quote: "ProcessGuard and Kerio to work at a low level only exists because malware programs are allowed to execute at these levels. If you take away the ability of any ole' programmer to write at the kernal level, then security level programs to protect at this level (i.e. plug the holes) also goes away." }-
This can be blocked at user level, but I can't verify if Amway understands that. Precisely why I am amused by process guard.
-{ Quote: "I am sure each AV is programmer differently. But if I was to design an AV, I would first check it against signatures, since this is a "positive id", and then heuristics, which is more of a "possible/probably" Id." }-
I think your reasoning - order of effect - is correct in every single instance of every sane AV/AT out there.
-{ Quote: "An AV will usually catch the malware first, since it is scanning the file either as it is being buffered (as it is being sent over the network) or On Access. KAV has always responded first on my machine. Then Ewido. Then ProcessGuard and/or Online Armor (which I am trialing)." }-
So what is the answer? - I have an unknown AV/AT and ProcessGuard barks. What am I responding to - the AV has checked it and PG says possible baddy or what? Who came first???? Thanks for pointing this out.
Also, most Av's (by numbers) aren't scanning http yet. And yet as we bust on Avast- THEY are. ooops sales pitch and my bad. It's free is that a sales pitch?
In the same vein I personally think PG is so "dumb" it's already obsolete. I think if perhaps <<------ pg, worm guard, PG and TDS were a single product (TDS4), it might hold a candle to some of the good products that already exist.
Notok
August 13th, 2005, 01:21 AM
-{ Quote: "However, ultimately, the general approach to the problem is very similar. The issue is whether either of these approaches, has a negative impact on the daily work flow of the user." }-It all depends on how much time you invest into the initial setup, which would be mostly done in the group policy editor, which you could then export as a template to make it easy next time. For additional restrictions you can create .inf files to be used with secedit.
Just to be clear, though, SP2 has "anti-execution" functionality built in; look up 'software restrictions'. With a little setup, you can do everything from blacklisting a single file or file type, to total lock-down, and even creating rules so that any time a particular program is run (IE, for example) it runs under a restricted security context. Pretty much all the concepts that you frequently speak of can be achieved without any additional software, if you so choose. Windows does have many weaknesses, but with some work many can be worked around. It really seems like something you could benefit from, IMHO :)
richrf
August 13th, 2005, 01:38 AM
-{ Quote: "Just to be clear, though, SP2 has "anti-execution" functionality built in; look up 'software restrictions'. With a little setup, you can do everything from blacklisting a single file or file type, to total lock-down, and even creating rules so that any time a particular program is run (IE, for example) it runs under a restricted security context. Pretty much all the concepts that you frequently speak of can be achieved without any additional software, if you so choose. Windows does have many weaknesses, but with some work many can be worked around. It really seems like something you could benefit from, IMHO :)" }-
This is a good case in point. For all those who consider the user interfaces of ProcessGuard and RegDefend too difficult to deal with - one should consider the "non-existent" user security interface (unless you consider RegEdit a good interface) that MS provides us. And all they have is a few billion dollars and a few thousand programmers available to do a better job.
So, the question I ask myself is this .. should I go through the same education process that I went through in the past with all of the other MS operating systems, only to see all of the effort dissipate as soon as a new version of DOS and then Windows was released, or should I purchase the expertise from a trusted vendor. For me, purchasing the expertise works better. The few dollars I spend is no more than a few hours (at most) of my time. But, in the past I did spend lots of time learning how operating systems work - and at the time it seemed like the right thing to do. Times have changed and so have I.
Rich
Notok
August 13th, 2005, 03:04 AM
A quick perusal through the group policy editor would show it's really not that much for someone with moderate computer skills. This is something you should do anyway (if you have XP Pro), as there are some glaringly obvious things you don't want left on default. You could have everything done in probably less than half an hour, after creating the limited user account. The real time would be spent in configuring a very complex setup. Of course there are apps out there that can make this easier, such as XPSecurity (for software restrictions and more common configurations, etc), but the point is that your concerns regarding anything being able to install a driver, etc, have already been addressed.. it's just that most people don't know or don't want to. Looking through the group policy editor can also give you a clue as to why Windows is set up the way it is, realizing that these things are set that way by default because they are often used.
Of course you can choose to trade convenience for money, just be aware that that's a good part of what you're doing when you buy IPS software, and that there are alternatives already at your disposal. Not that HIPS apps don't cover additional things you can't do with the OS alone, but you could do without, and have a setup with similar, and in some cases maybe better, security. It wouldn't take much effort to set up a very restricted user account that you could surf under in which you cannot execute any new files, install drivers, make any changes to the system, access your sensitive information, or access any potentially insecure components.. many of us just don't for one reason or another. I'm no exception, but I make no effort to rationalize this irrational choice, other than, indeed, some degree of laziness and the (continuing) journey of learning and playing that has made it all worthwhile for me.. a journey that has also left me able to help others in a wider spread of circumstances (with different setups, needs, and wants) than what can be covered by more applications that people may not want, or be able, to run. Heck, there's probably more people out there that would prefer MS' UI for software restrictions than all of DCS' customers put together. You just don't see me talking a lot about it because it's not appropriate for many home users without a lot of computer knowledge, although there are certainly some things that can, and should, still be done.
Another (easier) alternative is to launch your internet software with DropMyRights. This won't solve the problem of downloaded software, but you can get the context menu launcher to easily right-click and launch the software in question with reduced privileges. It's still not nearly as good as running in a limited user account, but it can help. DropMyRights only requires that you create a shortcut once, and use it to start your browser/email/etc, which should be easy enough for most people. This will at least stop most malware that does not use an exploit to escalate its privileges, which is a risk you can reduce further by hardening.
Anyone interested in group policy templates can find out more HERE (http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_lqvj.asp). It's really not too hard, although there are lots of options to go through :) You may also want to go through the group policy editor alone, without the templates, as there are lots of little things you can do, many of which are covered in parts by different tweaking apps, just run "gpedit.msc" and take a look.
Why
August 13th, 2005, 11:16 AM
-{ Quote: "What more do they have to go on? :)
Secure yourself against the installation of kernel-mode drivers and you secure yourself from kernel-mode rootkits - it's a lot easier saying Yes/No to the installation of a kernel-mode rootkit than it is to disinfect one." }-
Well if I knew ahead of time it was a kernel-mode rootkit, I wouldn't even run it!
PG tells me the program I'm installing wants to install a driver, which isn't that helpful in most cases, since in the end it comes down to whether I trust the program.
But isn't this true even if I didn't have PG?
Starrob, you are probably thinking of the old urban legend of viruses being written by antivirus people, right?
Starrob
August 13th, 2005, 12:00 PM
-{ Quote: "Starrob, you are probably thinking of the old urban legend of viruses being written by antivirus people, right?" }-
No, I am not......
controler
August 13th, 2005, 12:37 PM
Oh dear, I beg to differ
Some new rootkits can be installed from ring 3.
Right?
I agree, running with ADMIN privileges is not a good thing, but still won't stop the newest rootkits.
Starrob is right about looking at both sides. I am sure most of you know you can't learn everything about rootkits here, unless some others post links to rootkit sites.
At one time the moderators here wouldn't allow links to sites where nasties could be downloaded.
Now, since some of those same sites host both detection and infection, the mods seem OK with posting links in some cases.
controler
Why
August 13th, 2005, 01:38 PM
-{ Quote: "No, I am not......" }-
Okay let me phrase it properly then, you are thinking of something similar.
StevieO
August 13th, 2005, 03:37 PM
I found an interesting paper on RKs the other day, and thought I'd share it with you, and see what you think about it.
. . .
Defeating Kernel Native API Hookers by Direct KiServiceTable Restoration.
Security Tools
– Sebek Win32
– DiamondCS Process Guard
– Kerio Personal Firewall 4
Restoring KiServiceTable will disable Process Guard’s process termination protection.
Restoring KiServiceTable will disable Kerio’s process spawn protection.
Native API Hooking Security Tools
• Security tools that rely on native API hooking in kernel-space can be disabled by KiServiceTable restoration.
• Need to implement additional protection to prevent this from happening.
http://www.security.org.sg/code/SIG2_DefeatingNativeAPIHookers.pdf
StevieO
Rmus
August 13th, 2005, 04:19 PM
-{ Quote: "I found an interesting paper on RK's the other day,..." }-Interesting, but a year old - much was discussed on the rootkit site by the authors credited in this paper.
The key sentence in all of these papers is something similar to what's in this paper:
----------------------------
To hide processes, a Win2K kernel-space rootkit, which is loaded as a driver,...
----------------------------
Well, how is it going to load? Many ways today to prevent the loading of a driver or .dll, etc.
I would be more concerned with preventing the loading of the driver than worrying about what the rootkit (or any trojan) will do if installed.
These papers are useful, in that the computing world keeps up with what's going on, and following the cat & mouse game. But they shouldn't instill fear, thinking, aaggh - - my computer's just waiting to be hooked.
regards,
-rich
________________
~~Be ALERT!!! ~~
Notok
August 13th, 2005, 07:04 PM
-{ Quote: "Oh dear, I beg to differ
some new rootkits can be installed from ring 3.
Right? " }-Nothing is foolproof, but it's a good start. User-mode rootkits are generally considered inferior from what I've seen at the rootkit site. It would still need to execute a file, however, so if you used software restrictions it wouldn't be able to run.
Starrob
August 13th, 2005, 11:19 PM
-{ Quote: "Okay let me phrase it properly then, you are thinking of something similar." }-
Got it all wrong. I have theories and I have not elaborated on them.
Starrob
August 13th, 2005, 11:23 PM
-{ Quote: "
----------------------------
Well, how is it going to load? Many ways today to prevent the loading of a driver or .dll, etc.
I would be more concerned with preventing the loading of the driver than worrying about what the rootkit (or any trojan) will do if installed.
These papers are useful, in that the computing world keeps up with what's going on, and following the cat & mouse game. But they shouldn't instill fear, thinking, aaggh - - my computer's just waiting to be hooked.
regards,
-rich
________________
~~Be ALERT!!! ~~" }-
What do you consider the best ways to prevent the loading of a driver?
Starrob
Rmus
August 14th, 2005, 12:37 AM
-{ Quote: "What do you consider the best ways to prevent the loading of a driver? " }-Process Guard:
PG Rootkit Test (http://diamondcs.com.au/processguard/index.php?page=attack-rootkits)
Anti-Executable
I ran a test to attempt to copy fu.exe and its driver, msdirectx.sys across a network:
AE Rootkit Test (http://www.rsjones.net/AE_fu)
regards,
-rich
________________
~~Be ALERT!!! ~~
Starrob
August 14th, 2005, 09:05 PM
A little info on Hacker Defender gold and Silver:
Golden Hacker Defender includes
* protection against all AV, unique version and source code for both main module and driver module
* separation between hidden processes and hidden files in inifile
* outbound TCP connection hiding
* Rootkit Detector 0.61, 0.62 antidetection
* modern detectors antidetection engine with antidetection against
o F-Secure BlackLight 1.0.1017.0, 1.2.1003.0, 1.3.1015, 1.4.1003, 1.5.1002, 2.0.1008, 2.1.1010, 2.1.1012, 2.1.1013
o F-Secure BlackLight console 1.25.1006.0, 1.28.1006.0
o Sysinternals RootkitRevealer v1.00, v1.01, v1.10, v1.20, v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
o RootKit Shark 3.11, 3.22, 3.27
o RegdatXP v1.41
o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
o Flister 0.1
o Find Hidden Service 1.0, 1.1
o Kernel SC 1.3
o Kernel PS 0.4, 1.0
o Klister 0.4
o Process Magic 1.0
o KProcCheck 0.1, 0.2-beta1, 0.2-beta2
o TaskInfo 6.0.1.134
o KHS - kill hide services 0.1
Silver Hacker Defender includes
* protection against all AV, unique version and source code for both main module and driver module
* separation between hidden processes and hidden files in inifile
* outbound TCP connection hiding
* Rootkit Detector 0.61, 0.62 antidetection
* modern detectors antidetection engine with antidetection against
o F-Secure BlackLight 2.1.1013
o Sysinternals RootkitRevealer v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
o Flister 0.1
o Find Hidden Service 1.0, 1.1
o Klister 0.4
controler
August 14th, 2005, 11:13 PM
I still want him to list ProcessGuard also ;D
If that is possible
---
August 15th, 2005, 01:52 PM
-{ Quote: "I still want him to list ProcessGuard also ;D
If that is possible" }-
LOL perhaps when PG starts detecting rootkits.
someone else
August 15th, 2005, 03:08 PM
-{ Quote: "LOL perhaps when PG starts detecting rootkits." }-
PG does better than that mate, it prevents rootkits.
Starrob
August 16th, 2005, 08:33 PM
-{ Quote: "PG does better than that mate, it prevents rootkits." }-
Has anyone ever investigated the claim made here by ch0pper http://www.wilderssecurity.com/showthread.php?t=92178 :
"the answer is no my friend !!! there are ways around this with the gold version !!!
ch0pper
hacker defender team"
Is the claim fear mongering? Or is it true? Seems all the "experts" have gone quiet on this one....LOL but this amateur is only asking questions that need to be asked. We don't want anyone thinking they are 100% secure do we?? LOL
Starrob
real world
August 16th, 2005, 08:44 PM
perhaps it's the same person creating the poison and the antidote. Why not? It's good for business.
axeman500
August 17th, 2005, 05:42 PM
-{ Quote: "perhaps it's the same person creating the poison and the antidote. Why not? It's good for business." }-
So if PG is not the antidote, what is then?
trojan
February 17th, 2006, 05:52 PM
Search Wilders for Keen Sense, still one of the best process control programs and rootkit detectors I have used 8)
quote:: I finally found my copy of Keen Sense (version 1.2.3.1) buried in a disk image made in April 2005. I believe there is at least one later version. I ran it on a test system with PG, Outpost, and Hacker Defender 1.0.0 "revisited" already installed. While it is indeed able to terminate PG-protected processes, I was more impressed with the way Keen Sense handled Hacker Defender. It not only detects and terminates the rootkit process (and hidden sub-processes), it also unloads the driver, so that you can immediately see what was previously hidden (files, registry entries, etc.)
BTW, PG did occasionally "see" and block some of the rootkit's behavior (in about 1 in 5 restarts). On my test system, Hacker Defender had been installed in Safe Mode to get around PG. From PG's log:
---Process Guard Log Started---
Sun 28 - 19:41:53 [DRIVER/SERVICE] g:\documents and settings\****\desktop\new folder\hxdef100.exe [1444] Tried to modify an existing driver/service named hackerdefenderdrv100
So far, Keen Sense is a tool I will hold on to. Hopefully, it will be further developed.
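As an added example (not from the thread, DiamondCS, or Keen Sense), here is a small Python parser for the Process Guard log line quoted in the post above, run over that line plus a couple of constructed lines in the same format; it flags driver/service changes that originate from user-writable paths, which is the kind of event worth reviewing after a Safe Mode install like the one described:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Format of the single Process Guard line quoted in the thread:
#   "<day> <n> - <hh:mm:ss> [<CATEGORY>] <path> [<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} - \d{2}:\d{2}:\d{2}) "
    r"\[(?P<cat>[^\]]+)\] (?P<path>.+?) \[(?P<pid>\d+)\] (?P<msg>.+)$"
)
NAME_RE = re.compile(r"named (\S+)\s*$")

# Directories a standard user can write to (assumption for this example,
# not a Process Guard rule): a driver/service change launched from one of
# these deserves a closer look than one launched from %SystemRoot%.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")

# Constructed sample log: line 2 is the real line from the post (path
# redacted as posted); lines 3 and 4 are made up in the same format.
SAMPLE_LOG = r"""---Process Guard Log Started---
Sun 28 - 19:41:53 [DRIVER/SERVICE] g:\documents and settings\****\desktop\new folder\hxdef100.exe [1444] Tried to modify an existing driver/service named hackerdefenderdrv100
Sun 28 - 19:42:10 [DRIVER/SERVICE] c:\windows\system32\services.exe [660] Tried to modify an existing driver/service named Tcpip
Sun 28 - 19:43:02 [DRIVER/SERVICE] c:\documents and settings\****\local settings\temp\setup.exe [2012] Tried to modify an existing driver/service named fakedrv
"""


@dataclass
class Event:
    timestamp: str
    category: str
    path: str
    pid: int
    message: str
    service: Optional[str]  # driver/service name, when the message names one


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed log line, None for headers/noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = NAME_RE.search(m["msg"])
    return Event(m["ts"], m["cat"], m["path"], int(m["pid"]), m["msg"],
                 name.group(1) if name else None)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def assess(event: Event) -> str:
    """'high' for driver/service changes from user-writable locations,
    'review' for other driver/service events, 'info' for anything else."""
    if event.category != "DRIVER/SERVICE":
        return "info"
    if any(marker in event.path.lower() for marker in USER_WRITABLE):
        return "high"
    return "review"


def suspicious_events(text: str) -> List[Event]:
    return [e for e in parse_log(text) if assess(e) == "high"]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(assess(ev).upper(), ev.pid, ev.service, ev.path)
```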
EASTER.2010
February 17th, 2006, 08:10 PM
Not seen any more mention of Keen Sense since September in that topic you referenced.
In fact, it looks like the attachment was posted then pulled by Bubba.
I did a brief Google with 0 results, with the exception of Wilders Forum, so it must either be not recommended or else just passed over?
trojan
February 17th, 2006, 08:33 PM
I'm not sure what you're asking; if you can't find it I'll upload a copy for you to test it yourself and see what you think. Google is often of little help when trying to find programs that are not very well known ;D
EASTER.2010
February 17th, 2006, 10:13 PM
-{ Quote: "I'm not sure what you're asking; if you can't find it I'll upload a copy for you to test it yourself and see what you think. Google is often of little help when trying to find programs that are not very well known ;D" }-
Sure, go ahead, because it's nowhere that I can find it, plus I'm a bit surprised it wasn't left in the other topic for others to review.
So yeah, I for one wouldn't mind taking it around the circuit for a spin.
Chas666
February 17th, 2006, 11:47 PM
The situation is becoming so complicated that only the nerds and power users will be able to understand enough to navigate the internet and protect themselves. The rest of us will eventually say to hell with it; it's not worth the time, effort, and expense and just quit. There are already a large number of people who have computers that are not connected and don't intend to. This will be unfortunate because there won't be enough power users left to sustain the thing so it may eventually collapse. So all the hackers and malware producers will have accomplished would be to shoot themselves in the foot, so to speak, because there won't be anyone left to hack. Maybe I'm naive but I can't understand why they [hackers] can't understand this.
Paul Wilders
February 18th, 2006, 07:09 AM
-{ Quote: "I'm not sure what you're asking; if you can't find it I'll upload a copy for you to test it yourself and see what you think. Google is often of little help when trying to find programs that are not very well known ;D" }-
Sorry to say, but no upload allowed. Please exchange info by email in case of need.
regards,
paul
EASTER.2010
February 18th, 2006, 03:49 PM
-{ Quote: "The situation is becoming so complicated that only the nerds and power users will be able to understand enough to navigate the internet and protect themselves. The rest of us will eventually say to hell with it; it's not worth the time, effort, and expense and just quit. There are already a large number of people who have computers that are not connected and don't intend to. This will be unfortunate because there won't be enough power users left to sustain the thing so it may eventually collapse. So all the hackers and malware producers will have accomplished would be to shoot themselves in the foot, so to speak, because there won't be anyone left to hack. Maybe I'm naive but I can't understand why they [hackers] can't understand this." }-
That's a very true statement Chas666. It's likely to continue to prove even more complicated for everyone as things go along. Whether we like it or not, that's just the nature of the way it is.
Most users just want to be able to comb internet URLs and not have to suffer distractions or interruptions.
Not only that, but consider this. When you buy a Windows disc and install it, or buy a PC with an OEM installation, you would expect to not have to add anything more than perhaps a dependable Anti-Virus and MalDetector and just set it up to run on a schedule.
As things now stand, that alone will never be enough. It's difficult enough for the common average internet user that they have to educate themselves in basic Windows settings alone. It's reached a point anymore that you almost need to be a technician yourself if you hope to be able to use your own machine with the confidence and safety that you expect from this communication service.
Rmus
February 20th, 2006, 07:20 PM
-{ Quote: "The situation is becoming so complicated that only the nerds and power users will be able to understand enough to navigate the internet and protect themselves." }-I can't accept such a fatalistic conclusion. If users are educated in the right way, internet use will be a safe and pleasant experience. I've had success with many home users who have never had any malware infections.
---
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums