How good is Ewido at detecting rootkits?
serioussam
August 24th, 2005, 01:15 PM
Does anyone know how good Ewido would be at finding rootkits through a manual scan with the program? Either through sigs or heuristics.
If Ewido is not too strong in this area, I think it would be a good thing to add as many rootkit sigs as possible to the defs of Ewido, or incorporate other ways (heuristics?) to find them.
Thanks.
Starrob
August 24th, 2005, 02:32 PM
-{ Quote: "Does anyone know how good Ewido would be at finding rootkits through a manual scan with the program? Either through sigs or heuristics.
If Ewido is not too strong in this area, I think it would be a good thing to add as many rootkit sigs as possible to the defs of Ewido, or incorporate other ways (heuristics?) to find them.
Thanks." }-
I think the person that could best answer this is FISH and I happen to know he will probably not be on Wilders for another week or so.
Here is what I do know. It is claimed that the best applications for finding rootkits are rootkit detectors. Most rootkit detectors are fairly good at finding rootkits that are posted publicly on various malware sites.
However, it is claimed by the author of Hacker Defender that the Gold version of the latest Hacker Defender can elude detection from all known rootkit detectors.
The best bet is to not ever get a rootkit on your system.
Starrob
FatalChaos
August 24th, 2005, 09:30 PM
Wasn't there some firm in China that made a program that could get the rootkit? I remember there was an article on it a while back here on Wilders.
dog
August 25th, 2005, 09:09 AM
The post by guest warren godin has been removed - as per our TOS (http://www.wilderssecurity.com/TOS-Privacy.html)
Regards;
Steve
passing thru
August 25th, 2005, 09:43 AM
I believe that scanning in Safe Mode will improve your chances of detecting the presence of a rootkit with any signature-based scanner. Keep in mind, though, that rootkits can be set to run in Safe Mode as well (which is a good reason to somehow protect the HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot registry keys).
maddawgz
August 26th, 2005, 08:52 AM
which is a good reason to somehow protect the HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot registry keys)
How would that be done? Thanks, MD
lordpake
August 26th, 2005, 11:30 AM
-{ Quote: "wasn't there some firm in china that made a program that could get the rootkit? i remember there was an article on it a while back here in wilders." }-
Yeah, IceSword is such an app.
One article about it here
http://itmanagement.earthweb.com/columns/executive_tech/article.php/3512621
Starrob
August 26th, 2005, 12:15 PM
-{ Quote: "Yeah, IceSword is such app.
One article about it here
http://itmanagement.earthweb.com/columns/executive_tech/article.php/3512621" }-
Yes, but I also think I read somewhere that Hacker Defender has now been developed so that the private versions can also defeat IceSword. I am not sure if it is true or not.
Here is the list that the private version of Hacker defender claims to beat:
Golden Hacker Defender includes
* protection against all AV, unique version and source code for both main module and driver module
* separation between hidden processes and hidden files in inifile
* outbound TCP connection hiding
* Rootkit Detector 0.61, 0.62 antidetection
* modern detectors antidetection engine with antidetection against
o F-Secure BlackLight 1.0.1017.0, 1.2.1003.0, 1.3.1015, 1.4.1003, 1.5.1002, 2.0.1008, 2.1.1010, 2.1.1012, 2.1.1013
o F-Secure BlackLight console 1.25.1006.0, 1.28.1006.0
o Sysinternals RootkitRevealer v1.00, v1.01, v1.10, v1.20, v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
o RootKit Shark 3.11, 3.22, 3.27
o RegdatXP v1.41
o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
o Flister 0.1
o Find Hidden Service 1.0, 1.1
o Kernel SC 1.3
o Kernel PS 0.4, 1.0
o Klister 0.4
o Process Magic 1.0
o KProcCheck 0.1, 0.2-beta1, 0.2-beta2
o TaskInfo 6.0.1.134
o KHS - kill hide services 0.1
Silver Hacker Defender includes
* protection against all AV, unique version and source code for both main module and driver module
* separation between hidden processes and hidden files in inifile
* outbound TCP connection hiding
* Rootkit Detector 0.61, 0.62 antidetection
* modern detectors antidetection engine with antidetection against
o F-Secure BlackLight 2.1.1013
o Sysinternals RootkitRevealer v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
o Flister 0.1
o Find Hidden Service 1.0, 1.1
o Klister 0.4
From the way I understand things, almost as soon as a rootkit detector claims it can detect all rootkits, the rootkit authors begin developing ways to evade that particular rootkit detector.
As the author of F-secure states in that article:
"Rootkit detection is a cat-and-mouse game. Sometimes the rootkit authors are ahead, sometimes the antirootkit authors. We can at the moment detect all rootkit samples that we have access to, but that may change as soon as a new, more advanced rootkit is published. We will naturally respond with improved detection when that happens. There are still no signs that this race will slow down. This makes it even harder to name the best antirootkit tool. ..."
From the little I have read, the best rootkit detector is a private build rootkit detector....One that has not had its detection methods analyzed. Once the author of a rootkit detector begins bragging that it can detect all rootkits, then it is only a matter of time before private build versions of rootkits are built that can evade the detection.
I think most public rootkit detectors can detect most public rootkits but that is about it.
Starrob
gottadoit
August 26th, 2005, 01:17 PM
-{ Quote: "which is a good reason to somehow protect the HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot registry keys)
How would that be done? Thanks, MD" }-
MD,
To do it properly you would need an application like RegDefend, see the forum here at Wilders (http://www.wilderssecurity.com/forumdisplay.php?f=72).
This method of protection is the latest "must have" so everyone wants to have one and all the vendors want to be selling one. It's early in the lifecycle of this type of application so you can expect more competing applications.
It is too early to say what the feature differences will be, but there are bound to be dumbed down versions that "do it all for you" as well as ones that let you do it all yourself. Either way the applications will need to be well optimised, otherwise they have a lot of potential to start slowing down "normal operations"
Regards
üiüiü
August 27th, 2005, 04:37 AM
@Starrob You forgot Brilliant Hacker Defender Forever ... ;-)
-------------------------
Brilliant Hacker defender Forever has same features as Brilliant Hacker defender package with addition of Antivirus support and Antidetection engine support - both for 6 months. Only this package comes with support for new detectors not only for new versions of existing detectors. The package contains these features:
Antivirus protection
Antivirus support 6 months
Source code
Internal inifile
Logoner
Antidetection engine
F-Secure BlackLight 1.0.1017.0, 1.2.1003.0, 1.3.1015, 1.4.1003, 1.5.1002, 2.0.1008, 2.1.1010, 2.1.1012, 2.1.1013
F-Secure BlackLight Console 1.25.1006.0, 1.28.1006.0
Find Hidden Service 1.0, 1.1
Flister 0.1
IceSword 1.04, 1.06, 1.06b, 1.08, 1.10
Kernel SC 1.3
Kernel PS 0.4, 1.0
KHS 0.1
Klister 0.4
KProcCheck 0.1, 0.2-beta1, 0.2-beta2
modGREPER 0.1, 0.2
Process Magic V1.0 by WinEggDrop
RegdatXP 1.41
RootkitRevealer v1.00, v1.01, v1.10, v1.20, v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
RootKitShark 3.11, 3.22, 3.27
TaskInfo 6.0.1.134
UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta2, 2.5
Antidetection engine support 6 months
package price: 900 EUR
Features:
Antivirus protection
This feature is included in every paid version of Hacker Defender. The code of the public version is scrambled and properly changed to avoid antivirus detection. Tests for eight antivirus products (Avast!, AVG, Kaspersky, McAfee, NOD32, Norton, Panda, PC-cillin) with the newest upgrades are always made before the customer receives the final product. The code is always unique for each customer, which means that detection of one customer's product should not affect other customers' products. If you want extra protection against more antivirus products, write your wish in the special wishes box. The price for extra protection is set individually.
price: 100 EUR
Antivirus support
Every paid version is unique for each customer and is not detected by mentioned antivirus products. However, it is possible and it happens from time to time that some antivirus vendor comes with new pattern of Hacker defender detection. This can also affect paid versions. This is why Antivirus support feature is offered. You can choose one of three options that differs only in their length. Prices are valid for standard Antivirus protection pack that consist of eight antivirus products - see above. If support for extra protection is also needed please write this separately in the special wishes box. The price for extra protection support is set individually. All updates are available on demand and the important is the time of receiving the update request. Support starts immediately after the package is sent to a customer. If we are not able to provide the appropriate upgrade you'll get your money paid for this feature back. When the support expires customer can renew the support paying the price for the support feature again.
Antivirus support 1 month: price: 30 EUR
Antivirus support 3 months: price: 80 EUR
Antivirus support 6 months: price: 150 EUR
Source code
Those who can code and want to see how paid features work or want to modify their paid version by adding own functionality can buy Source code. Full source code of all parts is included so that customer can recompile whole product without problems. The code is based on the code of public version but new features there are better commented.
price: 60 EUR
Internal inifile
The basic version of Hacker Defender relies on an external inifile that contains all user settings. This feature consists of an external tool that is used to bind a valid inifile to the main module so that only one file is needed for rootkit installation. This inifile is plain text (except the backdoor password) written in the main module's overlay. When the rootkit is run it checks for the external inifile first to read its settings. If there is no external inifile it looks in the overlay for the internal inifile.
price: 20 EUR
Logoner
This feature adds hooking of the Windows logon API to catch all logon information typed after rootkit installation. The logon information with encrypted passwords is written to the file whose name is specified in the inifile. Username, password and domain are caught from desktop lock, terminal services logon as well as from standard logon.
price: 80 EUR
Antidetection engine
Antivirus vendors, other security companies and individual researchers care more and more about detection of rootkits. There are several applications that specialize in rootkit detection and elimination. Hacker Defender, as a user mode rootkit, is not able to hide from the sight of these special, mostly kernel mode based tools. However, a special Antidetection engine for Hacker Defender was implemented to fight these detectors. This engine works like a basic antivirus engine with some advanced features. It scans running programs for patterns and behaves according to the defined entries in its database. The important feature of this engine is that it can't be cheated using packers, encryptors or antidebugging tricks. There is no known rootkit detector today that can't be bypassed with this engine. This feature consists of the engine and its modules (database of detectors). The price for various detectors differs because some detectors can be bypassed very easily but others can't be bypassed without very sophisticated database records.
price: 75 EUR
F-Secure BlackLight
F-Secure is a well known antivirus company. Its product for rootkit detection is called BlackLight. It can find hidden processes and files on an infected machine and take basic actions to unhide them. It is still under development so there have been many versions of this detector released. However, all versions of the BlackLight detector are limited, and older ones do not work without a patch or setting the proper system time.
F-Secure BlackLight 2.1.1013: price: 20 EUR
F-Secure BlackLight 2.1.1012: price: 20 EUR
F-Secure BlackLight 2.1.1010: price: 15 EUR
F-Secure BlackLight 2.0.1008: price: 10 EUR
F-Secure BlackLight 1.5.1002: price: 5 EUR
F-Secure BlackLight 1.4.1003: price: 5 EUR
F-Secure BlackLight 1.3.1015: price: 5 EUR
F-Secure BlackLight 1.0.1017.0, 1.2.1003.0: price: 5 EUR
F-Secure BlackLight Console 1.25.1006.0, 1.28.1006.0: price: 5 EUR
Find Hidden Service 1.0, 1.1
FHS is a very tiny implementation of registry hive scanning. Because it reads the binary hive files rather than using the common Windows API to read registry keys, it can find hidden services.
price: 10 EUR
Flister 0.1
Flister can find hidden files on disk using a not-hooked version of the native file enumerating API or by exploiting bugs in rootkit implementations.
price: 15 EUR
IceSword base (version 1.10) (xfocus download mirror)
The most powerful (especially against usermode rootkits) rootkit detector with many features and ways to reveal hidden stuff on a machine. The public version of Hacker Defender can be found in IceSword's process list, open ports, active driver list, services list, SSDT list, process and thread notifications, registry browser and file browser. All of these are bypassed with this module for the antidetection engine. IceSword base includes protection against version 1.10 and is required for protection against all other available versions but can be used separately too.
price: 100 EUR
IceSword 1.04: price: 10 EUR
IceSword 1.06: price: 15 EUR
IceSword 1.06b: price: 20 EUR
IceSword 1.08: price: 20 EUR
Kernel SC 1.3
Another small program reading registry values without being hooked. This one is able not only to find hidden services but also to disable them.
price: 15 EUR
Kernel PS
Kernel PS uses kernel driver to get information about running processes marking those that are hidden from usermode view.
Kernel PS 1.0: price: 15 EUR
Kernel PS 0.4: price: 15 EUR
KHS 0.1
Just another hidden service detector.
price: 10 EUR
Klister 0.4
Klister is a tool for Windows 2000 that reads kernel structures to enumerate all running processes on the machine.
price: 10 EUR
KProcCheck
Smart tool for enumerating running processes. Using several different methods in the kernel and comparing them with usermode lists, it can find hidden processes.
KProcCheck 0.2-beta2: price: 15 EUR
KProcCheck 0.2-beta1: price: 10 EUR
KProcCheck 0.1: price: 5 EUR
modGREPER 0.1, 0.2
This tool scans kernel memory to find all installed kernel modules. With public version of Hacker defender this tool can be used to find its driver.
price: 20 EUR
Process Magic V1.0 by WinEggDrop
Tool for enumerating and hiding running processes.
price: 10 EUR
RegdatXP 1.41
Alternative registry browser with many other features that can be used to find hidden registry keys.
price: 10 EUR
RootkitRevealer
Rootkit detector from the famous Sysinternals team. It reads raw file system structure and raw registry hives to find hidden files and registry entries.
RootkitRevealer v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55: price: 20 EUR
RootkitRevealer v1.00, v1.01, v1.10, v1.20: price: 5 EUR
RootKitShark 3.11, 3.22, 3.27
Yet another detector based on raw registry hive scanning.
price: 10 EUR
TaskInfo 6.0.1.134
Featured Windows information tool with anti-rootkit capabilities that can show hidden processes, files and kernel drivers.
price: 30 EUR
UnHackMe
Commercial detector for rootkits, trojan horses, spyware and other malware.
UnHackMe 2.5 beta, 2.5 beta2, 2.5: price: 15 EUR
UnHackMe 1.0, 2.0: price: 10 EUR
Antidetection engine support
There are still new and new detectors and their versions. Adding new detector to engines database can be very easy for almost everyone with little coding skills but can be also very difficult even for the code master. Antidetection engine support is the solution for everyone to keep his/her version protected against the newest detectors. However, this support differs between Hacker defender packages. Firstly the support consist of updates that are available in the list of detectors above. Secondly except the Brilliant packages antidetection updates are available only for the families of detectors supported by package. This means that a smaller package that does not include e.g. IceSword antidetection but with this engine support won't get updates for IceSword when new version of IceSword is released and bypassed. The only packages that also offer protection against new detector products (not just new versions of current detectors) are Brilliant packages. All updates are available on demand and the important is the time of receiving the update request. Support starts immediately after the package is sent to a customer. If we are not able to provide the appropriate upgrade you'll get your money paid for this feature back. When the support expires customer can renew the support paying the price for the support feature again.
Antidetection engine support 1 month: price: 40 EUR
Antidetection engine support 3 months: price: 110 EUR
Antidetection engine support 6 months: price: 200 EUR
All paid versions come under the following licence agreement...
--------------
1.
Just for the record: In my opinion, this is getting ridiculous. I can't see any reason why you shouldn't put the developer/malware vendor into jail. Contrary to a normal remote administration tool / trojan there appears to be no legit reason for using a rootkit.
2.
The above is not only a price list but also a nice summary of most available rootkit detectors.
3.
It seems that malware coders will face similar problems like AV/AT developers: too many malware samples or, respectively, rootkit detectors to handle ;-)
4.
It should be quite interesting to analyze how the anti-detection engine really works: "This engine works like a basic antivirus engine with some advanced features. It scans running programs for patterns and behaves according to the defined entries in its database. The important feature of this engine is that it can't be cheated using packers, encryptors or antidebugging tricks."
It seems to me that the anti-detection engine deactivates suspicious rootkit functions in respect of a rootkit detector. Apparently, it is signature-based. Maybe it looks for object handles in memory (because it cannot be outfoxed with the help of a crypter etc.) I am pretty sure that a careful analysis of the anti-detection engine would allow a rootkit detector to use effective countermeasures like polymorphism, combination of file & memory scanning + heuristics etc.
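The detector descriptions in the price list above (Find Hidden Service and RootKitShark reading raw hives, Flister using an un-hooked native API, KProcCheck and Kernel PS comparing kernel structures with usermode lists) all rely on the same idea: cross-view difference detection. The following is an added example, not code from the page or from any of those tools. All data is constructed; there is no Windows API call and no real hook. The "hooked" view is simulated by a filter that drops names beginning with a hide prefix, which is how the public Hacker Defender build is configured by default (`hxdef`). The `raw_path_hooked` flag and the `Entry` type are assumptions of this example.

```python
"""Cross-view difference detection (added example, constructed data).

Enumerate the same objects once through the normal, hookable API and once
through a path the rootkit has not hooked (raw hive or file-system structures,
kernel lists), then report the differences."""

from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Entry:
    kind: str   # "file", "process" or "service"
    name: str


# Constructed ground truth: what a raw read of disk structures / kernel lists sees.
RAW_VIEW = frozenset([
    Entry("process", "explorer.exe"),
    Entry("process", "hxdef100.exe"),
    Entry("file", r"C:\hxdef\hxdef100.ini"),
    Entry("service", "HackerDefender100"),
    Entry("service", "Spooler"),
])

# Hide prefixes the simulated rootkit hook filters on (public hxdef default is 'hxdef').
HIDE_PREFIXES = ("hxdef", "hackerdefender")


def _basename(name):
    return name.rsplit("\\", 1)[-1].lower()


def hooked_enumeration(raw, hide_prefixes=HIDE_PREFIXES):
    """Simulate a hooked enumeration API: the hook strips entries whose base
    name starts with one of the hide prefixes before the caller sees them."""
    return frozenset(e for e in raw
                     if not _basename(e.name).startswith(hide_prefixes))


def cross_view_diff(api_view, low_view):
    """Entries the low-level path sees but the API does not are hidden objects.
    Entries only the API reports are phantoms (stale or spoofed) and deserve a
    second look as well."""
    hidden = sorted(low_view - api_view)
    phantom = sorted(api_view - low_view)
    return hidden, phantom


def detect(raw=RAW_VIEW, raw_path_hooked=False):
    """Run both enumerations and diff them. raw_path_hooked models a rootkit (or
    an antidetection engine aimed at the scanner itself) that also intercepts
    the low-level path: both views then agree and the cross-view check is blind."""
    api_view = hooked_enumeration(raw)
    low_view = hooked_enumeration(raw) if raw_path_hooked else raw
    return cross_view_diff(api_view, low_view)


if __name__ == "__main__":
    hidden, phantom = detect()
    for e in hidden:
        print(f"HIDDEN {e.kind}: {e.name}")
    print("phantom entries:", phantom)
    print("diff when the raw path is hooked too:", detect(raw_path_hooked=True))
```

The second call shows the weakness the thread keeps coming back to: a cross-view detector is only as good as the path it trusts, so a rootkit that recognises the detector and hooks (or patches) its low-level read path produces two identical views and nothing to report.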
3 characters
August 27th, 2005, 03:07 PM
-{ Quote: "
Just for the record: In my opinion, this is getting ridiculous. I can't see any reason why you shouldn't put the developer/malware vendor into jail. Contrary to a normal remote administration tool / trojan there appears to be no legit reason for using a rootkit.
" }-
The author probably hasn't been put into jail because the CIA, FBI and other government agencies (other countries besides the US too) probably use his programs LOL, that way we will never know when they're spying on us. ;) ;)
hubbahubba
August 27th, 2005, 03:14 PM
-{ Quote: "The author probably hasn't been put into jail because the CIA, FBI and other government agencies (other countries besides the US too) probably use his programs LOL, that way we will never know when their spying on us. ;) ;)" }-
or possibly because activist groups in the US like the ACLU would cry some sort of violation of the author's "civil rights" was taking place
3 ring circus
August 27th, 2005, 03:39 PM
Governments+AV industry+ Malware authors = a three ring circus!!!!!!
Detox
August 27th, 2005, 03:54 PM
Topic = "How good is Ewido at detecting rootkits?"
Let's get back on it, please.
Starrob
August 27th, 2005, 04:27 PM
Ewido is a good trojan scanner but my personal opinion is that there really isn't any scanner that is good against rootkits. Public versions of AV/AT/Rootkit detectors can detect public rootkits.
Any security professional that brags that their software can detect all rootkits will in general have their software analyzed by rootkit authors and the private version of the rootkit will be made that will evade the AV/AT/Rootkit detector that the vendor is hawking.
The best rootkit detector is a private version that has not had its detection methods analyzed......but private versions of rootkit detectors are probably very expensive. Probably only large organizations would be in the market for them.
The best thing for the average home user is to keep rootkits off of their computer in the first place
Starrob
üiüiü
August 27th, 2005, 04:59 PM
O.k....let's talk about Ewido:
I picked the new Hacker Defender Revisited (hxdef100r) rootkit. Ewido's file scanner (latest sigs) detects it. If you execute the rootkit file Ewido's guard detects and blocks it.
If you allow the rootkit to start the entire installation folder (including the rootkit files) will get invisible. Consequently, Ewido's file scanner (or any other AV/AT file scanner) will be unable to detect it.
If you perform a manual memory scan Ewido will detect & terminate the running rootkit and all files will become visible again. This is because current rootkits can't perfectly cloak themselves in memory. The big advantage of Ewido is that it features a "full" manual memory scanner which scans the entire memory. (Such memory scanner was implemented after we performed the Flux tests demonstrating the weakness of mere process or module file scanners.)
There will be a new generation of rootkits that will also support memory cloaking. A special demo variant of FU has already been developed. Further information can be found in the "uncensored" forum's malware section (you may know where). I do not post the information here because it would probably violate the TOS.
Starrob
August 27th, 2005, 05:34 PM
-{ Quote: "O.k....let's talk about Ewido:
I picked the new Hacker Defender Revisited (hxdef100r) rootkit. Ewido's file scanner (latest sigs) detects it. If you execute the rootkit file Ewido's guard detects and blocks it.
If you allow the rootkit to start the entire installation folder (including the rootkit files) will get invisible. Consequently, Ewido's file scanner (or any other AV/AT file scanner) will be unable to detect it.
If you perform a manual memory scan Ewido will detect & terminate the running rootkit and all files will become visible again. This is because current rootkits can't perfectly cloak themselves in memory. The big advantage of Ewido is that it features a "full" manual memory scanner which scans the entire memory. (Such memory scanner was implemented after we performed the Flux tests demonstrating the weakness of mere process or module file scanners.)
There will be a new generation of rootkits that will also support memory cloaking. A special demo variant of FU has already been developed. Further information can be found in the "uncensored" forum's malware section (you may know where). I do not post the information here because it would probably violate the TOS." }-
Thanks for the info. I'll take a look at the uncensored forum.
Starrob
Starrob
August 27th, 2005, 05:46 PM
-{ Quote: "
There will be a new generation of rootkits that will also support memory cloaking. " }-
Do you mean this one: http://www.eweek.com/article2/0,1895,1841266,00.asp
Starrob
August 27th, 2005, 05:51 PM
I also found this link from Kaspersky:
http://www.viruslist.com/en/analysis?pubid=168740859
At the end it states:
"All the methods for detecting active rootkits depend on the fact that they disrupt system functioning in one way or another. Kaspersky Lab products exploit this, which also makes them able to detect unknown rootkits.It will be more difficult to write rootkits for future versions of Windows, where it is impossible to modify system code and the system architecture. This step taken by the developers of the operating system should reduce, if only temporarily, the number of new rootkits for new versions of Windows."
Starrob
August 27th, 2005, 06:53 PM
I think I read that article before that the link refers to on that uncensored website. I don't think I could link directly to it here.
Here are some quotes from the article titled Shadow Walker - Raising The Bar For Windows Rootkit Detection:
"There are public rootkits which illustrate all of these various techniques,
but even the most sophisticated Windows kernel rootkits, like FU, possess
an inherent flaw. They subvert essentially all of the operating system's
subsystems with one exception: memory management. Kernel rootkits can
control the execution path of kernel code, alter kernel data, and fake
system call return values, but they have not (yet) demonstrated the
capability to 'hook' or fake the contents of memory seen by other running
applications. In other words, public kernel rootkits are sitting ducks for
in memory signature scans. Only now are security companies beginning to
think of implementing memory signature scans. "
This is where AT's like Ewido excel....catching the rootkit in memory.
Another quote:
"One method to detect the presence of a rootkit is to detect how it alters
other parameters on the computer system."
This is basically heuristics, which I assume is one method that most ATs use to detect rootkits in memory.
It appears also that Kevin from BoClean might be correct in saying that it is not necessary to have kernel driven programs to combat kernel driven rootkits. From the article I am reading, it might even be more advantageous to detect the current crop of rootkits in memory.
Another quote:
"Although file system scans and loading detection are needed, perhaps the
last layer of detection is scanning memory itself. This provides an added
layer of security if the rootkit has bypassed the previous checks. Memory
signatures are more reliable because the rootkit must unpack or unencrypt
in order to execute. Not only can scanning memory be used to find a
rootkit, it can be used to verify the integrity of the kernel itself since
it has a known signature. Scanning kernel memory is also much faster than
scanning everything on disk. Arbaugh et. al. [11] have taken this technique
to the next level by implementing the scanner on a separate card with its
own CPU. "
Last but not least:
"Memory Cloaking Concept
One goal of an advanced rootkit is to hide its changes to executable code
(i.e. the placement of an inline patch, for example). Obviously, it may
also wish to hide its own code from view. Code, like data, sits in memory
and we may define the basic forms of memory access as:
- EXECUTE
- READ
- WRITE
Technically speaking, we know that each virtual page maps to a physical
page frame defined by a certain number of bits in the page table entry.
What if we could filter memory accesses such that EXECUTE accesses mapped
to a different physical frame than READ / WRITE accesses? From a rootkit's
perspective, this would be highly advantageous. Consider the case of an
inline hook. The modified code would run normally, but any attempts to read
(i.e. detect) changes to the code would be diverted to a 'virgin' physical
frame that contained a view of the original, unaltered code. Similarly, a
rootkit driver might hide itself by diverting READ accesses within its
memory range off to a page containing random garbage or to a page
containing a view of code from another 'innocent' driver. This would imply
that it is possible to spoof both signature scanners and integrity
monitors. Indeed, an architectural feature of the Pentium architecture
makes it possible for a rootkit to perform this little trick with a minimal
impact on overall system performance."
Yes, it will be interesting to see what AV's and AT's come up with to combat memory cloaking. I have read this article before. It is interesting.
Maybe I'll also read the book from Greg Hoglund and James Butler if I get the time.
Starrob
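Two posts above describe the same mechanism from both sides: üiüiü's Ewido test (a packed file that hides on disk but is caught by a full memory scan because it has to unpack to run) and the Shadow Walker quotes (a "virgin" READ view that defeats such a scan). The following simulation is an added example, not code from the page, from Ewido or from Shadow Walker. Everything in it is constructed: the packed file, the memory pages and the page table are byte strings and dicts, and `SIGNATURE` is an invented marker, not a real detector pattern. The real technique abuses the split instruction/data TLBs on x86 and the page-fault handler; here that is modelled as a page table holding one frame for READ accesses and another for EXECUTE accesses.

```python
"""Memory scanning versus memory cloaking (added example, constructed data)."""

PAGE = 16                       # toy page size
SIGNATURE = b"HXDEFHOOK"        # invented pattern the scanner looks for


def pack(data, key=0x5A):
    """Toy XOR packer standing in for a real packer or crypter."""
    return bytes(b ^ key for b in data)


# Constructed rootkit code page: prologue, the bytes the signature matches, ret.
PLAIN_CODE = (b"\x55\x8b\xec" + SIGNATURE + b"\xc3").ljust(PAGE, b"\x00")
# Constructed 'innocent' driver code page used as the decoy READ view.
INNOCENT_CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3".ljust(PAGE, b"\xcc")
# The file on disk is packed; it only becomes PLAIN_CODE once loaded and unpacked.
DISK_IMAGE = pack(PLAIN_CODE)


def scan_bytes(blob, sig=SIGNATURE):
    """Plain signature scan over a byte string (a file or a memory page)."""
    return sig in blob


class SimMemory:
    """Toy MMU: each virtual page maps to a frame for READ and a frame for EXECUTE.
    A normal mapping uses the same frame for both; cloaking splits them."""

    def __init__(self, frames):
        self.frames = dict(frames)   # frame number -> PAGE bytes
        self.pt = {}                 # vpage -> (read_frame, exec_frame)

    def map_page(self, vpage, read_frame, exec_frame=None):
        self.pt[vpage] = (read_frame, read_frame if exec_frame is None else exec_frame)

    def read(self, vpage):           # what a scanner or integrity checker sees
        return self.frames[self.pt[vpage][0]]

    def fetch(self, vpage):          # what the CPU actually executes
        return self.frames[self.pt[vpage][1]]


def build_memory(cloaked):
    """Frame 0: innocent driver code. Frame 1: the unpacked rootkit. Virtual page 0
    is the rootkit's code page; when cloaked, READs of page 0 go to frame 0."""
    mem = SimMemory({0: INNOCENT_CODE, 1: PLAIN_CODE})
    if cloaked:
        mem.map_page(0, read_frame=0, exec_frame=1)
    else:
        mem.map_page(0, read_frame=1)
    return mem


def memory_scan(mem, sig=SIGNATURE):
    """In-memory signature scan: READ every mapped page and report the hits."""
    return sorted(vp for vp in mem.pt if scan_bytes(mem.read(vp), sig))


def executed_pages_with_sig(mem, sig=SIGNATURE):
    """Ground truth for the example: pages whose EXECUTE view carries the code."""
    return sorted(vp for vp in mem.pt if scan_bytes(mem.fetch(vp), sig))


if __name__ == "__main__":
    print("disk scan of packed file:", scan_bytes(DISK_IMAGE))            # False
    print("memory scan, no cloaking:", memory_scan(build_memory(False)))  # [0]
    cloaked = build_memory(True)
    print("memory scan, cloaked:    ", memory_scan(cloaked))              # []
    print("CPU still executes from:", executed_pages_with_sig(cloaked))   # [0]
```

The first two results are üiüiü's observation: the packed file shows nothing to a disk scanner, but the unpacked page in memory does. The last two are the Shadow Walker point: once READ and EXECUTE resolve to different frames, a scanner or integrity checker that reads memory sees the decoy while the CPU keeps running the rootkit, so reading memory from inside the same machine is no longer a reliable ground truth (which is why the article points to a scanner on a separate card with its own CPU).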
Detox
August 29th, 2005, 10:05 AM
Last post removed pending admin review.
nat1ed
August 29th, 2005, 12:18 PM
-{ Quote: "Yes, but I also think I read somewhere that Hacker Defender has now been developed so that the private versions can also defeat IceSword. I am not sure if it is true or not.
From the little I have read, the best rootkit detector is a private build rootkit detector....One that has not had its detection methods analyzed. Once the author of a rootkit detector begins bragging that it can detect all rootkits, then it is only a matter of time before private build versions of rootkits are built that can evade the detection.
" }-
That is indeed true. I purchased a copy of Hackdefender gold and I have written my own private ring 0 , kernel based rootkit detector to detect it. If you want a copy send me an email <removed> and i will tell you where to download it....
And if you believed all that and really installed it , you just got nailed by a rootkit. :)
richrf
August 29th, 2005, 03:09 PM
-{ Quote: ":
"Although file system scans and loading detection are needed, perhaps the
last layer of detection is scanning memory itself. This provides an added
layer of security if the rootkit has bypassed the previous checks. Memory
signatures are more reliable because the rootkit must unpack or unencrypt
in order to execute. Not only can scanning memory be used to find a
rootkit, it can be used to verify the integrity of the kernel itself since
it has a known signature. Scanning kernel memory is also much faster than
scanning everything on disk. Arbaugh et. al. [11] have taken this technique
to the next level by implementing the scanner on a separate card with its
own CPU. " " }-
Too late me thinks. If the rogue is not stopped before it enters the labyrinth, then all is lost - for it cannot be found.
Rich
Starrob
August 29th, 2005, 03:29 PM
-{ Quote: "Too late me thinks. If the rogue is not stopped before it enters the labyrinth, then all is lost - for it cannot be found.
Rich" }-
Do you know that for sure by experimentation or otherwise?
Nautilus happens to conclude as follows:
"O.k....let's talk about Ewido:
I picked the new Hacker Defender Revisited (hxdef100r) rootkit. Ewido's file scanner (latest sigs) detects it. If you execute the rootkit file Ewido's guard detects and blocks it.
If you allow the rootkit to start the entire installation folder (including the rootkit files) will get invisible. Consequently, Ewido's file scanner (or any other AV/AT file scanner) will be unable to detect it.
If you perform a manual memory scan Ewido will detect & terminate the running rootkit and all files will become visible again. This is because current rootkits can't perfectly cloak themselves in memory. The big advantage of Ewido is that it features a "full" manual memory scanner which scans the entire memory. (Such memory scanner was implemented after we performed the Flux tests demonstrating the weakness of mere process or module file scanners.)"
Starrob
richrf
August 29th, 2005, 03:40 PM
-{ Quote: "If you perform a manual memory scan Ewido will detect & terminate the running rootkit and all files will become visible again. This is because current rootkits can't perfectly cloak themselves in memory. The big advantage of Ewido is that it features a "full" manual memory scanner which scans the entire memory. (Such memory scanner was implemented after we performed the Flux tests demonstrating the weakness of mere process or module file scanners.)"Starrob" }-
Yes, but the fiend that hides beneath the root has had opportunity to do no good. The only way to prevent the Trojans from laying the city to waste, is to stop them at the gates.
Rich
Starrob
August 29th, 2005, 03:46 PM
-{ Quote: "Yes, but the fiend that hides beneath the root has had opportunity to do no good. The only way to prevent the Trojans from laying the city to waste, is to stop them at the gates.
Rich" }-
From what Nautilus has written, it can do that. I think he states the Ewido guard can stop it. Just from the little reading that I have done, I think it may be possible that both Ewido and BoClean might be able to stop many rootkits before they activate.
Starrob
richrf
August 29th, 2005, 03:55 PM
-{ Quote: "From what Nautilus has written, it can do that. I think he states the Ewido guard can stop it. Just from the little reading that I have done, I think it may be possible that both Ewido and BoClean might be able to stop many rootkits before they activate. Starrob" }-
If it is processing within memory, it has passed the gate. To be sure, the moment it enters the computer, it has passed the outer gates (the hardware router firewall), but we are given a second chance, an inner gate if you will. It would be nice if MS would close the gates for us, but since they are too busy to take notice, I think we will have to close them for ourselves - if we choose to.
Rich
Starrob
August 29th, 2005, 04:13 PM
-{ Quote: "If it is processing within memory, it has passed the gate. To be sure, the moment it enters the computer, it has passed the outer gates (the hardware router firewall), but we are given a second chance, an inner gate if you will. It would be nice if MS would close the gates for us, but since they are too busy to take notice, I think we will have to close them for ourselves - if we choose to.
Rich" }-
I am not so certain about the "if it is processing in memory it is too late" part. People have done tests that have actually stopped malware as it enters memory. I have yet to see any tests that prove in-memory scanning is not an adequate feature.
I do find it interesting that Kevin of BoClean has said that memory scanning techniques might not be as effective in the future. I think the Shadow Walker concept shows why that might be true.
However, there are brilliant coders at Ewido, BoClean and many AV's. They may come up with a solution or solutions for concepts such as Shadow Walker.
If the Memory scanning method was totally invalid, I doubt major corporations or governments would pay BoClean for that type of service but that is neither here nor there.
What I do believe is that different people have different philosophies on security. Some use an AT, some use "HIPS", some use both, some use neither. It doesn't make any one way right or wrong. It just may be the best solution for a person at a certain point in time. There are weaknesses in all products just as there are strengths. What a person decides to use is an individual decision....everyone should decide for themselves because not everything that is written on Wilders is necessarily right.
Sometimes, even information from the most knowledgeable can be incorrect. That is why I like looking for information both pro and con. If there is any information showing how ineffective in-memory scanning is then I would like to see it.
Starrob
triplex
August 29th, 2005, 04:50 PM
-{ Quote: "
Sometimes, even information from the most knowledgeable can be incorrect. That is why I like looking for information both pro and con.
Starrob" }-
This is true in every area of life, and has been shown to be so over and over again. All so-called experts, in every field, have their limits, and areas they have not thought of or discovered yet.
Anything any so-called experts claim should be viewed cautiously, until it is proven through tests. And even MORE so if the so-called experts insist they are correct above others. The more someone gives you a one-sided view on something, trying to convince you they are correct above all others, the more sceptical you should be about what that person is telling you.
Sadly most people seem to not be aware of this and go right on their merry little way, believing everything the so-called experts tell them to be fact. Not even aware in many cases the so-called experts have been proven wrong. The smartest people in the world are amazingly dumb. ;)
uiuiuiu
August 29th, 2005, 04:57 PM
This is not to say that mem scanning is ineffective. But we should bear in mind that mem scanning is generally still based on signatures. Therefore, you can create a modified malware sample which is not detected by such sigs. (In particular, scanners using weak signatures are affected by such modifications.)
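To make the weak-versus-strong signature point concrete, here is an added toy memory-signature scanner; it is not Ewido's code, and every byte pattern and the "memory image" are constructed for the demo. A weak signature is one verbatim string, a stronger one is several independent fragments with wildcard bytes and a match threshold, and a constructed variant with only its marker string altered slips past the former but not the latter.

```python
"""Toy memory-signature scanner: weak vs. robust signatures (added demo)."""
import re

# Constructed stand-in for a code region a resident rootkit leaves in memory.
# No real rootkit bytes are reproduced here; all three fragments are made up.
ORIGINAL_SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"      # fragment A: made-up function prologue
    + b"DEMO_RK_MARKER_v1"           # fragment B: a cleartext marker string
    + b"\x68\x00\x10\x00\x00\xe8"    # fragment C: made-up push/call sequence
)

# "Weak" signature: a single short string that any rebuild can change.
WEAK_SIG = b"DEMO_RK_MARKER_v1"

# "Strong" signature: several independent fragments, wildcard bytes where a
# build may differ, and a minimum number of fragments that must be present.
STRONG_SIG = {
    "fragments": [
        re.compile(rb"\x55\x8b\xec\x83\xec.", re.DOTALL),  # '.' = any byte
        re.compile(rb"DEMO_RK_MARKER_"),                    # version-agnostic
        re.compile(rb"\x68.{4}\xe8", re.DOTALL),            # immediate varies
    ],
    "min_matches": 2,
}


def scan_weak(memory: bytes) -> bool:
    """Detection rule: the single byte string must appear verbatim."""
    return WEAK_SIG in memory


def scan_strong(memory: bytes) -> bool:
    """Detection rule: at least min_matches fragments appear, in any order."""
    hits = sum(1 for frag in STRONG_SIG["fragments"] if frag.search(memory))
    return hits >= STRONG_SIG["min_matches"]


def build_memory_image(sample: bytes) -> bytes:
    """Constructed 'memory dump': benign padding surrounding the sample."""
    return b"\x00" * 64 + b"BENIGN_DATA" + sample + b"\x90" * 32


if __name__ == "__main__":
    # A variant a signature author should test against: only the marker moved
    # from v1 to v2, which is enough to defeat the verbatim-string rule.
    variant = ORIGINAL_SAMPLE.replace(b"_v1", b"_v2")
    for name, sample in (("original", ORIGINAL_SAMPLE), ("variant", variant)):
        img = build_memory_image(sample)
        print(f"{name}: weak={scan_weak(img)} strong={scan_strong(img)}")
```

The stronger rule still fires on the variant because two made-up code fragments remain intact; a signature that keys on one easily edited string is exactly the kind of "weak signature" the post warns about.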
Starrob
August 29th, 2005, 05:18 PM
-{ Quote: "This is not to say that mem scanning is ineffective. But we should bear in mind that mem scanning is generally still based on signatures. Therefore, you can create a modified malware sample which is not detected by such sigs. (In particular, scanners using weak signatures are affected by such modifications.)" }-
Ewido claims to use strong signatures. It would be interesting to know exactly how effective their use of strong signatures is in a memory scan. I know that type of test would probably be very time consuming (most especially if it included spyware also).
Starrob
Starrob
August 29th, 2005, 05:23 PM
-{ Quote: "
Sadly most people seem to not be aware of this and go right on their merry little way, believing everything the so-called experts tell them to be fact. Not even aware in many cases the so-called experts have been proven wrong. The smartest people in the world are amazingly dumb. ;)" }-
Even Edison was proven "wrong" by Nikola Tesla. Edison said power distribution should be using DC current. Tesla said AC current. A majority of the world today uses AC current. It was proven DC current was too inefficient for widespread use.
Starrob
Starrob
August 29th, 2005, 05:34 PM
I guess another question I could ask is whether Ewido uses heuristics in its memory scan to detect things like rootkits?
Starrob
---
August 30th, 2005, 02:31 PM
-{ Quote: "If it is processing within memory, it has passed the gate. To be sure, the moment it enters the computer, it has passed the outer gates (the hardware router firewall), but we are given a second chance, an inner gate if you will. It would be nice if MS would close the gates for us, but since they are too busy to take notice, I think we will have to close them for ourselves - if we choose to.
Rich" }-
Agreed. Choose not to install/run software from dubious sources. That is the only way to be sure against trojans. If you do trip up, and your AV/AT fails to ID it, you are dead, no matter what you run. All the HIPS in the world can't save you.
Copyright ©2002 - 2012, Wilders Security Forums