Any good free programs to prevent rootkits?

Right now i'm using Prevx free. Does anyone know if it will help to prevent rootkits?

I'm looking for fairly easy to use free programs to either prevent rootkits or help to find them after the fact. I already checked out that free program RootkitRevealer from Sysinternals, but it's not really very easy to use, any others? Blockers or detectors. Thanks for your time.

 

Process Guard and System Safety Monitor can stop rootkit installation, but you need the full version of PG and SSM is supposed to go shareware at some point in the future (PG will block service/driver installs while SSM will prompt you about them).

Abtrusion Protector is another option which is free for home use. It works by blocking any file from running that is not already installed - you therefore have to put it in installation mode when installing any new software. This can block any malware installation but may cause problems with any software which uses continually altered files (TrojanHunter's ThSec.dll springs to mind here).

 

Someone correct me if I am wrong but I think BoClean offers protection against rootkits too.

 

But is it free?

 

Prevx will acutally help with preventing rootkits, as long as they don't try to install themselves on another drive than your primary partition (usually C: ) It's not as complete of protection as ProcessGuard full, but it should counter most of them (if not all current ones.) The next version of Prevx promises to have a lot more protection options, so we'll see where it goes pretty soon.

 

You can also use the trial of UnHackMe (http://www.regrun.com/), the next version of RegRun (not free) promises to have full-time monitoring in the same way as this little utility.

 

Correct me if I'm wrong, but rootkits don't have any special power to install on computers? They are a bitch to detect once they are installed, but pre-installation they can be detected/stopped like any other malware out there.

I guess most of the time they get into your computer via trojans, but i suppose a worm that drops a rootkit is possible as well. Or maybe even a virus with rootkits as payloads.

 

I would love to see a good test done with the different AVs and other scanners and blockers (like Process Guard) that claim to find, remove or block rootkits. That way we would know how good these different programs really are at stopping rootkits, and wouldn't have to just guess. We need a Eric Howes like test- but for rootkits.

Oh, sorry to go off topic... isn't Klister a free rootkit detector.

 

Hi,

It seems that someones have missed an episode:

https://www.wilderssecurity.com/showthread.php?t=67742

For the first question, there's no radical and free soft against rootkits.
Because each rootkit has his own behaviour.

***PG (paid version) and AbtrusionProtector (and others infection system prevention) can prevent many of them.
And if they can't prevent all of them (unknown ones), they can really limit the impact of the infection (it will be difficult for the rootkit to hide a backdoor for instance).

***UnHackme, AVs, ATs and specialized products (RootkitRevealer, RKDetect, RootkitHunter, Chrootkit...) have their own limit: their database!
They can only recognise what they know (signatures).

when a new rootkit is coded, it can stay a long time before his discovery (and permit a new integration in the database).

Finally, the problem is complex.
Even if rootkits are more preavaling on others system like UNIX/LINUX/SOLARIS.

With advanced worms, rootkits are actually the the more undetectable malwares.

Regards

 

I have never heard of Klister software program. Neither, it would seem, has Google.

Got a link?

 

Hi bellgamin,

Here's a link to both KLISTER (works with Windows 2000 only) and FLISTER (2000/XP/2003): invisiblethings.

Nick

 

Here's a listing about RootKit Revealer that may interest some of you. Partial quote from the website...

I forgot to mention...
(1) It's free.
(2) This is from System Internals -- the geniuses who produce Process Explorer & several other superb utilities.

 

Hi,

Take a look at UnHackMe 2 beta (non-public yet).
It the stable version:
http://greatis.com/unhackme200b.exe
Changes since version 1.0:
- Added monitor. It checks the system every specified period. You can choose the period of testing using Options dialog.
- It detects HackerDefender, Vanquish, AFX Rootkit.
UnHackMe doesn't use signature scanning.
It detects rootkits by its behaviour.
I.e. all clones of the rootkits will be detected too.

It works very quickly than RootkitRevealer because UnHackMe looks for the service and driver that are required a rootkit to start and work.
- UnHackMe allows you to kill a rootkit by simply clicking on the Stop button.
After that you only need restart your computer and UnHackMe will clear the rest parts of rootkit.
UnHackMe is simple in use.
UnHackMe is not free. But...
But all users of the previous version will receive the new version for free.
We changed the protection scheme.
You can test UnHackMe 2 for 30 days and it will work without any nag screens. It is not a demo. It's fully funtional version.
After finishing evaluation UnHackMe 2 will still work but it will ask you to register.
If UnHackMe will found a rootkit you will see it and you can remove it in manual mode.

Comments or suggestions are appreciated.
Dmitry
ateam@greatissoftware.com

 

IMO Processguard is perhaps the best program for preventing rootkits.

 

true but it doesn't prevent you when you are allready infected.

thanx for the heads up Dmitry

 

Heh I'll say, If you are already infected at time t1, you need a time machine to travel back prior to time t1 to "prevent" that from happening.

 

It there any antispyware that is able to remove rootkit.
Or antitrojan that can remove it?

 

I meant cleaning after infected, you got me...

yes, there are antitrojans that can remove them... tds, ewido, boclean and th do have sigs for them.

 

And wat about antispyware?

 

nope I don't think so, but there are antitrojans that have spyware sigs...

 

Hi,

***UnHackme

A database's behaviour, isn't it a kind of signature?

I've tried UnHackme: Great soft in order to verify if a PC is infected by well known rootkits.
Very easy to use, even for a newbie of 12 years old.
UHme scan the system every minute (so the trial version expires after 9 mn).

A little regret: more rootkits in the database (NTRootkit, He4Hook...) and more prevention utilities (hidden keys, monitoring/blocking new services, integrity checking etc...) could be very interesting.

Each soft which transforms complex things (rootkits) on easy things (we just have to click on a button "Check Me Know") is a great soft.

***From my special malwares colection, i have (zip files) Hacker Defender, Vanquish, NTRootkit and He4Hook.
And McAfee and Pest Patrol detects them (see the image).
But i still believe on a strong integrity defense.


***For small busieness and Soho, there is others solutions:

*Data Sentinel: http://www.ionx.co.uk/html/products/data_sentinel/

*Veracity: http://www.rocksoft.com/rocksoft/veracity/index.php

*XIntegrity Pro: http://www.xintegrity.com/

*Less expensive (for home users): Winalysis: http://www.winalysis.com/

Regards

 

Hi,

UnHackMe doesn’t have the rootkit database.
It knows the ways in which rootkits hides their services and drivers from a user.
The service is really important thing for rootkit life because it allows a rootkit to start hidden at the early stage of Windows startup. Otherwise the RegRun or other software can allows you to remove rootkit from Windows startup.
If a rootkit can’t start automatically it will not work after re-starting your computer.
The rootkit’s authors understand it and they add the new tricks to hide the service and to prevent it to disable.
The removing rootkit can be even more complex task than detecting it.
UnHackMe 2 is effective tool to detect and remove rootkits.
And we will develop it to prevent new rootkits.

Dmitry

 

I'd just like to point out, that you don't need a service to be installed to be infected with a rookit. There are undocumented ways to put code into RING 0 which, to me, seems like the direction most rootkits authors will be heading to if they havn't already. However the installation of the rootkit would obviously need to occur each time the system boots which means it would need to be autostarted from somewhere.

ProcessGuard blocks all KNOWN (from the time of the last version at least) undocumented methods from being used which means if you had one of these rookits on your system, just the installation of PG would stop them.

 

Hi,

I can just be agree with Jason_Ro.
I've already linked a pdf paper from EEYE about the subject:

https://www.wilderssecurity.com/showpost.php?p=382135

So we can't summarize rootkits behaviour only with service and registry.

Advanced malwares like rootkits, worms or network backdoors are in permanet evolution and a soft can't stop them by using only limited kind of behaviour.

And for the registry, many products of the market are not be able to detected hidden keys for instance.

Therefore, i will not be definitively explicit about this subject: it's not a scientific way of of thinking.

In the past, Nicolas Gregoire, a french specialist, has released a test tool called JAB (just an other backdoor).
JAB was able to bypass firewalls, AVs and even authentication proxies, by using legitimate API OLE in I.E:

http://www.securityfocus.com/archive/101/349727/2004-01-13-/2004-01-19/2

According to me, a strong integrity protection of all the system (by many hashes algorythms) is actually an efficient solution: that which is not certified and not recognized is also totally not allowed to integrate the syetem.
.

Regards