Anti-rootkits

Discussion in 'other anti-malware software' started by ako, Jan 21, 2010.

Thread Status:
Not open for further replies.
  1. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Testing rootkits is too time-consuming and I'm also not competent for that. My question is: how big a percentage of rootkits are still using basic methods easily detected by most tools?
    I.e., are e.g. Sophos Anti-Rootkit and F-Secure BlackLight usually OK, or does one usually need more advanced tools?

    PS. What do you think of Unhackme?
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  3. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Thanks! :):thumb:
     
  4. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    Sophos is still good, as it is fairly regularly updated, but I don't use it too much; my favorites to use are RootRepeal and RkU, and they work great. The only problem with Sophos is the fact that unless you have Sophos AV, the anti-rootkit only does a basic scan, and if you do have the AV it unlocks the extensive scan feature. I think that, since most of the anti-rootkit tools are not updated regularly anymore, it's best, if you have the know-how, to use something like RootRepeal, RkU or GMER.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I always use Prevx for rootkit detection; I cleaned a very infected PC the other day with tons of malware, including 2 rootkits, and Prevx did the job very well ;)
     
  6. progress

    progress Guest

    Are there any anti-rootkits for Win 7 except TrendMicro RootkitBuster? :)
     
  7. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    Sophos and RkU both run on Win 7, and Prevx of course. RkU and Sophos were both updated recently. As far as the rest, most of them have ended support: BlackLight will not run, I think that McAfee Rootkit Detective is in beta but I am not sure, and I don't know about Panda. Rootkit Unhooker is definitely the best of those in my opinion.
     
  8. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Does MAM check for rootkits?
     
  9. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    It will detect some but not the more advanced rootkits.
     
  10. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    Am I right? There are two kinds of rootkits (forget Blue pill and other aliens):

    1) MBR-rootkits (these need special treatment, as data is stored on empty disk areas)

    2) Others (hidden files can be found eg. with UBCD4win (boot-cd) and Rootkitty (reads files outside and inside of the system) http://www.ubcd4win.com/forum/index.php?showtopic=2424 )

    Am I missing something?

    How big a percentage of rootkits are using basic methods (e.g. some basic SSDT hooking) easily detected by most vendor tools (Avira, Sophos, etc.)? Or is it that, if rootkits are used, they are usually technically high-level products?
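    The "reads files outside and inside of the system" idea in the post above is cross-view detection: a listing taken from the running system goes through APIs a rootkit can filter, while a listing taken from a boot CD does not, so anything present offline but missing online is hidden. The script below is an added illustration of that comparison, not code from this thread, from Rootkitty or from UBCD4Win; both listings, every path and every size in it are constructed, and the tab-separated `path<TAB>size` format is an assumption chosen for the example.

```python
"""Cross-view diff of two directory listings (constructed example).

online  = listing taken from inside the running system (filterable by a rootkit)
offline = listing of the same volume taken from a boot CD (not filterable)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # path as written in the listing
    size: int   # size in bytes


def parse_listing(text):
    """Parse 'path<TAB>size' lines into {normalised_path: Entry}.

    Blank lines and '#' comments are ignored.  Paths are lower-cased because
    NTFS is case-insensitive, so the two views may differ only in case.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size = line.rsplit("\t", 1)
        entries[path.lower()] = Entry(path, int(size))
    return entries


def cross_view_diff(online, offline):
    """Compare the two views.

    Returns (hidden, mismatched, online_only):
      hidden      - present offline, absent online: the classic rootkit signal
      mismatched  - present in both but with different sizes: the live view
                    is being altered, or the file changed between snapshots
      online_only - present online only: usually timing noise (files created
                    after the offline snapshot); rescan before drawing conclusions
    """
    hidden = sorted(p for p in offline if p not in online)
    mismatched = sorted(p for p in offline
                        if p in online and offline[p].size != online[p].size)
    online_only = sorted(p for p in online if p not in offline)
    return hidden, mismatched, online_only


# Constructed sample listings; none of these files or sizes are real findings.
ONLINE_LISTING = "\n".join([
    "# constructed: view from inside the running system",
    "C:\\Windows\\System32\\ntoskrnl.exe\t4100000",
    "C:\\Windows\\System32\\example_patched.dll\t90112",
    "C:\\Windows\\System32\\drivers\\disk.sys\t45056",
    "C:\\Users\\ako\\AppData\\Local\\Temp\\~tmp1.tmp\t512",
])
OFFLINE_LISTING = "\n".join([
    "# constructed: view from a boot CD of the same volume",
    "c:\\windows\\system32\\ntoskrnl.exe\t4100000",
    "c:\\windows\\system32\\example_patched.dll\t94208",
    "c:\\windows\\system32\\drivers\\disk.sys\t45056",
    "c:\\windows\\system32\\drivers\\example_hidden.sys\t23552",
])


def run_example():
    """Run the comparison on the constructed listings and return the three lists."""
    return cross_view_diff(parse_listing(ONLINE_LISTING),
                           parse_listing(OFFLINE_LISTING))


if __name__ == "__main__":
    hidden, mismatched, online_only = run_example()
    for label, paths in (("HIDDEN (offline only)", hidden),
                         ("SIZE MISMATCH", mismatched),
                         ("online only (probable noise)", online_only)):
        print(label)
        for p in paths:
            print("   ", p)
```

Only the first list is the rootkit signal; a size mismatch can also mean the file was updated between the two snapshots, and files that exist only online are normally just created after the boot-CD listing was taken, which is why both views should be taken close together and repeated before anything is declared hidden.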
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Well, there are bootkits (POCs, hypervisor), kernel, userland, library. So yes, basically two, with three types that modify kernel or processes, files, connections etc., persistent or memory based.

    Sorry I don't have any figures to hand.
     
    Last edited: Jan 22, 2010
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    And on what do you base this claim?
     
  13. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Much better to use deeper software such as GMER, RootRepeal... OSAM too.
     
  14. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    What is OSAM?
     
  15. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Online Solutions Autorun Manager
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks :D
     
  17. ako

    ako Registered Member

    Joined:
    Nov 16, 2006
    Posts:
    667
    No problem. This was a clear explanation. :thumb:
     
  18. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC

    Right, and all these can be sorted into different levels:
    Application level
    Kernel level
    Library level
    Virtualized
    Firmware
     