How important is keeping root kits out?

Discussion in 'other anti-malware software' started by PhiloVance, Oct 19, 2007.

Thread Status:
Not open for further replies.
  1. PhiloVance

    PhiloVance Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    93
    Location:
    Bakersfield, CA
    Apparently there are several root kit 'undoers' out there and they are free. How big is this? I mean, I know most of us have a firewall and AV program, but root kit?

    I know there was a big stink when Sony did their thing with the CD's but is it still a big deal?

    I've seen root kit revealer and Sophos Anti Root kit so far and both are free.

    Are these important in an anti-malware arsenal or not?

    I don't know, I'm just curious.
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Very.

    Once a rootkit is already on the system, there are only two ways to be ABSOLUTELY sure it's gone: a) reformat, or b) mount the drive on another computer and clean it using the other computer.

    Any good scanner will include rootkits in their signature database as well. Still, HIPS/virtualization programs provide the best defense against rootkits.
     
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    This is the belief (in theories and POC code), but in reality I have never encountered a malware rootkit that is undetectable to some degree by RKU and subsequently nuked during my time as a malware hunter. This doesn't mean that it won't happen, but it does mean that if they are about then there are extremely few of them.

    I have laid down this challenge to experts in closed malware research forums and I am still waiting for viable RK malware code to be produced for analysis and confirmation of bypass.

    That said, the most effective ARK forensic tools are all very complicated and beyond the average user to interpret data and effect action where required.

    You miss the point about RKs (Ring0 loaders): once loaded, most traditional scanners are blind because data is subverted/filtered at the kernel. If they can't see it then they cannot detect it.

    Absolutely true, and even if the defenders know the dropper file helps. Don't let them in and they are of no consequence; mind you, that is the same for all malicious code.
     
    Last edited: Oct 19, 2007
  4. tisungho

    tisungho Registered Member

    Joined:
    May 27, 2007
    Posts:
    148
    I don't know how important it is, but I just know that F-Secure is one of the best rootkit defenders since it did detect the rootkit in Sony.
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    lol... too funny you consistently ignore the Rutkowska game over story.. c) buy another computer (because game is over (board infected, bios infected, firmware of dvd burner, network card, graphic card, sound card, pci.... I know many of you don't want to hear this because it is easier to live in illusions than to face the actual and/or upcoming truth)

    [Not to mention polymorphic stealth malware that just needs a few attached bytes to be able to survive e.g. in your exe or png files..]
     
    Last edited: Oct 19, 2007
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    nonsense.. they are at the most average .. Choose Ice Sword, Gmer, RkUnhooker or Sysprot.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Since my new re-install, rootkits are not a problem anymore. I have:
    1. A clean image of my system partition.
    2. A clean archive of my 2 permanent snapshots (= system partition)
    3. My freeze storage removes any rootkit during each reboot and if it ever fails, I still have 1. and 2. to get rid of rootkits.
    I also have my "WD Zero Tool" to zero my harddisk before I restore a clean image.
    Rootkits will have a very short life on my computer, including any other infection. :)
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Too much hassle just for the poor rootkits.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Plus I wonder how many people here at Wilders have actually had a rootkit invade their system.... none maybe? :)

    Ok, I'm sure *somebody* will say it's happened to them...
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't work with malware names, like rootkits, viruses, spywares, adwares, keyloggers, trojans, ...
    I call them all BAD CHANGES and I just remove these bad changes. That's all.
    I don't even know if I am or was infected after a surf session.
    I don't need to know because I remove them anyway during each reboot.
    Making a study of these bad objects is not one of my hobbies. :)
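    The "bad changes" approach above, written out as an added Python example (not from the thread and not FD-ISR's or any other product's code): record a manifest of a known-clean tree, then compare the current tree against it and classify every difference as added, removed or modified. The manifest must come from a clean state, and the comparison must run from outside the suspect system (a boot disc, or the drive mounted on another machine as an earlier post suggests), because a live rootkit can feed a checker running on the infected system filtered data. The directory tree, file contents and names (`ntoskrnl.exe`, `hal.dll`, `dropped.sys`) are constructed in a temporary folder so the script runs offline.

```python
"""Baseline integrity check: added illustration, not the thread's or any tool's code."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative, POSIX style) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify every difference between a clean baseline and the current state."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a clean baseline, apply three constructed 'bad changes', compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "clean" tree; the file contents are placeholders.
        (root / "system32").mkdir()
        (root / "system32" / "ntoskrnl.exe").write_bytes(b"constructed kernel image")
        (root / "system32" / "hal.dll").write_bytes(b"constructed hal")
        baseline = build_manifest(root)

        # Constructed bad changes: a dropped driver, a patched DLL, a deleted file.
        (root / "system32" / "drivers").mkdir()
        (root / "system32" / "drivers" / "dropped.sys").write_bytes(b"constructed dropped driver")
        (root / "system32" / "hal.dll").write_bytes(b"constructed patched hal")
        (root / "system32" / "ntoskrnl.exe").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The check knows nothing about rootkits, viruses or any other category; it only reports deviation from the baseline, which is exactly the stance the post describes. Files that legitimately change (logs, registry hives, page file) need an exclusion list in practice, otherwise the report is drowned in noise.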
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If the scanner can detect it, what makes you think it'll get loaded in the first place?
     
  12. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Actually based on some definitions of what a rootkit is, pretty much *everyone* here has a rootkit. :D
     
  13. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    And you will wait forever. Those who can do it, will have zero incentive to show you.

    I'm sure everyone knows this.

    Of course if the AV recognises the rootkit sample, the malicious code won't be allowed to run so the whole subversion of the kernel doesn't come into play. It's the case of, if the AV can't see it anyway, it doesn't matter if it hides...

    My question is this though. Say at time x, some antivirus does not detect a certain rootkit, as a result it is run on a user's system. Some time later, at time y, the antivirus vendor gets a sample of the rootkit and creates a signature of it.

    For sure this means that some *other* user who is not infected will be stopped by the AV when he tries to run the rootkit.

    But what about the user who already has the rootkit in his system? Do the AVs check to see that the rootkit can be detected and disinfected on systems that already have the rootkit?

    One would hope so right?
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I routinely install rootkits on myself of various forms and then follow their behavior, whatever that is which is designed into them. Rootkits ARE important to keep out yes, but more so when they pack a load of other malicious schemes to enjoin on your system. There are numerous types and like fcukdat pointed out, also Proof-of-Concept works designed to enter in through many various methods but ALL with the same purpose, to dive into Ring0 and stack and lodge someplace unbeknownst to common detection means, hence ARK detectors like RKU + IceSword to mention a couple.

    You don't have to make a hobby of it but it can prove very useful and educational in testing your reboot-to-clean techniques. Rootkits are easily displaced or dismissed completely using that FREEZE method unless one would happen to be laced with some destructive and/or time-delayed virus code which might possibly disappoint that type of methodology IF it gained access to a low (Ring0) level, specifically targeted at either FD-ISR itself or its Windows system dependencies. And as an application analyst yourself, you have to already know that each and every application no matter what type does tether in some way to a Windows function, rootkits included.

    With that said, FD-ISR is a great recovery mechanism in that so long as you can isolate its archives and even export snapshots if you so choose, the program can be reinstalled again to a freshly zeroed and re-formatted (formerly infected) disc and rebuild anew EVERYTHING to perfect precision.

    For me that's the leading prevention against forced stealth intrusion aside from a complete clean (duplicate) image restore.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    As an observant person you're probably aware of the anti-RKU sentiment in the wider security establishment, so you underplay the fact that folks would love to get one over EP & friends by shouting from the highest peak, your tool just got own3d....still waiting:cautious:

    Now that is some messed up logic for sure:thumbd: :rolleyes:
    Case example: try telling that to victims of DDoS by Nuwar (Storm) botnets. Not all those compromised machines are running without resident protection, so just because the resident AV cannot see the resident malware rootkit does not mean it is doing no harm.....and what about the folks getting ISP notifications of mass spam originating from their PCs and threatening to pull the plug....and finally it's always a real good thing (not!) to be backdoored by a bot that your AV cannot see that is hooking system drivers so your firewall sleeps through it all.

    Most target databases in time will catch up with most threats; speed of target update is one thing that illustrates a signature-based database's current effectiveness, but when a software is *blind* to a particular RK until the software is updated, no amount of sig updates are going to catch that particular malicious RK code.

    Eureka, finally you are getting somewhere...

    In the most effective malware RKs, just knowing the code is not enough. It's no good if the data reported at kernel level is being subverted by the malware RK that is *live*.

    The data returned to the AV has been filtered and there now is nothing for the AV to report:oops:

    I have tested a wide range of AVs/ATs & ASWs versus my zoo collection of malware RKs over the last year and a half and can conclude that some software is keeping pace in the devo department whereas other software is still back in the stone age. Raw disk reading is the latest under-the-hood enhancement to bust some of these RKs, but even that can be subverted (bypassed) in theory at the moment.

    FWIW I have used Rustock B in the past as a prime example: virtually all software can identify the file when it is inert, being held in a holding folder, but when it is loaded (live) only a few can see it in order to effect a removal of this malware.
    Now we have the likes of Srizbi evolving (quite possibly a newer evolution of the Rustock series) and still a high majority of software is bypassed.

    So just to summarise, are RKs widespread yet....Nuwar botnet(s) would suggest they are gathering market share for compromised machines (figures in the millions have been bandied about in reports:eek: ).

    How effective is ARK technology currently? It is improving, but software dev is still a perpetual cycle of playing catch-up. The defenders are always trailing, as with all malicious code:'(

    HTH:)
     
    Last edited: Oct 20, 2007
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    More and more exotic packers are being seen in the wild as a further attempt at bypassing AV sniffing techniques.
    Net result: known malicious code can be repacked into something unknown:'(
    Zlob installers are a current example of this:thumb:
     
  17. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Being an "observant person", I notice the braggarts are the ones who have the least ability. The ones who are not boasting are the ones you should look out for... And they won't show you anything.... given the rise of profit motive...

    So no, I don't think your challenge in "closed forums" is close to proving anything, to think otherwise is pretty naive.

    Messed up logic, or your lack of ability to read the whole post before responding? :)

    This is messed up comprehension reading skills....

    Tell us something we don't know .....
     
    Last edited by a moderator: Oct 20, 2007
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Er... re-read my post? The relevant parts are bolded for your convenience.
    And if not, it's kind of self-evident to say "you're screwed" when the scanner fails to detect the malware, don't you think, Captain Obvious?
     
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This is nice and good so far but if e.g. you buy a computer which already is infected in hardware (bios, hd ...) do you think your strategy will be enough?

    Probably.

    Well written.

    Fully agree.
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    It's not a bad idea to make sure you have a scanner or two that can detect rootkits.
    But it's a better idea to prevent them in the first place.
    Layer your security to this idea and you will stand a better chance.
     
  21. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    If this page is anything to go by about RKU then you can't even trust the authors of rootkit cleaners. http://www.greatis.com/security/Warning_Rootkit_Unhooker.htm

    If you successfully removed a rootkit, there's no way to know what else has been changed or tampered with, so the best cleaner is a format.
     
  22. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    ..................................................................
     
    Last edited: Oct 22, 2007
  23. Dogbiscuit

    Dogbiscuit Guest

    Could you be so kind as to name one of these types of malware, so that others of us can verify what you're saying?
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are talking of BIOS rootkits etc now.
    Is there any working piece of such a malware? I am much interested to know!
     
  25. Dogbiscuit

    Dogbiscuit Guest

    Oh brother. :rolleyes:
     