RootKit Detection Treasure Trove !

Discussion in 'other security issues & news' started by Spanner intheWorks, Mar 7, 2005.

Thread Status:
Not open for further replies.
  1. Charles Z (Guest)

    Hey, this is such a great read, so many avenues of interest to keep us occupied for a very long time. We've been looking for info like this for a time now, and all those links and the detailed research it led us to were mind-blowing. Too much to take in all at once, but we intend to go through it all piece by piece.

    Keep up the good work, my man, and thanks ever so much for all of this. It must have taken an age to do, but it was worth it, we can tell you.

    Charles Z
  2. nadirah (Registered Member)

    If you want to block rootkits from even getting into your computer in the first place, get processguard today. Prevention is better than cure!
    www.diamondcs.com.au
  3. mr.cautious (Guest)

    Some of those links look somewhat suspicious to me, and being the cautious guy that I am, how do we know some of them are not rootkits themselves or contain a rootkit of some kind?

    I guess I'm saying I don't think I would want to download something unless I'm absolutely sure I'm not downloading a rootkit. I'm sure they all scan for and find rootkits, but what else could they be doing or installing?

    True, they look somewhat safe, but how do we really know what's in these programs? Maybe I'm just paranoid here, but the people who make these tools would probably also know how to slip a rootkit in with the rootkit detector, so all along you think you're getting just a detector, but in reality there's a little surprise in the package.

    I do trust sysinternals free detector, but that's about it for me. I just don't really trust many of these other free rootkit detectors and think people should be cautious when downloading this type of free software. Maybe someone could convince me otherwise, but I doubt it.

    I would like to have as many detectors as possible too, knowing how serious a problem rootkits could become, but I won't download any of them because I just don't trust those sources.
  4. kareldjag (Registered Member)

    Hi,

    ***Mr cautious

    Rootkit paranoia is a little bit legitimate, because there's no radical solution for detection (known/unknown), and none for prevention either.

    But we have more chance of being infected by a worm/virus/trojan (especially P2P users) than by an advanced rootkit.
    But Mr cautious, I think you're already infected, like many of us, by the Perfect Rootkit: Windows itself (advpack.dll...). :) :D

    For anything else (trusted source or not), I'll not try to convince you.

    ***Spanner

    Great idea to summarize rootkit tools in one good post. ;)

    ***To complement the subject:

    *Detection tools:

    -RootkitRevealer,

    -Unhackme: http://greatis.com/unhackme/

    *RKScan (against Knark and Adore) for Linux:

    http://www.hsc.fr/ressources/outils/rkscan/index.html.en

    *Solutions with bootable CD Rom:

    -Microsoft Strider GhostBuster: http://research.microsoft.com/rootkit/

    Important: GhostBuster is not available. It is still a project.

    -Alternative: BartPE: available but limited:

    http://www.nu2.nu/pebuilder/

    A little summary: http://www.pcmag.com/article2/0,1759,1747874,00.asp

    For Linux (but there's a possibility to use them on Windows):

    -Knoppix: http://www.knoppix.net/

    -Helix: http://www.e-fense.com/helix/index2.html

    *Emergency solution from Winternals:

    http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp?pid=erd

    *Other emergency solutions: erase the hard drive, reformat, re-install Windows...

    *Tracker, a little tool to find any change; difficult to find (see on broadband forums)

    *More tools and information on the 2 or 3 rootkit threads.

    Regards
  5. HD rider UK (Registered Member)

    Just had a quick look at the "hacking exposed" site. Now maybe I am missing something here, and if I am, I apologise, but don't the contents there amount to a detailed hackers' guide?

    jock
  6. HD rider UK (Registered Member)

    Thanks for that, Spanner. I had already read the foreword, but was still concerned over the fact that the info could be used for the very purpose it was meant to defeat; however, after a night's sleep and a good look at the site, I can appreciate your viewpoint.
    It is true of course that in order to effectively counter a threat, one has to understand that threat, and I accept that I had lost sight of that. I suppose that it will always be a judgement call as to whether to publish this sort of info in order to strengthen your own defences, and given that the scummers already have extensive resources of their own, on balance I can see the value of it.

    Jock

    ps
    In fact, it wouldn't hurt me to know more about how these sh..s go about their trade so that I can be more informed in countering them....
  7. nick s (Registered Member)

    Hi Spanner intheWorks,

    Thanks for the effort you have put into this. Much appreciated :).

    Nick
  8. vulcannightbird (Guest)

    @spanner

    well done thread - next to robert hensing's blog my most important information source...

    keep up the great work!
  9. Arup (Guest)

    Nice reading, many thanks.
  10. iceni60 ( ^o^)

    I think if you want to find out if you have a rootkit on your PC, you can ask a friend to use their PC to look on your computer, as the process is only hidden on the target computer. :)
    Last edited: Mar 16, 2005
  11. Marja (Honestly, I'm not a bot!!)

    Ice, So, do you use that remote desktop thing or .....? Can you give more detail? Do they have to be the same as far as well, guess it would have to be same program, what else?
  12. iceni60 ( ^o^)

    Hi, Marja :) When a rootkit is installed it is only hidden from the computer it is installed on, so any other computer can connect to the infected PC and probably have a look in Task Manager and see the rootkit there.

    One of the first things a hacker will do is try and work out the topography (Star, Tree, Bus, Ring) of the network they have accessed. So, I'm not sure, but I'd guess that that would mean there's a chance any one of the computers could have rootkits on them, and again, I'd guess that would mean the PCs on that network wouldn't be able to see rootkits installed on the other PCs. So to check for a rootkit it would be best to use a PC that isn't a part of that network - a friend's.

    I have my remote desktop disabled; I think it is disabled by default now with SP2.
  13. Robert Hensing (Guest)

    Unfortunately all these posts where people are like 'just connect to the possibly rootkit'd machine from a clean remote machine and then scan the <filesystem/registry/running processes> and you'll see any hidden <files/registry entries/processes> are dead wrong.

    This may work TODAY - but it is not a long term solution.
    How do you think the clean remote machine is getting the file / registry / process information from the rootkit'd machine? It's making API calls across the network - the API calls are run on the rootkit'd machine.

    It's only a matter of time before the miscreants shut the door on this approach and 'fix the glitch' (Office Space).

    Don't get me wrong - it's a good idea, and it works against kits like Hacker Defender - but it should not be relied upon as the ultimate solution because it's not.

    The best approach I've seen is the method that MSR came up with and used by their Ghostbuster tools (which sadly aren't released yet), in which they dump the registry / file system while the machine is online and then they boot off a boot CD and mount the file system and registry and dump them again while the suspect system is offline. Then they diff the two sets of output looking for things that show up offline that didn't show up online. This IMHO is a great way to detect persistent rootkits - but even it can be defeated in a variety of ways. In fact any solution can be defeated - there is no bulletproof way of detecting rootkits.
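The online/offline cross-view diff described in the post above, written out as an added example; this is not code from the thread or from the MSR GhostBuster tool, and the two snapshot listings and their paths are constructed sample data.

```python
"""Cross-view diff: compare a snapshot taken on the live (possibly rootkit-filtered)
system against one taken from a boot CD with the disk mounted offline. Anything the
offline view shows that the online view does not is a candidate hidden object."""

# Constructed sample listings in "kind path size mtime" form (not real data).
ONLINE_SNAPSHOT = """\
file C:\\Windows\\System32\\kernel32.dll 989696 2004-08-04T12:00:00
file C:\\Windows\\System32\\advpack.dll 98304 2004-08-04T12:00:00
reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip 0 2004-08-04T12:00:00
"""

OFFLINE_SNAPSHOT = """\
file C:\\Windows\\System32\\kernel32.dll 989696 2004-08-04T12:00:00
file C:\\Windows\\System32\\advpack.dll 98304 2004-08-04T12:00:00
file C:\\Windows\\System32\\drivers\\hidden.sys 24576 2005-03-01T03:14:00
reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip 0 2004-08-04T12:00:00
reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\hiddensvc 0 2005-03-01T03:14:00
"""


def parse_snapshot(text):
    """Parse 'kind path size mtime' lines into {(kind, path): (size, mtime)}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, path, size, mtime = line.split()
        entries[(kind, path)] = (int(size), mtime)
    return entries


def cross_view_diff(online, offline):
    """Return (hidden, tampered): keys present only in the offline view, and keys
    present in both whose metadata differ (an object lying about its size or time).
    Note: an entry that matches in both views is not thereby proven clean; a kit
    that also tampers with the offline image defeats this check."""
    hidden = sorted(k for k in offline if k not in online)
    tampered = sorted(k for k in online if k in offline and online[k] != offline[k])
    return hidden, tampered


def report(online_text=ONLINE_SNAPSHOT, offline_text=OFFLINE_SNAPSHOT):
    hidden, tampered = cross_view_diff(parse_snapshot(online_text), parse_snapshot(offline_text))
    for kind, path in hidden:
        print(f"HIDDEN   {kind}: {path}")
    for kind, path in tampered:
        print(f"TAMPERED {kind}: {path}")
    return hidden, tampered


if __name__ == "__main__":
    report()
```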
  14. FanJ (Guest)

    I saw several file integrity checkers mentioned.
    I would like to add those:
    - NIS File Check (no longer maintained; see archived forum)
    - File Change Alarm (no longer maintained; see archived forum)
    - FileChecker from Javacool
    - Inspector in KAV Pers Pro (more or less like ADinf32)
    - Alfa File Monitor and Alfa File Protector (very expensive)

    A useful tool : RegDefend from Jason

    A useful tool for comparing files, registry, etc, might be Beyond Compare

    Useful tools might be PortExplorer from DiamondCS and AtelierWeb Ports Traffic Analyzer
  15. H. Carvey (Guest)

    iceni60,

    you said:
    "...so any other computer can connect to the infected PC and probably have a look in Task Manager..."

    Could you elaborate on that one? I don't see any functionality within TM (I'm currently on XP Pro) that would allow me to run it remotely against another system that I'm connected to.

    And to the (in)famous Robert van Hensing,

    I agree with your comments, but for the nonce, accessing and checking the system remotely *does* work. So, why not put that in our toolkit for now, and keep working on other methods?

    I think the important thing to point out (as you did) is that GhostBuster, while great in concept, is not yet available. Also, it requires taking the system down, which is something that cannot always be done.

    I, for one, would like to see (and be involved in) efforts to come up with Windows incident response solutions, in general.

    H. Carvey
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com