Rootkit detectors

Discussion in 'other anti-malware software' started by Starrob, Aug 12, 2005.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It all depends on how much time you invest into the initial setup, which would be mostly done in the group policy editor, which you could then export as a template to make it easy next time. For additional restrictions you can create .inf files to be used with secedit.

    Just to be clear, though, SP2 has "anti-execution" functionality built in; look up 'software restrictions'. With a little setup, you can do everything from blacklisting a single file or file type, to total lock-down, and even creating rules so that any time a particular program is run (IE, for example) it runs under a restricted security context. Pretty much all the concepts that you frequently speak of can be achieved without any additional software, if you so choose. Windows does have many weaknesses, but with some work many can be worked around. It really seems like something you could benefit from, IMHO :)
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    This is a good case in point. For all those who consider the user interfaces of ProcessGuard and RegDefend too difficult to deal with - one should consider the "non-existent" user security interface (unless you consider RegEdit a good interface) that MS provides us. And all they have is a few billion dollars and a few thousand programmers available to do a better job.

    So, the question I ask myself is this .. should I go through the same education process that I went through in the past with all of the other MS operating systems, only to see all of the effort dissipate as soon as a new version of DOS and then Windows was released, or should I purchase the expertise from a trusted vendor. For me, purchasing the expertise works better. The few dollars I spend is no more than a few hours (at most) of my time. But, in the past I did spend lots of time learning how operating systems work - and at the time it seemed like the right thing to do. Times have changed and so have I.

    Rich
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    A quick perusal through the group policy editor would show it's really not that much for someone with moderate computer skills. This is something you should do anyway (if you have XP Pro), as there are some glaringly obvious things you don't want left on default. You could have everything done in probably less than half an hour, after creating the limited user account. The real time would be spent in configuring a very complex setup. Of course there are apps out there that can make this easier, such as XPSecurity (for software restrictions and more common configurations, etc), but the point is that your concerns regarding anything being able to install a driver, etc, have already been addressed.. it's just that most people don't know or don't want to. Looking through the group policy editor can also give you a clue as to why Windows is set up the way it is, realizing that these things are set that way by default because they are often used.

    Of course you can choose to trade convenience for money, just be aware that that's a good part of what you're doing when you buy IPS software, and that there are alternatives already at your disposal. Not that HIPS apps don't cover additional things you can't do with the OS alone, but you could do without, and have a setup with similar, and in some cases maybe better, security. It wouldn't take much effort to set up a very restricted user account that you could surf under in which you cannot execute any new files, install drivers, make any changes to the system, access your sensitive information, or access any potentially insecure components.. many of us just don't for one reason or another. I'm no exception, but I make no effort to rationalize this irrational choice, other than, indeed, some degree of laziness and the (continuing) journey of learning and playing that has made it all worthwhile for me.. a journey that has also left me able to help others in a wider spread of circumstances (with different setups, needs, and wants) than what can be covered by more applications that people may not want, or be able, to run. Heck, there are probably more people out there that would prefer MS' UI for software restrictions than all of DCS' customers put together. You just don't see me talking a lot about it because it's not appropriate for many home users without a lot of computer knowledge, although there are certainly some things that can, and should, still be done.

    Another (easier) alternative is to launch your internet software with DropMyRights. This won't solve the problem of downloaded software, but you can get the context menu launcher to easily right-click and launch the software in question with reduced privileges. It's still not nearly as good as running in a limited user account, but it can help. DropMyRights only requires that you create a shortcut once, and use it to start your browser/email/etc, which should be easy enough for most people. This will at least stop most malware that does not use an exploit to escalate its privileges, which is a risk you can reduce further by hardening.

    Anyone interested in group policy templates can find out more HERE. It's really not too hard, although there are lots of options to go through :) You may also want to go through the group policy editor alone, without the templates, as there are lots of little things you can do, many of which are covered in parts by different tweaking apps, just Run "gpedit.msc" and take a look.
     
    Last edited: Aug 13, 2005
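Notok's posts describe setting up software restrictions in gpedit but not how the policy actually decides whether a file runs. The following is an added example, not code from the thread, from Windows or from any poster: a small C model of the SRP decision for one file, using the precedence Windows documents (hash rules first, then path rules with the most specific match winning, then the default level; certificate and Internet-zone rules are left out of the model). The rule set, file paths, hash strings and the shortened designated-file-types list are constructed for illustration.

```c
/*
 * Model of the decision XP SP2 Software Restriction Policies make for a file:
 * SRP only looks at designated file types; hash rules beat path rules; among
 * path rules the most specific match wins; the default level decides the rest.
 * Added example for this thread, not code from Windows or from any poster.
 * The rule set, paths, hash values and type list below are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Security levels with the numeric values SRP stores in DefaultLevel. */
enum srp_level { SRP_DISALLOWED = 0x00000, SRP_UNRESTRICTED = 0x40000 };

enum srp_rule_kind { SRP_HASH_RULE, SRP_PATH_RULE };

struct srp_rule {
    enum srp_rule_kind kind;
    const char *match;   /* hex hash for hash rules; folder or file path for path rules */
    enum srp_level level;
};

/* Subset of the XP "Designated File Types" list (constructed here; the real
 * list is edited in gpedit). SRP never looks at files with other extensions. */
static const char *designated_types[] = { "exe", "com", "bat", "cmd", "pif",
                                          "scr", "msi", "lnk", "vb", "hta", "reg" };

static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

int srp_is_designated_type(const char *path)
{
    const char *dot = strrchr(path, '.');
    const char *sep = strrchr(path, '\\');
    if (!dot || (sep && sep > dot))          /* no extension on the file name itself */
        return 0;
    for (size_t i = 0; i < sizeof designated_types / sizeof designated_types[0]; i++)
        if (str_ieq(dot + 1, designated_types[i]))
            return 1;
    return 0;
}

/* A path rule naming a folder matches that folder and everything beneath it;
 * a rule naming a file matches exactly that file. Comparison is case-insensitive. */
static int path_rule_matches(const char *rule, const char *path)
{
    size_t n = strlen(rule);
    if (n == 0 || strlen(path) < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)rule[i]) != tolower((unsigned char)path[i]))
            return 0;
    return path[n] == '\0' || path[n] == '\\' || rule[n - 1] == '\\';
}

enum srp_level srp_decide(const struct srp_rule *rules, size_t count,
                          enum srp_level default_level,
                          const char *path, const char *hash)
{
    if (!srp_is_designated_type(path))      /* not subject to the policy at all */
        return SRP_UNRESTRICTED;

    for (size_t i = 0; i < count; i++)      /* 1. hash rules override everything */
        if (rules[i].kind == SRP_HASH_RULE && hash && str_ieq(rules[i].match, hash))
            return rules[i].level;

    const struct srp_rule *best = NULL;     /* 2. longest (most specific) path rule */
    for (size_t i = 0; i < count; i++)
        if (rules[i].kind == SRP_PATH_RULE && path_rule_matches(rules[i].match, path))
            if (!best || strlen(rules[i].match) > strlen(best->match))
                best = &rules[i];
    if (best)
        return best->level;

    return default_level;                   /* 3. nothing matched */
}

/* "Total lock-down": default Disallowed, the system and program folders
 * allowed (what the XP default rules give you), plus a hash rule that keeps
 * one particular binary blocked regardless of where it is copied to. */
#define BLOCKED_HASH "0f1e2d3c4b5a69788796a5b4c3d2e1f0" /* constructed, not a real file hash */
static const struct srp_rule lockdown_rules[] = {
    { SRP_PATH_RULE, "C:\\WINDOWS\\",        SRP_UNRESTRICTED },
    { SRP_PATH_RULE, "C:\\Program Files\\",  SRP_UNRESTRICTED },
    { SRP_HASH_RULE, BLOCKED_HASH,           SRP_DISALLOWED   },
};

enum srp_level lockdown_decide(const char *path, const char *hash)
{
    return srp_decide(lockdown_rules, sizeof lockdown_rules / sizeof lockdown_rules[0],
                      SRP_DISALLOWED, path, hash);
}

int main(void)
{
    static const char *samples[][2] = {   /* constructed sample files */
        { "C:\\WINDOWS\\system32\\cmd.exe", "1111" },
        { "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "2222" },
        { "C:\\Documents and Settings\\user\\Desktop\\New Folder\\hxdef100.exe", "3333" },
        { "C:\\Program Files\\Games\\patch.exe", BLOCKED_HASH },
        { "C:\\WINDOWS\\Temp\\readme.txt", "4444" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-72s %s\n", samples[i][0],
               lockdown_decide(samples[i][0], samples[i][1]) == SRP_UNRESTRICTED
                   ? "Unrestricted" : "Disallowed");
    return 0;
}
```

Two things the output makes visible. A file dropped into a user's profile is blocked purely by the default level, with no signature involved, which is the "cannot execute any new files" property Notok describes. An extension that is not in the designated list is not checked at all, which is why a lock-down should add script extensions such as .vbs, .js and .wsf to that list in gpedit. SRP is enforced when a process or (with DLL checking on) a library is loaded, so it does not govern a driver that an already-running administrator process loads; that part is covered by the limited user account, which lacks the "Load and unload device drivers" right.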
  4. Why

    Why Guest

    Well if I knew ahead of time it was a kernel-mode rootkit, I wouldn't even run it!

    PG tells me the program i'm installing wants to install a driver, which isn't that helpful in most cases, since in the end it comes down to whether I trust the program.

    But isn't this true even if I didn't have PG?

    Starrob, you are probably thinking of the old urban legend of viruses being written by antivirus people, right?
     
  5. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    No, I am not......
     
  6. controler

    controler Guest

    Oh dear, I beg to differ

    some new rootkits can be installed from ring 3.

    Right?

    I agree, running with admin privies is not a good thing but still won't stop the newest rootkits.

    Starrob is right about looking at both sides. I am sure most of you know you can't learn everything about rootkits here, unless some others post links to rootkit sites.

    At one time the moderators here wouldn't allow links to sites where nasties could be downloaded.

    Now, since some of those same sites host both detection and infection, the mods seem OK with posting links in some cases.

    controler
     
  7. Why

    Why Guest

    Okay let me phrase it properly then, you are thinking of something similar.
     
  8. StevieO

    StevieO Guest

    I found an interesting paper on RKs the other day, and thought I'd share it with you, and see what you think about it.

    . . .

    Defeating Kernel Native API Hookers by Direct KiServiceTable Restoration.


    Security Tools
    – Sebek Win32
    – DiamondCS Process Guard
    – Kerio Personal Firewall 4


    Restoring KiServiceTable will disable Process Guard’s process termination protection.

    Restoring KiServiceTable will disable Kerio’s process spawn protection.

    Native API Hooking Security Tools
    • Security tools that rely on native API hooking in kernel-space can be disabled by KiServiceTable restoration.
    • Need to implement additional protection to prevent this from happening.

    http://www.security.org.sg/code/SIG2_DefeatingNativeAPIHookers.pdf


    StevieO
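The slides quoted above say what KiServiceTable restoration breaks but not why a hook can be removed without the hooking tool ever noticing. Below is an added example, not code from the paper, from DiamondCS, from Kerio or from any poster: a user-mode C model in which a tool hooks the NtTerminateProcess slot of a function-pointer table standing in for KiServiceTable, a rootkit copies the original addresses back over the live table (the paper's rootkit rebuilds them from ntoskrnl.exe on disk; here an in-memory copy taken at "boot" stands in for that), and the "additional protection" the slides ask for is a check that the slot still holds the hook. The service indices, the routine bodies and the protected PID 1444 are constructed; nothing here touches a real kernel.

```c
/*
 * User-mode model of the attack in the SIG2 paper: a security tool hooks an
 * entry of KiServiceTable, a rootkit overwrites the live table with the
 * original addresses rebuilt from ntoskrnl.exe on disk, and the hook stops
 * firing without ever being called. The "additional protection" the paper asks
 * for is modelled as the tool re-validating its own hook.
 * Added example for this thread, not the paper's or any vendor's code; the
 * table layout, routines and PID are constructed.
 */
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)

typedef NTSTATUS (*service_fn)(unsigned long pid);

enum { SVC_NtOpenProcess, SVC_NtTerminateProcess, SVC_NtLoadDriver, SVC_COUNT };

/* Live dispatch table: what the kernel indexes on every system call. */
static service_fn KiServiceTable[SVC_COUNT];
/* The original table as it can be rebuilt from ntoskrnl.exe on disk. The
 * rootkit never asks the running kernel (or the hooking tool) for these. */
static service_fn KiServiceTable_on_disk[SVC_COUNT];

static unsigned long last_terminated;              /* observable effect of a successful kill */
static const unsigned long PROTECTED_PID = 1444;   /* constructed PID for the HIPS process */

/* Original service routines (stubs with the one side effect we care about). */
static NTSTATUS Nt_OpenProcess(unsigned long pid)      { (void)pid; return STATUS_SUCCESS; }
static NTSTATUS Nt_TerminateProcess(unsigned long pid) { last_terminated = pid; return STATUS_SUCCESS; }
static NTSTATUS Nt_LoadDriver(unsigned long pid)       { (void)pid; return STATUS_SUCCESS; }

/* The security tool's hook: termination protection for one PID, otherwise
 * chain to the original routine saved at install time. */
static service_fn saved_TerminateProcess;
static NTSTATUS Hook_TerminateProcess(unsigned long pid)
{
    if (pid == PROTECTED_PID)
        return STATUS_ACCESS_DENIED;
    return saved_TerminateProcess(pid);
}

void kernel_boot(void)
{
    KiServiceTable[SVC_NtOpenProcess]      = Nt_OpenProcess;
    KiServiceTable[SVC_NtTerminateProcess] = Nt_TerminateProcess;
    KiServiceTable[SVC_NtLoadDriver]       = Nt_LoadDriver;
    memcpy(KiServiceTable_on_disk, KiServiceTable, sizeof KiServiceTable);
    last_terminated = 0;
}

/* What a Process Guard-style driver does when it loads: patch the slot. */
void tool_install_hook(void)
{
    if (KiServiceTable[SVC_NtTerminateProcess] != Hook_TerminateProcess)
        saved_TerminateProcess = KiServiceTable[SVC_NtTerminateProcess];
    KiServiceTable[SVC_NtTerminateProcess] = Hook_TerminateProcess;
}

/* The paper's attack: put every original address back. No call reaches the
 * tool, so the tool gets no chance to object. */
void rootkit_restore_KiServiceTable(void)
{
    memcpy(KiServiceTable, KiServiceTable_on_disk, sizeof KiServiceTable);
}

/* The "additional protection": check that the slot still holds the hook and
 * re-install it if not. Returns 1 if tampering was found. */
int tool_verify_hook(void)
{
    if (KiServiceTable[SVC_NtTerminateProcess] == Hook_TerminateProcess)
        return 0;
    tool_install_hook();
    return 1;
}

/* Dispatch as the kernel does it: index the live table, nothing else. */
NTSTATUS syscall_dispatch(int index, unsigned long pid)
{
    return KiServiceTable[index](pid);
}

int main(void)
{
    kernel_boot();
    tool_install_hook();
    printf("hooked:    kill %lu -> 0x%08lx\n", PROTECTED_PID,
           (unsigned long)syscall_dispatch(SVC_NtTerminateProcess, PROTECTED_PID));
    rootkit_restore_KiServiceTable();
    printf("restored:  kill %lu -> 0x%08lx, last_terminated=%lu\n", PROTECTED_PID,
           (unsigned long)syscall_dispatch(SVC_NtTerminateProcess, PROTECTED_PID), last_terminated);
    printf("verify:    tampering=%d\n", tool_verify_hook());
    printf("re-hooked: kill %lu -> 0x%08lx\n", PROTECTED_PID,
           (unsigned long)syscall_dispatch(SVC_NtTerminateProcess, PROTECTED_PID));
    return 0;
}
```

The point the model makes is that dispatch only ever reads the live table, so after the copy the hook is simply never called again and the tool sees nothing unless it checks for itself. A check that runs on a timer leaves a window between the restore and the re-hook in which the protected process can be killed, so the paper's suggestion is a mitigation rather than a fix; and a rootkit that has already reached ring 0 can patch the tool's check as easily as the table. Kerio's spawn protection from the slides is the same picture with NtCreateProcess in the slot.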
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Interesting, but a year old - much was discussed on the rootkit site by the authors credited in this paper.

    The key sentence in all of these papers is something similar to what's in this paper:

    ----------------------------
    To hide processes, a Win2K kernel-space rootkit, which is loaded as a driver,...
    ----------------------------

    Well, how is it going to load? Many ways today to prevent the loading of a driver or .dll, etc.

    I would be more concerned with preventing the loading of the driver than worrying about what the rootkit (or any trojan) will do if installed.

    These papers are useful, in that the computing world keeps up with what's going on, and following the cat & mouse game. But they shouldn't instill fear, thinking, aaggh - - my computer's just waiting to be hooked.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Nothing is foolproof, but it's a good start. User-mode rootkits are generally considered inferior from what I've seen at the rootkit site. It would still need to execute a file, however, so if you used software restrictions it wouldn't be able to run.
     
    Last edited: Aug 13, 2005
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Got it all wrong. I have theories and I have not elaborated on them.
     
    Last edited: Aug 13, 2005
  12. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    What do you consider the best ways to prevent the loading of a driver?


    Starrob
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Process Guard:

    PG Rootkit Test


    Anti-Executable

    I ran a test to attempt to copy fu.exe and its driver, msdirectx.sys across a network:

    AE Rootkit Test

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    A little info on Hacker Defender gold and Silver:

    Golden Hacker Defender includes

    * protection against all AV, unique version and source code for both main module and driver module
    * separation between hidden processes and hidden files in inifile
    * outbound TCP connection hiding
    * Rootkit Detector 0.61, 0.62 antidetection
    * modern detectors antidetection engine with antidetection against
    o F-Secure BlackLight 1.0.1017.0, 1.2.1003.0, 1.3.1015, 1.4.1003, 1.5.1002, 2.0.1008, 2.1.1010, 2.1.1012, 2.1.1013
    o F-Secure BlackLight console 1.25.1006.0, 1.28.1006.0
    o Sysinternals RootkitRevealer v1.00, v1.01, v1.10, v1.20, v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
    o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
    o RootKit Shark 3.11, 3.22, 3.27
    o RegdatXP v1.41
    o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
    o Flister 0.1
    o Find Hidden Service 1.0, 1.1
    o Kernel SC 1.3
    o Kernel PS 0.4, 1.0
    o Klister 0.4
    o Process Magic 1.0
    o KProcCheck 0.1, 0.2-beta1, 0.2-beta2
    o TaskInfo 6.0.1.134
    o KHS - kill hide services 0.1


    Silver Hacker Defender includes

    * protection against all AV, unique version and source code for both main module and driver module
    * separation between hidden processes and hidden files in inifile
    * outbound TCP connection hiding
    * Rootkit Detector 0.61, 0.62 antidetection
    * modern detectors antidetection engine with antidetection against
    o F-Secure BlackLight 2.1.1013
    o Sysinternals RootkitRevealer v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
    o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
    o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
    o Flister 0.1
    o Find Hidden Service 1.0, 1.1
    o Klister 0.4
     
    Last edited: Aug 14, 2005
  15. controler

    controler Guest

    I still want him to list ProcessGuard also :D

    If that is possible
     
  16. ---

    --- Guest

    LOL perhaps when PG starts detecting rootkits.
     
  17. someone else

    someone else Guest

    PG does better than that mate, it prevents rootkits.
     
  18. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Has anyone ever investigated the claim made here by ch0pper https://www.wilderssecurity.com/showthread.php?t=92178 :

    "the answer is no my friend !!! there are ways around this with the gold version !!!


    ch0pper

    hacker defender team"


    Is the claim fear mongering? Or is it true? Seems all the "experts" have gone quiet on this one....LOL but this amateur is only asking questions that need to be asked. We don't want anyone thinking they are 100% secure do we?? LOL


    Starrob
     
  19. real world

    real world Guest

    perhaps it's the same person creating the poison and the antidote. Why not? It's good for business.
     
  20. axeman500

    axeman500 Guest


    So if PG is not the antidote, what is then?
     
  21. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    Search Wilders for Keen Sense, still one of the best process control programs and rootkit detectors I have used :cool:

    Quote: I finally found my copy of Keen Sense (version 1.2.3.1) buried in a disk image made in April 2005. I believe there is at least one later version. I ran it on a test system with PG, Outpost, and Hacker Defender 1.0.0 "revisited" already installed. While it is indeed able to terminate PG-protected processes, I was more impressed with the way Keen Sense handled Hacker Defender. It not only detects and terminates the rootkit process (and hidden sub-processes), it also unloads the driver, so that you can immediately see what was previously hidden (files, registry entries, etc.)

    BTW, PG did occasionally "see" and block some of the rootkit's behavior (in about 1 in 5 restarts). On my test system, Hacker Defender had been installed in Safe Mode to get around PG. From PG's log:

    ---Process Guard Log Started---
    Sun 28 - 19:41:53 [DRIVER/SERVICE] g:\documents and settings\****\desktop\new folder\hxdef100.exe [1444] Tried to modify an existing driver/service named hackerdefenderdrv100

    So far, Keen Sense is a tool I will hold on to. Hopefully, it will be further developed.
     
  22. EASTER.2010

    EASTER.2010 Guest

    Not seen any more mention of Keen Sense since September in that Topic you referenced.

    In fact looks like the attachment was posted then pulled by Bubba.

    I did a brief Google with 0 results with the exception of Wilders' forum, so it must either be not recommended or else just passed over?
     
  23. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    I'm not sure what you're asking; if you can't find it I'll upload a copy for you to test it yourself and see what you think. Google is often of little help when trying to find programs that are not very well known :D
     
  24. EASTER.2010

    EASTER.2010 Guest

    Sure, go ahead because it's nowhere that I can find it, plus I'm a bit surprised it wasn't left in the other topic for others to review.

    So yeah, i for one wouldn't mind taking it around the circuit for a spin.
     
    Last edited by a moderator: Feb 18, 2006
  25. Chas666

    Chas666 Registered Member

    Joined:
    Jul 11, 2005
    Posts:
    2
    Location:
    Hagerstown, MD
    The situation is becoming so complicated that only the nerds and power users will be able to understand enough to navigate the internet and protect themselves. The rest of us will eventually say to hell with it; it's not worth the time, effort, and expense and just quit. There are already a large number of people who have computers that are not connected and don't intend to. This will be unfortunate because there won't be enough power users left to sustain the thing so it may eventually collapse. So all the hackers and malware producers will have accomplished would be to shoot themselves in the foot, so to speak, because there won't be anyone left to hack. Maybe I'm naive but I can't understand why they [hackers] can't understand this.
     