Samurai -- Antirootkit Function

This application http://www.geocities.com/turbotramp2/samurai.html purports to "clean" a system which is infected by a rootkit. In order to do this it restores the SDT and thereby cleans any API hooks:

"DISABLE ROOTKITS: Clear existing rootkits and prevent future loading.

This solution hooks system calls to prevent the loading of rootkits and refreshes the kernel’s system call table to clear existing rootkits. This solution also contains a user interface that informs the operator when attempts are made to load device drivers during normal operation. This can only be accomplished with the Samurai HIPS."

In theory, this should work. In practice, I still can't see the installed Hacker Defender rootkit ...

Can anybody confirm this slightly disappointing result?

 

I would certainly never download nor run something hosted on geocities, especially when it's a so called rootkit detector and probably installs some driver.

 

About this function, should this really be able to delete rootkits from your system? I might test it in VMware but so far I can see that KAV keeps warning me about that almost every process wants to inject code into all other processes, with this feature enabled.

 

Samurai's roootkit function doesnt actually remove rootkits, it just prompt u when something tries installing a driver.

 

I have never tired it but I thought it unhooked everything as you described?

Have you tried ICEsword

 

Surely nobody in their right mind tries to "uninstall" a rootkit? How can you possibly know when it's all removed? How can you tell if anything else on your system has been compromised?

The best you can do is try to detect a rootkit. If one is found, format and start from scratch. There is no other sensible course of action, in my opinion.

 

Yes I agree with you trickyricky but I was just experimenting a bit in VMware because it can be a bit risky to try this on your real machine, it might become unstable or even worse. However Samurai claims it can "Clear existing rootkits", that sounds a bit too good to be true anyway.

 

Indeed it is too good to be true, especially considering that Samurai hasn't been upgraded for quite some time as far as I'm aware and rootkit techniques are constantly being pushed forward. Methinks a pinch of salt is called for when reading that particular claim, good as the other functionality of Samurai is.