Stop RKUnhooker incompatibility to gmer

Discussion in 'other anti-malware software' started by SystemJunkie, Dec 1, 2006.

Thread Status:
Not open for further replies.
  1. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    That post just shows bugs and leaks in that _product_
     
    Last edited: Dec 8, 2006
  2. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    @Old Monk

    Just because you paid for this. It is understandable, but that is true. They can't answer anything on that, because that is not fake.

    They think that if they have money they have everything else. We showed that they have nothing and their "technology" is a dead end with malware-like behaviour.
     
    Last edited: Dec 8, 2006
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    UnhackMe on my test computer is not capable of detecting the Agony and Odysse rootkits; it's a weak tool.
     
  4. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi EP_X0FF

    No, not just because I paid for it. Free or paid, I want, sorry need, to know the integrity of the company whose software I'm using.

    Are you questioning the integrity of SSM or just saying that in your opinion it is poor software?

    I.e. are you saying malware or malware-like?
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Yes, UnHackMe is intended mostly for Hacker Defender/AFX/Vanquish detection. It's useless for almost all other rootkits.

    Hi, OldMonk.

    I thought that I made everything pretty clear on page 3 of that topic.

    My opinions about SSM and other HIPS:

    - malware-like behaviour, backdoor friendly
    - too much advertising with lies :(
    - dead-end technology with out-of-date methods

    You paid for it and it is your choice, if SSM helps you then probably you have nothing to worry about ;)

    What about me: I will not recommend this software to anyone. More, I will erase it where I will find it.

    Sorry for some misunderstanding, that is my poor English.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Damn, this UnhackMe is a joke, they want to grab 20 bucks for a license and give such insufficient protection.

    Again, I have to fully agree with that opinion.
     
  7. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Based on others' opinions or your own experience? If so, please give examples for the 3 points mentioned.

    P.S. Which security setup do you have?
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Are you talking about ALL kinds of HIPS (community-based, behaviour blockers, sandboxes, virtualization, etc.) or only the likes of SSM/PG/PS?
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Probably this is related to most; maybe he also considers SubVirt and Rustock variants. Don't forget anything is possible, if your mind is creative enough and if you have damn enough time to brood over the problems and their solutions.
     
  10. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hi, lucas1985.

    I'm talking about SSM-like SSDT lovers. They set up their driver as a filter on all system functions. It is dangerous, slow and shows only one thing: they do not know how to defend a system. There exist much, much better solutions not based on "screaming" about everything working in the system.

    - malware-like behaviour, backdoor friendly
    nothing will stop this program if it starts to do something malware-like

    e.g. You have your SSM registration key. Some people outside your computer steal this key. SSM HQ makes the decision to block all stolen registration keys. To do that they send a remote command to all computers with SSM installed. You won't even know about that, because SSM can protect its connection from listing. They get your registration key and decide it is one of the stolen ones. Immediately commands are sent to your computer for blocking SSM. Poorly coded blocking (remember the whole SSDT is hooked) leads to a BSOD during some disk operation, for example writing to the MBR by some legit program. You restart your computer and see the following message -> "Replace the disk and try again"

    - too much advertising with lies

    phide_ex, futo, fu detection. They are preventers, not detectors. But that line looks very good on the main page, doesn't it?

    - dead-end technology with out-of-date methods
    If the SSDT becomes unreachable for those tools, they will die.

    For example, I do not have any security tools, but that is because I can solve any problem (well, excluding trojan.encoder =) )
     
  11. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    /TOTAL OT ON
    Which method is ProSecurity using; the same as SSM or something else? Which then leads to the question: which method, if different, is better/safer?
    /OT OFF
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks for the answer.
    Unfortunately, most PC users (including the security-aware people) don't have the necessary skills to remove nasty threats, so they choose prevention measures. An AV, a firewall and a HIPS that they can manage is the usual setup.
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This is what I often thought: most AV/FW companies use Talion principles, which is in fact a very primitive method; you can't always beat anything with the same weapons.

    It's only a matter of time before police start using all these kinds of trojans, rootkits and exploits from hackers... silently, maybe a bit modified... who knows how far the insanity will go. In Germany they really plan to do things like that; yesterday there was news around the internet that the police want to start with trojan and exploit attacks, checking suspicious PCs, as anti-terror methods using unknown software from Switzerland.
     
  14. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    My opinion: SSM is totally useless if you are a System Administrator in a wide network with many old and slow PCs, so I agree with EP_X0FF.
     
  15. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Now we are getting biblical :)
     
  16. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Gmer and RKU, like any other detector, are not absolutely necessary for rootkit detection...since the user is able to make a detection via a forensic physical memory analysis.
    A piece of code can theoretically be bypassed and broken by another piece of code: reverse engineering the detector or the rootkit = cat and mouse game.
    But it's currently very difficult for a rootkit to hide from a physical memory image.

    Most rootkit detectors, HIPS and AVs hook the SSDT: since a program or tool plays with the Windows kernel, incompatibilities are difficult to avoid in advance.

    Regarding HIPS, this is not a dead-end technology.
    It's true that virtualization solutions are certainly the future of security, but as threats become more and more sophisticated, real-time threat/attack detection is necessary (buffer overflow etc.).
    Avoiding malware and keeping the hard drive clean is easy; countering all possible attacks is currently impossible, with or without virtualization.

    For information, I've published an article about the Oddysee rootkit: http://security.over-blog.com/article-4066034.html

    The goal was to show that it's better to trust in know-how than in detectors: without a minimum of knowledge, many rootkit detectors are not always helpful...
    I've posted this article on the Sysinternals forums and sent a sample of this rootkit (and other ones) to the RKU team (EP_X0FF): it seems that RKU was improved...under RingO inspiration :)

    At the state of technology, Darkspy, Gmer and RKU are enough to detect and recover from about 90% of available rootkits.

    regards
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Great to see you here, kareldjag; I like to check your forensic blogs.
    Recently played a lot with winobj; Panda seems to have a big lack, not detecting odyssee :-D

    I must also say that Gmer has actually most potential of all scanners so it´s no surprise that it was the only one
    and the emphasis is focussed on clear identification.

    PS: Archon scanner is really cheap, UnhackMe so damn bad, when I make a scanner it must find Odysseee!!!!!!!!!!

    Uh, uh svv from rutkowska quality leaks... I like the criticism of Prevx :) Damn, so much waste of system resources.
     
    Last edited: Dec 11, 2006
  18. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    I disagree. I was following the RkUnhooker project from the very first versions (2.0b4) and even with them I can detect the SSDT hooks of Oddyssee. I agree that it is a very primitive rootkit. If the SSDT entries are unhooked, it becomes removable.

    Hm. What if the rootkit is not a driver? What if it is a simple thread in memory pool allocated inside ntoskrnl? I can say that even with physical memory scanning you will be unable to detect such things.
     
  19. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    I see that its features are not tested and giving me more questions than answers. With the same success we can say that RAIDE is a very stable and perspective project.
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    :D o_O yep, this is the main problem of gmer, more questions than answers! It's its weak point.

    Like bodyless sql slammer worm, a bad thing if you find no file... Z0mbienation, scary.

    hahaha, why don't you tell that to the guys @ r00tkit com :-D
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Besides, there is a crash info from RKU3

    CrashLogVersion 2
    Date 06/12/04 23:00:47
    Module: RS3.exe
    Version: R.2.00.016
    Infos: Unknown language -

    Exception "Acces Violation" (address 00000000 is unreadable) at :
    0051969F

    EAX 00000001
    EBX 00E38304
    ECX 00000000
    EDX 00000033
    ESI 00000000
    EDI 00E38250
    EIP 0051969F
    FLG 00010212
    EBP 00000000
    ESP 0006FDF4
     
  22. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Thank you for the bug report, we will look at what we can do.
     
  23. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hello, Z0mBie.

    So you are the same Z0mBie... or? :D
     
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    no problem
     
  25. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Why would an anti-malware company deliberately make its product incompatible with another anti-malware product?
     