A simple question about rootkits and keylogger...

Discussion in 'other security issues & news' started by Zapco_force, Dec 31, 2014.

  1. Zapco_force

    Zapco_force Registered Member

    Joined:
    May 17, 2013
    Posts:
    88
    Location:
    Italy
    Hello guys, sorry for my bad English....
    To be sure of having no rootkits or keyloggers on your system (which are the threats I fear most!), is it enough to run a scan with a good antivirus (e.g. Bitdefender, Kaspersky, Avira etc.), or is dedicated anti-rootkit software needed??....
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Most AVs include rootkit detection but would probably detect only blacklisted rootkits (known malware). You can still use additional on-demand anti-rootkit software to check whether your AV missed something and to show you possible rootkit activity from legitimate software.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    If you always run sandboxed, rootkits won't install on your system. Six years ago, searching for how to prevent getting infected by one is how I discovered Sandboxie.

    Bo
     
  4. Zapco_force

    Zapco_force Registered Member

    Joined:
    May 17, 2013
    Posts:
    88
    Location:
    Italy
    I understand! :thumb:..... However, which additional on-demand anti-rootkit software do you recommend??
    ....In fact there are many such utilities, but sometimes they create problems rather than solve them (e.g. Combofix)! :doubt:
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I've used GMER in the past and was happy with it. At the moment I don't use any dedicated anti-rootkit. Of course you have to know what you're doing when making changes. Wrong decisions can cause problems and can break your system or legitimate applications.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In spite of their ability to hide, rootkits are like almost any other software that integrates into your system. They have to be installed. On any system that doesn't employ the standard default-permit security policy, that install can be detected, prevented, or confined.
     
  7. Zapco_force

    Zapco_force Registered Member

    Joined:
    May 17, 2013
    Posts:
    88
    Location:
    Italy
    Sorry Minimalist if I make you waste time!... but a friend suggested to me to perform an antivirus scan through a rescue disk (freely downloadable) such as the Bitdefender Rescue system or the Kaspersky rescue disk.
    In this way the OS remains totally inactive, so a possible rootkit (or MBR virus) is easily detectable because it will never be activated since the OS is "off".....and he also said that a rescue disk works better than
    additional anti-rootkit software....
    What do you think about it? .... might the rescue disk be the best solution?
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, the rescue disk has an advantage because the OS is not loaded and all files are unhidden, visible to the AV. If the AV detects a file as malicious it can easily remove it. So for removing malicious rootkits a rescue CD would be the better solution.

    OTOH, if you would like to check whether any legitimate (non-malicious) program is using rootkit technology, then you would have to run an anti-rootkit scan from inside the loaded OS.
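    The offline check described in this post, as an added example that is not part of the thread or of any rescue disk's own code: with the installed OS not running, a bootkit cannot filter what a scanner reads, so the raw first sector can be parsed directly and its boot code compared with a hash recorded while the machine was known to be clean. The MBR images, the boot stub bytes and the baseline hash below are constructed here for illustration; the function and constant names are this example's own.

```python
"""Offline MBR baseline check (added example; not code from the thread).

Run from a rescue environment against the raw disk, the installed OS is not
running, so a bootkit cannot hide changes to the first sector.  The sector is
parsed, sanity-checked, and its boot code compared with a known-good hash.
The sample images and baseline hash here are constructed for illustration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIG_OFF = 510                # 0x55 0xAA closes the sector
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector layout and return boot code and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    active = 0
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {n}: invalid status byte 0x{p['status']:02x}")
        if p["status"] == 0x80:
            active += 1
        if p["type"] != 0 and p["lba"] == 0:
            findings.append(f"entry {n}: partition starts at LBA 0 (overlaps the MBR)")
    if active > 1:
        findings.append("more than one active partition")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR image (used here only to construct samples)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, *entry) for entry in partitions)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed samples: a tiny stand-in boot stub and one NTFS-type partition.
CLEAN_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
CLEAN_MBR = build_mbr(CLEAN_STUB, [(0x80, 0x07, 2048, 204800)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)   # as recorded while the system was clean
# Same partition table, but the first instruction replaced by a short jump, the
# usual way a bootkit diverts control before the real loader runs.
PATCHED_MBR = build_mbr(b"\xeb\x3e" + CLEAN_STUB[2:], [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        print(name, check_mbr(img, BASELINE_HASH) or ["OK"])
```

    On a real rescue boot the sector would come from `open("/dev/sda", "rb").read(512)` (device name assumed) rather than from the constructed images, and the baseline hash has to have been recorded before the suspected infection; a hash mismatch on its own says only that the boot code changed, which a legitimate bootloader update also does.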
     
  9. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
  10. 142395

    142395 Guest

    GMER is good but needs quite a lot of knowledge to interpret its results correctly. TDSSKiller is more of a signature-based rootkit detector, but it's still quite efficient at detecting them and I myself sometimes use it as a second-opinion scanner. There are still many options you can use, e.g. Norton Power Eraser, aswMBR, MBAR, etc., and of course boot CD scanners.

    About keyloggers, well, a dedicated anti-keylogger can be a candidate as well as a good AV scanner, but however many scanners you use, they can't detect a hardware keylogger.
     
    Last edited by a moderator: Jan 6, 2015
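    The kind of in-OS cross-view check that tools like GMER perform, and whose output this post says needs knowledge to interpret, as an added example; it is not GMER's, TDSSKiller's or any other product's code. It is Linux-specific: one view is the `/proc` directory listing, the other is a brute-force probe with `kill(pid, 0)`, and an id that answers the signal but is missing from the listing is being hidden from `readdir()`. `classify()` is pure and is exercised on constructed views; `live_scan()` collects real views, and the default `max_pid` cap and all function names are this example's own assumptions.

```python
"""Cross-view process check for Linux (added example; not any tool's own code).

Anti-rootkit scanners gather the same information by different paths and
report disagreements.  Here view 1 is readdir() on /proc and view 2 is a
brute-force kill(pid, 0) sweep.  classify() interprets the difference and
drops the classic false positive (thread ids, which kill(2) also accepts).
"""
import os

PROC = "/proc"
HIDDEN_FROM_LISTING = "present in /proc but hidden from the directory listing"
ABSENT_FROM_PROC = "reachable by kill(2) but absent from /proc"


def listed_pids(proc: str = PROC) -> set:
    """View 1: what readdir() on /proc admits to."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def signal_reachable(max_pid: int) -> set:
    """View 2: every id that kill(pid, 0) accepts (exists, even if not ours)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass        # exists, owned by someone else
        alive.add(pid)
    return alive


def tgid_of(pid: int, proc: str = PROC):
    """Thread-group id from /proc/<pid>/status, or None if the entry is absent."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (FileNotFoundError, ProcessLookupError):
        return None
    return None


def classify(listed: set, reachable: set, tgid_lookup) -> list:
    """Explain every id reachable by signal but missing from the listing.

    An unlisted id whose Tgid is another process is a thread of that process,
    not a hidden process, so it is dropped rather than reported.
    """
    findings = []
    for pid in sorted(reachable - listed):
        tgid = tgid_lookup(pid)
        if tgid is None:
            findings.append((pid, ABSENT_FROM_PROC))
        elif tgid == pid:
            findings.append((pid, HIDDEN_FROM_LISTING))
    return findings


def live_scan(max_pid: int = 65536, proc: str = PROC) -> list:
    """Run the check locally, re-probing so short-lived processes are not reported."""
    first = classify(listed_pids(proc), signal_reachable(max_pid), lambda p: tgid_of(p, proc))
    confirmed = []
    for pid, why in first:
        try:
            os.kill(pid, 0)                    # still alive?
        except ProcessLookupError:
            continue                           # exited between the two views: a race, not a rootkit
        except PermissionError:
            pass
        if pid not in listed_pids(proc):       # and still not listed?
            confirmed.append((pid, why))
    return confirmed


if __name__ == "__main__":
    for pid, why in live_scan():
        print(f"pid {pid}: {why}")
```

    For a complete sweep `max_pid` should be raised to the value in `/proc/sys/kernel/pid_max`, at the cost of scan time. A confirmed finding still only says that two views disagree: a rootkit hooking the directory listing is one explanation, and the tool's user has to rule out the others before acting on it.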
  11. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
  13. 142395

    142395 Guest

    The first link is just about a PoC, not about ITW malware. It's just an example that with enough effort, any security can be bypassed. TDL4 could bypass a sandbox as it exploited the OS kernel, but still the attacker has to be aware that the victim uses SBIE, and also the rootkit has to get onto the system in the first place, but SBIE blocks any driver installation. The 2nd actually doesn't bypass the sandbox.
    Though in the past some rootkits bypassed some virtualization software as they didn't protect the MBR, I doubt they could bypass a sandbox as sandboxes don't accept driver installation from the beginning.
     
    Last edited by a moderator: Jan 6, 2015
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen

    I mean this. And I was speaking generally about sandboxing - and virtualization - software. And there is, as you know, a whole class of hardware rootkits that play in RAM, BIOS... And I wonder if a sandbox can defend against a new, very sophisticated rootkit such as - only an example too! - Stuxnet or TDL-4.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi Blacknight, I think it would be more interesting if you could come up with at least one real-world example of a rootkit that has escaped Sandboxie's sandbox. Sandboxie has been around since 2004; that's plenty of time to fail at least once, find one.

    The OP fears rootkits, and Sandboxie is a great tool for preventing getting infected by one. Sandboxie won't detect anything, but for protecting yourself against a rootkit infection, it doesn't get much better than SBIE.
    http://www.sandboxie.com/index.php?SBIE2103
    Sandboxie version 4 is even more restricted than before. In version 3, you could set the sandbox to allow sandboxed programs to load drivers into the operating system (Block Drivers setting); now not even that can be done anymore, as the setting has been done away with.

    Bo
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Maybe I wasn't clear :(. My previous posts were not about Sandboxie in particular. They were about sandboxing and virtualization programs in general. I don't believe that any sandboxing software can be the final defense against rootkits, simply because no single security software is final, and in the fight between attackers - malicious programs - and security software, winners and losers always alternate.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Both of my posts in this thread, including the one that you quoted earlier, were about Sandboxie in particular. In its over 10 years of existence, Sandboxie has always come out as a winner in preventing infections; when and if that changes, I'll take it from there. I don't ponder things that probably will never happen only because there is a remote chance of them ever taking place.:)

    Bo
     
  18. 142395

    142395 Guest

    I can relate to that, as I also don't put 100% trust in any product. But it is also true that most common malware we come across is not that sophisticated, and thus we won't see an actual bypass, at least in the foreseeable future.
     