Are AV/AT Scanner useless now? (Hacker Defender v. 1.00)

Discussion in 'malware problems & news' started by Nautilus, Jan 3, 2004.

Thread Status:
Not open for further replies.
  1. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    Oh ... sorry. Now I got your point. It gets in via the ordinary infection vectors like one of the recent Internet Explorer or MS Windows exploits, filesharing networks, email attachments etc.

    If you frequently update your Windows, use a safe browser, do not open email attachments and do not download software from non-trustworthy sources, you are almost safe. And you may not need an AV/AT scanner at all ;-)

    Cheers ntl
     
  2. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    Not on several ratboards, only two, and I think it is not a crime to be a mod on another kind of "security" board.
    I'm not supporting hf.
    And why do you think that I'm not interested in helping other users find or remove rootkits?
     
  3. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    "And why do you think that I'm not interested in helping other users find or remove rootkits?"

    Why not just send knlps.zip to Paul Wilders or Rokop? This would immediately stop this discussion because you would indeed help users to find or remove rootkits. By contrast, just talking about knlps.zip and posting screenshots will not help.
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Nautilus - Liked that page you linked to - very well-written.

    In regard to your (I assume) tongue-in-cheek comment that I might not even need an AT/AV resident scanner - ha ha.

    4A6F4A6F - What are your thoughts on what I stated in my last post? Pete
     
  5. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    JoJo ... I got your PM @ Rokop board. Thanks.

    I will reply there.

    ___
     
  6. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    I sent Roman a mail with this tool; if I get an answer from Paul I will also send him a copy.
     
  7. Bigmomma

    Bigmomma Guest

    Seems Pest-Patrol is able to detect & delete this? Or is this not true?

    http://pestpatrol.com/PestInfo/h/hacker_defender.asp

    Momma
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Bigmomma,

    Those are older versions - v1.00 is discussed in this thread ;)

    regards,

    paul
     
  9. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    In the meantime, I can confirm that the tool mentioned by JoJo works perfectly. Thanks for sharing your knowledge about it ...

    Moreover, it seems that there is an official download link for this tool. But it may be premature to post the link before Paul had the possibility to have a look at it.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Still waiting, JoJo ;)

    regards.

    paul
     
  11. mike myers

    mike myers Guest

    Anyone tried "abtrusion protector" (freeware) against HD V1.00 yet?

    I believe this program will hold off the installing, and by doing that stop the infection so the rootkit becomes useless.

    Mike
     
  12. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    Oh, I'm back. Sorry for the delay, Paul, but I watched the movie Space Cowboys on German TV (btw a good movie). OK, I also tried to find other stuff from the author who made this program, but it seems the other download sites I found are down. There also exists another similar tool named klister, now available in version 0.3; this is also able to list all processes but is not able to terminate them, but maybe the programmer will add this in other versions.
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    No problem JoJo - ARD? ;)

    regards.

    paul
     
  14. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    no RTL ;)
     
  15. JSa

    JSa Guest

    JoJo

    I'm interested in testing ntsystem's knlps, any help would be gratefully received

    fhaze at gmx dot net
     
  16. controler

    controler Guest

    Ok one more question and then i will shudup and listen :D

    You are talking about a rootkit that has been recoded and compressed
    with an unknown packer, correct?
    It has been my understanding that unless you unpack the file, it is harmless.
    Are we talking about a self-extracting rootkit here?
    I can see an AT-AV not detecting it packed with an unknown packer.
    That is old news.
    1. The rootkit comes onto my machine recoded and packed with an unknown packer, and my AV-AT does not detect it.

    2. How does the file get unpacked unless it is self-extracting or a non-detected dropper has been attached?

    Thanks

    con
     
  17. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html gives a pretty good explanation as to how rootkits work, con. Pete

    * the follow-up article to that one is here: http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html

    Actually, just typing "rootkit" into Google could have you reading for hours! :D

    A question I'm really fuzzy on is - if you're not running a server - are rootkits even a threat? IOW, if you're not running a server, do rootkits even have anything to do if you get one on your computer?

    (Note: I'm still convinced that anyone getting one on my machine is a near-impossibility given the fact that I'm running ProcessGuard). Pete
     
  18. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    @controler

    We're talking about runtime packing here.. but you would still have to double-click the file to get infected, unless you get it via an exploit, or the hacker uses a webdownloader to infect.. (you'd have to double-click that too)
     
  19. controler

    controler Guest

    Thank you all

    I have expanded my knowledge of rootkits now. :D
    As we know, Windows is targeted more than any OS, but I have tried Linux and was not happy.
    As Windows evolves, it will become harder to break in. Linux, on the other hand, will go through the same growing pains.
    After all, rootkits originated with Linux.
    Found a couple of good sites with some tools for rootkits.
    It appears checksumming with encryption seems to work.
     
  20. an8

    an8 Guest

    Hi con:

    1.
    Self-extracting archives (WinRAR, WinZIP) are a completely different thing compared to runtime compressors (like UPX or Armadillo). Please try to compress a copy of your notepad.exe with WinZIP (SFX archive) and a different copy with UPX. Then you will figure out the difference, which is important to understand if you want to discuss AV/AT scanners.

    UPX, ASPack, PECompact etc. (unpacking engine required for detection) ---> Memory (Mem Scanner needed for detection)

    Armadillo (no unpacking engine can unpack it) ---> Memory (but still encrypted - doh!)

    SFX Archive ---> temporary harddisk file (unpacked, easy to detect by on-access scanner, no unpacking engine needed) ---> Memory

    2.
    So far Windows rootkits differ from Linux rootkits. For Windows rootkits, checksumming will generally not work since no files are patched.
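    The checksumming approach an8 contrasts with Windows rootkits, as an added example that is not part of the thread: a keyed (HMAC) file-integrity baseline that catches a patched binary, the classic Linux-rootkit trace, but would see nothing when a rootkit like Hacker Defender only hooks APIs in memory and leaves the files on disk untouched. The directory layout, file names and contents below are constructed for the demo.

```python
import hmac
import hashlib
import os
import tempfile

def file_mac(path, key, chunk=65536):
    """HMAC-SHA256 of a file's contents. The key is the 'encryption' part:
    an intruder who patches a binary cannot simply recompute the stored digest."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            mac.update(block)
    return mac.hexdigest()

def build_baseline(root, key):
    """Map relative path -> MAC for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_mac(full, key)
    return baseline

def check_baseline(root, key, baseline):
    """Return (modified, added, removed) paths relative to the stored baseline."""
    current = build_baseline(root, key)
    modified = sorted(p for p in baseline if p in current
                      and not hmac.compare_digest(current[p], baseline[p]))
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Constructed scenario: baseline a fake bin/ directory, then 'patch' one binary
    the way a file-replacing Linux rootkit would, and re-check."""
    key = os.urandom(32)  # in practice kept off the monitored host (read-only media)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(b"original " + name.encode())
        baseline = build_baseline(root, key)
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"trojaned ps that hides a process")  # simulated file patch
        return check_baseline(root, key, baseline)

if __name__ == "__main__":
    print(demo())
```

    A kernel-hooking rootkit that hides processes and files without rewriting binaries passes this check cleanly, which is exactly why an8 says checksumming does not help against Windows rootkits of the Hacker Defender kind.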
     
  21. JSa

    JSa Guest

    Anyone have a link for knlps?
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    No links please: please ask JoJo ;)

    regards.

    paul
     
  23. JSa

    JSa Guest

    JoJo is not responding Paul ,I already asked him in my earlier post
     
  24. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    JSA Please register yourself and send a PM to me. I will reply and tell you about a download link.

    EDITED:

    I have provided three users with the download link. Please do not send me any additional PMs since I do not frequently check my message box. It may be more effective to request the link in this thread.
     
  25. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi
    well Joanna Rutkowska is in action again: "Patchfinder (PF) is a sophisticated diagnostic utility designed to detect system libraries and kernel compromises. Its primary use is to check if the given machine has been attacked with some modern rootkits.

    With this tool you should be able to detect even the newest versions of such rootkits like: Hacker Defender, APX, Vanquish, He4Hook, and many more.. New release (2.x) of PF is the first version which is intended to be not only a proof-of-concept code for developers, but also to be a useful tool for administrators. To make proper use of PF, every user should read the attached PDF paper."

    you know where to get this!
     