What program do you all consider to be the best anti-rootkit?

Discussion in 'other anti-malware software' started by WilliamP, Dec 3, 2006.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    Yeah, I know that :cool:

    Throw in the fact of a Power Shadow in shadow mode and I don't concern myself about anything possibly devised by the highest minds in that cyber-world field of dreams.

    I am mainly puzzled since this is the first time I have ever experienced such an ongoing issue with any ARK, but I have had some trouble testing Helios because it requires SP2, you see, and I believe in leaving things alone that work just fine. I understand ARKs have in the past been somewhat in their infancy but are maturing quickly now.
     
    Last edited by a moderator: Feb 24, 2007
  2. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    EP_XOFF - I have v 3.20.130.388

    The Hidden Files scan is the only function that doesn't work properly, and not until the end of the scan. When I got the error in my screenshot, I could see the hidden files displayed, but the RKU GUI closed as soon as I hit the OK button to close the error window. After copying (not moving) the DLL to the RKU folder I no longer got the error, but now the GUI closes automatically at the end of the Hidden Files scan.

    All other functions (pages) work perfectly - the data is displayed and can be saved to a file. What else can I try, and have you heard of this same occurrence before?
     
  3. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @Zorra
    Symantec wrote a long time ago:

    I tested Rustock.B on VISTA and even though it has a lot of BUGS, most of it worked:

    Code:
    GMER 1.0.12.12067 - http://www.gmer.net
    Rootkit scan 2007-02-23 00:56:32
    Windows 6.0.6000 
    
    
    ---- System - GMER 1.0.12 ----
    
    SYSENTER  \SystemRoot\system32:lzx32.sys                   8F40BFAF
    
    ---- Devices - GMER 1.0.12 ----
    
    Device    \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE             [8F40A886] system32:lzx32.sys
    Device    \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION  [8F40A62A] system32:lzx32.sys
    
    ---- Services - GMER 1.0.12 ----
    
    Service   C:\Windows\system32:lzx32.sys (*** hidden *** )  [MANUAL] pe386                               <-- ROOTKIT !!!
    
    ---- EOF - GMER 1.0.12 ----
    Short movie:

    http://www.gmer.net/pe386vista.wmv

    Regards
    -Gmer
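    The report above has a fixed column layout per section (System, Devices, Services). As an added example that is not GMER's code and not from anyone in this thread, here is a small parser that walks such a report and pulls out the entries a responder cares about: the SYSENTER handler redirected into a driver, IRP handlers of the NTFS device pointing into the same driver, the hidden service, and whether the driver path uses an NTFS alternate data stream (the ":lzx32.sys" suffix). The column format and the helper names are assumptions based only on the log shown above; the sample log is constructed to mirror it.

```python
import re

# Constructed sample in the layout of the GMER report posted above
# (Rustock.B: lzx32.sys stored as an ADS, hidden service "pe386").
SAMPLE_LOG = r"""GMER 1.0.12.12067 - http://www.gmer.net
Rootkit scan 2007-02-23 00:56:32
Windows 6.0.6000
---- System - GMER 1.0.12 ----
SYSENTER  \SystemRoot\system32:lzx32.sys                   8F40BFAF
---- Devices - GMER 1.0.12 ----
Device    \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE             [8F40A886] system32:lzx32.sys
Device    \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION  [8F40A62A] system32:lzx32.sys
---- Services - GMER 1.0.12 ----
Service   C:\Windows\system32:lzx32.sys (*** hidden *** )  [MANUAL] pe386   <-- ROOTKIT !!!
---- EOF - GMER 1.0.12 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
SYSENTER_RE = re.compile(r"^SYSENTER\s+(\S+)\s+([0-9A-Fa-f]{8})$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+\[([0-9A-Fa-f]{8})\]\s+(\S+)$")
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+(\(\*\*\* hidden \*\*\* \)\s+)?\[(\w+)\]\s+(\S+)")

def module_name(path):
    """Last path component; splits on '\\' and on ':' so an ADS name is returned."""
    return re.split(r"[\\:]", path)[-1]

def parse_gmer_log(text):
    """Walk a GMER text report and return one dict per suspicious entry (assumed layout)."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "System" and (m := SYSENTER_RE.match(line)):
            # SYSENTER handler redirected into a driver: kernel entry point hook
            findings.append({"kind": "sysenter_hook", "module": module_name(m.group(1)),
                             "ads": ":" in m.group(1)[2:], "address": m.group(2)})
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            # IRP major function of a device object points into another driver
            findings.append({"kind": "irp_hook", "device": m.group(1), "irp": m.group(3),
                             "module": module_name(m.group(5)), "address": m.group(4)})
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            # a ':' after the drive letter means the driver lives in an NTFS ADS
            findings.append({"kind": "hidden_service" if m.group(2) else "service",
                             "module": module_name(m.group(1)), "name": m.group(4),
                             "ads": ":" in m.group(1)[2:], "start": m.group(3)})
    return findings

def implicated_modules(findings):
    """Modules that hook the kernel, hook a device, or back a hidden service."""
    return sorted({f["module"] for f in findings if f["kind"] != "service"})
```

    Running `implicated_modules(parse_gmer_log(SAMPLE_LOG))` on the sample ties all four entries back to the single driver lzx32.sys, which is the correlation a responder does by eye when reading such a report.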
     
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Try to test it on normal x64 Vista, frieeend.
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    This could be related to disk errors, check your harddrive with chkdsk /f /r /x
     
  6. EASTER.2010

    EASTER.2010 Guest

    Not happening here in this camp ever! Vista is nothing more to us than a cheap imitation of things already past and a sour reminder of how lousy M$ can be to its loyal constituents/consumers/users.
    Anyone smell the smell of fresh dollars anywhere behind their marketing doors?

    In reality and in all honesty this camp over here will never touch it BUT, when Vienna or whatever lame name microsloww comes out with for that one arrives, then there might be some interest, not before & not until.
     
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    100% agree EASTER.2010:)
     
  8. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @EASTER
    Who cares that a few guys will stay on XP. There are millions of new clients/victims (of Microsoft's business).
     
    Last edited: Feb 25, 2007
  9. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Gmer, stop spreading your panic all around the web. There are no rootkits for x64 Vista, which supersedes XP in all cases. But I do not say that Vista is a good operating system; I am just trying to say that x86 Vista is not the point for testing rootkits LOL.

    "Millions of victims" - absurdity.
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    There is no one rootkit detector that works in every case.

    When looking for hidden malware I use a combination of Gmer, IceSword, BlackLight & any other one I can find.

    Sometimes one will show what others don't; sometimes nothing shows in any rootkit detector despite there being hidden files & entries.
     
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Show me one (at least) working non-PoC (or even PoC) malware (or not) rootkit that works fine on every (or almost every) x64 Windows Vista.

    Pills and other sci-fi are currently only words (by Joanna and not only). Malware writers will always use the simplest ways to hide from security tools.

    As for GMER, it is a more advanced system monitoring tool with a range of non-fixable bugs.
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Granted, but there is one that works to a high degree in my experience whilst malware collecting.

    I have one same-drive tool onboard that has, at worst partly and in most cases totally, detected all known malware rootkits that I have found out in the wild. Not only does it detect all samples that I have, it can recover them for analysis or kill them on the hosed system.

    With that I would be very interested in seeing either the droppers or component files of anything that has bypassed RootKit Unhooker so I can upload them to the malware listserve at MIRT for widespread distribution, as I have with all others collected :thumb:

    Added bonus being, if you can give these missed samples to EP I'm sure he will update his tool to an even higher level of capability. Maybe the best can get a little better?

    Of course nothing will be as reliable as slaving the infected drive or booting in from a live CD (Bart PE etc.), but all said and done, in 5 months of harvesting I've yet to find one single malware rootkit that bypasses the latest RKU evo when it is loaded :)
     
  14. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    I think Gmer is just saying that though Rustock can be installed on Vista 32-bit, it is not functional, so unless the author refines it, it is still not a threat as of yet.

    EP_XOFF - I'll try that. The error seems to be related to the GUI or report function, because the hidden file scan detection works fine.

    Everybody has their favorite rootkit apps. There are definitely a few that have risen to the top because they are highly effective. I'll continue to use a variety of detectors. When new rootkits arise, POC or otherwise, most of the authors of the top ARKs respond by making sure their program can detect them. So good job both Gmer and EP_XOFF. There is room for both of your programs!
     
  15. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Of course, Zorra, everybody has their favourite programs :)
     
  16. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Zorra, you are reading my mind.

    Like I said before, there is much more room for such programs: RootkitRevealer, BlackLight, IceSword, ...
    Their authors worked hard and these programs are still able to detect most stealth malware.
    A few POC RK "toys" will not disparage them.
     
  17. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  18. EASTER.2010

    EASTER.2010 Guest

    There is even better room I think, and more appreciation, for ARK authors who add new improvements with frequency and quickly make "BUG FIXES" on a regular basis, similarly to commercial Anti-Spyware programs. Would you like to name "one" that matches that description exactly for us?

    Proof-Of-Concept also comes in 2 flavors, the RK and the ARK of course, and can lead to better developments, or don't you agree?

    Also, it is important not to become complacent, wouldn't you agree?
    Modgreper & System Virginity Verifier courtesy of Joanna Rutkowska are a finished project now? IceSword and the others are not needed to update either?

    I beg to differ with that philosophy. Look into the 98/Me transition into XP. Has XP been a waste of time, or is it so reduced now, or as error-laden as 98/Me was?
    What makes you think Vista is so much more refined or improved an O/S over the XP system, as you seem to allude to in that statement?


    Well Deserved! Congrats!
     
    Last edited by a moderator: Feb 25, 2007
  19. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    PoCs, rootkits and others

    No, Gmer. If you are saying this you should know that:

    - Rootkit Revealer is a PoC
    - Blacklight hasn't been updated (really updated) since release, so it's a PoC from an AV company
    - IceSword stopped evolving about a year ago (the author creates stupid plugins, nothing more)
    - All creations from Joanna are pure (sometimes completely unworkable) PoCs
    - DarkSpy is a PoC; it has not been updated since release. And it is a very, very unstable and unfriendly rootkit detector, sorry but this is true.
    - All mainstream AV rootkit detectors were made by copy-paste from old rootkit.com sources; if some rootkit bypasses, for example, Avira, it will also easily bypass any others from this company.

    Proof-Of-Concept rootkits actually show technology, not a malicious evolution stage. They are containers for real malware rootkits. For example, if you are saying that PoCs are not the point here, then you should know that NtRootkit (the famous SSDT hooker) is also a PoC, but currently almost 70% of all malware rootkits use the same technology as in "your useless" PoC rootkit :D

    When people say such things, they need to think twice before doing so. Just because your tool is always easily bypassable by PoC rootkits is not a reason to speak such nonsense. It is a reason to review all of your architecture (like, for example, the nonsense random generation of ctl codes, the flickering and the ugly UI) and do the evolution.

    @fcukdat

    Thanks for the information. We do our best.
     
  20. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    A long time coming :) - good decision!
    At the moment I consider RkU the no. 1 ARK program.
     
    Last edited: Feb 26, 2007
  22. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @dvk01
    Derek: have you specifically used RkU yet?
    Even pwalker?

    Be very interested to hear your comments.

    You mention other progs: still very effective, but no real change for some time with IceSword and DarkSpy.
    Even mainstream media have recognised RkU as one of, if not the, best.

    RkU is under constant review and development.
    Subject to harsh criticisms recently and close analysis of results.
    The more exposure the better. The developers have responded each time in record time.
    The move by CC is a leap forward in terms of exposure and experience.

    Heh, EP and MP's e-mail will be running hot!!
    Popularity might be a curse.

    ( LOL EP-XOFF the belle of the ball :eek: )
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yes, I have tried RKU & in the right hands it is quite capable; however it has its faults, & quite serious ones from my point of view.

    The main problem is that you cannot recommend a victim of malware to run it, prepare a log and do simple fixes easily.

    It is far too easy for the victim to seriously damage his computer & need a reinstall to fix.

    I know it's a difficult problem, but for ANY rootkit detector & fixer to be of any real use, it must be usable by the great unwashed in the real world & not just by experts.

    I also don't really like the way that RKU doesn't remove the files involved, just reg entries, so it leaves the possibility for the scum who installed it in the first place to activate the files again.
     
  24. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I'm a bit at odds with your findings, Derek, on several fronts o_O

    RKU does not remove files....

    Correct, but incorrect after analysis: it overwrites them with 0s, thus killing the file; no chance of restoring the file without a fresh infection.

    RKU removes reg entries....
    Where does it do that o_O


    Fwiw HiJackThis can do damage if used incorrectly, but that hasn't stopped it being widely used as a tool under direction :thumb:

    In a nutshell, maybe you should try the tool's *hidden file* scan against any malware rootkits you have and see if it produces a confused report.
    I did it last night with 6 advanced and recent malware rootkits to produce an illustration of how simplified it is :D

    http://www.castlecops.com/p901545-Rootkit_Unhooker_v3_20_Approved.html#901545

    Have you tried this tool in its latest incarnation at all?
     
    Last edited: Feb 26, 2007
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Afterthoughts following the last 2 posts...

    Hey EP, just an idea: if you would like your tool more usable across a wider scope of users, then maybe have an advanced tab (option) where all scans are accessible, and a basic (detect hidden file) only scan with wipe/copy still available by default?
     