(anti-rootkit) Hidden Process Detection (50+ products compared)

Discussion in 'other anti-malware software' started by inka, Dec 5, 2009.

Thread Status:
Not open for further replies.
  1. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Hidden Process Detection Test
    http://www.ntinternals.org/process_detection_test.php
    The linked page presents the results in a matrix, along with the author's methodology notes.

    methods tested:
    - PspNotifyRoutine - RECALLING
    - PsActiveProcessLinks - DKOM
    - ObjectTable (HANDLE_TABLE) - DKOM
    - CSRSS ObjectTable (HANDLE_TABLE) - ERASING
    - PspCidTable (HANDLE_TABLE) - ERASING
    - SessionProcessLinks - DKOM
    - WorkingSetExpansionLinks - DKOM
    - ObjectTypeList - DKOM
    - CSR_PROCESS/CSR_THREAD - DKOM
    - PID & IMAGE NAME - CHANGING
    - OBJECT & OBJECT_TYPES - MANIPULATION
    - THREAD OBJECT - MANIPULATION

    products tested:
    ARK2007 1.0
    ATool 1.0021
    Avast! Antirootkit 1.0.0.1
    AVG Anti-Rootkit 1.1.0.42
    Avira AntiRootkit Tool 1.1.0.1
    AVZ 4.32
    BitDefender Rootkit Uncover 1.0
    CMC CodeWalker 0.2.4.500
    CsrWalker 1.0.0.600
    DarkSpy Anti-Rootkit 1.0.5
    DeepMonitor 1.8
    DiamondCS Deep System Explorer 1.0.406
    Dr.Web DwShark 1.0.0.11140
    ESET SysInspector 1.2.021.0
    F-Secure BlackLight 2.2.1092.0
    GMER 1.0.15.15227
    Helios 1.1
    Helios Lite 1.0
    Hidden Finder 1.5.6.7
    IceSword 1.2.2
    Kernel Detective 1.3.0
    KLISTER 0.4
    KsBinSword 1.0.0.1
    kX-Ray 1.0.0.98
    Malware Defender 2.4.4
    McAfee Rootkit Detective 1.1.0.1
    NhsScan 0.9.4
    NIAP Rootkit Detect Tools 1.02
    Panda Anti-Rootkit 1.08.00
    PScanner++ 1.8.3.0
    Process Hunter 1.0
    Process Master 1.1
    Process Walker (EP_X0FF & MP_ART) 1.0.8
    ProcessWalker Express 5.4.1000.10
    RootKit Hook Analyzer 3.02
    Rootkit Unhooker LE 3.8.LE.383.585.SR1
    RootRepeal 1.3.5
    Safe'n'Sec Rootkit Detector 1.0.0.2
    SafetyCheck 1.7
    SanityCheck 2.00
    SnipeSword 1.0.2.2
    Sophos Anti-Rootkit 1.5.0
    SpyDLLRemover 2.5
    Spyware Process Detector 3.20
    SysProt AntiRootkit 1.0.1.0
    SysReveal 1.0.0.7
    System Eyes & Ears Monitor 4.5
    Trend Micro RootkitBuster 2.80.1077 Beta
    USEC Radix 1.0.0.9
    Vba32 AntiRootkit 3.12.4.0
    Wsyscheck 1.68.33
    XueTr 0.30
    Yas Anti RootKit 1.223


    page presenting related testing & results:
    Hidden Dynamic-Link Library Detection Test
    http://www.ntinternals.org/dll_detection_test.php

    methods tested:
    - InLoadOrderModuleList - DKOM
    - InMemoryOrderModuleList - DKOM
    - InInitializationOrderModuleList - DKOM
    - HashLinks - DKOM
    - ProcessObject - MANIPULATION
    - Vad - ERASING

    products tested:
    ArcaVir Process Manager 2010.0.0.6
    ATool 1.0021
    Dr.Web DwShark 1.0.0.11140
    GMER 1.0.15.15163
    HookExplorer 1.0
    HookShark BETA 0.6
    IceSword 1.22
    KernelDetective 1.3.0
    kX-Ray 1.0.0.98
    MalwareDefender 2.4.3
    NhsScan 0.9.5
    ProcessWalker Express 5.4.1000.10
    RkU 3.8.382.584
    RootRepeal 1.3.5
    SEEM 4.5
    SpyDllRemover 2.5
    Spyware Process Detector 3.20
    SysInspector 1.2.021.0
    SysReveal 1.0.0.7
    VMMap 2.4
    XueTr 0.29
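Nearly every product in the matrix above relies on the same idea: enumerate processes through several independent kernel paths and flag any PID the views disagree on. The following is an added illustration of that cross-view check (not code from ntinternals.org or from any listed tool); the view names are borrowed from the method list above, and the sample PIDs and which view each one is missing from are constructed.

```python
from dataclasses import dataclass


@dataclass
class ViewResult:
    name: str   # enumeration path that produced this list
    pids: set   # PIDs that path reported


@dataclass
class Finding:
    pid: int
    seen_in: tuple       # views that still list the PID
    missing_from: tuple  # views the PID is absent from


def cross_view(views):
    """Return a Finding for every PID that appears in at least one view
    but is absent from at least one other.  Disagreement between views is
    the signal; a single-view tool cannot produce it at all."""
    union = set().union(*(v.pids for v in views))
    findings = []
    for pid in sorted(union):
        seen = tuple(v.name for v in views if pid in v.pids)
        missing = tuple(v.name for v in views if pid not in v.pids)
        if missing:
            findings.append(Finding(pid, seen, missing))
    return findings


def hidden_pids(views, ignore=(0, 4)):
    """Flagged PIDs minus kernel-only PIDs that legitimately never reach
    CSRSS (System is PID 4), so they are not reported as hidden."""
    return [f.pid for f in cross_view(views) if f.pid not in ignore]


# Constructed sample: PID 1234 has been unlinked from the EPROCESS list and
# erased from CSRSS's handle table, while its PspCidTable entry and thread
# objects are untouched.  Which structures a real rootkit touches varies;
# this combination is illustrative only.
SAMPLE_VIEWS = [
    ViewResult("PsActiveProcessLinks walk", {4, 600, 2000}),
    ViewResult("PspCidTable probe", {4, 600, 1234, 2000}),
    ViewResult("CSRSS handle table", {600, 2000}),
    ViewResult("Thread object scan", {4, 600, 1234, 2000}),
]

if __name__ == "__main__":
    for f in cross_view(SAMPLE_VIEWS):
        print(f"PID {f.pid}: seen in {f.seen_in}, missing from {f.missing_from}")
    print("hidden:", hidden_pids(SAMPLE_VIEWS))
```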
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Re: (anti-rootkit) Hidden Process Detection (50+ products compared)

    Hey inka, cool testing ;) thanks
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: (anti-rootkit) Hidden Process Detection (50+ products compared)

    Also here - author is Alex NT Internals :thumb:
     
  4. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Re: (anti-rootkit) Hidden Process Detection (50+ products compared)

    RootRepeal 1.3.5 was on top and Gmer wasn't :D
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Re: (anti-rootkit) Hidden Process Detection (50+ products compared)

    Thanks Meriadoc for the links, I love to play with these kinds of tools ;)
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: (anti-rootkit) Hidden Process Detection (50+ products compared)

    What are top ten?
     
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Jmonge, if I understand, - it's Sunday :D - in the first table GMER is one of the best. Anyway, I always use GMER and RootRepeal too. :)
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    There is no one ark you should use when looking for rootkits.
     
  9. progress

    progress Guest

    Avast! Antirootkit (GMER technology) seems to work fine on Win 7 while GMER doesn't work flawlessly? Very interesting ... :doubt:
     
  10. BG

    BG Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    214
    Isn't Avast Antirootkit built into the main program now?
     
  11. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Thankfully, the author didn't presume to rank the tested apps.

    Considering that his testing involved a limited (but realistic) number of methods & none of the apps were able to block all methods, "top10" here would amount to "the 10 with least degree of FAIL".
     
  12. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Just because they use the GMER technology doesn't mean they don't do their own developing on top as well, and updating it.
     
  13. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Re: (anti-rootkit) Hidden Process Detection (50+ products compared)

    How is it that Root Repeal is in the top of detectors?

    Root Repeal 1.3.5 does well in this area.

    Based on these two tests, the only one who tops both tests is Dr. Web DW Shark.

    Unfortunately though, DW Shark
     
    Last edited: Dec 6, 2009
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    DwShark was DrWeb's unofficial tool. I made a few screens, part1...
     

    Last edited: Dec 7, 2009
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    part2
    saving the xml report and then Interactive mode screens...
     

    Last edited: Dec 7, 2009
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    part3
     

  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Hmm, interesting, MD found none. Seeing how MD found none, would this also mean that MD wouldn't be able to intercept these rootkits from running/installing?

    Also, how come no product detects [-12-]?
     
  18. devon

    devon Registered Member

    Joined:
    Dec 7, 2009
    Posts:
    1
    Re: (anti-rootkit) Hidden Process Detection (50+ products compared)

    DWShark is not dead, it's in the development stage now, only for private use. The version in this test is very, very old, the first private alpha. I hope a public beta is released next year with a powerful script language engine and more features. ;)
     
  19. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    I would like to know the answer to this too.
     
  20. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    I'm struggling to understand the 'big picture', but the test author seems to be emphasizing that the apps (both antirootkit and HIPS) fail to deal with the newer type(s) of rootkit techniques, e.g.
    http://www.openrce.org/articles/full_view/19
    Instead, they are apparently (apparent, via the test results) myopically targeting 'old hat' malware techniques & are breeding a false sense of security among users.

    I had found the announcement of the test results in a message posted to the sysinternals malware forum
    "Favorite/Custom Rootkit, ARK, HIPS, HIDS Tool(s)" thread:
    http://forum.sysinternals.com/forum_posts.asp?TID=17648
    (explains test author's motivation/rationale for adding MalwareDefender to the test group)

    Someone in that thread (not the ntinternals author) criticized the misdirected efforts of many 'ark' authors:
    As I said above, I'm struggling to understand. From reading (poorly translated) Chinese support forum discussions regarding Malware Defender, the quoted criticism might be well-placed. Like so many other vendor sites, the torchsoft site hypes xyz features. Although MD is touted as offering "low level (keyboard, disk) protection", while trialing MD I found that it didn't seem to protect against clipboard access. The dev replied "no, it does not". At the moment, providing such protection isn't important to him? Per the Chinese forum threads, he's busy keeping step with another hacker/developer. That competition is steering his agenda? What exactly is the hyped "low level" protection? From the position of the ntinternals author & others critically posting to the sysinternals forum -- it doesn't matter what the protection is, what matters is that the protection is incomplete & that the practice of selling (and buying into) a false sense of security based on incomplete and poorly-implemented (or outdated / moot) protections is the current norm.

    Anyhow, I contacted the ntinternals author via email to suggest that MalwareDefender is a policy-based HIPS, not a rootkit. In reply, he linked to the following post, noting "it should clarify my attitude in this case".

    "Actual 2009 Antirootkits" thread:
    http://forum.sysinternals.com/forum_posts.asp?TID=20007
     
  21. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Low level keyboard access is not the same as clipboard protection. Run the AKLT tests and you'll see the difference. MD has not misrepresented itself.

    MD is a classical HIPS. Defensewall, for example, is a policy based HIPS.

    imho, it was right to include MD within these tests, but I do think Xiaolin should either improve the anti-rootkit capabilities of MD or think again about how it is promoted. To me, the features of MD are valuable without being labelled as 'anti-rootkit'.
     
  22. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    I use MD as a HIPS, not as an antirootkit tool (I prefer using Gmer, RootRepeal and Rootkit Unhooker to do that).

    I did not read all that article, I had no time...
    But imho, if MD was able to alert about driver loading, file creation/execution, and other process communication... then the test is passed.
    First of all, please remember MD is prevention software, not a removal tool.

    If you want you can test even the MD firewall, but I'm simply not interested in it ;)

    BTW, maybe I'm misunderstanding the meaning of this test, in which case I'm sorry... as I said before, unfortunately I had no time :)

    Regards
     
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    It's not just whether or not MD can intercept these rootkits from running/installing, it's other HIPS products as well. Personally I'm not too worried,
    because firstly the said rootkit would have to get past Sandboxie, and secondly I have file and folder rules in place in MD; for a rootkit to run and install it first has to have its files created on the OS, and with my file and folder rules the creation of new files is denied. But I still would like to know if MD can intercept
    such rootkits from running/installing?

    Someone introduce Xiaolin to this thread.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think you people are just confusing it. They tested the ability to detect hidden processes. The process explorer of MD failed to detect any hidden process. That's my understanding.

    CFP, SSM and EQS all have a ProcessExplorer tab for running processes and, as far as I remember, EQS probably shows hidden processes in red. It will be interesting if anyone can test them in this regard.

    Personally I think the process explorer of all these HIPS is too weak to detect rootkit-hidden processes. Their developers must implement such a feature.

    KAV detects hidden processes and so does TF, but I am not sure if they are really good in this regard or not.
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    The main idea of a HIPS program is not to detect but to prevent in the first place, and all HIPS, properly configured and with the pop-ups properly read and responded to before clicking yes/no, are able to prevent the installation of any rootkits.
     
    Last edited: Dec 8, 2009