(anti-rootkit) Hidden Process Detection (50+ products compared)

Discussion in 'other anti-malware software' started by inka, Dec 5, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Yes, but if a HIPS program can't detect it, how would it be able to intercept it from running?

    Let's say, for argument's sake, a HIPS does manage to intercept and you click allow on the popup; after this, are you saying that it then completely disappears from the HIPS system monitoring radar?

    Unlikely. If a HIPS can intercept, then it can detect the same thing that it has allowed to run.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    When I said detect, I meant a rootkit already present when you install MD.
     
  3. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    With this in mind, that's why I had contacted the author to suggest that MD doesn't belong in the test group.

    And that's where I've been confused. I was skeptical toward believing that MD would have failed to raise popup(s) in response to the test executables. I couldn't find links to the test items, else I would have tried to reproduce (verify/refute) the test results. So, the test scenario seemed only representative of me having MD installed... but sitting here stone drunk and happily clicking 'allow' to every popup.

    Yes, I think you've accurately summarized the tester's result, and his outlook.

    The author is highlighting the misdirected, and ineffectual, focus of the current system monitoring radar.

    During the past two days, what I've read (numerous sources) has really shaken my confidence in security apps. Increasingly, since 2006, malware has begun operating outside the bounds of what the current security apps can reasonably hope to detect: hidden drivers (loaded before winlogon) which lack PIDs... and code injected into native service drivers or the NT kernel, without using Win API calls (so any security app 'hooking' whichever APIs sees nothing).
     
  4. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Sounds like just another victim of ARK ballyhoo.
    As far as I know, my computer has never had an undetected rootkit. :D

    Cheers
     
  5. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Do you not believe these tested methods are in use, in the wild?
    His choice of tests struck a chord with me because I'm fairly sure I've seen a couple of these methods put to practical use (even though I've not regularly 'gone looking' for such things) in game cheats (winject alternatives).
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Because of the possibility that HIPS can't intercept said rootkits from running/installing, denying the creation of new files on the OS is really the only guarantee we have available to us.

    Using things like Deep Freeze or Returnil doesn't help either, because A. they may be able to bypass Deep Freeze or Returnil, which has happened before with other malware samples, or B. because a rootkit can install and run during your session until your next reboot with a clean image.
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is it possible for a malware to:

    Write to or create its own private or protected memory address?
    Persist in RAM through reboot?
    Exist in the RAM of a router, either as a malware re-infector or as a web redirector to a malicious site?

    How would the ARKs deal with these situations?
     
  8. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    The tester has to give evidence of the in-the-wild relevance, not me.

    However, in the first place my intention is prevention.

    If an ARK detects these methods on my system it's already too late.
    That's why all these ARK tools and the comments of their authors have only very little practical value for me.
    Because they hardly ever offer anything for prevention, only for (partly) detection and (partly) removal if you are already owned.

    Apart from that some of these guys just try to square the circle with self-developed squares and circles, respectively ARKs and POCs.

    Cheers
     
  9. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    440
    Location:
    romania
    Kernel Detective is created by GamingMasteR (AT4RE). AT4RE = Arab Team 4 Reverse Engineering = software cracking team. Should we trust them or not? o_O
     
  10. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    subset, thanks for the clarification. well said!
     
  11. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    From my point of view those are 2 different things...

    If I allow malware to load its driver, I will not be so astonished when I cannot detect it, because I gave it the opportunity to unhook and be hidden.
    HIPS programs have to intercept it from running; after I execute malware (and allowed its driver) it's able to do what it wants in most cases... and it is right, because I allowed it.

    Using HIPS to cure and analyze is improper imho.

    Regards
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Agree with Kronos ;)
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Do not be paranoid over words; yes, they are trustworthy. GM's KD is a very nice tool, even more so with the improvements and additions in the recent update; also easier to use, I find, with multilined tabs :thumb:

    Edit: changed KD download to woodmanndotcom

    These are the words that go very well together, very well together.
     
    Last edited: Dec 11, 2009
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I don't see OSAM Autorun in the test group. OSAM author claims rootkit discovery.
    Alex could possibly add it to the testing?
    Then we can see where it lies within the group.
     