Any good free programs to prevent rootkits?

Discussion in 'other anti-malware software' started by swinger10, Feb 27, 2005.

Thread Status:
Not open for further replies.
  1. swinger10

    swinger10 Guest

    Right now i'm using Prevx free. Does anyone know if it will help to prevent rootkits?

    I'm looking for fairly easy to use free programs to either prevent rootkits or help to find them after the fact. I already checked out that free program RootkitRevealer from Sysinternals, but it's not really very easy to use, any others? Blockers or detectors. Thanks for your time.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Process Guard and System Safety Monitor can stop rootkit installation, but you need the full version of PG and SSM is supposed to go shareware at some point in the future (PG will block service/driver installs while SSM will prompt you about them).

    Abtrusion Protector is another option which is free for home use. It works by blocking any file from running that is not already installed - you therefore have to put it in installation mode when installing any new software. This can block any malware installation but may cause problems with any software which uses continually altered files (TrojanHunter's ThSec.dll springs to mind here).
     
  3. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Someone correct me if I am wrong but I think BoClean offers protection against rootkits too. :doubt:
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    But is it free? ;)
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Prevx will actually help with preventing rootkits, as long as they don't try to install themselves on another drive than your primary partition (usually C: ). It's not as complete a protection as ProcessGuard full, but it should counter most of them (if not all current ones). The next version of Prevx promises to have a lot more protection options, so we'll see where it goes pretty soon.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You can also use the trial of UnHackMe (http://www.regrun.com/), the next version of RegRun (not free) promises to have full-time monitoring in the same way as this little utility.
     
  7. Correct me if I'm wrong, but rootkits don't have any special power to install on computers? They are a bitch to detect once they are installed, but pre-installation they can be detected/stopped like any other malware out there.

    I guess most of the time they get into your computer via trojans, but i suppose a worm that drops a rootkit is possible as well. Or maybe even a virus with rootkits as payloads.
     
  8. guesshoo

    guesshoo Guest

    I would love to see a good test done with the different AVs and other scanners and blockers (like Process Guard) that claim to find, remove or block rootkits. That way we would know how good these different programs really are at stopping rootkits, and wouldn't have to just guess. We need an Eric Howes-like test, but for rootkits. ;)

    Oh, sorry to go off topic... isn't Klister a free rootkit detector?
     
  9. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    It seems that some have missed an episode:

    https://www.wilderssecurity.com/showthread.php?t=67742

    For the first question, there's no radical and free soft against rootkits,
    because each rootkit has its own behaviour.

    ***PG (paid version) and AbtrusionProtector (and other infection-prevention systems) can prevent many of them.
    And if they can't prevent all of them (unknown ones), they can really limit the impact of the infection (it will be difficult for the rootkit to hide a backdoor, for instance).

    ***UnHackme, AVs, ATs and specialized products (RootkitRevealer, RKDetect, RootkitHunter, Chrootkit...) have their own limit: their database!
    They can only recognise what they know (signatures).

    When a new rootkit is coded, it can stay a long time before its discovery (and its integration into the database).

    Finally, the problem is complex,
    even if rootkits are more prevalent on other systems like UNIX/LINUX/SOLARIS.

    With advanced worms, rootkits are actually the most undetectable malware.

    Regards
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    I have never heard of Klister software program. Neither, it would seem, has Google.

    Got a link?
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi bellgamin,

    Here's a link to both KLISTER (works with Windows 2000 only) and FLISTER (2000/XP/2003): invisiblethings.

    Nick
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    Here's a listing about RootKit Revealer that may interest some of you. Partial quote from the website...
    I forgot to mention...
    (1) It's free.
    (2) This is from Sysinternals -- the geniuses who produce Process Explorer & several other superb utilities.
     
    Last edited: Mar 1, 2005
  13. Hi,

    Take a look at UnHackMe 2 beta (non-public yet).
    It is the stable version:
    http://greatis.com/unhackme200b.exe
    Changes since version 1.0:
    - Added monitor. It checks the system every specified period. You can choose the period of testing using the Options dialog.
    - It detects HackerDefender, Vanquish, AFX Rootkit.
    UnHackMe doesn't use signature scanning.
    It detects rootkits by their behaviour,
    i.e. all clones of the rootkits will be detected too.

    It works much more quickly than RootkitRevealer because UnHackMe looks for the service and driver that a rootkit requires to start and work.
    - UnHackMe allows you to kill a rootkit by simply clicking on the Stop button.
    After that you only need to restart your computer and UnHackMe will clear the remaining parts of the rootkit.
    UnHackMe is simple to use.
    UnHackMe is not free. But...
    But all users of the previous version will receive the new version for free.
    We changed the protection scheme.
    You can test UnHackMe 2 for 30 days and it will work without any nag screens. It is not a demo. It's a fully functional version.
    After finishing evaluation UnHackMe 2 will still work but it will ask you to register.
    If UnHackMe finds a rootkit you will see it and you can remove it in manual mode.

    Comments or suggestions are appreciated.
    Dmitry
    ateam@greatissoftware.com
     
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    IMO Processguard is perhaps the best program for preventing rootkits.
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    true but it doesn't prevent you when you are already infected.

    thanx for the heads up Dmitry
     
  16. cluessnobbie

    cluessnobbie Guest

    Heh I'll say, If you are already infected at time t1, you need a time machine to travel back prior to time t1 to "prevent" that from happening. :)
     
  17. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    Is there any antispyware that is able to remove rootkits?
    Or antitrojan that can remove it? o_O
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I meant cleaning after infected, you got me...:p

    yes, there are antitrojans that can remove them... tds, ewido, boclean and th do have sigs for them.
     
  19. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    And what about antispyware o_O?
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    nope I don't think so, but there are antitrojans that have spyware sigs...:)
     
  21. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    ***UnHackme

    A behaviour database, isn't it a kind of signature?

    I've tried UnHackme: great soft in order to verify if a PC is infected by well known rootkits.
    Very easy to use, even for a newbie of 12 years old.
    UHme scans the system every minute (so the trial version expires after 9 minutes).

    A little regret: more rootkits in the database (NTRootkit, He4Hook...) and more prevention utilities (hidden keys, monitoring/blocking new services, integrity checking etc...) could be very interesting.

    Each soft which transforms complex things (rootkits) into easy things (we just have to click on a button "Check Me Know") is a great soft.

    ***From my special malware collection, I have (zip files) Hacker Defender, Vanquish, NTRootkit and He4Hook.
    And McAfee and Pest Patrol detect them (see the image).
    But I still believe in a strong integrity defense.


    ***For small business and SOHO, there are other solutions:

    *Data Sentinel: http://www.ionx.co.uk/html/products/data_sentinel/

    *Veracity: http://www.rocksoft.com/rocksoft/veracity/index.php

    *XIntegrity Pro: http://www.xintegrity.com/

    *Less expensive (for home users): Winalysis: http://www.winalysis.com/

    Regards
     


  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Article on Sysinternals tool.


    New Tool Gives the Scoop on Snoops

    Story
     
  23. Hi,

    UnHackMe doesn't have a rootkit database.
    It knows the ways in which rootkits hide their services and drivers from a user.
    The service is a really important thing for rootkit life because it allows a rootkit to start hidden at the early stage of Windows startup. Otherwise RegRun or other software can allow you to remove the rootkit from Windows startup.
    If a rootkit can't start automatically it will not work after re-starting your computer.
    The rootkit's authors understand it and they add new tricks to hide the service and to prevent it from being disabled.
    Removing a rootkit can be an even more complex task than detecting it.
    UnHackMe 2 is an effective tool to detect and remove rootkits.
    And we will develop it to prevent new rootkits.

    Dmitry
     
  24. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I'd just like to point out that you don't need a service to be installed to be infected with a rootkit. There are undocumented ways to put code into RING 0 which, to me, seems like the direction most rootkit authors will be heading to if they haven't already. However the installation of the rootkit would obviously need to occur each time the system boots, which means it would need to be autostarted from somewhere.

    ProcessGuard blocks all KNOWN (from the time of the last version at least) undocumented methods from being used, which means if you had one of these rootkits on your system, just the installation of PG would stop them.
     
  25. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I can only agree with Jason_R0.
    I've already linked a pdf paper from EEYE about the subject:

    https://www.wilderssecurity.com/showpost.php?p=382135

    So we can't summarize rootkit behaviour only with service and registry.

    Advanced malware like rootkits, worms or network backdoors are in permanent evolution and a soft can't stop them by using only a limited kind of behaviour.

    And for the registry, many products on the market are not able to detect hidden keys, for instance.

    Therefore, I will not be definitively explicit about this subject: it's not a scientific way of thinking.

    In the past, Nicolas Gregoire, a French specialist, released a test tool called JAB (just another backdoor).
    JAB was able to bypass firewalls, AVs and even authentication proxies, by using legitimate OLE APIs in I.E:

    http://www.securityfocus.com/archive/101/349727/2004-01-13-/2004-01-19/2

    According to me, a strong integrity protection of the whole system (by many hash algorithms) is actually an efficient solution: that which is not certified and not recognized is also totally not allowed to integrate the system.


    Regards
     
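The integrity defense that kareldjag argues for in the two posts above (a baseline of file hashes, checked with more than one algorithm, so that anything not already known stands out) can be demonstrated with a small script. This is an added example and not code from the thread or from any of the products named in it; the directory layout, file names such as `system32/kernel.dll` and `drivers/hidden.sys`, and the file contents are all constructed inside the script, and the functions `hash_file`, `build_baseline`, `compare` and `demo` are names chosen here.

```python
"""Added example: a minimal multi-hash file-integrity baseline and checker.

Records SHA-256 and BLAKE2b digests for every file under a root, saves the
baseline, then reports files that were modified, added or removed.  Two
algorithms are kept so that defeating one of them is not enough to hide a
change.  Everything below (paths, contents, the tampering) is constructed
for the demo and does not describe any real product.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ALGORITHMS = ("sha256", "blake2b")  # assumption: any hashlib names work here


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, read in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(root):
    """Hash every regular file below root; keys are POSIX-style relative paths."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Classify the differences between a saved baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed scenario: baseline a tree, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32" / "drivers").mkdir(parents=True)
        (root / "system32" / "kernel.dll").write_bytes(b"original kernel code")
        (root / "system32" / "drivers" / "disk.sys").write_bytes(b"disk driver")
        (root / "readme.txt").write_text("hello")

        # Baseline taken on a known-clean system.  In practice the JSON copy
        # is kept somewhere the protected host cannot silently rewrite it.
        saved = json.dumps(build_baseline(root))

        # Simulated change set: one file patched, one driver dropped, one
        # file deleted.  This stands in for anything an installer (or
        # unwanted software) might do between two checks.
        (root / "system32" / "kernel.dll").write_bytes(b"patched kernel code")
        (root / "system32" / "drivers" / "hidden.sys").write_bytes(b"new driver")
        (root / "readme.txt").unlink()

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check reports what changed, not whether the change is legitimate; the point of the thread's "installation mode" style tools is that the baseline is re-taken deliberately after a known-good install, and anything that differs outside such a window is treated as suspect. A checker like this only sees what the filesystem API shows it, so a kernel-level rootkit that filters directory listings can hide a dropped file from it; that is why the posters pair integrity checking with prevention (blocking unknown services and drivers) rather than relying on either alone.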