Boclean & Unhackme

jonnypop · Jul 24, 2005

Does anyone know if Boclean covers all the rootkits that Unhackme guards against? Or is worth it to purchase Unhackme in addition to Boclean and run both together.

richrf · Jul 25, 2005

Hi johnnypop,

Both products list the same rootkits as "covered". However, my guess is that they are trying to detect them in different ways. UnHackMe, apparently is using several methods including registry dumps as well as their own driver to detect shadow processes. I am not sure how BOClean detects these processes. But here is a quote from a message that Kevin left on DSLReports:

Heh. They could have bought us, but it's kinda too late for them now.

What I personally find mind-numbing about all this "rootkit" talk is that the FIRST rootkit was something called "Back Orifice" for which "BOClean" was originally named back in 1998. For Win9x, they copied the export tables for kernel32's functions to new locations and pointed everything to those, for NT they diddled the primary tables themselves since NT had no real security at the time and permitted "named pipes" directly from ring 3 to alter the kernel itself. The holes which allow ring 3 to control ring 0 *still* exist after all the bandaids that have been applied over the years of "this NEW Windows is the best and most secure Windows ever" ... but at least the "named pipe" method was shut down. Now, one has to overflow memory in a key component like LSASS or dozens of others to achieve the same result.

I won't give away trade secrets, but rootkits leave very pronounced and visible anomolies in the system that can be easily spotted. Some require more effort than others to remove, but detecting their presence is SIMPLE from ring 3 without the need for a kernel driver. In fact, most rootkits look for kernel drivers poking around looking for them, but they can't change the behaviors at the user level to effectively hide their existence. I too was highly amused at their purchase of probably the worst of the entire "anti-spyware" lot as well.

But I'm pleased to hear that SEVEN YEARS after the first rootkit, Microsoft seems to think there might be a problem that might need fixing. Can't wait to see the "patch."
Click to expand...

As for myself, I prefer ProcessGuard's (licensed version) approach which is to prevent rootkits from installing in the first place, as opposed to detecting them after the fact. However, I did purchase UnHackMe, because I like the company.

Hope this helps,
Rich

Notok · Jul 25, 2005

UnHackMe detects things generically, where BOClean detects them with signatures, so they would be complimentary to eachother.

john2g · Jul 25, 2005

Notok said:

UnHackMe detects things generically, where BOClean detects them with signatures, so they would be complimentary to eachother.
Click to expand...

I think you will find that BOClean detects rootkits both by signatures and heuristics.

Log in or Sign up

Boclean & Unhackme

jonnypop Registered Member

richrf Registered Member

Notok Registered Member

john2g Registered Member

Log in or Sign up

Boclean & Unhackme

jonnypop Registered Member

richrf Registered Member

Notok Registered Member

john2g Registered Member

Useful Searches