Dilemma. Install Anti-Rootkit application or not

Discussion in 'other anti-malware software' started by Ocky, Mar 10, 2007.

  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Browsing this forum I am now uncertain whether or not to install an anti-rootkit application. I have read somewhere that Sophos is easier to work with than some of the others (e.g. items recommended and items not recommended for removal are shown).
    Is such a program overkill in view of what I have already:

    Netgear DG834v3 Router.
    Opera 9.10
    NOD32; Comodo Firewall; AVG AS (Real Time)
    Spybot S&D (BHO only) and SpywareBlaster (both mainly for rare IE usage)
    a2 free; SUPERAntispyware free and AdAware free for on demand only.
    Seconfig XP; Autoruns; Process Explorer...
    Acronis 9.0 Home for imaging.

    Maybe there will be compatibility issues and/or false positives?
    Silly question I suppose, but would I be aware of a rootkit having sneaked into my system, e.g. unusual activities, popups, reboots etc.?

    Any comments appreciated.

    Regards.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Just add some portable anti-rootkit scanner like GMER or RootkitRevealer.
    I think that NOD32 has already contained anti-rootkit technology for some time.
    So you do not really need it, but it does not hurt to use another scanner.
    By the way, you have a really nice setup, though I would get rid of AdAware.
     
  3. EASTER.2010

    EASTER.2010 Guest

    RKUnhooker 3.20

    A standalone that is quite capable of uncovering many hidden drivers, files, hooks etc.

    Very detailed. Hope it helps.
     
  4. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    I agree with Easter.
     
  5. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Right, just to add my thoughts/findings :)

    RootKit UnHooker is the most advanced same-drive ARK forensic tool available at the moment, but it is not an easy tool to use to its purpose unless you know what you're doing :thumb:

    If you do not have any experience and knowledge of rootkits, both legitimate and malware, then it potentially equates to giving a child a loaded gun: sooner or later the trigger gets pulled, and the end result is potential for a disaster depending on where the gun was aimed.

    This is not meant to detract from what is the most effective ARK tool, but to highlight that it is not suitable for beginners unless they are using it under instruction from someone who understands it.

    I notice in the first post Ocky mentions false positives (F/Ps). There are no false positives with the RKU tool, as it is reporting what it is programmed to see.

    The nature of these tools is to see hidden processes, drivers, ADS, hooks and so on, but the trouble is a lot of legitimate stuff will also produce these values/files etc.
    This is where using a good ARK tool becomes more like using HijackThis as a diagnostic tool: the onus is on the user to differentiate between legitimate and bad stuff by knowing which values are bad/suspicious/good and taking the prerequisite action.

    Legitimate hooks are not F/Ps, since they are in fact hooks.

    OK, so RKU will be beyond the average user's ability unless guided, so what are the other options?

    None in my eyes, since they all miss stuff that RKU can detect, and it only takes that one miss to leave you potentially backdoored with an own3d 'puter :mad:

    The two ARKs principally being used by malware removal experts at the moment are BlackLight Beta (and I will say *cough* Rustock loaded but the system is clean :oops:)
    and GMER, which produces an even more confusing pool of data from a system when it runs and still is not quite as talented as RKU as a forensic tool.

    TheTOM_SK, FYI I have now extensively tested NOD32's ARK properties and can honestly say it has limited capabilities. If a dropper bypasses the AV real-time and loads its payload, then depending on the trojan involved it's game over, and NOD32 is *blind* :'( to 4/6 of my most advanced rootkit malwares.

    The trend at the moment, or at least the advertising hype, is that the moment a security software can detect a few malware rootkits/trojans it suddenly has full ARK capability. It's a shame about all the rest that it misses, thus sleeping through the whole process and giving a false clean system report at the end :thumbd:
     
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Thanks to all for your input! After a few hours of studying the various posts from the ultra experienced, i.e. fcukdat, EASTER, others, the Castle Cops forum, and of course visiting Rootkit UnHooker's forum and reading some of EP_XOFF's posts, I realise that I would need a few more hours before becoming an expert ... :p :D ;) and being able to appreciate the awesome power of Rootkit UnHooker.
    As it is my system is clean and running well, so I don't want to start playing 'dangerous' games - at least for now. The limited detection provided by NOD32 and SUPERAntispyware is surely better than absolutely nothing; but I see your point fcukdat.
    I mentioned Sophos only because it seems more user friendly (for novices at this).

    Any hints on the surprises that might be in store if a rootkit should sneak in? :D
     
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    IME around half the time my 'puter has had a malware rootkit install it has BSoD'ed. This is not to say that BSoD = rootkit activity, but it is a sign of something not being well.

    A good malware rootkit will not leave any calling cards for you to pick up. The object of a rootkit is to hide itself, its payload and its activities from being discovered.
    Case example being Rustock:

    Loads as a driver, so no appearance in Task Manager as an active process, hides its service entry once loaded and opens a backdoor/does business whilst all software firewalls/AVs sleep through its performance. Unless you had the right tools you would never know it was loaded :'(

    In your case SAS will see it if present and effect a clean removal :D
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I would definitely have RkU installed; also use IceSword (instructions) and check for what your antimalware cannot see.
    SAS :thumb:

    Also liveCD.
     
  9. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    OK. Thanks. Maybe I'll start with IceSword, not quite the King here in the forum, but it seems to be second favourite.

    After reading the instructions via the link posted by Meriadoc, it seems quite manageable. I am reasonably familiar with the Windows registry and use RegSeeker and jv16 almost daily.
    What's amenable to me is that the program does not use an installer and can simply be unzipped to my chosen location. To remove it I can simply delete the IceSword folder. (I suppose that's the easiest part of using an anti-rootkit. :D )

    Question: Can anti-rootkits run properly in safe mode? If not, is it enough to just close all running apps, including the firewall, and in my case disable AMON and IMON etc. in NOD32 and additionally disconnect the router?

    Question to fcukdat: Please give your valued opinion on IceSword (as a start for me to get used to anti-rootkits), if you have the time to spare.

    Regards.
     
  10. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    If you can understand IceSword then RKU should be within your sights too. Both tools rely on the user being able to interpret data as good/bad or suspicious and requiring further investigation.

    FWIW I have IceSword in my toolbox, but not as an ARK tool; rather because it has some useful subtools attached. Regedit, forced delete and copy file all in the one software is quite handy for me :thumb:

    Being wholly honest, the way I have learnt to use/understand RKU data is with first-hand experience of rootkit malwares. The same can be said of HijackThis experts: they all become accustomed to seeing known or suspicious stuff that needs further research etc., hence the training they undergo with real-life scenarios.

    I ran a couple of demonstration tests up at the CC Rootkit Revelations forum when RKU got the home team seal of approval with 6 of the most advanced malware rootkits going. The hidden file scan made it seem like a doddle to identify the culprits ;)
    http://www.castlecops.com/p901545-Rootkit_Unhooker_v3_20_Approved.html#901545

    Anyway, all the best in the learning paths you choose. Learning is a journey not a destination, and we are all still learning :)
     
  11. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I reiterate my appreciation for your, and other members', help and guidance, which I am sure will benefit all potential or fresh ARK users. :thumb:
    Now, hopefully my last pre-install (of RKU) question taken from my previous post.
    Also please advise whether RKU comes with an uninstaller.

    Regards.
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Ocky

    Yes, it does come with an uninstaller :)

    Right, IceSword works in safe mode, but not too many others do because of how they go about business.

    I would not suggest switching off your security software when using this tool. Admittedly it will return data on hooks/drivers and processes created by these softwares, but then you are getting a peek into the workings of your software. If your security software fires off alerts about RKU starting a service/executable or driver, then let them run, or else the software will not install & work.

    Do not wipe or dump using the software unless someone gives you a second opinion on what you are doing. If you find anything suspicious, the *copy* file will bag you a copy to upload to an online malware checker, and also using a search engine for a filename sometimes yields good information.

    Alternatively, if in doubt post a scan report at the Sysinternals forums or the RKU support forums and I'm sure someone will help you with support info & advice :thumb:
     
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I am using UnHackMe.

    Best,
    Jerry
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    If you are not sure what anti-rootkits do and how to interpret results, then you should not install any such applications. There's a fair chance you will break your system before real malware does it.
    Mrk
     
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    You are quite right. I basically want a revealer, and confirmation when uploading reports. Depending on the severity/complexity of the rootkit, I would then decide whether to tackle removal myself or to restore my most recent image of the primary active partition (including MBR just in case) with Acronis.

    Judging by the Rootkit Unhooker forum and the number of 'log help' entries, most members don't seem to fully understand the scan reports; e.g. inline hooks with unknown modules - normal or discrepancy etc.
    So, if I am not mistaken a great reliance is placed on obtaining help from those members, including the developer, who know what they are talking about.
    Given the scenario of being able to image if necessary, and obtaining advice before wiping/deleting/terminating - I think that I will go ahead. If anything the exercise should be interesting. :cool:
     