Free rootkit detector from Sysinternals

Discussion in 'other anti-malware software' started by wolfpack, Feb 22, 2005.

Thread Status:
Not open for further replies.
  1. cluessnewbie

    cluessnewbie Guest

    From what I have observed, often when one is misunderstood, it is because one does not write clearly.


    Obviously, I wasn't suggesting that they would deal directly and above board. But even covertly, there is a risk of being caught. Internal documents, for example. As for using them... that is even dumber.

    My point is at any point in time there are dozens of malware not detectable by any scanner. Collecting them all would be impossible and pointless.

    I see you are very hung up about Hacker Defender. But if you really think Hacker Defender is the only one that is immune to Sysinternals' rootkit detector, you really don't know much. No offence intended.


    They might, but how to beat Sysinternals' rootkit detector is pretty well documented. Technically, it would be tough for all but the top-rank programmers (of which the authorities have more than enough), but theoretically there is nothing interesting to see.

    As pointed out a billion times, rootkits do not automatically install on the targets. Besides, do you really think that the way to a secure network is to download and/or buy every malware on offer and test it against the network? That is really funny.

    Another flaw in your theory is that each version of Hacker Defender that is undetectable is supposed to be unique to each buyer.

    FUD. Not relevant anyway, see above.



    Learn to read. I didn't say you can detect rootkits 100%. Rather, when the technical specs of any rootkit are known, it can be beaten. And similarly, when the details of any rootkit detector are known, it can be beaten.

    The only thing special about the so-called gold version of Hacker Defender is that it's not publicly available. Sure, the good guys could buy it, analyse it and beat it, but that wouldn't stop yet another rootkit which they didn't buy or isn't for sale.

    If the Feds want to play this game, the rootkit writers would become incredibly wealthy quickly.

    For research purposes or for real?

    As I said, you need to work on your logic. If I told you here, it wouldn't be public, would it?

    -
     
  2. cluessnewbie

    cluessnewbie Guest

    Irony.


    Do remember that my initial response was to Spy1 and not to you. And he was suggesting exactly that.

    Let me repeat myself a second time. Rootkits don't auto-install themselves. Preventing them does not involve researching rootkits, but rather researching the avenues and vectors of infection that allow an attacker to gain access. Detecting rootkits is a reactive measure that works only against a given known rootkit. And for every well-known Hacker Defender there are a dozen other undetectables....

    I might see that some people would want to research rootkits to scratch a curiosity itch, but for all practical purposes there is no way at all to be 100% sure you are rootkit-free by running local software on the computer that is suspect.



    Nobody says they don't work. But by themselves they are harmless, unless the attacker is able to exploit some security hole in the system to install them. Even if I had the most undetectable rootkit in the world, it would do me no good if I couldn't get it installed.


    I'm not really surprised that you aren't aware that there are many antivirus companies that focus only on in-the-wild viruses. They don't care at all about all the other zoo viruses that are available but are not spreading. Eset NOD is one example. AVG another.

    Besides, the FBI, CIA, whatever are not antivirus companies! You seem to think that their job involves analyzing every piece of malware out there. That's furthest from the truth.


    Here's something to set you thinking. Ever wondered how a vxer can make an offer like that? Clearly it's not that difficult; if he wanted to, he could pump out thousands of such variants using various techniques like code permutation and whatnot, so what?

    Well, if I were you, I would focus on reading some of the links you actually put up. It's easy to hit security sites and start aggregating links, but do you actually read them? From many of your posts, I suspect not.

    Well it's hard to share when the other guy thinks he is always right. I have followed your posting history here Spanner, and despite claiming you are always learning, in most threads, you always claim you are right, and you never change your position, even when you are clearly outclassed.

    That goes for a lot of people here.
     
  3. scott lang

    scott lang Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    211
    Location:
    claremore,ok
    Boy, it's getting heated in here, shewwwww!!!!
     
  4. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Spanner, as noted in your above post, I have merged it back into this thread and removed the irrelevant posts made discussing the move.

    This thread has indeed gone off-topic with personal remarks, which stops now.

    If the parties involved cannot be civil towards each other, and agree to disagree without bringing personal attacks into their posts, then this thread won't be open much longer and everyone loses.

    Further personal remarks will result in this thread being closed.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: Root Cause!

    If you have ShadowUser or Deep Freeze and reboot each day, then you don't have to worry about it.

    -Rmus
     
  6. cluessnewbie

    cluessnewbie Guest

    Re: Root Cause!

    True, but that's a general preventive measure. What Spanner is trying to argue is that the Feds or whatnot are interested in studying every rootkit out there that is not detected by scanners to help protect the public. I'm saying this is an inefficient and futile way to handle rootkits.

    Now to answer Spanner

    You keep assuming I think his stuff doesn't work. I'm sure it does against known detectors; my point is, he can easily churn out a million variants not detectable, so it makes little sense for anyone to try to get all of them.

    So are you saying now that the authorities don't care about viruses and spyware and they are scared of rootkits only? LOL, if you really believe the authorities try to protect us by analysing malware, this means they would have to analyse viruses, trojans etc. When I pointed out how absurd such a notion is, you suddenly decide they do it for rootkits only.

    Unfortunately for you, even if they focused on rootkits, it would be an impossible task.

    And the NSA's primary mission, btw, is code breaking, not mucking around with rootkits.

    I never said you said anything of that sort either :) . You do seem to be ignoring my point though (until now). That is, there is little gain to be had from trying to beat individual rootkits if the aim is to protect the public. Antivirus and antitrojan companies have to try though, but the authorities work on a higher level; their solutions will not be so short term.

    Let's summarise again the reasons why you think the Feds might want to acquire a copy of a rootkit that I'm selling.

    1) For use against other people - offensive role. - You already agree this isn't likely. I suppose though, for a very interesting piece of rootkit, they might reverse engineer it, and use the technique and incorporate it in a rootkit they have written themselves.

    2) To protect the public - I've already pointed out, and you have agreed, that it is pointless and inefficient to beat rootkits on an individual basis. The very nature of rootkits means that they can be engineered to beat any known specific rootkit detector.

    3) To protect themselves - The same thing goes as 2), though they might create their own custom solution but keep it quiet.
     
  7. controler

    controler Guest

    Hello!!!!!!!!! I am back, only with coffeeeeee this time :D

    One thing we shouldn't forget is Magic Lantern, ok?
    Was this a Trojan keylogger? From what I understand, the early version was installed manually by agents, who went into the home while nobody was there.

    This program kinda worked but not as well as they wanted it to.
    They then tried to get some of the well known AT coders to help them re-do it.
    I am not sure if we will ever know how it turned out but you really don't hear much about it anymore.

    So you see, I would have to say yes, the GOV does use whatever they can get their hands on, and more so now after 9/11.

    I like to think AV-AT makers would not agree to not flag the GOV's software also.
    We heard rumors of some AT-AV makers that were asked not to detect Gov keyloggers. o_O

    I do agree that without programs like PG, you can change the entry point etc.
    to make it undetectable very easily. Just with a simple PE editor.

    AT-AV makers are trying to keep up and in some cases stay ahead of the game but I am not so sure they can.

    Now, if I even see someone posting the word format, I have to run right over to my computer & do it LOL

    Hope everyone is having a nice spring :D

    Bruce
     
  8. ch0pper

    ch0pper Guest

    Last edited by a moderator: Apr 13, 2005
  9. controler

    controler Guest

    I am sure you all know by now that if there is ever another World War,
    much more massive hacking will take place as a line of offence & defence.

    As we type countries are using cyber war against each other.
    Look how it soared during the Iraq invasion.

    This was just a side note to remember.

    bruce
     
  10. kareldjag1

    kareldjag1 Guest

  11. ch0pper

    ch0pper Guest

    Sorry admin, I did not know of your

    Wilders Security Forums Terms Of Service

    Anyway, the host has suspended the page:

    Visitors
    We are sorry but this site is experiencing difficulties at this time.
    Please return shortly!
    Thank you for your patience.


    Webmaster - please contact support as soon as possible.
     
  12. manOFpeace

    manOFpeace Registered Member

    Joined:
    Feb 1, 2003
    Posts:
    717
    Location:
    Ireland
    Hi, I scanned with the free "Rootkit Detector" from Sysinternals.
    It found 31 discrepancies.
    What differences should I be seeing on my computer, because there is little difference between now and when purchased almost 3 years ago. o_O
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi manOFpeace,

    Given the protection listed in your sig, I would suspect false positives, usually caused by registry changes while the scan is in progress. Regarding the differences that you might see, you should understand that a rootkit is only a "wrapper" that is designed to stealth other "tools of the trade". You may notice degraded performance, missing disk space, slow browsing, or you may notice nothing.

    Nick
     
  14. manOFpeace

    manOFpeace Registered Member

    Joined:
    Feb 1, 2003
    Posts:
    717
    Location:
    Ireland
    Thank-you nick s, a very detailed and satisfactory reply. :)
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Well, after seeing this post, I decided to check out the Sysinternals RootkitRevealer.

    It only found one thing in my registry, and I'm not sure if it's OK or not.

    Could someone please give me their thoughts. I will attach a screenshot.

    TIA,

    Jag
     


  16. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Jaguar,

    The key in question, ...\CurrentVersion\Reinstall points to driver reinstall folders and files located in C:\WINDOWS\system32\ReinstallBackups. There should be a matching folder name with the same strange characters. Take a look in that folder and see if the drivers look familiar. Keep in mind that a rootkit installation involves much more than one registry entry. I would not be concerned.

    Nick
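    The check nick s describes (each subkey under the Reinstall key should have a same-named folder under system32\ReinstallBackups) can be scripted. The following PowerShell is an added example, not code from the thread, from Sysinternals or from RootkitRevealer. It assumes the full key path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall completes the "...\CurrentVersion\Reinstall" shown in the post, and it dumps whatever values each subkey holds rather than assuming particular value names, so the odd-looking subkey names can be matched to a driver.

```powershell
# Added example (not from the thread): cross-check driver-reinstall
# bookkeeping keys against their backup folders.
# Assumption: this full path completes the "...\CurrentVersion\Reinstall"
# tail quoted in the thread.
$DefaultReinstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall'
# Backup folder location as stated in the thread.
$DefaultBackupRoot   = Join-Path $env:SystemRoot 'system32\ReinstallBackups'

function Get-ReinstallEntry {
    param(
        [string]$KeyPath    = $DefaultReinstallKey,
        [string]$BackupRoot = $DefaultBackupRoot
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Verbose "No Reinstall key at $KeyPath"
        return
    }
    # -LiteralPath throughout: the subkey names may contain characters
    # that the wildcard-aware -Path parameter would misinterpret.
    foreach ($sub in Get-ChildItem -LiteralPath $KeyPath) {
        $values = Get-ItemProperty -LiteralPath $sub.PSPath
        $folder = Join-Path $BackupRoot $sub.PSChildName
        $exists = Test-Path -LiteralPath $folder -PathType Container

        # Flatten every registry value (skipping the PS* provider noise)
        # so the entry can be identified without guessing value names.
        $valueText = ($values.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '

        $infFiles = ''
        if ($exists) {
            $infFiles = (Get-ChildItem -LiteralPath $folder -Recurse -Filter *.inf -File |
                Select-Object -ExpandProperty Name) -join ', '
        }

        [pscustomobject]@{
            SubKey       = $sub.PSChildName
            BackupFolder = $folder
            FolderExists = $exists
            InfFiles     = $infFiles
            Values       = $valueText
        }
    }
}

# Entries with FolderExists = False first: that is the key-without-folder
# situation the later posts attribute to a driver-cleanup tool, and the
# Values column is what identifies which driver the entry belonged to.
Get-ReinstallEntry | Sort-Object FolderExists | Format-List
```

    Run it in an ordinary PowerShell session; reading HKLM does not need elevation. A subkey whose folder is missing is a bookkeeping leftover to identify from its Values, not by itself evidence of anything hidden; as the post says, a rootkit installation involves much more than one registry entry.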
     
  17. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
    Jaguar,

    I have the same odd registry entry as you have. In looking in the registry, this is for the ATI Catalyst driver. There is no folder to match this in C:\Windows\System32\Reinstallbackups.

    I "think" this odd registry entry is coming from using Driver Cleaner during the upgrade process for the ATI drivers. I cannot see where it is causing any problems.
     
  18. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Siliconman01,

    Thanks for your reply as well as nick s.

    You are correct, I do not have the folder at C:\Windows\System32\Reinstallbackups either.

    I peeked at the registry as well and yes, I do see something in there for the ATI drivers. I use the Catalyst 5.2 ATI drivers (with Control Panel) and use Driver Cleaner regularly when upgrading. So that must be it. :)

    Thanks again to you both for the quick responses.

    Regards,

    Jag
     
  19. Newbie0502

    Newbie0502 Guest

    Hi folks,

    Used RootkitRevealer & blbeta today. Saw some entries that made me curious. Googling them brought me here. You guys answered all my questions.

    I see a couple of queries about Reinstall. I have a Dell m/c and the listed Reinstall entries pointed to some Dell drivers, at locations that I probably deleted, \dell\drivers or \temp. I must have stopped using the associated hw, or Windows includes drivers (or updates) for them by default, as I see no "driver not found" complaints.

    Cheers!
     