How good is Ewido at detecting rootkits?

Discussion in 'other anti-trojan software' started by serioussam, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. serioussam

    serioussam Guest

    Does anyone know how good Ewido would be at finding rootkits through a manual scan with the program? Either through sigs or heuristics.

    If Ewido is not too strong in this area, I think it would be a good thing to add as many rootkit sigs as possible to the defs of Ewido, or incorporate other ways (heuristics?) to find them.

    Thanks.
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I think the person that could best answer this is FISH and I happen to know he will probably not be on Wilders for another week or so.

    Here is what I do know. It is claimed that the best applications for finding rootkits are rootkit detectors. Most rootkit detectors are fairly good at finding rootkits that are posted publicly on various malware sites.

    However, it is claimed by the author of Hacker Defender that the Gold version of the latest Hacker Defender can elude detection from all known rootkit detectors.

    The best bet is to not ever get a rootkit on your system.



    Starrob
     
  3. FatalChaos

    FatalChaos Registered Member

    Joined:
    Aug 6, 2005
    Posts:
    98
    Wasn't there some firm in China that made a program that could get the rootkit? I remember there was an article on it a while back here on Wilders.
     
  4. dog

    dog Guest

    The post by guest warren godin has been removed - as per our TOS

    Regards;

    Steve
     
  5. passing thru

    passing thru Guest

    I believe that scanning in Safe Mode will improve your chances of detecting the presence of a rootkit with any signature-based scanner. Keep in mind, though, that rootkits can be set to run in Safe Mode as well (which is a good reason to somehow protect the HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot registry keys).
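    A detective check for that, as an added example that is not from the thread: the Python below parses a regedit export of the SafeBoot keys and diffs it against a baseline export, so a service or driver that has been registered to load in Safe Mode stands out. The two exports in the code are constructed samples, not an authoritative list of legitimate entries.

```python
r"""Audit the SafeBoot keys: parse a regedit export of
HKLM\SYSTEM\<ControlSet>\Control\SafeBoot and diff it against a baseline
export, flagging services or drivers that were added (and so would also
load in Safe Mode), changed or removed.

Added example, not from the thread. Both exports below are constructed; a
real baseline is exported from a known-clean machine of the same Windows
build (reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot base.reg).
"""
import re
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]   # (boot mode, entry name), e.g. ("Minimal", "rpcss")

# Header line of a SafeBoot subkey block in a .reg export, e.g.
# [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs]
SAFEBOOT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Control\\SafeBoot"
    r"\\(?P<mode>Minimal|Network)\\(?P<entry>[^\]]+)\]$",
    re.IGNORECASE,
)
# The subkey's default value names the entry type ("Service", "Driver", ...).
DEFAULT_VALUE = re.compile(r'^@="(?P<val>.*)"$')


def parse_safeboot_export(text: str) -> Dict[Key, str]:
    """Map each SafeBoot Minimal/Network subkey in a .reg export to its
    default value. Entry names are lower-cased because the registry is
    case-insensitive. regedit writes UTF-16 with a BOM: decode first."""
    entries: Dict[Key, str] = {}
    current: Optional[Key] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                   # start of a key block
            m = SAFEBOOT_KEY.match(line)
            current = (m.group("mode").capitalize(), m.group("entry").lower()) if m else None
            if current is not None:
                entries.setdefault(current, "")    # subkey with no default value
        elif current is not None:
            v = DEFAULT_VALUE.match(line)
            if v:
                entries[current] = v.group("val")
    return entries


def audit_safeboot(export: Dict[Key, str], baseline: Dict[Key, str]
                   ) -> Tuple[List[Key], List[Key], List[Key]]:
    """Return (added, changed, missing) relative to the baseline. 'added' is
    the list to read first: a rootkit that wants to keep running during a
    Safe Mode scan needs its service or driver registered under SafeBoot."""
    added = sorted(k for k in export if k not in baseline)
    changed = sorted(k for k in export if k in baseline and export[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in export)
    return added, changed, missing


# Constructed baseline export (three entries are enough to show the mechanics).
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

# Constructed export from the machine under review: a made-up service
# "hiddensvc" has appeared under Minimal and vga.sys is gone.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hiddensvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcSs]
@="Service"
"""


def run_sample_audit() -> Tuple[List[Key], List[Key], List[Key]]:
    """Audit the constructed export against the constructed baseline."""
    return audit_safeboot(parse_safeboot_export(SUSPECT_REG),
                          parse_safeboot_export(BASELINE_REG))
```

    Any entry in the "added" list that is not a known component of that Windows build deserves a look at the service or driver it names.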
     
  6. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,276
    Location:
    Earth
    "which is a good reason to somehow protect the HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot registry keys"

    How would that be done? Thanks, MD
     
  7. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Yes, but I also think I read somewhere that Hacker Defender has now been developed so that the private versions can also defeat IceSword. I am not sure if it is true or not.

    Here is the list that the private version of Hacker defender claims to beat:

    Golden Hacker Defender includes

    * protection against all AV, unique version and source code for both main module and driver module
    * separation between hidden processes and hidden files in inifile
    * outbound TCP connection hiding
    * Rootkit Detector 0.61, 0.62 antidetection
    * modern detectors antidetection engine with antidetection against
        o F-Secure BlackLight 1.0.1017.0, 1.2.1003.0, 1.3.1015, 1.4.1003, 1.5.1002, 2.0.1008, 2.1.1010, 2.1.1012, 2.1.1013
        o F-Secure BlackLight console 1.25.1006.0, 1.28.1006.0
        o Sysinternals RootkitRevealer v1.00, v1.01, v1.10, v1.20, v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
        o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
        o RootKit Shark 3.11, 3.22, 3.27
        o RegdatXP v1.41
        o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
        o Flister 0.1
        o Find Hidden Service 1.0, 1.1
        o Kernel SC 1.3
        o Kernel PS 0.4, 1.0
        o Klister 0.4
        o Process Magic 1.0
        o KProcCheck 0.1, 0.2-beta1, 0.2-beta2
        o TaskInfo 6.0.1.134
        o KHS - kill hide services 0.1


    Silver Hacker Defender includes

    * protection against all AV, unique version and source code for both main module and driver module
    * separation between hidden processes and hidden files in inifile
    * outbound TCP connection hiding
    * Rootkit Detector 0.61, 0.62 antidetection
    * modern detectors antidetection engine with antidetection against
        o F-Secure BlackLight 2.1.1013
        o Sysinternals RootkitRevealer v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
        o UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta 2, 2.5
        o Malicious Software Removal Tool 1.3.586.0, 1.4.639.0, 1.5.661.0, 1.6.710.0, 1.7.755.0
        o Flister 0.1
        o Find Hidden Service 1.0, 1.1
        o Klister 0.4





    From the way I understand things, almost as soon as a rootkit detector claims it can detect all rootkits, the rootkit authors begin developing ways to evade that particular rootkit detector.

    As the author of F-secure states in that article:

    "Rootkit detection is a cat-and-mouse game. Sometimes the rootkit authors are ahead, sometimes the antirootkit authors. We can at the moment detect all rootkit samples that we have access to, but that may change as soon as a new, more advanced rootkit is published. We will naturally respond with improved detection when that happens. There are still no signs that this race will slow down. This makes it even harder to name the best antirootkit tool. ..."

    From the little I have read, the best rootkit detector is a private build rootkit detector....One that has not had its detection methods analyzed. Once the author of a rootkit detector begins bragging that it can detect all rootkits, then it is only a matter of time before private build versions of rootkits are built that can evade the detection.

    I think most public rootkit detectors can detect most public rootkits but that is about it.




    Starrob
     
  9. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    MD,
    To do it properly you would need an application like RegDefend, see the forum here at Wilders.

    This method of protection is the latest "must have", so everyone wants to have one and all the vendors want to be selling one. It's early in the lifecycle of this type of application, so you can expect more competing applications.

    It is too early to say what the feature differences will be, but there are bound to be dumbed down versions that "do it all for you" as well as ones that let you do it all yourself. Either way the applications will need to be well optimised, otherwise they have a lot of potential to start slowing down "normal operations".

    Regards
     
  10. ?i?i?

    ?i?i? Guest

    @Starrob You forgot Brilliant Hacker Defender Forever ... ;-)

    -------------------------

    Brilliant Hacker Defender Forever has the same features as the Brilliant Hacker Defender package with the addition of Antivirus support and Antidetection engine support, both for 6 months. Only this package comes with support for new detectors, not only for new versions of existing detectors. The package contains these features:

    Antivirus protection
    Antivirus support 6 months
    Source code
    Internal inifile
    Logoner
    Antidetection engine
    F-Secure BlackLight 1.0.1017.0, 1.2.1003.0, 1.3.1015, 1.4.1003, 1.5.1002, 2.0.1008, 2.1.1010, 2.1.1012, 2.1.1013
    F-Secure BlackLight Console 1.25.1006.0, 1.28.1006.0
    Find Hidden Service 1.0, 1.1
    Flister 0.1
    IceSword 1.04, 1.06, 1.06b, 1.08, 1.10
    Kernel SC 1.3
    Kernel PS 0.4, 1.0
    KHS 0.1
    Klister 0.4
    KProcCheck 0.1, 0.2-beta1, 0.2-beta2
    modGREPER 0.1, 0.2
    Process Magic V1.0 by WinEggDrop
    RegdatXP 1.41
    RootkitRevealer v1.00, v1.01, v1.10, v1.20, v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55
    RootKitShark 3.11, 3.22, 3.27
    TaskInfo 6.0.1.134
    UnHackMe 1.0, 2.0, 2.5 beta, 2.5 beta2, 2.5
    Antidetection engine support 6 months

    package price: 900 EUR


    Features:

    Antivirus protection

    This feature is included in every paid version of Hacker Defender. The code of the public version is scrambled and properly changed to avoid antivirus detection. Tests against eight antivirus products (Avast!, AVG, Kaspersky, McAfee, NOD32, Norton, Panda, PC-cillin) with the newest upgrades are always made before the customer receives the final product. The code is always unique for each customer, which means that detection of one customer's product should not affect other customers' products. If you want extra protection against more antivirus products, write your wish in the special wishes box. The price for extra protection is set individually.

    price: 100 EUR


    Antivirus support

    Every paid version is unique for each customer and is not detected by the mentioned antivirus products. However, it is possible, and it happens from time to time, that some antivirus vendor comes up with a new pattern for Hacker Defender detection. This can also affect paid versions. This is why the Antivirus support feature is offered. You can choose one of three options that differ only in their length. Prices are valid for the standard Antivirus protection pack that consists of eight antivirus products (see above). If support for extra protection is also needed, please write this separately in the special wishes box. The price for extra protection support is set individually. All updates are available on demand, and what matters is the time the update request is received. Support starts immediately after the package is sent to a customer. If we are not able to provide the appropriate upgrade, you'll get the money you paid for this feature back. When the support expires, the customer can renew it by paying the price for the support feature again.

    Antivirus support 1 month: price: 30 EUR
    Antivirus support 3 months: price: 80 EUR
    Antivirus support 6 months: price: 150 EUR

    Source code

    Those who can code and want to see how the paid features work, or want to modify their paid version by adding their own functionality, can buy the Source code. The full source code of all parts is included so that the customer can recompile the whole product without problems. The code is based on the code of the public version, but the new features are better commented.

    price: 60 EUR


    Internal inifile

    The basic version of Hacker Defender relies on an external inifile that contains all user settings. This feature consists of an external tool that is used to bind a valid inifile to the main module so that only one file is needed for rootkit installation. This inifile is plain text (except the backdoor password) written into the main module's overlay. When the rootkit is run, it first checks for the external inifile to read its settings. If there is no external inifile, it looks in the overlay for the internal inifile.

    price: 20 EUR


    Logoner

    This feature adds hooking of the Windows logon API to catch all logon information typed after rootkit installation. The logon information, with encrypted passwords, is written to the file whose name is specified in the inifile. Username, password and domain are caught from desktop lock and terminal services logon as well as from standard logon.

    price: 80 EUR


    Antidetection engine

    Antivirus vendors and other security companies, as well as individual researchers, care more and more about the detection of rootkits. There are several applications that specialize in rootkit detection and elimination. Hacker Defender, as a user mode rootkit, is not able to hide from the sight of these special, mostly kernel mode based tools. However, a special Antidetection engine for Hacker Defender was implemented to fight these detectors. This engine works like a basic antivirus engine with some advanced features. It scans running programs for patterns and behaves according to the defined entries in its database. The important feature of this engine is that it can't be cheated using packers, encryptors or antidebugging tricks. There is no known rootkit detector today that can't be bypassed with this engine. This feature consists of the engine and its modules (the database of detectors). The price for the various detectors differs because some detectors can be bypassed very easily but others can't be bypassed without very sophisticated database records.

    price: 75 EUR


    F-Secure BlackLight

    F-Secure is a well known antivirus company. Its product for rootkit detection is called BlackLight. It can find hidden processes and files on an infected machine and take basic actions to unhide them. It is still under development, so many versions of this detector have been released. However, all versions of the BlackLight detector are limited, and older ones do not work without a patch or without setting a proper system time.

    F-Secure BlackLight 2.1.1013: price: 20 EUR
    F-Secure BlackLight 2.1.1012: price: 20 EUR
    F-Secure BlackLight 2.1.1010: price: 15 EUR
    F-Secure BlackLight 2.0.1008: price: 10 EUR
    F-Secure BlackLight 1.5.1002: price: 5 EUR
    F-Secure BlackLight 1.4.1003: price: 5 EUR
    F-Secure BlackLight 1.3.1015: price: 5 EUR
    F-Secure BlackLight 1.0.1017.0, 1.2.1003.0: price: 5 EUR
    F-Secure BlackLight Console 1.25.1006.0, 1.28.1006.0: price: 5 EUR

    Find Hidden Service 1.0, 1.1

    FHS is a very tiny implementation of registry hive scanning. Because it reads the binary hive files rather than using the common Windows API to read registry keys, it can find hidden services.

    price: 10 EUR


    Flister 0.1

    Flister can find hidden files on disk using a non-hooked version of the native file enumerating API or by exploiting a bug in rootkit implementations.

    price: 15 EUR


    IceSword base (version 1.10) (xfocus download mirror)

    The most powerful rootkit detector (especially against usermode rootkits), with many features and ways to reveal hidden things on a machine. The public version of Hacker Defender can be found in IceSword's process list, open ports, active driver list, services list, SSDT list, process and thread notifications, registry browser and file browser. All of these are bypassed by this module for the antidetection engine. IceSword base includes protection against version 1.10; it is required for protection against all other available versions but can be used separately too.

    price: 100 EUR

    IceSword 1.04: price: 10 EUR
    IceSword 1.06: price: 15 EUR
    IceSword 1.06b: price: 20 EUR
    IceSword 1.08: price: 20 EUR


    Kernel SC 1.3

    Another small program that reads registry values without being hooked. This one is able not only to find hidden services but also to disable them.

    price: 15 EUR


    Kernel PS

    Kernel PS uses a kernel driver to get information about running processes, marking those that are hidden from the usermode view.

    Kernel PS 1.0: price: 15 EUR
    Kernel PS 0.4: price: 15 EUR

    KHS 0.1

    Just another hidden service detector.

    price: 10 EUR


    Klister 0.4

    Klister is a tool for Windows 2000 that reads kernel structures to enumerate all running processes on the machine.

    price: 10 EUR


    KProcCheck

    A smart tool for enumerating running processes. Using several different methods in the kernel and comparing with usermode lists, it can find hidden processes.

    KProcCheck 0.2-beta2: price: 15 EUR
    KProcCheck 0.2-beta1: price: 10 EUR
    KProcCheck 0.1: price: 5 EUR


    modGREPER 0.1, 0.2

    This tool scans kernel memory to find all installed kernel modules. With the public version of Hacker Defender, this tool can be used to find its driver.

    price: 20 EUR


    Process Magic V1.0 by WinEggDrop

    Tool for enumerating and hiding running processes.

    price: 10 EUR


    RegdatXP 1.41

    Alternative registry browser with many other features that can be used to find hidden registry keys.

    price: 10 EUR


    RootkitRevealer

    Rootkit detector from the famous Sysinternals team. It reads the raw file system structure and raw registry hives to find hidden files and registry entries.

    RootkitRevealer v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55: price: 20 EUR

    RootkitRevealer v1.00, v1.01, v1.10, v1.20: price: 5 EUR


    RootKitShark 3.11, 3.22, 3.27

    Yet another detector based on raw registry hive scanning.

    price: 10 EUR


    TaskInfo 6.0.1.134

    Featured Windows information tool with anti-rootkit capabilities that can show hidden processes, files and kernel drivers.

    price: 30 EUR


    UnHackMe

    Commercial detector for rootkits, trojan horses, spyware and other malware.

    UnHackMe 2.5 beta, 2.5 beta2, 2.5: price: 15 EUR
    UnHackMe 1.0, 2.0: price: 10 EUR


    Antidetection engine support

    There are always new detectors and new versions of them. Adding a new detector to the engine's database can be very easy for almost everyone with a little coding skill but can also be very difficult even for a code master. Antidetection engine support is the solution for everyone who wants to keep his/her version protected against the newest detectors. However, this support differs between Hacker Defender packages. Firstly, the support consists of updates for the detectors available in the list above. Secondly, except for the Brilliant packages, antidetection updates are available only for the families of detectors supported by the package. This means that a smaller package that does not include e.g. IceSword antidetection, but does have this engine support, won't get updates for IceSword when a new version of IceSword is released and bypassed. The only packages that also offer protection against new detector products (not just new versions of current detectors) are the Brilliant packages. All updates are available on demand, and what matters is the time the update request is received. Support starts immediately after the package is sent to a customer. If we are not able to provide the appropriate upgrade, you'll get the money you paid for this feature back. When the support expires, the customer can renew it by paying the price for the support feature again.

    Antidetection engine support 1 month: price: 40 EUR
    Antidetection engine support 3 months: price: 110 EUR
    Antidetection engine support 6 months: price: 200 EUR

    All paid versions come under the following licence agreement...

    --------------

    1.
    Just for the record: In my opinion, this is getting ridiculous. I can't see any reason why you shouldn't put the developer/malware vendor into jail. Contrary to a normal remote administration tool / trojan there appears to be no legit reason for using a rootkit.

    2.
    The above is not only a price list but also a nice summary of most available rootkit detectors.

    3.
    It seems that malware coders will face similar problems to AV/AT developers: too many malware samples or, respectively, rootkit detectors to handle ;-)

    4.
    It should be quite interesting to analyze how the anti-detection engine really works: "This engine works likewise basic antivirus engine with some advanced features. It scans running programs for patterns and behaves by defined entries in its database. The important feature of this engine is that it can't be cheated using packers, encryptors or antidebugging tricks."

    It seems to me that the anti-detection engine deactivates suspicious rootkit functions in respect of a rootkit detector. Apparently, it is signature-based. Maybe it looks for object handles in memory (because it cannot be outfoxed with the help of a crypter etc.). I am pretty sure that a careful analysis of the anti-detection engine would allow a rootkit detector to use effective countermeasures like polymorphism, combination of file & memory scanning + heuristics etc.
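    The detectors on that price list share one principle, and point 4 above describes what defeats it. The constructed simulation below (added here; it is not code from the thread or from any tool named on it) shows both: cross-view detection, where an independent low-level read of the same objects is compared against what the hooked user-mode API reports, and an anti-detection engine that simply stops hiding while a process whose name matches its database is running, so the same scan finds nothing under a known name and finds the hidden entry under an unfamiliar one. The host, the hidden-name patterns and the detector-name database are all made up.

```python
"""Cross-view detection, the principle shared by the detectors on that price
list (RootkitRevealer, FHS, KProcCheck: compare what the hooked user-mode API
reports with an independent low-level read of the same objects), and how an
anti-detection engine that recognises the detector's process name defeats it.

Added example, not from the thread or from any tool named there. The host,
its hidden-name patterns and the detector-name database are all constructed.
"""
from fnmatch import fnmatch
from typing import Dict, List, Set


class SimulatedHost:
    """A host whose user-mode enumeration API is hooked: names matching a
    hidden pattern are dropped from the API view, except while a process
    whose name matches the anti-detection database is running."""

    def __init__(self, objects: Set[str], hidden_patterns: List[str],
                 detector_db: List[str]) -> None:
        self.objects = set(objects)        # ground truth, e.g. installed services
        self.hidden_patterns = hidden_patterns
        self.detector_db = detector_db
        self.running: Set[str] = set()     # process names currently running

    def _detector_seen(self) -> bool:
        """The simulated anti-detection engine: does any running process
        name match an entry in its database? (Lower-cased because fnmatch
        is case-sensitive on POSIX.)"""
        return any(fnmatch(proc.lower(), pat.lower())
                   for proc in self.running for pat in self.detector_db)

    def api_view(self) -> Set[str]:
        """What the hooked high-level API returns."""
        if self._detector_seen():
            return set(self.objects)       # hiding switched off for the detector
        return {o for o in self.objects
                if not any(fnmatch(o.lower(), p.lower()) for p in self.hidden_patterns)}

    def raw_view(self) -> Set[str]:
        """A direct read of the on-disk hive or kernel structures: not
        hooked, so the rootkit cannot filter it."""
        return set(self.objects)


def cross_view_diff(api: Set[str], raw_first: Set[str],
                    raw_second: Set[str]) -> Dict[str, List[str]]:
    """Flag entries present in the raw view but absent from the API view.
    Two raw snapshots bracket the API read: an entry not present in both is
    volatile (created or deleted mid-scan) and is reported separately rather
    than as hidden, which removes the usual source of false positives."""
    stable = raw_first & raw_second
    return {
        "hidden": sorted(stable - api),
        "volatile": sorted(raw_first ^ raw_second),
        "api_only": sorted(api - (raw_first | raw_second)),
    }


def run_detector(host: SimulatedHost, process_name: str) -> Dict[str, List[str]]:
    """Run one cross-view scan as a process with the given name."""
    host.running.add(process_name)
    try:
        first = host.raw_view()
        api = host.api_view()
        second = host.raw_view()
        return cross_view_diff(api, first, second)
    finally:
        host.running.discard(process_name)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: two ordinary services plus one the rootkit hides.
    The scan under a name in the database reports nothing; the same scan
    under an unfamiliar name reports the hidden service."""
    host = SimulatedHost(
        objects={"EventLog", "RpcSs", "hidesvc_placeholder"},
        hidden_patterns=["hidesvc*"],               # constructed inifile-style rule
        detector_db=["rootkitrevealer*", "fhs*"],   # constructed database
    )
    return {
        "known_name": run_detector(host, "RootkitRevealer.exe"),
        "renamed": run_detector(host, "a7f3c1.exe"),
    }
```

    The defender's lessons are the two things the engine relies on: the low-level view must be genuinely independent of the hooked API, and the scanner must not be recognisable by name or pattern while it runs.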
     
  11. 3 characters

    3 characters Guest


    The author probably hasn't been put into jail because the CIA, FBI and other government agencies (in other countries besides the US too) probably use his programs, LOL; that way we will never know when they're spying on us. ;) ;)
     
  12. hubbahubba

    hubbahubba Guest

    Or possibly because activist groups in the US like the ACLU would cry that some sort of violation of the author's "civil rights" was taking place.
     
  13. Governments+AV industry+ Malware authors = a three ring circus!!!!!!
     
  14. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Topic = "How good is Ewido at detecting rootkits?"

    Let's get back on it, please.
     
  15. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Ewido is a good trojan scanner but my personal opinion is that there really isn't any scanner that is good against rootkits. Public versions of AV/AT/Rootkit detectors can detect public rootkits.

    Any security professional that brags that their software can detect all rootkits will in general have their software analyzed by rootkit authors and the private version of the rootkit will be made that will evade the AV/AT/Rootkit detector that the vendor is hawking.

    The best rootkit detector is a private version that has not had its detection methods analyzed......but private versions of rootkit detectors are probably very expensive. Probably only large organizations would be in the market for them.

    The best thing for the average home user is to keep rootkits off of their computer in the first place.


    Starrob
     
  16. ?i?i?

    ?i?i? Guest

    O.k....let's talk about Ewido:

    I picked the new Hacker Defender Revisited (hxdef100r) rootkit. Ewido's file scanner (latest sigs) detects it. If you execute the rootkit file Ewido's guard detects and blocks it.

    If you allow the rootkit to start, the entire installation folder (including the rootkit files) will become invisible. Consequently, Ewido's file scanner (or any other AV/AT file scanner) will be unable to detect it.

    If you perform a manual memory scan Ewido will detect & terminate the running rootkit and all files will become visible again. This is because current rootkits can't perfectly cloak themselves in memory. The big advantage of Ewido is that it features a "full" manual memory scanner which scans the entire memory. (Such memory scanner was implemented after we performed the Flux tests demonstrating the weakness of mere process or module file scanners.)

    There will be a new generation of rootkits that will also support memory cloaking. A special demo variant of FU has already been developed. Further information can be found in the "uncensored" forum's malware section (you may know where). I do not post the information here because it would probably violate the TOS.
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493


    Thanks for the info. I'll take a look at the uncensored forum.


    Starrob
     
  18. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
  19. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I also found this link from Kaspersky:

    http://www.viruslist.com/en/analysis?pubid=168740859


    At the end it states:

    "All the methods for detecting active rootkits depend on the fact that they disrupt system functioning in one way or another. Kaspersky Lab products exploit this, which also makes them able to detect unknown rootkits. It will be more difficult to write rootkits for future versions of Windows, where it is impossible to modify system code and the system architecture. This step taken by the developers of the operating system should reduce, if only temporarily, the number of new rootkits for new versions of Windows."
     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I think I read that article before that the link refers to on that uncensored website. I don't think I could link directly to it here.

    Here are some quotes from the article titled Shadow Walker - Raising The Bar For Windows Rootkit Detection:

    "There are public rootkits which illustrate all of these various techniques, but even the most sophisticated Windows kernel rootkits, like FU, possess an inherent flaw. They subvert essentially all of the operating system's subsystems with one exception: memory management. Kernel rootkits can control the execution path of kernel code, alter kernel data, and fake system call return values, but they have not (yet) demonstrated the capability to 'hook' or fake the contents of memory seen by other running applications. In other words, public kernel rootkits are sitting ducks for in memory signature scans. Only now are security companies beginning to think of implementing memory signature scans."

    This is where AT's like Ewido excel....catching the rootkit in memory.


    Another quote:

    "One method to detect the presence of a rootkit is to detect how it alters other parameters on the computer system."

    This is basically heuristics, which I will assume is one method that most ATs use to detect rootkits in memory.

    It also appears that Kevin from BoClean might be correct in saying that it is not necessary to have kernel driven programs to combat kernel driven rootkits. From the article I am reading, it might even be more advantageous to detect the current crop of rootkits in memory.

    Another quote:

    "Although file system scans and loading detection are needed, perhaps the last layer of detection is scanning memory itself. This provides an added layer of security if the rootkit has bypassed the previous checks. Memory signatures are more reliable because the rootkit must unpack or unencrypt in order to execute. Not only can scanning memory be used to find a rootkit, it can be used to verify the integrity of the kernel itself since it has a known signature. Scanning kernel memory is also much faster than scanning everything on disk. Arbaugh et al. [11] have taken this technique to the next level by implementing the scanner on a separate card with its own CPU."

    Last but not least:


    "Memory Cloaking Concept

    One goal of an advanced rootkit is to hide its changes to executable code (i.e. the placement of an inline patch, for example). Obviously, it may also wish to hide its own code from view. Code, like data, sits in memory and we may define the basic forms of memory access as:

    - EXECUTE
    - READ
    - WRITE

    Technically speaking, we know that each virtual page maps to a physical page frame defined by a certain number of bits in the page table entry. What if we could filter memory accesses such that EXECUTE accesses mapped to a different physical frame than READ / WRITE accesses? From a rootkit's perspective, this would be highly advantageous. Consider the case of an inline hook. The modified code would run normally, but any attempts to read (i.e. detect) changes to the code would be diverted to a 'virgin' physical frame that contained a view of the original, unaltered code. Similarly, a rootkit driver might hide itself by diverting READ accesses within its memory range off to a page containing random garbage or to a page containing a view of code from another 'innocent' driver. This would imply that it is possible to spoof both signature scanners and integrity monitors. Indeed, an architectural feature of the Pentium architecture makes it possible for a rootkit to perform this little trick with a minimal impact on overall system performance."

    Yes, it will be interesting to see what AV's and AT's come up with to combat memory cloaking. I have read this article before. It is interesting.

    Maybe I'll also read the book from Greg Hoglund and James Butler if I get the time.



    Starrob
     
  21. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Last post removed pending admin review.
     
  22. nat1ed

    nat1ed Guest

    That is indeed true. I purchased a copy of Hackdefender gold and I have written my own private ring 0, kernel-based rootkit detector to detect it. If you want a copy send me an email <removed> and I will tell you where to download it....

    And if you believed all that and really installed it , you just got nailed by a rootkit. :)
     
    Last edited by a moderator: Aug 29, 2005
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Too late me thinks. If the rogue is not stopped before it enters the labyrinth, then all is lost - for it cannot be found.

    Rich
     
  24. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Do you know that for sure by experimentation or otherwise?

    Nautilus happens to conclude as follows:

    "O.k....let's talk about Ewido:

    I picked the new Hacker Defender Revisited (hxdef100r) rootkit. Ewido's file scanner (latest sigs) detects it. If you execute the rootkit file Ewido's guard detects and blocks it.

    If you allow the rootkit to start, the entire installation folder (including the rootkit files) will become invisible. Consequently, Ewido's file scanner (or any other AV/AT file scanner) will be unable to detect it.

    If you perform a manual memory scan Ewido will detect & terminate the running rootkit and all files will become visible again. This is because current rootkits can't perfectly cloak themselves in memory. The big advantage of Ewido is that it features a "full" manual memory scanner which scans the entire memory. (Such memory scanner was implemented after we performed the Flux tests demonstrating the weakness of mere process or module file scanners.)"



    Starrob
     
    Last edited: Aug 29, 2005
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes, but the fiend that hides beneath the root has had opportunity to do no good. The only way to prevent the Trojans from laying the city to waste, is to stop them at the gates.

    Rich
     