Hypersight Rootkit Detector VIPS

Discussion in 'other anti-malware software' started by Meriadoc, Feb 24, 2008.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hypersight Rootkit Detector North Security Labs

    Virtual Intrusion Prevention Systems (VIPS)
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Thanks for sharing, seems to be very interesting. Of course I will wait for some feedback first, because you should be cautious with these kind of tools. And this one seems to be making use of hardware (processor) based virtualization? Sort of like the Blue Pill rootkit? Perhaps the next step is to build a hypervisor HIPS? Or is this VIPS already a HIPS? Exciting stuff! :D
     
    Last edited: Feb 27, 2008
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes indeed. (currently cpu must support Intel VT-x Intel VT (Intel Virtualization Technology)) NSL Blog
     

    Attached Files:

    Last edited: Feb 24, 2008
  4. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Would like to try it, but unfortunately I have an AMD processor which is not supported as stated in the last sentence of the home page:

    "Due to the requirements of a hardware platform to support virtualization, the current preview release is only compatible with Intel Core 2 family of processors for the time being. We are currently working on adding support for other CPUs."
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Brilliant idea to use the virtualisation feature of the CPU
     
  6. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    My processor won't support it either. Seems like an interesting concept though.
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I discovered it some days ago but unfortunately also using Amd, seems to be only useful for a smaller circle. But to detect CR0 there are easier ways and these works on all systems.
    To detect ShadowWalker maybe one should disable pagefile.sys .. lol..
     
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Genial.... However it cuts out AMD based boxes. That is a large segment of the possible market for such a technology...
     
  9. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    perhaps, this app is INTEL-sponsored. AMD just has to stay 10 feet away.

    Similarly, PEPSI vs COCO cola, or Blu-ray vs HD DVD. Diamond cuts another diamond. Interesting, eh?
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I don't think of any reason why this app is incompatible with AMD processors. AMD has virtualization technology built-in in its latest processors which is (AFAIK) compatible with the Intel's technology.
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Support for other than Intel Virtualization is being worked on.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I stand corrected, thanks Meriadoc :)
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Is it true gmer not detecting unreal.A. still?
     
  14. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Tested version: GMER 1.0.12 (Released in 2006)
    Latest version: GMER 1.0.14

    Be careful with that comparative
     
  15. Tadoussac

    Tadoussac Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    118
    I tried this on my laptop which has an Intel Core2 T5500 processor. Here are some impressions:

    (1) I went into BIOS and "enabled" Intel Virtualization Technology for the CPU, and then I installed Hypersight.

    (2) On the subsequent reboot, I experienced system freeze during the WinXP splash screen, and I did a hard shutdown (power button).

    (3)The next boot completed normally, and I received a taskbar pop-up from Hypersight informing me that rootkits were discovered on my system. Opening the GUI revealed that Hypersight considered Online Armor components to be rootkits and was blocking them.

    I wonder how Hypersight can conceivably co-exist with any HIPS that touches the kernel. If there are settings in Hypersight to ignore trusted software, I couldn't find them - and therefore decided to uninstall it and reset CPU Virtualization to default setting of "Disabled".
     
  16. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I installed Hypersight and it recognized SSM.

    But if given administrative rights in my LUA- eventually it seems to disable the Jetico Firewall HIPs (this could be a good thing or a bad thing).
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Even noadware (rogue antispy) could easily detect unreal.a, don´t know why there is such a hype about this un-real thing.

    Good choice! :D
    And as I said it is very easy to track cr0 changes from user mode you don´t need a hypervisor for it.
     
  18. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Sounds interresting. It didnt work well with sandboxie though. Rebooting after the install got me self a BSOD, sbiedrv.sys was the culprit according to the bluescreen. But I guess that is no surprise, one can only have so many softwares living that close to the kernel :)
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    But the question is how long will it take before security tools start to act like hypervisors? Is this even technically possible? You would sure hope so. Picture this: your favorite anti malware tool still monitoring everything as usual, but now completely immune to attacks from other stealthy software, and of course with the ability to protect the whole system from all kinds of attacks flawlessy. Yes this may be science fiction, but it sure is very exciting. :D

    If I´m correct, KAV/KIS can protect against "R0-R3 gateway handler modification". But will this stop all (or most) rootkits, or just rootkits using this method?
     
  20. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I sent a feedback message via their website and I think they are a Russian company.
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    They are a russian company and most think that EP is behind this project but that doesn´t seems so. Who are these guys?
     
  22. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Has anyone tried this yet? Has it been proven successful at removing anything? I am a little scared to test it on my system. But I have a friend's laptop for a few days now that is infected with a DOOZIE of a rootkit and I am desperate to get it fixed.
     
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I doubt it will help you to wipe this DOOZIE out of your system.
     
  24. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    hmm ok. what do you suggest Ilya? I have tried Mcafee rootkit detective, avg anti spyware, nod32 3.0, malwarebytes, fixmbr, and its still seems to be infected... :'(
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Reformat it and get a peace of mind.
     
Loading...
Similar Threads
  1. majorpain
    Replies:
    21
    Views:
    1,471
Thread Status:
Not open for further replies.