Discussion in 'other anti-malware software' started by Meriadoc, Feb 24, 2008.
Hypersight Rootkit Detector North Security Labs
Virtual Intrusion Prevention Systems (VIPS)
Thanks for sharing, seems to be very interesting. Of course I will wait for some feedback first, because you should be cautious with these kind of tools. And this one seems to be making use of hardware (processor) based virtualization? Sort of like the Blue Pill rootkit? Perhaps the next step is to build a hypervisor HIPS? Or is this VIPS already a HIPS? Exciting stuff!
Yes indeed. (Currently the CPU must support Intel VT-x (Intel Virtualization Technology).) NSL Blog
Would like to try it, but unfortunately I have an AMD processor which is not supported as stated in the last sentence of the home page:
"Due to the requirements of a hardware platform to support virtualization, the current preview release is only compatible with Intel Core 2 family of processors for the time being. We are currently working on adding support for other CPUs."
Brilliant idea to use the virtualisation feature of the CPU
My processor won't support it either. Seems like an interesting concept though.
I discovered it some days ago, but unfortunately I am also using AMD; it seems to be only useful for a smaller circle. But to detect CR0 there are easier ways, and these work on all systems.
To detect ShadowWalker maybe one should disable pagefile.sys .. lol..
Genial.... However it cuts out AMD based boxes. That is a large segment of the possible market for such a technology...
Perhaps this app is Intel-sponsored. AMD just has to stay 10 feet away.
Similarly, Pepsi vs Coca-Cola, or Blu-ray vs HD DVD. Diamond cuts another diamond. Interesting, eh?
I can't think of any reason why this app is incompatible with AMD processors. AMD has virtualization technology built into its latest processors which is (AFAIK) compatible with Intel's technology.
Support for other than Intel Virtualization is being worked on.
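Since the compatibility question in this thread comes down to whether the CPU advertises hardware virtualization extensions at all, here is an added example (not code from Hypersight, North Security Labs, or anyone in the thread) that reads the CPUID feature bits on the running machine: Intel reports VT-x as VMX in CPUID leaf 1, ECX bit 5; AMD reports AMD-V as SVM in CPUID leaf 0x80000001, ECX bit 2. The decoding is split out into a pure function so it can be exercised with constructed register values; the `#if` guard keeps the file compiling on non-x86 builds, where the query simply reports "unknown". The enum and function names are my own.

```c
/* Added example: detect whether the CPU advertises Intel VT-x or AMD-V via CPUID.
 * Not part of the Hypersight project; names below are this example's own. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

enum virt_support {
    VIRT_NONE = 0,      /* known vendor, no virtualization extension advertised */
    VIRT_INTEL_VTX = 1, /* GenuineIntel with CPUID.1:ECX[5] (VMX) set */
    VIRT_AMD_V = 2,     /* AuthenticAMD with CPUID.80000001h:ECX[2] (SVM) set */
    VIRT_UNKNOWN = 3    /* other vendor, or not an x86 build */
};

/* Pure decoder over raw register values, so it can be tested with constructed inputs.
 * vendor is the 12-byte CPUID.0 vendor string, NUL-terminated. */
enum virt_support decode_virt_support(const char *vendor, uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    if (strcmp(vendor, "GenuineIntel") == 0)
        return (leaf1_ecx & (1u << 5)) ? VIRT_INTEL_VTX : VIRT_NONE;
    if (strcmp(vendor, "AuthenticAMD") == 0)
        return (ext1_ecx & (1u << 2)) ? VIRT_AMD_V : VIRT_NONE;
    return VIRT_UNKNOWN;
}

const char *virt_support_name(enum virt_support v)
{
    switch (v) {
    case VIRT_NONE:      return "no virtualization extension advertised";
    case VIRT_INTEL_VTX: return "Intel VT-x (VMX)";
    case VIRT_AMD_V:     return "AMD-V (SVM)";
    default:             return "unknown";
    }
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>

/* CPUID leaf 0 returns the vendor string in EBX, EDX, ECX (in that order). */
static void read_vendor(char out[13])
{
    unsigned int eax, ebx, ecx, edx;
    __cpuid(0, eax, ebx, ecx, edx);
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &edx, 4);
    memcpy(out + 8, &ecx, 4);
    out[12] = '\0';
}

/* Query the running CPU. Only says the silicon has the feature; whether firmware
 * enabled it (the BIOS setting mentioned in the thread) is a separate question. */
enum virt_support query_virt_support(void)
{
    char vendor[13];
    unsigned int eax, ebx, ecx, edx;
    unsigned int leaf1_ecx = 0, ext1_ecx = 0;

    read_vendor(vendor);
    __cpuid(1, eax, ebx, ecx, edx);
    leaf1_ecx = ecx;

    /* Only read the extended leaf if the CPU reports that it exists. */
    if (__get_cpuid_max(0x80000000u, NULL) >= 0x80000001u) {
        __cpuid(0x80000001u, eax, ebx, ecx, edx);
        ext1_ecx = ecx;
    }
    return decode_virt_support(vendor, leaf1_ecx, ext1_ecx);
}
#else
enum virt_support query_virt_support(void)
{
    return VIRT_UNKNOWN; /* CPUID is x86-only */
}
#endif

int main(void)
{
    printf("Hardware virtualization: %s\n", virt_support_name(query_virt_support()));
    return 0;
}
```

A positive result from CPUID is necessary but not sufficient: on Intel parts the firmware can leave VMX disabled and locked through the IA32_FEATURE_CONTROL MSR, which is only readable from ring 0, so a tool like the one discussed here still has to cope with the "enabled in BIOS" step separately. VT-x and AMD-V are also distinct instruction sets advertised through different CPUID leaves, which is why a hypervisor written for one needs separate code for the other.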
I stand corrected, thanks Meriadoc
Is it true that GMER is still not detecting Unreal.A?
Tested version: GMER 1.0.12 (Released in 2006)
Latest version: GMER 1.0.14
Be careful with that comparative
I tried this on my laptop which has an Intel Core2 T5500 processor. Here are some impressions:
(1) I went into BIOS and "enabled" Intel Virtualization Technology for the CPU, and then I installed Hypersight.
(2) On the subsequent reboot, I experienced system freeze during the WinXP splash screen, and I did a hard shutdown (power button).
(3) The next boot completed normally, and I received a taskbar pop-up from Hypersight informing me that rootkits were discovered on my system. Opening the GUI revealed that Hypersight considered Online Armor components to be rootkits and was blocking them.
I wonder how Hypersight can conceivably co-exist with any HIPS that touches the kernel. If there are settings in Hypersight to ignore trusted software, I couldn't find them - and therefore decided to uninstall it and reset CPU Virtualization to default setting of "Disabled".
I installed Hypersight and it recognized SSM.
But if given administrative rights in my LUA- eventually it seems to disable the Jetico Firewall HIPs (this could be a good thing or a bad thing).
Even NoAdware (rogue antispy) could easily detect Unreal.A; don't know why there is such a hype about this un-real thing.
And as I said, it is very easy to track CR0 changes from user mode; you don't need a hypervisor for it.
Sounds interesting. It didn't work well with Sandboxie though. Rebooting after the install got myself a BSOD; sbiedrv.sys was the culprit according to the bluescreen. But I guess that is no surprise, one can only have so many pieces of software living that close to the kernel.
But the question is how long will it take before security tools start to act like hypervisors? Is this even technically possible? You would sure hope so. Picture this: your favorite anti-malware tool still monitoring everything as usual, but now completely immune to attacks from other stealthy software, and of course with the ability to protect the whole system from all kinds of attacks flawlessly. Yes, this may be science fiction, but it sure is very exciting.
If I'm correct, KAV/KIS can protect against "R0-R3 gateway handler modification". But will this stop all (or most) rootkits, or just rootkits using this method?
I sent a feedback message via their website and I think they are a Russian company.
They are a Russian company and most think that EP is behind this project, but that doesn't seem so. Who are these guys?
Has anyone tried this yet? Has it been proven successful at removing anything? I am a little scared to test it on my system. But I have a friend's laptop for a few days now that is infected with a DOOZIE of a rootkit and I am desperate to get it fixed.
I doubt it will help you to wipe this DOOZIE out of your system.
Hmm, ok. What do you suggest, Ilya? I have tried McAfee Rootkit Detective, AVG Anti-Spyware, NOD32 3.0, Malwarebytes, fixmbr, and it still seems to be infected...
Reformat it and get peace of mind.