Quasi Rootkit Detection?

Discussion in 'other anti-malware software' started by Searching_ _ _, Sep 29, 2008.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I was wondering how the Anti-Rootkit tools are at detecting quasi rootkits that hide information from the user but is still visible to the system.
    An example would be the PoC Kitkat: A Poor Man's Rootkit
    Tools:
    RKU
    GMER
    Radix
    Rootrepeal
    and any others...
     
    Last edited: Sep 29, 2008
  2. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Hello Prorootect,

    That would qualify as a Quasi Rootkit.

    I wanted to know how Anti-Rootkit tools are at detecting them.


    Thanks for the reply. I guess there could be a few variations of this type.


    Searching
     
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Yes Searching,

    HideProc: a toy is not bad for a little fun ...

    For my example: sched.exe (Antivirus Scheduler from AVIRA AntiVir) - hidden by HideProc:

    # RootAlyzer: Quick Scan : Invisible processes ( from handles );

    #GMER: Warning!!! Gmer has found system modification, which might have been caused by ROOTKIT activity.

    # KX-Ray: Processes: tab: sched.exe is black ... SSDT: Module HideProcDrv.sys is black;

    # SREng: I see near the clock on System Tray, in Red: Warning: System Repair Engineer found 1 hidden processes. Smart Scan: Warning (yellow): System Repair Engineer has detected a valid 3rd-party upload plug-in which have valid digital signatures in Upload sub-directory. When you use "Copy Suspicious Files sub-directory automatically" function ... Hidden Process: C\Program Files\Avira .../sched.exe

    Other toy to divert itself: www.SemanticHacker.com/ ...
    Other: http://personal-computer-tutor.com/rot13.htm ...
    And: ESCAPA ?

    PS. Look to thread: Detection of hiding a process by HIPS - last post: September 2nd, 2008.

    Your PROROOTECT ( Beta )
     
    Last edited: Sep 29, 2008
  5. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Searching, how are your tests with anti-rootkits going?

    Thanks, PROROOTECT
     