Quasi Rootkit Detection?

Discussion in 'other anti-malware software' started by Searching_ _ _, Sep 29, 2008.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I was wondering how good the Anti-Rootkit tools are at detecting quasi rootkits that hide information from the user but are still visible to the system.
    An example would be the PoC Kitkat: A Poor Man's Rootkit
    Tools:
    RKU
    GMER
    Radix
    Rootrepeal
    and any others...
     
    Last edited: Sep 29, 2008
  2. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Hello Prorootect,

    That would qualify as a Quasi Rootkit.

    I wanted to know how Anti-Rootkit tools are at detecting them.


    Thanks for the reply. I guess there could be a few variations of this type.


    Searching
     
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Yes Searching,

    HideProc: a toy is not bad for a little fun ...

    For my example: sched.exe (Antivirus Scheduler from AVIRA AntiVir) - hidden by HideProc:

    # RootAlyzer: Quick Scan: Invisible processes (from handles);

    # GMER: Warning!!! GMER has found system modification, which might have been caused by ROOTKIT activity.

    # KX-Ray: Processes tab: sched.exe is black ... SSDT: Module HideProcDrv.sys is black;

    # SREng: I see near the clock in the System Tray, in red: Warning: System Repair Engineer found 1 hidden process. Smart Scan: Warning (yellow): System Repair Engineer has detected a valid 3rd-party upload plug-in which has a valid digital signature in the Upload sub-directory. When you use the "Copy Suspicious Files sub-directory automatically" function ... Hidden Process: C\Program Files\Avira .../sched.exe

    Another toy to amuse yourself with: www.SemanticHacker.com/ ...
    Other: http://personal-computer-tutor.com/rot13.htm ...
    And: ESCAPA?

    PS. Look to thread: Detection of hiding a process by HIPS - last post: September 2nd, 2008.

    Your PROROOTECT ( Beta )
     
    Last edited: Sep 29, 2008
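The verdicts listed in the post above ("Invisible processes (from handles)", "found 1 hidden process") come from cross-view detection: the tool builds the process list by two independent routes and reports any PID that the kernel still answers for but that the user-facing enumeration no longer shows. The following is an added example, not code from any poster or from the tools named in the thread, and it demonstrates the same principle on Linux rather than Windows: the user-facing view is the /proc directory listing (what `ps` reads, the analogue of the hooked enumeration API), and the system view is a brute-force PID sweep with kill(pid, 0). The default sweep limit of 65536 and the re-check step are this example's own choices.

```python
"""Cross-view hidden-process detection (added example, Linux /proc edition).

A quasi rootkit like HideProc hooks the enumeration path that Task Manager
uses, so the process vanishes from the list while the kernel still schedules
it. Anti-rootkit tools catch this by building the process list two
independent ways and diffing them.
"""
import os


def procfs_view():
    """User-facing view: PIDs that a directory listing of /proc reveals."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def is_thread_group_leader(pid):
    """True if pid is a real process, False if it is only a thread's TID,
    None if /proc/<pid>/status cannot be read (vanished, or hidden)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return None


def bruteforce_view(max_pid=65536):
    """System view: probe every PID 1..max_pid with signal 0.

    ESRCH means no such task; EPERM means it exists but is not ours.
    kill() also answers for thread IDs, so TIDs are filtered out via
    /proc/<pid>/status; an unreadable status is kept as suspicious.
    A thorough sweep passes the value of /proc/sys/kernel/pid_max
    (assumed here to be larger than the demo default of 65536)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if is_thread_group_leader(pid) is not False:
            alive.add(pid)
    return alive


def cross_view_diff(user_view, system_view):
    """Returns (hidden, ghost): hidden = known to the system but not shown
    to the user; ghost = shown to the user but unknown to the system
    (exited between the two views, or a faked entry)."""
    return system_view - user_view, user_view - system_view


def find_hidden_pids(max_pid=65536):
    """Live scan with a re-check that suppresses the race where a process
    starts or exits between the two views."""
    system_view = bruteforce_view(max_pid)
    user_view = {p for p in procfs_view() if p <= max_pid}
    hidden, _ = cross_view_diff(user_view, system_view)
    confirmed = set()
    for pid in hidden:
        if pid in procfs_view():
            continue  # appeared in the listing after the sweep: started late, not hidden
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # exited between the two views
        except PermissionError:
            pass
        confirmed.add(pid)
    return confirmed


if __name__ == "__main__":
    found = find_hidden_pids()
    if found:
        print("hidden processes (system view only):", sorted(found))
    else:
        print("no hidden processes in the swept range")
```

The caveat that makes this a partial answer to the thread's question: the two views are only independent as long as the rootkit does not hook both of them. HideProc-style SSDT hooking of the enumeration call leaves kill()/handle-table style probes intact, which is why it is caught; a rootkit that also filters the probe path defeats this particular pair, so the tools named above stack several views (handles, thread lists, PID brute force, scheduler structures) rather than relying on one.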
  5. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Searching, how are your tests with the anti-rootkits going?

    Thanks, PROROOTECT
     