Review: Six Rootkit Detectors Protect Your System

Discussion in 'other anti-malware software' started by ronjor, Jan 16, 2007.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Review
     
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Final conclusions

    About time this info got more coverage :thumb:
    I've used most of the more *popular*
    ARKs and then found RKU RC2 onwards.
    Absolutely no competition for overall functionality and coverage of most known malware RKs.

    GMER ranks #2 IMO, located in effectiveness midway between RKU and the rest ;)
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I agree what was said about RkU.
    stable, nice ARK, good work guys
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for the link ronjor.:)

    Nice article.
     
  5. como212

    como212 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    18
    tnx for the info :thumb:
     
  6. controler

    controler Guest

    One thing not mentioned in the article about independent creators is the fact that they came from places like rootkit.com and actually know how to create as well as find rootkits. That is all they did for years. At least people have become aware that sigs are no longer the ticket and even HIPS don't always help.
    I didn't see much mention of Rustock C here other than EP_X0FF confirming it is in the wild now.


    controler
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    It may be. Then again: eating is the proof of the pudding - looking forward to a (zipped and password protected) copy...;)

    regards,

    paul
     
  8. tlu

    tlu Guest

    Recently the highly respected German computer magazine c't published a test of various anti-rootkit tools, too.

    The following tools were included:
    • AVG Antirootkit v. 1.0.0.13 beta
    • Avira Rootkit Detection 2.0. beta
    • Bitdefender Rootkit Uncover 1.0 beta 2
    • Darkspy 1.0.5 Test
    • F-Secure Blacklight 2.2.1050 beta
    • Gmer 1.0.12.12011
    • Helios 1.1a
    • IceSword 1.20
    • Rootkit Revealer 1.7.1
    • Rootkit Unhooker 3.0.86.338 RC3
    • SEEM 4.0
    • Sophos Antirootkit 1.2
    • UnHackMe 3.1
    For users not intensely familiar with OS internals, c't recommends AVG Antirootkit and F-Secure BlackLight as the best one-click solutions. For advanced users and forensics, c't recommends GMER and Rootkit Unhooker. The latter removes all hooks of a rootkit, so a subsequent scan by an anti-virus scanner might detect that rootkit.

    Note, however, that each of these recommended tools found the hidden files of the demo rootkit Winrootkit but not the rootkit itself. That one (but not the associated autostart entry) was recognized only by IceSword and SEEM.

    c't recommends using a clean boot CD with an up-to-date anti-virus scanner for a thorough scan of your PC, since a well-programmed rootkit might give the slip to all tested tools on a running system.
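The "found the hidden files" result in the c't summary above comes from cross-view detection: a detector lists a directory through the normal (hookable) API, lists it again from a source below the hooks, and reports the difference. The following C program is an added illustration of that comparison and is not code from this thread or from any of the tools named in it. The directory contents, the `$sys$` marker prefix the simulated hook filters on, and the second pass are all constructed; a real detector obtains its raw view by parsing the volume itself rather than by filtering a static array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 16

/* Constructed raw directory contents: what a detector sees when it parses the
   volume itself (e.g. the NTFS MFT) instead of asking the possibly hooked API. */
static const char *const g_raw_listing[] = {
    "ntoskrnl.exe", "hal.dll", "$sys$drv.sys", "$sys$cfg.dat", "pagefile.sys",
};
#define N_RAW (sizeof g_raw_listing / sizeof g_raw_listing[0])

/* Constructed marker prefix: the simulated hook on the directory-query call
   drops every name that starts with it, so the API view never shows them. */
#define HIDE_PREFIX "$sys$"

/* Simulated hooked enumeration (the "API view"). Returns the number of names. */
size_t api_listing(const char **out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < N_RAW && n < max_out; i++)
        if (strncmp(g_raw_listing[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            out[n++] = g_raw_listing[i];
    return n;
}

static int contains(const char *const *set, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(set[i], name) == 0) return 1;
    return 0;
}

/* Cross-view diff: names in the raw view that the API view does not report.
   Names only the API view reports are not "hidden"; they usually mean the raw
   parser ran before a file was created between the two enumerations. */
size_t cross_view_hidden(const char *const *raw, size_t nraw,
                         const char *const *api, size_t napi,
                         const char **out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < nraw && n < max_out; i++)
        if (!contains(api, napi, raw[i])) out[n++] = raw[i];
    return n;
}

/* Keep only names flagged in both passes. A file deleted between the raw and
   the API enumeration of one pass shows up as "hidden" in that pass only. */
size_t confirm_hidden(const char *const *pass1, size_t n1,
                      const char *const *pass2, size_t n2,
                      const char **out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < n1 && n < max_out; i++)
        if (contains(pass2, n2, pass1[i])) out[n++] = pass1[i];
    return n;
}

int main(void) {
    const char *api[MAX_NAMES], *hidden[MAX_NAMES], *confirmed[MAX_NAMES];
    size_t napi = api_listing(api, MAX_NAMES);
    size_t nh = cross_view_hidden(g_raw_listing, N_RAW, api, napi, hidden, MAX_NAMES);

    /* Constructed second pass: the same two rootkit files plus a transient log
       that vanished between enumerations; only the two real hidden files survive. */
    const char *pass2[] = { "$sys$drv.sys", "$sys$cfg.dat", "tmp0001.log" };
    size_t nc = confirm_hidden(hidden, nh, pass2, 3, confirmed, MAX_NAMES);

    for (size_t i = 0; i < nc; i++)
        printf("hidden from API view: %s\n", confirmed[i]);
    return 0;
}
```

The two-pass confirmation is the practitioner's caveat: on a live system files come and go while the scan runs, so a single raw-versus-API difference is a candidate, not a verdict. It also shows the limit c't points out: the hidden files become visible, but nothing here identifies the driver doing the hiding.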
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    http://forum.sysinternals.com/forum_posts.asp?TID=9385&PN=2&TPN=1

    The 9th or 10th post is the author of A/B making the statement that C is undetectable; as to whether it is in the wild, that has not been confirmed ;)

    Nothing is completely undetectable; it just depends on the tool/method of looking :D

    If I bag it, you will get your copy :)
     
  10. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Because it doesn't hide itself. It hides only files.
     
  11. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    It's kind of scary to look at that list (article)
    and realize I use half of those programs.
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Kudos to EP_X0FF and MP_ART et al, world champions. :thumb:
    Don't let it go to your head EP_X0FF ;)
    How are the hit counts going ?? :D

    LOL, just write them in bad French instead.

    No Gmer ?? :(

    Write the word G_m_e_R or post a link and get DDOSed out of existence :mad:
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes I saw that too.

    Good to know.
     
  14. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Thank you Longboard and others. I think the Gmer site will soon return to life. Oops, I wrote "Gmer"; I must write gm3r, lol. Bad joke, I know.
     
    Last edited: Jan 18, 2007
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Well, as soon as you think that your machine is infected with a rootkit I would advise reformatting. And I have to admit that I'm a bit wary of using anti-rootkit tools that are not coming from the big companies. :rolleyes:
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Perspectives. There are big companies and big companies. Others would see it the other way around.
    Would you try Sony's anti-rootkit if it hit the market?:eek:
     
  17. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    I was a little wary when I first used IceSword (in its Chinese version before there was an English one) but, researching the matter, I decided to trust better heads than mine when I was incapable of determining the facts for myself.

    I relied on my understanding of human nature for the decision.
    Why would someone code an app superior to the current benchmark of the time?
    (Holy Father was on a roll at the time and had beaten Mark's latest RootkitRevealer)
    I felt pride in creation and ego were a stronger motivation within this little-known field (coincidentally littered with some of the best security programmers) than the off chance it was a subversion attempt motivated by greed. Where was the return on investment? Especially considering it was likely being reverse engineered from almost the day it was released.
     
  18. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Rootkit scanners that come from big AV companies can't deal with rootkits. AV rkdetectors are unprofessional work. I do not believe them and I will never say anything good about them.
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I have GMER logging on in settings, and I was just about to turn it off; I ran GMER and it displayed a warning when starting:

    It's SandboxIE, which i just installed:) (f. great program if you ask me)

    I think i'll let GMER log some more. It seems to do the job.
    Does RkU have that feature? Or something similar?
     
  20. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    We can detect malware-like "parasites" inside our program during its startup. FYI, this warning message is only because GMER does a fast scan of SSDT/processes and drivers.
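Two posts above describe the same mechanism from different angles: tlu's c't summary says Rootkit Unhooker removes a rootkit's hooks so that a following AV scan can see the files, and EP_X0FF says GMER's startup warning is the result of a fast SSDT/process/driver scan that will also trip on a benign hooking driver such as Sandboxie's. The C program below is an added illustration of an SSDT scan and unhook and is not code from RkU, GMER or this thread. The kernel and driver address ranges, the table entries, the service names and the `sbiedrv.sys` module (standing in for any legitimate third-party driver that hooks) are constructed; a real detector reads the loaded-module list from the kernel and derives the known-good entries from the on-disk kernel image.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed loaded-module list. A real detector walks the kernel's module
   list for each image base and SizeOfImage; these numbers are made up. */
typedef struct { const char *name; uint32_t base; uint32_t size; } module_t;

static const module_t g_modules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "sbiedrv.sys",  0xF8A00000u, 0x00010000u },  /* hypothetical benign hooking driver */
};
#define N_MODULES (sizeof g_modules / sizeof g_modules[0])

#define SSDT_ENTRIES 6

/* Illustrative service names; real SSDT indices depend on the Windows build. */
static const char *const g_service_names[SSDT_ENTRIES] = {
    "NtCreateFile", "NtOpenProcess", "NtQueryDirectoryFile",
    "NtQuerySystemInformation", "NtEnumerateKey", "NtTerminateProcess",
};

/* Known-good entries (all inside ntoskrnl.exe), as a detector would recover
   them from the on-disk kernel image. Constructed values. */
static const uint32_t g_ssdt_original[SSDT_ENTRIES] = {
    0x8056A1C0u, 0x805B5A40u, 0x80579E20u, 0x805F2C80u, 0x8059C110u, 0x805C4F00u,
};

/* Live table with two hooks: index 2 redirected into the benign driver,
   index 3 redirected to memory that no listed module owns (a hidden driver). */
static uint32_t g_ssdt_live[SSDT_ENTRIES] = {
    0x8056A1C0u, 0x805B5A40u, 0xF8A03210u, 0xF9C1E000u, 0x8059C110u, 0x805C4F00u,
};

typedef struct { int index; uint32_t target; const char *owner; } hook_t;

/* Name of the loaded module containing addr, or NULL if none claims it. */
const char *owner_of(uint32_t addr) {
    for (size_t i = 0; i < N_MODULES; i++)
        if (addr >= g_modules[i].base && addr - g_modules[i].base < g_modules[i].size)
            return g_modules[i].name;
    return NULL;
}

/* Compare the live table with the known-good one and record each mismatch.
   Returns the number of hooked entries found (may exceed max_out). */
size_t scan_ssdt(const uint32_t *live, const uint32_t *orig, size_t n,
                 hook_t *out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (live[i] == orig[i]) continue;
        if (found < max_out) {
            out[found].index = (int)i;
            out[found].target = live[i];
            out[found].owner = owner_of(live[i]);
        }
        found++;
    }
    return found;
}

/* Write the known-good entries back over the hooked ones; returns how many. */
size_t restore_ssdt(uint32_t *live, const uint32_t *orig, size_t n) {
    size_t restored = 0;
    for (size_t i = 0; i < n; i++)
        if (live[i] != orig[i]) { live[i] = orig[i]; restored++; }
    return restored;
}

int main(void) {
    hook_t hooks[SSDT_ENTRIES];
    size_t n = scan_ssdt(g_ssdt_live, g_ssdt_original, SSDT_ENTRIES, hooks, SSDT_ENTRIES);
    for (size_t i = 0; i < n; i++)
        printf("%-26s -> 0x%08" PRIX32 "  %s\n", g_service_names[hooks[i].index],
               hooks[i].target,
               hooks[i].owner ? hooks[i].owner : "<no loaded module: suspicious>");
    printf("restored %zu entries\n", restore_ssdt(g_ssdt_live, g_ssdt_original, SSDT_ENTRIES));
    return 0;
}
```

The owner lookup is what separates a warning from a finding: a hook whose target lies inside a listed driver may be a sandbox, HIPS or AV product doing its job, while a hook into memory no module claims is the classic sign of a hidden driver. Restoring the whole table indiscriminately, as the unhook step does here, is why the c't reviewers reserve that tool for advanced users: it also strips the legitimate hooks.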
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    What do you mean by parasites inside your program? I'm sorry if it turns out to be a basic question, but now i'm curious.:)

    And congrats on the review. It seems that you're ahead of the competition. :thumb:
     
  22. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    In most cases that is probably reality.
     
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
  25. EASTER.2010

    EASTER.2010 Guest

    I experience the exact same results.

    AV companies specialize in one field and one field only, viruses. They have slowly evolved enough over time to also include some malware detections through heuristics. But as far as rootkits go, they are way out of their league in that field AFAIK.

    The problem with AVs is that they try to manufacture and monopolize on the whole order of possibilities; they now even offer their own version of firewalls in some of their suites.

    RootKit detectors are better left to those who know how best to code programs that can reveal their presence/traces.

    That's my take on it.
     