rootkit detection

Discussion in 'other anti-malware software' started by majorpain, Oct 13, 2016.

  1. majorpain

    majorpain Registered Member

    Joined:
    Jul 22, 2016
    Posts:
    4
    Location:
    tennessee
Are there any "quote unquote" best rootkit scanners anymore, or are all the good ones integrated? What would be a good kit to use to detect possibly hardware-specific rootkits, or rootkits in general?
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  3. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    276
    Location:
    Da mean streets of Brooklyn
    Last edited: Oct 13, 2016
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
Here is a way to check your UEFI firmware for rootkits, from Intel.

    http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html

Also, Kaspersky and a bunch of other security companies make software rootkit scanners.

If I remember right there have been a bunch of POCs on hardware rootkits, including network cards, router software, etc. Going by the past, many times when there is a POC, it becomes a reality at some point later.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  6. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,095
    Anti-rootkit:
    Best Free Rootkit Scanner and Remover
    How to Remove a Rootkit from a Windows System
    Kaspersky TDSSKiller
    GMER
    GMER MBR rootkit detector
    aswMBR
    Malwarebytes Anti-Rootkit
    Sophos Anti-Rootkit
    VBA32 AntiRootkit
    Kernel Detective
    SpyDllRemover
    Trend Micro RootkitBuster
    Bitdefender Rootkit Remover
    SanityCheck
    McAfee Rootkit Remover
    RootRepeal
    Rootkit Unhooker
    NoVirusThanks Ring3 API Hook Scanner
    catchme
    Oshi Unhooker
    ESET Hidden File System Reader
    AntiSpy
    Getting rid of MBR Rootkit's (bootkit)
    NoVirusThanks Anti-Rootkit
    wincheck
    Packed Driver Detector
    ListParts
    PC Hunter
    PowerTool
    List of Anti-Rootkits
    15 AntiRootkits to Detect and Remove Malware that Uses Rootkit Technology
    13 top best free rootkit removal (anti-rootkit) programs

    http://www.techsupportalert.com/content/free-windows-desktop-software-security-list-scanners.htm
    ------------
    Best Free Rootkit Scanner and Remover
    http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm
     
  7. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    276
    Location:
    Da mean streets of Brooklyn
    I found anon's post very helpful. I'm afraid rootkits may be coming back in "style,"
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
"detect possibly hardware specific rootkits"

I guess I misunderstood what you were looking for. I thought you meant a rootkit or malware that can infect a video card, BIOS, network card, etc.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,035
    Location:
    The Netherlands
    No not really. On Windows 64 bit, rootkits are not that advanced anymore because they can't modify the OS kernel. And on top of that, drivers need to be signed before Windows will allow them to load. This doesn't mean that rootkit drivers are not dangerous at all, they can still manipulate the system on Win 64 bit. That's why it's best to only load drivers from tools that are 100% trusted.
     
  10. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    276
    Location:
    Da mean streets of Brooklyn
    Rasheed187: " found this article, I'm not sure what to think:"

    http://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/

I read this article which you yourself posted. Don't you think its contents sort of justify the concern here? I have the Management Engine :cautious: and it's benign now, but can it be subverted? Maybe it'll be time to make a decision soon. Food for thought, right?

    Edit: Theoretically, it looks like ME could be turned into a kind of driver-less rootkit. What do you think?
     
    Last edited: Oct 15, 2016
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    880
Additionally, on Win10 the kernel driver has to be cross-signed by Microsoft (if Secure Boot is enabled). Another hurdle.
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
So better to uninstall the Intel Management Engine? Anyway, I never was sure that it is effective and an advantage to keep it.
     
  13. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    276
    Location:
    Da mean streets of Brooklyn
    I set up a poll in this forum. I just don't know.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
If you go to the website of the author of that article on ME, jackwallen.com, it redirects you to http://monkeypantz.net/.

I wonder how many businesses actually know about AMT and ME.

In the beginning of the article I think he says it can't be disabled, then further down he shows how to disable AMT and ME.
Have any of you gone into the BIOS and disabled it?
     
  15. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    276
    Location:
    Da mean streets of Brooklyn
Monkey who? Wow, maybe just ditch this whole Intel thing. The thing is, many business machines have a variety of Intel software; I think it has that "I am necessary because I'm Intel" cachet.

    No, personally I haven't gone into the BIOS. This is another obstacle: safely getting rid of something that interfaces directly with the innards of your computer.
     
  16. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    880
    Even if it's disabled in the BIOS, it cannot be disabled according to the article (and AMT is able to remotely control your PC):
    But Intel said there is no backdoor, so we can sleep well ;)
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
It seems AMT is for small-medium and enterprise users. It also said the computer can be configured at the OEM. So I would then have to ask the question: do OEMs like Dell preconfigure all computers for AMT use, or even resellers like Best Buy?

Looks like the method they use to create a signed cert for each machine is secure.
     
    Last edited: Oct 16, 2016
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
  19. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    276
    Location:
    Da mean streets of Brooklyn
    http://blog.ensilo.com/intrusive-applications-6-security-to-watch-out-for-in-hooking

So, nothing is "sacred." If Intel wasn't so messy with its uninstall... Besides, this is such a massive industry, any potential whistleblower would be a target of violence and retribution. So, these matters are assiduously suppressed. It's all about the cash. Same as for the malware people.

    Thanks, Fabian Wosar, for above link.
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
    plat1098

And I wonder how many have been patched since July, or even if they care. Glad I don't use any of those security products.

But of course they are selling something too.

    https://www.ensilo.com/
     
  21. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,242
I went to ensilo.com. Looking at some of the statements they make, such as:
and
It seems that they are overstating the possibility of getting infected in order to get customers. I may be wrong, but I highly doubt there are "more than 250,000 known unique kinds of ransomware."
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,035
    Location:
    The Netherlands
    I was talking about software based rootkits, not about hardware-rootkits which is another subject. On Windows 32 bit, the kernel based rootkits were a much bigger problem, because they could modify key parts of the Windows OS. This is not possible anymore on Windows 64 because of PatchGuard.
     