Rootkit detectors

Discussion in 'other anti-malware software' started by Starrob, Aug 12, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Just reading around about rootkit detectors. Just from the little that I have read, I am not sure whether they are worth purchasing or not.

    Apparently, there is a big back and forth battle between the people that detect rootkits and those that make them.

    By the time a rootkit detector maker comes out and makes a claim that it can detect "all rootkits" or even specific rootkits, the people that make the rootkit find ways of evading the detection.

    Some rootkit authors are apparently making private builds for pay that are claimed to evade all of the known rootkit detectors out there.

    It is also claimed that the only rootkit detector that can truly detect most or all rootkits is a "private build". Hmmm....where have I heard that term before?

    Apparently, public rootkit detectors can detect public rootkits. I assume that this makes the uneducated public feel good and puts money into the hands of the rootkit detector authors....Apparently the people that need true protection from rootkits use "private build" rootkit detectors and the "bad" people that need a truly undetectable rootkit will buy one for around $500. The private build rootkit will never be detected apparently, by your favorite AV because the private build is not circulated widely and the AV has no definitions for it or even heuristics to detect it....so forget all the marketing "hype".

    Apparently to detect these rootkits you either need a private build rootkit detector..... or have someone who is a "friend" to the developer of the rootkit.

    Maybe the best protection against rootkits is education. There is plenty of information in many publicly available sources that can educate the user in how to avoid being "rooted". Maybe the best protection is don't always believe the hype and investigate things for yourself.



    Starrob
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That seems true for just about everything :)

    Yeah, as soon as they make a rootkit detector that detects everything, Hacker Defender will target it specifically. I don't think this makes all rootkit detectors worthless, it's just one version of one rootkit that would likely need to be directly targeted at you personally... if someone is going to go to that length, you probably don't have much hope anyway; if they released that rootkit publicly then it would be detected shortly after.

    I don't know that I'd pay for a rootkit detector, however. Rootkit Revealer is probably one of the best and it's free. Get a good security setup that blocks malware from getting on your machine in the first place and you should be good to go. I wouldn't expect it to do any more magic than any other trojan to infect your machine. Then, if you're worried, just scan with the freebie tools as soon as they're released, before they have a chance to implement a way around it in the rootkit.

    UnHackMe might be one worth paying for, because of its realtime monitoring. No malware detector claims to have a 100% detection rate, there's no reason to think it would be otherwise with rootkit detectors, and I don't think it's any more worth dismissing than any other malware killer.
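    Rootkit Revealer, mentioned above, works by cross-view comparison: it enumerates files and registry keys through the normal Windows API and again by parsing the raw disk and hive data, then reports the entries the two views disagree on. The Python below is an added illustration of that comparison, not part of the thread and not Sysinternals' code; it runs over two constructed listings (every path is made up) and separates the high-suspicion case, an entry present on disk but hidden from the API, from the usual false positive, a file that appeared or vanished between the two enumerations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str     # "HIDDEN_FROM_API" or "API_ONLY"
    suspicion: str   # "high" or "low"


def _normalise(path: str) -> str:
    """NTFS names and registry keys are case-insensitive; compare them that way
    so a difference in case alone is never reported as a discrepancy."""
    return path.rstrip("\\").lower()


def cross_view(api_view, raw_view, volatile_prefixes=()):
    """Compare the API-level listing with the raw (on-disk / on-hive) listing.

    raw-only -> something is filtering the API: the classic hiding symptom (high).
    api-only -> the entry was created or deleted between the two enumerations,
                e.g. temp or log files; flagged low, and suppressed entirely when
                the caller declares the location volatile (the scanner's own
                scratch directory, pagefile, and so on).
    """
    api = {_normalise(p): p for p in api_view}
    raw = {_normalise(p): p for p in raw_view}
    volatile = tuple(_normalise(p) + "\\" for p in volatile_prefixes)
    findings = []
    for key in sorted(raw.keys() - api.keys()):
        findings.append(Finding(raw[key], "HIDDEN_FROM_API", "high"))
    for key in sorted(api.keys() - raw.keys()):
        if key.startswith(volatile):
            continue
        findings.append(Finding(api[key], "API_ONLY", "low"))
    return findings


# Constructed sample listings (not from any real machine). The API view is what a
# FindFirstFile-style enumeration returned; the raw view comes from reading the
# on-disk structures directly, which a user-mode API hook cannot filter.
API_VIEW = [
    r"C:\WINDOWS\system32\drivers\Disk.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\Temp\rkscan-0001.tmp",            # scanner's own scratch file
    r"C:\Documents and Settings\user\report.doc",  # saved while the raw pass ran
]
RAW_VIEW = [
    r"C:\WINDOWS\system32\drivers\disk.sys",             # same file, case differs
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\example_hidden.sys",   # filtered out of API view
]


def scan_sample():
    """Run the comparison over the constructed listings."""
    return cross_view(API_VIEW, RAW_VIEW, volatile_prefixes=[r"C:\WINDOWS\Temp"])


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.suspicion:4} {f.verdict:16} {f.path}")
```

    Both views come from the same running kernel, so a kernel-mode rootkit that also intercepts raw reads can defeat the comparison; that is the limit Wayne's later posts about blocking driver installation address.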
     
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I am just a little disturbed about how the whole "security" game is played......there are certain aspects to it that I find.....disturbing... but don't mind me that is just my personal world view. There are two sides to every coin and both sides play it very well.


    Starrob
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    What more do they have to go on? :)

    This is why it's important to have a proactive generic (not rootkit-specific) kernel level defence in place such as ProcessGuard which will restrict which kernel-mode drivers can be installed - without any database updates (i.e. not having to know about particular rootkits beforehand - all kernel drivers are assumed to be suspicious until authorised by the user). Prevention is better than cure. Secure yourself against the installation of kernel-mode drivers and you secure yourself from kernel-mode rootkits - it's a lot easier saying Yes/No to the installation of a kernel-mode rootkit than it is to disinfect one.
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    That's it. Then, it remains for the "bad guys" to figure out if there are any other "entry pathways" into the kernel. If there aren't, then they are locked out (until MS creates a new one, possibly in a new operating system).

    Now, I have seen argued, that it is "too difficult" for new users to learn, whether or not to grant permission. This may or may not be true. However, whatever the case they are certainly no worse off with PG, which at least affords a user the opportunity to deny permission. Without this, the user (especially an unsuspecting user) is sunk.

    Now, the question is, why doesn't MS get this, since it is quite easy for MS to build such a capability into their own operating system. The worst that can happen is that a user may have to spend a little time learning what a rootkit and driver is. Certainly a fraction of the time that is required to learn their Excel or Word products - not to mention the Windows XP operating system itself.

    Rich
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    If you can give PG a whitelist of allowed programs, a blocklist of disallowed programs and let the user decide on unknown programs then PG would be even more useful than it is now.



    Starrob
     
  7. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    I think it's important to have rootkit-specific protection in place, as well as proactive generic protection.
     
  8. StevieO

    StevieO Guest

    Hi,

    I find it very revealing that HF says he doesn't use any AV etc whatsoever !

    MS are talking about putting some RK detection into MSAS in the near future, using their Ghostbuster technology.

    Pity the average user though faced with making mind-numbing decisions on what to delete and what to keep after a scan. And think of all the errors they could make, including messing up their PC.

    Take a look at the problems some people with PC knowledge are already having, with just one particular App, out of all the ones that are available at this present time.

    RootkitRevealer
    http://www.sysinternals.com/Forum/forum_topics.asp?FID=15


    StevieO
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    toadbee, yes - it goes without saying that the more layers of security you apply the better off you'll be (if something manages to get through your first layer it still has layers 2, 3 etc to deal with). :) This is why ProcessGuard has multiple layers of security built in, almost as if it was three or four security programs in one (anti-rootkit, anti-termination, execution protection, anti-keylogger, etc).
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    Hmm.. all that and more. Then the question begs to be asked.. why did anyone then need TDS for all these years even on WinXP if the whole ball of wax answer was as simple as just using Process Guard o_O?? or is all that just a wee bit of a sales pitch?
     
  11. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    I suspect that they do get it and it is why they are refining two approaches in Windows Vista: 1) User Account Protection (UAP) also known as Least-Privileged User Account (LUA); and 2) User-Mode Driver Framework (UMDF). After all, if you run with normal user privileges rather than with Administrator level privileges you aren't going to be able to install a kernel mode driver or rootkit either. But the problems are many with nearly all of these various approaches. In my mind, for example, technologies such as Process Guard and UAP/LUA merely move the ball only partially down the field since in either case they require an intelligent & informed decision to be made by the end user: Do I allow this kernel-mode component to install? Do I enter my Administrator password in order to install this app? Sure, both may eliminate somewhat the threat of "drive-by" malware that can automatically and silently install hidden components; but it seems to me that the real threat remains the classic "Trojan", an app with an apparent legitimate use that nevertheless has malware embedded in it. The vast majority of end-users will likely never have the information or skills at their disposal to make a truly wise decision in each and every case. Therefore, rootkit detectors will unfortunately become increasingly necessary.

    UMDF, hopefully, will eliminate the need for many peripheral drivers to be installed at the kernel level... both for reliability as well as security concerns. However, it seems to me that there will always be a certain class of drivers and applications that will require kernel mode access in order to provide the necessary functionality.
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Primrose,
    TDS and ProcessGuard are two completely different programs. ProcessGuard cannot for example identify trojans - TDS can. On the other hand, TDS cannot prevent the installation of kernel rootkit drivers - ProcessGuard can. I could go on and on about the various differences of both - there is some overlap because they both have anti-trojan qualities, but they are both two very different programs, just as for example WormGuard is different.

    Best regards,
    Wayne
     
  13. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    Starrob, I share your concerns... but most of your statements could equally be applied with respect to "anti-virus" software and "anti-spyware" software as well. It's always a back-and-forth battle, and always will be. People will, of course, harbor suspicions about the true nature and interplay that goes on behind the scenes with any of this malware. However, whatever the case may be surrounding all of this malware and anti-malware, the end result is the same... normal consumers have to be increasingly informed, educated, and vigilant when it comes to information security. It's just a reality that we have to unfortunately accept.

    As far as "complete" effectiveness, or lack thereof, that has never really and truly been a realistic goal of mine when I appraise anti-virus software, anti-spyware software, anti-spam software, or rootkit detectors. There are very few absolutes in the security business. You just aren't going to find a 100% "magic bullet" solution and you just have to accept that. If some really clever hacker wants to get you, there will almost always be a way for him or her to do so. I generally don't deploy anti-malware software to stop the bright, determined, and extremely skilled hackers... but rather to stop the mindless, automated, zombie generated worm attacks and the relatively clueless, bored, teenage script-kiddie attackers.
     
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Wayne....Do you think there is any purpose in having a rootkit detector when almost as soon as a detector is released that can detect the rootkit, rootkit authors design one that can bypass the detector?

    Sometimes it seems like the rootkit authors make a public version so all the AVs and ATs and rootkit detectors can claim to detect it, then the rootkit authors go in and see how the public version is detected and they then make undetectable private versions. The ones that get fooled are the ones that think they have close to 100% protection.

    I guess this type of round-robin thing goes on with just regular trojans and viruses too. I am starting not to see the point in this round-robin game.

    PG can have a place but hopefully it can be made more user friendly.




    Starrob


     
    Last edited: Aug 12, 2005
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    That is essentially the same question as "is there a purpose in having a virus detector when as soon as virus updates are released the virus authors bypass them?" ... the answer is of course yes, such software still has a purpose, especially when you know you've been infected - you need something to try and hunt the infection down, but it's also important to realise that they're not 100% reliable - no single security program is. The anti-virus/anti-rootkit/anti-trojan (etc) industries are cat-and-mouse industries ... every now and then each side will gain the upper hand, albeit for a brief period, but yes the scanners still certainly have a role to play.

    Again we get into layered security ... no single layer is going to be 100% bullet-proof on its own, but multiple layers of security will prevent the vast majority of attacks, malware and so on. The more layers of security you arm your system with the better off you'll be when it comes your time to be attacked (and on today's Internet that is only a matter of time), however there is usually a tradeoff in convenience - it's more convenient and easier for the user to have less security software, but it's also more risky. It's up to the individual user to find a balance of security and convenience that they're happy with.
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Alec,

    This is the key question. I certainly have never heard of a good case where an application level piece of software required kernel mode access. Usually, the requirement for this level of access occurs under two conditions:

    a) a poorly designed operating system that does not provide necessary functionality at reasonable performance levels.

    b) when an application is trying to "modify the operating system" for malicious purposes.

    The best way to address a) is to build the functionality and performance into the operating system framework and software APIs. The best way to address b) is to disable kernel access - or at least allow the user to make this decision.

    I believe that there are ways to build a substantially better operating system than MS has designed. For whatever reason, Windows is and will continue to be the primary problem, and the only way I can see to fix it is, unfortunately, to try to plug the holes that MS has made available to the world of "bad guys". Did IE have to be embedded into Windows? Absolutely not. MS decided to do it to suit their own purposes. Ditto for ActiveX, JavaScript and the like.

    Well, if MS has decided to allow any programmer to access and modify the kernel, so be it. I am glad PG (and similar programs) are around, so that I can just say NO. :)

    Regards,

    Rich
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I have big suspicions about what goes on but I won't say them. Let's just say I don't like the whole game and yes knowledge and learning is important.........
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Richrf and Starrob touch on something that I both find amusing and frustrating, namely the user friendliness of Process Guard.

    Partly it is a human nature thing that I also see in a hobby of mine, the futures markets. People think this should be a complex thing, therefore they make it complicated rather than simple. It is simple. Note, I said simple, NOT easy. There is a difference.

    I think the same is true with ProcessGuard. First I knew I was starting with a clean machine. Then it was simple and easy.

    I installed Process Guard, and rebooted. It was still in learning mode, and I then quickly started up, and closed down every program that I use. This took 5 minutes. This allowed ProcessGuard to set the required settings. Then rebooted again, and then finally rebooted so ProcessGuard turned off learn mode. Simple and easy.

    Now have I wrung the absolute max protection PG can offer? NO, but I don't care. My system runs fine, and I have reduced the probability of a problem significantly. 1000's of percent better than without it.

    People want to overcomplicate vs simplify. This is human nature.

    Pete
     
  19. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    :) It's also worth noting that ProcessGuard, due to its configuration flexibility, can be as complex or as simple as you want it to be. For example you could just install it and turn everything off except "Block Rootkit/Driver/Service Installation" and you'd still have a program which blocks the installation of virtually every kernel-mode rootkit for Windows - a powerhouse of a program in itself just with one option turned on. Rootkit prevention doesn't get any easier or stronger than that, and as they say - prevention is better than cure.
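    Wayne's point above, together with Starrob's whitelist/blocklist suggestion and Pete's learning-mode walkthrough earlier in the thread, describes the generic, non-signature approach: every kernel driver is unauthorised until the user says otherwise. The Python below is an added illustration of that logic and is not ProcessGuard's code: it "learns" an allowlist of kernel-mode drivers from a known-clean snapshot of the Services registry key, then audits a later snapshot for drivers that were never authorised, authorised drivers whose image path was redirected, and names on a user blocklist. Both snapshots are constructed, simplified export-style text (ImagePath written as a plain string; a real `reg export` encodes it as hex(2)); the Type values 1 and 2 are the real SERVICE_KERNEL_DRIVER and SERVICE_FILE_SYSTEM_DRIVER constants.

```python
import re

# Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; 0x10 etc. are user-mode services.
KERNEL_TYPES = {0x1, 0x2}
_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]$")
_DWORD = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
_STR = re.compile(r'^"(\w+)"="(.*)"$')


def parse_services(text):
    """Return {service_name: {value_name: value}} from export-style text."""
    services, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            cur = services.setdefault(m.group(1), {})
        elif cur is not None and (m := _DWORD.match(line)):
            cur[m.group(1)] = int(m.group(2), 16)
        elif cur is not None and (m := _STR.match(line)):
            cur[m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return services


def kernel_drivers(services):
    """Keep only entries that would load a kernel-mode driver."""
    return {n: v for n, v in services.items() if v.get("Type") in KERNEL_TYPES}


def learn_allowlist(baseline_text):
    """'Learning mode': every kernel driver on a known-clean system becomes
    authorised, keyed by name with its image path recorded for later comparison."""
    return {n: v.get("ImagePath", "").lower()
            for n, v in kernel_drivers(parse_services(baseline_text)).items()}


def audit_drivers(current_text, allowlist, blocklist=frozenset()):
    """Return (verdict, name, image_path) for every kernel driver that is on the
    blocklist, was never authorised, or no longer loads from its learned path."""
    findings = []
    blocked = {b.lower() for b in blocklist}
    for name, v in sorted(kernel_drivers(parse_services(current_text)).items()):
        path = v.get("ImagePath", "")
        if name.lower() in blocked:
            findings.append(("BLOCKED", name, path))
        elif name not in allowlist:
            findings.append(("UNKNOWN", name, path))   # ask the user: allow or deny?
        elif allowlist[name] != path.lower():
            findings.append(("PATH_CHANGED", name, path))
    return findings


# Constructed known-clean snapshot (hypothetical values, simplified format).
BASELINE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"ImagePath"="system32\\DRIVERS\\disk.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfs]
"Type"=dword:00000002
"ImagePath"="system32\\drivers\\ntfs.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"""
# Same machine later (constructed): Disk now loads from a temp directory and a kernel driver nobody authorised has appeared.
CURRENT = BASELINE.replace(r"system32\\DRIVERS\\disk.sys",
                           r"\\??\\C:\\WINDOWS\\Temp\\disk.sys") + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpfilt]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\Temp\\tmpfilt.sys"
"""

if __name__ == "__main__":
    for verdict, name, path in audit_drivers(CURRENT, learn_allowlist(BASELINE)):
        print(f"{verdict:13} {name:10} {path}")
```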
     
  20. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Process guard / Kerio PF etc.

    ~~~~~
    Well I still think you are back to Signatures. Either that or a very boring computing experience.

    If a program isn't checked against known nasties first, then what do I do - simply not install a program I would like to try because it's installing a service etc? Or would I need a second opinion - like an online scan or my AV or AT (back to signatures)? Why would I need process protection if I don't allow anything to run? It's got to go through signatures first IMO. The other way around makes no sense to me whatsoever.

    If I had an AV that uses Heuristics, would I let an exe be checked by the sigs first or the heuristics?

    Can I get my AV to scan before PG reacts?
     
  21. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    Yes, I certainly understood the weakness of TDS.. and nice there are things out there called WormGuard.. since we have these buzz words now of virus, trojans, keyloggers, dll injectors, packer, rootkits, worms, malware (and those etc's) in those multiple layers of Security Approaches.. along with the old argument an AT product is not an AV product and vice versa.. so ya need both.. throw in there "do you want to "find" them on your system or stop them in the first place?".. YET what the real world has to offer is blended threats.. and to piecemeal them out for their Qualities with "individual products" installed on a PC to protect an Operating System has been the approach for a long time since the days of firewalls.

    And what the ANTI market has offered to date.. is only products that conflict with another vendor's products and that drove many vendors to offer a total solution - your all-in-one firewall-AV-AT-IDS-sandboxing Application... so they bought up each other and Integrated the Product Lines just to stay alive.

    They were at the same time fighting for Space on the users PC in the Startup.

    Rootkits don't just appear out of nowhere.
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    As I explained in other threads, the requirement for security products like ProcessGuard and Kerio to work at a low level only exists because malware programs are allowed to execute at these levels. If you take away the ability of any ole' programmer to write at the kernel level, then security level programs to protect at this level (i.e. plug the holes) also go away.

    You don't. That is the DeepFreeze/Anti-Executable model. Nothing new is allowed to run. Period. If this works for you or your organization, it appears to be excellent protection.

    I am sure each AV is programmed differently. But if I was to design an AV, I would first check it against signatures, since this is a "positive ID", and then heuristics, which is more of a "possible/probable" ID.

    An AV will usually catch the malware first, since it is scanning the file either as it is being buffered (as it is being sent over the network) or On Access. KAV has always responded first on my machine. Then Ewido. Then ProcessGuard and/or Online Armor (which I am trialing).


    Rich
     
  23. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Only if you're running as Administrator. If you're running as a limited user, malware would need to utilize an exploit to do so. It really sounds like this would be one of the better options for you, you may want to look into what all you can do with permissions, as well as hardening.

    I'll bet you didn't know you could do this with XP SP2, as well ;)
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I believe there are differences between running DeepFreeze (which restores a system to a prior state) and Anti-executable (which stops programs from running, but also allows anti-virus updates), and running XP in non-administration mode. However, ultimately, the general approach to the problem is very similar. The issue is whether either of these approaches, has a negative impact on the daily work flow of the user. In a library/education environment, this clearly works very well, since it enforces the general "rules" of the environment. Not sure what the impact would be in my own environment. But I may try it out.

    Rich
     
  25. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    This can be blocked at user level, but I can't verify if Amway understands that. Precisely why I am amused by Process Guard.

    Code:
    I am sure each AV is programmer differently. But if I was to design an AV, I would first check it against signatures, since this is a "positive id", and then heuristics, which is more of a "possible/probably" Id.
    I think your reasoning - order of effect - is correct in every single instance of every sane AV/AT out there.

    So what is the answer? - I have an unknown AV/AT and ProcessGuard barks, what am I responding to - - the AV has checked it and PG says possible baddy or what? Who came first? o_O Thanks for pointing this out.

    Also, most AVs (by numbers) aren't scanning http yet. And yet as we bust on Avast - THEY are. Oops, sales pitch and my bad. It's free, is that a sales pitch?

    In the same vein I personally think PG is so "dumb" it's already obsolete. I think if perhaps <<------ pg, worm guard, PG and TDS were a single product (TDS4), it might hold a candle to some of the good products that already exist.
     