Rootkit scanners: UnHackMe & RootkitRevealer

Discussion in 'other anti-malware software' started by 666, Mar 16, 2007.

Thread Status:
Not open for further replies.
  1. 666

    666 Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    48
    Alcohol 120%, one of the more popular drive emulator apps, hides itself from overly intrusive DRM by using a rootkit.
    RootkitRevealer detects it, UnHackMe does not.

    Actual Spy (www.actualspy.com), a keylogger to spy on your kids, employees, wife(s), etc. also tries to hide itself. Without much success, though.
    UnHackMe detects it, RootkitRevealer does not.

    Alcohol 120% is an innocent program, but what if a piece of malware tries to hide itself using Alcohol's method?
    Actual Spy may be "innocent" if you install it yourself, but its hiding method is also used by lots of malware.

    And of course there may be rootkits out there that escape detection by RootkitRevealer and UnHackMe.

    It's reasonable to assume no single rootkit scanner finds them all. But what would be a good combination of anti-rootkit apps without having to install them all?



    ---

    Edit: Rootkit Unhooker found 'em both. The keylogger had an entry in the hidden process tab (ASMonitor.exe hidden from Windows API), Alcohol had multiple entries for vax347b.sys in the hooks tab*. Unfortunately they're hard to find in between the hundreds of false alarms, unless you know what to look for.


    *) Rootkit Unhooker did not find the hidden Alcohol 120% registry entries detected by Rootkit Revealer:
    HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName
    HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg40
     
    Last edited: Mar 16, 2007
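    The two detection techniques this post contrasts can be sketched in a few dozen lines. The block below is an added illustration, not code from RootkitRevealer, UnHackMe or Rootkit Unhooker: a cross-view diff (enumerate the same objects through the Windows API and through a low-level path, then report what the API view is missing, which is how RootkitRevealer finds hidden registry keys and how a hidden-process tab is populated) and SSDT attribution (resolve every service table entry to the loaded module that owns its address; anything outside ntoskrnl is a hook, which is how a scanner ties a hook to a driver such as vax347b.sys). All registry paths beyond the ones quoted above, process lists, module bases, sizes and table addresses are constructed sample data, not captures from a real machine.

```python
"""Cross-view diff and SSDT hook attribution, as an added illustration.

Not code from any of the tools discussed; every view, address and module
range below is constructed sample data. On a real system the 'api' view
would come from RegEnumKeyEx/EnumProcesses and the 'raw' view from a hive
parser or a walk of the kernel's own process list.
"""
from dataclasses import dataclass


def normalize(name: str) -> str:
    # Registry paths and image names are case-insensitive on Windows; comparing
    # them verbatim would turn every case difference into a false 'hidden' hit.
    return name.strip().lower()


def hidden_entries(api_view, raw_view):
    """Objects present in the low-level view but absent from the API view.

    A discrepancy only means something when both views were taken at the
    same moment: a key created or deleted between the two enumerations also
    lands here, which is why scanners re-check hits before reporting them.
    """
    api = {normalize(x) for x in api_view}
    return sorted(x for x in raw_view if normalize(x) not in api)


# Constructed: what a raw hive parser sees vs. what the registry API returns
# once a filter driver strips the entries it wants to hide. The vax347s path
# is the one quoted in the post; the other two are made up.
RAW_HIVE = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
    r"HKLM\SYSTEM\ControlSet001\Services\vax347s\Config\jdgg40",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain",
]
API_REGISTRY = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
    r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain",
]

# Constructed: "pid image" entries from walking the kernel process list vs.
# from EnumProcesses; the keylogger has been unlinked from the list the API
# walks, so only the raw view still has it.
RAW_PROCESSES = ["4 System", "640 csrss.exe", "1320 explorer.exe", "1904 ASMonitor.exe"]
API_PROCESSES = ["4 System", "640 csrss.exe", "1320 explorer.exe"]


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def attribute_hooks(ssdt, modules, kernel="ntoskrnl.exe"):
    """Map each (index, service, target) SSDT slot to its owning module.

    Returns the slots whose target lies outside the kernel image as
    (index, service, target, owner). A target no loaded module covers is
    reported as '<unlisted>': a hidden driver or code in a pool allocation,
    which is the more suspicious case than a named third-party driver.
    """
    hooks = []
    for index, service, target in ssdt:
        owner = next((m.name for m in modules if m.contains(target)), "<unlisted>")
        if owner != kernel:
            hooks.append((index, service, target, owner))
    return hooks


# Constructed module list and table; bases, sizes and targets are illustrative.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x001F8000),
    Module("vax347b.sys", 0xF7A1E000, 0x00008000),
]
SSDT = [
    (0x25, "NtCreateFile", 0xF7A1F2C0),             # inside vax347b.sys: hook
    (0x42, "NtDeviceIoControlFile", 0x80579A10),    # inside ntoskrnl: clean
    (0x91, "NtQueryDirectoryFile", 0x8057E0B0),     # inside ntoskrnl: clean
    (0xAD, "NtQuerySystemInformation", 0xF7A1F6D0), # inside vax347b.sys: hook
    (0xB1, "NtQueryValueKey", 0xF8C01340),          # no module covers it
]


def scan():
    return {
        "hidden_registry": hidden_entries(API_REGISTRY, RAW_HIVE),
        "hidden_processes": hidden_entries(API_PROCESSES, RAW_PROCESSES),
        "ssdt_hooks": attribute_hooks(SSDT, MODULES),
    }


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

    Note the two classes of noise the post complains about: a cross-view diff reports every object that changed between the two enumerations, and hook attribution reports every third-party driver that sits in the table, legitimate or not (which is why a drive emulator and a rootkit look the same here). Whether vax347b.sys is benign has to come from knowing what the driver is, not from the scan.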
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    FYI

    RootKit Unhooker does not look at registry entries, so this is not a missed detection but purely outside of its operations, but as you found it does *see* your 2 samples. RKU is miles ahead of your 2 stated tools ;)

    RKU is the only same drive ARK tool that can see all my extensive repository of malware rootkits once loaded so in my experience it is the best available in its class.

    That said, it is a forensic tool with some nifty functions, but if misused it can do crazy stuff to the end user's PC. So its use should be under guidance unless the end user understands how to interpret raw data (good/bad/suspicious etc.) and what the various functions can do.
     
  3. greencoconut

    greencoconut Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    38
    I agree, RKU is the most advanced tool right now
     
  4. EASTER.2010

    EASTER.2010 Guest

    All things considered, RKUnhooker is indeed Legendary and the authors have done a great service for many including generously sharing their expertise and exposing the truth from claims of others in a field that is as sophisticated as they come. Furthermore, they could not have surfaced at a more important time when malware of many types are utilizing hiding techniques with rootkits to try to keep themselves cloaked from common detection products.

    A truly innovative production that has made its mark and presence invaluable in this massive ping-pong match.
     
  5. 666

    666 Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    48
    I opted for the combination Rootkit Unhooker & Rootkit Revealer.

    The latter because it looks for hidden registry entries, which Rootkit Unhooker does not.


    Is there a "Rootkit Unhooker log analyzer" similar to the HijackThis log analyzer on http://www.prevx.com/hijackthis.asp ?
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    No, there is no automatic log analysis available, and even if there was it would be exposed to the same level of **** ups as the HJT log automatic tools, which are, by the by, very prone to mistakes in both directions :thumbd:

    RKU does have an official support forum located at
    http://rku.xell.ru/forum/
    where some are doing log reviews for the end user :thumb:
     