Rootkits again?

Discussion in 'other anti-virus software' started by JerryM, Apr 14, 2006.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    On my other thread re rootkits, I learned some things about such.
    However, no one really named some AVs that are in the top rung at detecting them.

    Is there one, or more AV, such as KAV or NOD or Bit Defender, which provides superior protection from rootkits, or is this an area that is untested and not really known?

    Thanks,
    Jerry
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    NOD32 detects unknown rootkits. To my knowledge, it's the only AV that actually protects you against unknown rootkits using advanced heuristics. Other means of detecting rootkits are using Blacklight, RootkitRevealer etc., but they basically share the same technology to detect rootkits (not exactly the same, since the technology used in RootkitRevealer is patent pending currently). But they only detect rootkits hidden from the API (they also report mismatch data from the "hive").

    So once a rootkit is installed & running they can't detect it (unless it's hidden).
    That's why it's vital to detect it before any rootkit gets installed - and that's what NOD32 is doing.
     
    Last edited: Apr 14, 2006
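The "hidden from the API" comparison described above (and the hidden process/driver case raised later in the thread with DarkSpy) as an added example; this is not code from any of the tools named, and every object name in it is constructed sample data:

```python
"""Cross-view rootkit detection reduced to its core: enumerate the same
objects once through the normal API and once through a lower-level walk,
then flag whatever the API view omits.  All names below are constructed
sample data, not output from any real tool or system."""

# Constructed API-level view (what user-mode enumeration reports).
API_VIEW = {
    "processes": {"explorer.exe", "svchost.exe", "avscanner.exe"},
    "drivers":   {"ntfs.sys", "tcpip.sys"},
    "run_keys":  {"SecurityCenter"},
}

# Constructed low-level view of the same structures (raw list walk / hive parse).
# "stealth.exe", "stealth.sys" and "Loader" are being hidden from the API.
RAW_VIEW = {
    "processes": {"explorer.exe", "svchost.exe", "avscanner.exe", "stealth.exe"},
    "drivers":   {"ntfs.sys", "tcpip.sys", "stealth.sys"},
    "run_keys":  {"SecurityCenter", "Loader"},
}

# Constructed views for malware that runs openly: both views agree.
API_VIEW_OPEN = {"processes": {"explorer.exe", "dropper.exe"}, "drivers": {"ntfs.sys"}}
RAW_VIEW_OPEN = {"processes": {"explorer.exe", "dropper.exe"}, "drivers": {"ntfs.sys"}}


def cross_view_diff(api_view, raw_view):
    """Return {object_class: set_of_hidden_names} for entries the raw view
    has but the API view lacks.  Classes with no discrepancy are omitted."""
    hidden = {}
    for kind, raw_entries in raw_view.items():
        missing = raw_entries - api_view.get(kind, set())
        if missing:
            hidden[kind] = missing
    return hidden


def format_report(hidden):
    """Render the discrepancies as one sorted line per object class."""
    return [f"{kind}: {', '.join(sorted(names))}" for kind, names in sorted(hidden.items())]


def hides_itself(api_view, raw_view, name):
    """True only if 'name' exists at the low level but is absent from the API
    view; a sample that does not hide produces no discrepancy at all."""
    return any(name in missing for missing in cross_view_diff(api_view, raw_view).values())


if __name__ == "__main__":
    for line in format_report(cross_view_diff(API_VIEW, RAW_VIEW)):
        print("hidden", line)
    # A dropper that does not hide is invisible to this technique:
    print("dropper.exe flagged:", hides_itself(API_VIEW_OPEN, RAW_VIEW_OPEN, "dropper.exe"))
```

The second scenario is the limitation the post points at: a cross-view scanner only reports what is hidden, so a running rootkit that does not (yet) conceal anything shows no discrepancy.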
  3. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    KAV 6 has some generic rootkit detection too.
     
  4. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Doctor Web's newest beta has an anti-rootkit module, allowing it to scan/disinfect rootkit-masked files..
    haven't had really time to test this against installed rootkits.. and the beta is expiring soon
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Can you remove rootkits with a clean snapshot or clean image restore ?
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O

    I'd go for an image restore, especially from an external HD or bootdisk!
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Thanks and that's my intention, I have an external HD.
     
  9. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    Protection from rootkits works up to the point where a new technique is created by the malware authors. Detection ditto.

    The real question is, with all of the tools running, how can you be certain there is no rootkit on your computer, how do you protect against it and how do you detect it?

    As an example, consider the enhanced FU rootkit. The DarkSpy tool referenced in post #127 by nick s at: https://www.wilderssecurity.com/showthread.php?p=729023&highlight=DarkSpy#post729023
    speaks about DarkSpy in the thread entitled: Rootkits headed for BIOS

    DarkSpy finds processes and drivers hidden by "enhanced FU" rootkit, but can any of the tools AV, AT or otherwise?

    I like Illukka's response as a procedural tactic, but the issue remains - how to detect you have a rootkit.

    -- Tom
     
  10. controler

    controler Guest

    Does DarkSpy also remove the rootkit? Isn't it too late once a rootkit has been detected?
     
    Last edited by a moderator: Apr 21, 2006
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    I have not downloaded/used DarkSpy, so I don't know whether it can remove a rootkit it detects - could be either easy or very tricky depending on what it modified to hide itself. Suggest sending a PM to nick s.

    That's a good question, probably dependent on the rootkit features as to whether it is too late once a rootkit is detected.

    First it needs to hide itself and not get caught (detected). If it does all of its damage upfront, say for instance on a computer with weak security measures, then for sure it's too late. How good it can hide (stealth) itself depends on both its method and the security tools in use on the platform. That is why it is also probably a good idea to have a remote scanner for rootkits, which introduces a different perspective for detection in terms of both safety from the rootkit and an extra set of eyes (external), so that the rootkit, if it evaluates the local security tools in place, would be a bit shy of knowing what it is up against.

    However, if it is the type of rootkit content to hide and bide its time, and poke its head up occasionally, then your guess is as good as anyone's.

    It's a war out there!

    -- Tom
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not going to ask myself this question.
    I simply will start with a clean system partition every day, not only to remove rootkits, but also the rest of possible infections.
    I can do this because my system partition won't have any personal files.
     
  13. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Dr.Web will soon add the rootkit-detection function to its scanner - and to the free CureIT! scanning module.
    Those who would like to try can still subscribe to the beta-testing program
    http://beta.drweb.com
     
  14. zoned

    zoned Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    11
    Tom,
    I have looked at it and it only detects rootkit behaviour.
    It's a test version at the moment. It is a stand-alone exe.

    Here are a few screenshots for prospective users....

    http://www.antirootkit.com/images/darkspy-1.JPG
    http://www.antirootkit.com/images/darkspy-2.JPG
    regards
     