Samurai -- Antirootkit Function

Discussion in 'other security issues & news' started by -Gajin-, Jun 28, 2005.

Thread Status:
Not open for further replies.
  1. -Gajin-

    -Gajin- Guest

    This application http://www.geocities.com/turbotramp2/samurai.html purports to "clean" a system which is infected by a rootkit. In order to do this it restores the SDT and thereby cleans any API hooks:

    "DISABLE ROOTKITS: Clear existing rootkits and prevent future loading.

    This solution hooks system calls to prevent the loading of rootkits and refreshes the kernel’s system call table to clear existing rootkits. This solution also contains a user interface that informs the operator when attempts are made to load device drivers during normal operation. This can only be accomplished with the Samurai HIPS."

    In theory, this should work. In practice, I still can't see the installed Hacker Defender rootkit ...

    Can anybody confirm this slightly disappointing result?
     
  2. lupus

    lupus Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    22
    I would certainly never download nor run something hosted on geocities, especially when it's a so called rootkit detector and probably installs some driver.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    About this function, should this really be able to delete rootkits from your system? I might test it in VMware but so far I can see that KAV keeps warning me about that almost every process wants to inject code into all other processes, with this feature enabled. :rolleyes:
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Samurai's roootkit function doesnt actually remove rootkits, it just prompt u when something tries installing a driver.
     
  5. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    I have never tired it but I thought it unhooked everything as you described?

    Have you tried ICEsword
     
  6. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    Surely nobody in their right mind tries to "uninstall" a rootkit? How can you possibly know when it's all removed? How can you tell if anything else on your system has been compromised?

    The best you can do is try to detect a rootkit. If one is found, format and start from scratch. There is no other sensible course of action, in my opinion.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes I agree with you trickyricky but I was just experimenting a bit in VMware because it can be a bit risky to try this on your real machine, it might become unstable or even worse. However Samurai claims it can "Clear existing rootkits", that sounds a bit too good to be true anyway. :rolleyes:
     
  8. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    Indeed it is too good to be true, especially considering that Samurai hasn't been upgraded for quite some time as far as I'm aware and rootkit techniques are constantly being pushed forward. Methinks a pinch of salt is called for when reading that particular claim, good as the other functionality of Samurai is.
     
Thread Status:
Not open for further replies.