scan for rootkit

Discussion in 'other anti-malware software' started by Ximi, Jun 9, 2008.

Thread Status:
Not open for further replies.
  1. Ximi

    Ximi Infrequent Poster

    Joined:
    May 12, 2008
    Posts:
    40
    Location:
    Estern
    Hi
    I've read somewhere that I can scan my Network Router and PC-Connection for rootkits.
    Because sometimes I get disconnected from my Internet-Connection.
    I use a Router and share my Internet-Connection with 1 other PC.
    Where can I scan my Network for rootkits?
    thanks.
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    In the past, some people took advantage of the rootkit paranoia by providing detection services.
    And this is not serious of course: there's no better way than a deep and complete analysis based on human experience.
    If you suspect that your network perimeter is compromised, then it requires a network and host (each PC) analysis, locally and remotely (from PC 1 to PC 2, and PC 2 to PC 1).

    There are free forensic products like Mandiant First Response for remote analysis.
    Locally, a protocol analyzer is required: I suggest Wireshark or NetworkMiner, both free.
    And of course, any good rootkit detector (IceSword, GMER, RKU etc.): this should be the first step for any "classical user".

    For scanning PC 2 from PC 1 (and PC 1 to PC 2), there are a lot of open source network scanners like Nmap for instance.

    Regards
     
  3. Ximi

    Ximi Infrequent Poster

    Joined:
    May 12, 2008
    Posts:
    40
    Location:
    Estern
    I did not understand anything you wrote, nothing at all.
    I was just worried that I had some undetected and unhidden rootkit and wanted to scan my Network and LAN; how and with what do I do that?

    Can anyone else help me with this maybe ?
    thnx
     
  4. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Kaspersky has a rootkit scanner as part of the application. Have you tried that?
    Maybe someone else can tell us why that might not be enough.

    I also did not understand anything that was posted.

    Regards,
    Jerry
     
  5. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi, Kaspersky = false positives, and heavy, heavy artillery! I'd rather do this: AVIRA. And antirootkit = GMER; also look to ESET SysInspector, Process Explorer. Look to my configuration on Wilders / Other Anti-Malware Forum / thread: What is your security ... Page 105. Thanks, PROROOTECT
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nice to see Kareldjag wandering around this forum again, NicM occasionally drops by also. Noticed your blogs were not updated much. Any chance of you providing tests and info in the future?

    Regards Kees
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Why do you have a keyboard without a return key?
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Since when has Kaspersky = false positives? The newest version is quite a lot lighter than 7.0 was.
    Much better than most of the alternatives.
    I know of another product which has quite a lot of FPs but won't mention it.
     
  9. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hello, # ... Jun 2008: 3.55 GB: /Documents and settings/All Users/.../Kaspersky Lab/AV ... 7/Report/eventlog.rpt! YEAH! LIGHT: 3.55 Gigabytes, eventlog.rpt. o_O THANKS.
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    If you checked the checkbox "log non-critical events", that's not the product's problem :) Otherwise the report log won't get that big even after 3 years of use lol.
     
  11. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    The signature of the OP indicates he uses Kaspersky.
    I have been using KIS 7, and now KIS 8. I find neither FPs nor heavy.
    If the OP is already using Kaspersky, why not use it rather than add to the load?

    I must admit that if we used everything recommended when we ask "what" we would really have a lot of stuff on our systems. Unless paranoia has one in its clutches a good application like one of the top suites will take care of everything. Of course if one is determined to see if his machine can be infected "all bets are off."

    Although I use a couple of AT/AM applications none that I have ever used has found anything but traces and cookies. I become more and more convinced that a good suite will take care of things.
    If you disagree fine, but until I get infected I will continue to take that position. In slightly over 9 years my systems have remained clean.

    Regards,
    Jerry
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Like kareldjag wrote ... but if you don't understand what he wrote, then there's no point in you trying to find this rootkit, because you prolly won't be able to tell legit from illegit software.

    Understanding nmap or Wireshark takes knowledge of network protocols, not sure if you're there ...

    I'd suggest a slightly different approach (a more mainstream one would be):

    Use UBCD4WIN bootable windows CD first, run a tool called RootKitty, once booted in Windows and once from live CD, then run compare and see what files show up in the scan.

    Then, google one by one the .sys, .exe and similar files and see if anything interesting comes up.

    You can also try a more benign approach running SuperAntiSpyware scanner. No guarantee with in-vivo scanning.

    Running anti-rootkit tools is dangerous, if you don't know what you're doing, you can easily kill your system, so be careful.

    Mrk
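The cross-view step described above (one listing taken inside the booted Windows, one from the live CD, then compared) as an added Python example; it is not part of the original post nor RootKitty's own code. The tab-separated listing format, the file paths, sizes and contents are constructed assumptions.

```python
"""Cross-view comparison of two file listings of the same disk."""
import hashlib

# Constructed sample listings in an assumed "size<TAB>sha256<TAB>path" format
# (not RootKitty's own output). ONLINE is what the booted Windows reports,
# OFFLINE what the live CD sees on the same disk; sizes/contents are made up.
def listing(entries):
    return "\n".join(f"{size}\t{hashlib.sha256(content).hexdigest()}\t{path}"
                     for path, size, content in entries)

ONLINE_LISTING = listing([
    (r"C:\WINDOWS\system32\drivers\ntfs.sys", 574976, b"ntfs-driver-bytes"),
    (r"C:\WINDOWS\system32\kernel32.dll", 989696, b"kernel32-bytes"),
    (r"C:\WINDOWS\system32\drivers\acpi.sys", 187776, b"acpi-as-reported-online"),
])
OFFLINE_LISTING = listing([
    (r"C:\WINDOWS\system32\drivers\ntfs.sys", 574976, b"ntfs-driver-bytes"),
    (r"C:\WINDOWS\system32\kernel32.dll", 989696, b"kernel32-bytes"),
    (r"C:\WINDOWS\system32\drivers\acpi.sys", 187776, b"acpi-as-stored-on-disk"),
    (r"C:\WINDOWS\system32\drivers\hidden.sys", 24576, b"only-visible-offline"),
])

def parse_listing(text):
    """Parse 'size<TAB>sha256<TAB>path' lines into {path: (size, sha256)}."""
    view = {}
    for line in text.splitlines():
        if line.strip():
            size, digest, path = line.split("\t", 2)
            view[path.lower()] = (int(size), digest)  # NTFS paths are case-insensitive
    return view

def cross_view_diff(online, offline):
    """'hidden': on disk but invisible to the running OS (classic cloaking).
    'mismatch': running OS reports different content than is stored on disk
    (a hooked read). 'ghost': reported online, absent offline; worth a look."""
    findings = []
    for path in sorted(set(online) | set(offline)):
        on, off = online.get(path), offline.get(path)
        if on is None:
            findings.append((path, "hidden"))
        elif off is None:
            findings.append((path, "ghost"))
        elif on != off:
            findings.append((path, "mismatch"))
    return findings

def suspicious_paths(online_text, offline_text):
    """Parse both listings and group the findings by kind."""
    findings = cross_view_diff(parse_listing(online_text), parse_listing(offline_text))
    return {k: [p for p, kind in findings if kind == k] for k in ("hidden", "mismatch", "ghost")}
```

Each flagged path is only a lead; as the post says, the next step is looking the file up one by one before deciding it is not legitimate.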
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Rootkits might install themselves on my system, if they survive my boot-to-restore and my security, but they won't remain on my system permanently, just temporarily.
    Besides, when anti-rootkit scanners/tools detect a rootkit on my system, it's already too late, but at least I will be able to remove it. As long as rootkits only infect my harddisk, they are nothing but a temporary infection.
    I don't use scanners/tools to remove rootkits, I use my restore procedure to remove them, much safer, because I'm too stupid to read and interpret rootkit scanner reports.
    I ran a few user-friendly anti-rootkit scanners, they didn't detect anything, but how can I trust these scanners? They certainly don't remove all existing rootkits, while my restore procedure removes all of them.
     
    Last edited: Jun 17, 2008
  14. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    I think the OP just wants to scan to be sure, and learn. He does not want to waste time restoring in case it is infected...
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If he restores an infected image, it won't help. Infected images are caused by the user himself by doing a backup of his actual system, which is the easiest way of course, but also the wrong way.
     
  16. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Yeah, but to know if his image is infected he's gotta know how to detect infections. Image cleaning is done by virtually mounting it; less probability of snapping something since it's not loaded in memory and cannot cause a BSOD.

    You can use your Kaspersky to detect known rootkits and then a tool like IceSword, GMER or RootKitty to look further (to the unknown) :p, plus Google to distinguish legitimate items from non-legitimate ones.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Wow. So many tools to run, just for rootkits ?
    In that case I prefer to use my clean images to remove rootkits and other threats, that weren't detected.
     
  18. blackdog56

    blackdog56 Registered Member

    Joined:
    May 15, 2007
    Posts:
    8
    I think what the OP is seeking though, is that he thinks his router has a rootkit, because he is getting disconnects. There is a good chance this has nothing to do with rootkits. First, I would check on up to date router firmware, and probably visit the router's support/help/forum to see what others have done about disconnects. I would also check on up to date drivers for the NIC card. The other place a problem may be is with your ISP.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    IF it is a hardware (router) rootkit, I would be scared also. I hope it isn't otherwise every router might become vulnerable.
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    How about not spreading baseless sci-fi paranoia scenarios that have nothing to do with reality?
    Mrk
     
  21. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    I think router rootkits are pretty real... I think a D-Link service technician found the first one from a firmware size mismatch. I will provide the source as soon as I find it (bookmarked on another PC).
     
  22. Ximi

    Ximi Infrequent Poster

    Joined:
    May 12, 2008
    Posts:
    40
    Location:
    Estern
    But I want to scan my Network Internet-Connection through the Router, as I think someone is using my Internet-Connection by putting a rootkit file. How can I scan the Network and not all PCs?
     