What program do you all consider to be the best anti-rootkit?

Discussion in 'other anti-malware software' started by WilliamP, Dec 3, 2006.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    Yeah i know that :cool:

    Throw in the fact of a Power Shadow in shadow-mode and i don't concern about anything possibly devised by the highest minds in that cyber-world field of dreams.

    I am mainly puzzled since this is first time i ever experience such ongoing issue with any ARK but i have had some trouble testing Helios because it requires SP2 you see and i believe in leaving things alone that work just fine. I understand ARK's is in past been somewhat in infancy but is maturing quickly now.
     
    Last edited by a moderator: Feb 24, 2007
  2. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    EP_XOFF - I have v 3.20.130.388

    The Hidden Files - Scan is only function that doesn't work properly but not until the end of the scan. When I got the error in my screenshot, I could see the hidden files displayed, but the RKU GUI closed as soon as I hit the OK button to close the error window. After copying (not moving) the DLL to the RKU folder - I no longer got the error but now the GUI closes automatically at the end of the Hidden Files scan.

    All other functions (pages) work perfectly - the data is displayed and can saved to a file. What else can I try and have you heard of this same occurence before?
     
  3. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @Zorra
    Symantec wrote long time ago:

    I tested Rustock.B on VISTA and even though it has a lot of BUGS most of it worked:

    Code:
    GMER 1.0.12.12067 - http://www.gmer.net
    Rootkit scan 2007-02-23 00:56:32
    Windows 6.0.6000 
    
    
    ---- System - GMER 1.0.12 ----
    
    SYSENTER  \SystemRoot\system32:lzx32.sys                   8F40BFAF
    
    ---- Devices - GMER 1.0.12 ----
    
    Device    \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE             [8F40A886] system32:lzx32.sys
    Device    \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION  [8F40A62A] system32:lzx32.sys
    
    ---- Services - GMER 1.0.12 ----
    
    Service   C:\Windows\system32:lzx32.sys (*** hidden *** )  [MANUAL] pe386                               <-- ROOTKIT !!!
    
    ---- EOF - GMER 1.0.12 ----
    Short movie:

    http://www.gmer.net/pe386vista.wmv

    Regards
    -Gmer
     
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Try to test it on normal x64 Vista, frieeend.
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    This could be related to disk errors, check your harddrive with chkdsk /f /r /x
     
  6. EASTER.2010

    EASTER.2010 Guest

    Not happening here in this camp ever! Vista is nothing more to us then a cheap imitation of things already past and a sour reminder of how lousy M$ can be to it's loyal constituents/consumers/users.
    Anyone smell the smell of fresh dollars anywhere behind their marketing doors?

    In reality and in all honesty this camp over here will never touch it BUT, when Vienna or whatever lame name microsloww comes out with for that one arrives, then there might become some interest, not before & not untill.
     
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,020
    Location:
    Canada
    100% agree EASTER.2010:)
     
  8. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @EASTER
    Who cares that a few guys will stay on XP . There are millions of new clients/victims ( of Microsoft's business )
     
    Last edited: Feb 25, 2007
  9. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Gmer, stop spreading your panic all around the web. There are no rootkits for x64 Vista, which are supersides XP in all cases. But I do not say that Vista is good operation system, I just trying to say that x86 Vista is not a point to test rootkits LOL.

    "Millions of victums" - absurdity.
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    there is no 1 rootkit detector that works on every case

    when looking for hidden malware I use a combination of Gmer, icesword, blacklight & any other one I can find

    sometimes one will show what others don't, sometimes nothing shows in any rootkit detector despite there being hidden files & entries
     
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Show me one (at least) working non-PoC (or even PoC) malware (or not) rootkit that works fine on every (or almost every) x64 Windows Vista.

    Pills and other sci-fi currently are only words (by Joanna and not only). Malware writers always will use more simplest ways to hide from security tools.

    What about GMER it is more advanced monitoring system tool with scope of non-fixeable bugs.
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Granted but there is one that works on a high degree in my experience whilst malware collecting.

    I have one same drive tool onboard that has at worst part degree or in most cases to a total degree detected all known malware rootkit's that i have found out in the wild.Not only does it detect all samples that i have,it can recover them for analysis or kill them on the hosed system.

    With that i would be very interested in seeing either the droppers or component files of anything that has bypassed RootKit Unhooker so i can upload them to malware listserve at MIRT for widespread distribution as i have with alll others collected:thumb:

    Added bonus being if you can give these missed samples to EP i'm sure he will update his tool to an even higher level of capability.Maybe the best can get a little better ?

    Of course nothing will be as reliable as slaving the infected drive or booting in from a live CD(Bart PEetc) but all said and done in 5 months of harvesting i've yet to find one single malware rootkit that bypass's RKU latest evo when it is loaded:)
     
  14. Zorra

    Zorra Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    19
    I think Gmer is just saying that though Rustock can be installed on Vista 32 bit, it is not functional, so unless author refines it - it is still not a threat as of yet.

    EP_XOFF - I'll try that - the error seems to be related to the GUI or report function because the hidden file scan detection works fine.

    Everybody has their favorite rootkit apps. There are definitely a few that have risen to the top because they are highly effective. I'll continue to use a variety of detectors. When new rootkits arise, POC or otherwise, most of the authors the top ARKs respond by making sure their program can detect them. So good job both Gmer and EP_XOFF. There is room for both of your programs!
     
  15. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Of course, Zorra, everybody have their favourite programs :)
     
  16. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Zorra, you are reading my minds .

    Like I said before. There is much more room for such programs: RootkitRevealer, BlackLight, IceSword, ...
    Their authors worked hard and these programs are still able to detect most of stealth malware .
    Few POC RK "toys" will not disparage them.
     
  17. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  18. EASTER.2010

    EASTER.2010 Guest

    There is even better room i think and more appreciation for ARK authors who add new improvements with frequency and quickly make "BUG FIXES" on regular basis as similarily as commercial Anti-Spyware programs . Would you like to name "one" that matches that description exactly for us?

    Proof-Of-Concept also comes in 2 flavors, the RK and ARK of course and can lead to better developments or don't you agree.

    Also is of importance not to become complacent wouldn't you agree?
    Modgreper & System Virginity Verifier courtesy Joanna Rutkowska are a finished project now? Ice Sword and the others are not needed to update either?

    I beg to differ with that philosophy. Look into the 98/Me transition into XP. Is XP been a waste of time or been so reduced now or as error laden as was 98/Me?
    What makes you think Vista is so much more refined or improved an O/S over the XP system as as you seem to allude to in that statement?


    Well Deserved! Congrats!
     
    Last edited by a moderator: Feb 25, 2007
  19. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    PoCs, rootkits and others

    No, Gmer. If you speaking this you should know that:

    - Rootkit Revealer are PoC
    - Blacklight doesn't been updated (really updated) since release, so it's a PoC from AV-company
    - IceSword stopped in evolution about year ago (author creates stupid plugins, nothing more)
    - All creatures from Joanna are pure (in some times completely unworkable) PoC's
    - DarkSpy is PoC, it was un-updated since release. And it very very unstable and unfriendly rootkit detector, sorry but this is true.
    - All mainstreams AV-rkdetectors was made by copy-paste technology from rootkit.com old sources, if some rootkit bypasses for example Avira it will also easy bypass any others from this company.

    Proof-Of-Concept rootkits shows actually technology, not a malicious evolution stage. They are containers for real - malware rootkits. For example, if you talking that PoC's are not a point here, then you should know that NtRootkit (famous SSDT hooker) are also PoC, but currently almost 70% of all malware rootkits uses the same technology as in "your useless" PoC rootkit :D

    When peoples talking such things - they need to think twice before do that. Only if your tool always easy bypassable by PoC rootkits it is not a reasons to speak such nonsense. It is reasons to review all your architecture and (like for example nonsense random generation of ctl codes, flickering and ugly UI) do the evolution.

    @fcuktdat

    Thanks for information. We do the best.
     
  20. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Along time coming :) - good decision!
    At the moment I consider RkU as no1 ARK program.
     
    Last edited: Feb 26, 2007
  22. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    @dvk01
    Derek: have you specifically used RkU yet.?
    Even pwalker?

    Be very interested to hear your comments.

    You mention other progs: still V.effective but no real change for some time with Ice Sword and DarkSpy.
    Even mainstream media have recognised RkU as One of if not the best.

    RkU under constant review and devt.
    Subject to harsh criticisms recently and close analysis of results.
    The more exposure the better. The Developers have responded each time in record time.
    The move by CC is a leap forward in terms of exposure and experience.

    Heh EP and MP e-mail will be running hot !!
    Popularity might be a curse.

    ( LOL EP-XOFF the belle of the ball :eek: )
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Yes I have tried RKU & in the right hands it is quite capable however it has it's faults & quite serious ones from my point of view

    the main problem is that you cannot recommend a victim of malware to run it, prepare & log and do simple fixes easily

    it is far to easy for the victim to seriously damage his computer & need a reinstall to fix

    I know it's a difficult problem but for ANY rootkit detector & fixer to be of any real use, it must be usable by the great unwashed in the real world & not just by experts

    I also don't really like the way that RKU doesn't remove the files involved just reg entries so leaves the possibility for the scum whom installed it in the first place to activate the files again
     
  24. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I'm a bit at odds with your findings Derek on several fronts o_O

    RKU dose not remove files....

    Correct but incorrect after analysis it overwrites them with 0's thus killing the file,no chance of restoration of file without fresh infection.

    RKU removes reg entries....
    Where does it do that o_O


    Fwiw HiJackThis can do damage if used incorrectly but that has'nt stopped being widely used as a tool under direction:thumb:

    In a nutshell maybe you should try the tools *hidden file* scan against any malware rootkits you have and see if it produce's a confused report.
    I have done it last night with 6 advanced and recent malware rootkits last night to produce illustration of how simplified it is:D

    http://www.castlecops.com/p901545-Rootkit_Unhooker_v3_20_Approved.html#901545

    Have you tried this tool in its latest encarnation at all ?
     
    Last edited: Feb 26, 2007
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Afterthoughts following the last 2 posts...

    Hey EP Just an idea if you would like your tool more usuable across a wider scope of users then maybe have an advanced tab(option) where all scans are accessible and a basis(detect hidden file)only scan with wipe/copy still available by default ?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.