Discussion in 'other anti-malware software' started by WilliamP, Dec 3, 2006.
So you want to mix all pages into one?
First of all, it is an advanced rootkit detector, so it can't be used by people without any kind of knowledge; for such people there are other all-in-one-click detectors like BlackLight and Avira. Well, their detection abilities and quality are limited, but that is the price for an easy-to-use interface.
RKU doesn't delete files, because malware can itself monitor its file's presence and recreate it. It wipes the contents of the file without any chance for the malware to resurrect it without re-infecting (tested on all malware available to us).
Deleting reg keys can't prevent malware from acting. Malware can restore its keys before reboot or dynamically (like HaxDoor), so this feature would not help.
And btw, Derek, where did you get this "removes regentry"? RKU doesn't have such an ability.
Is that a new method that you created? How do you do that without deleting the file first, and does it change the file attributes such as the last modification date?
No, it is not a new method. We are parsing NTFS / FAT32 data structures manually, without the help of the operating system, so we can locate the chain of file clusters and write our data inside, no matter whether the file was blocked in Windows or not. With such abilities we can wipe the contents of a running malware process / DLLs / drivers and other files, and they absolutely can't prevent us from doing this. It's like when you use professional disk-editing software like WinHex. After the wiping process, a system reboot is sometimes required to flush changes to disk. To avoid possible problems your disk should be free from logical/hardware errors (check first with chkdsk).
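As an added illustration of the approach described in the post above (this is not RKUnhooker's code, and it is a toy rather than a real NTFS/FAT parser): a constructed in-memory FAT32-style image, a raw parse of its 32-byte directory entries, a cross-view diff of that raw listing against what the (possibly hooked) file API reports, a walk of a file's FAT cluster chain, and an in-place zeroing of those clusters that leaves the directory entry itself intact. The cluster size, FAT contents, file names and the "API listing" are all constructed sample data.

```python
# Added example, not RKUnhooker's code. Toy FAT32 directory/FAT parsing over a
# constructed in-memory image (assumption): nothing here touches a real disk.
import struct

CLUSTER_SIZE = 512              # bytes per cluster in the toy image (assumption)
FAT_EOC = 0x0FFFFFF8            # FAT32: entry values >= this mark end of chain
ATTR_VOLUME = 0x08              # volume-label entry
ATTR_LFN = 0x0F                 # long-file-name piece (all four low bits set)
DIR_ENTRY = struct.Struct("<11s3B7HI")   # 32-byte short-name directory entry


def make_entry(name8, ext3, attr, first_cluster, size):
    """Build one 32-byte FAT directory entry (constructed sample data)."""
    raw_name = name8.ljust(8).encode("ascii") + ext3.ljust(3).encode("ascii")
    # fields: name, attr, ntres, crt_tenth, crt_time, crt_date, acc_date,
    #         clus_hi, wrt_time, wrt_date, clus_lo, size
    return DIR_ENTRY.pack(raw_name, attr, 0, 0, 0, 0, 0,
                          first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_directory(raw):
    """Raw view: (name, first_cluster, size) for every live short-name entry."""
    files = []
    for off in range(0, len(raw) - len(raw) % 32, 32):
        name, attr, _, _, _, _, _, hi, _, _, lo, size = DIR_ENTRY.unpack_from(raw, off)
        if name[0] == 0x00:
            break                           # 0x00: no entries follow
        if name[0] == 0xE5:
            continue                        # 0xE5: deleted entry
        if (attr & ATTR_LFN) == ATTR_LFN or attr & ATTR_VOLUME:
            continue                        # skip LFN pieces and the volume label
        base = name[:8].decode("ascii").rstrip()
        ext = name[8:].decode("ascii").rstrip()
        files.append((f"{base}.{ext}" if ext else base, (hi << 16) | lo, size))
    return files


def cluster_chain(fat, first_cluster):
    """Follow FAT links from first_cluster until an end-of-chain marker."""
    chain, cur = [], first_cluster
    while cur < FAT_EOC:
        chain.append(cur)
        cur = fat[cur]
    return chain


def cross_view_hidden(raw_dir, api_listing):
    """Names present in the raw directory but absent from the API's listing."""
    return sorted({name for name, _, _ in parse_directory(raw_dir)} - set(api_listing))


def wipe_file_content(data, fat, first_cluster):
    """Zero every cluster of one file in place; return the bytes overwritten.
    The directory entry is left alone, so the file still 'exists' afterwards."""
    total = 0
    for c in cluster_chain(fat, first_cluster):
        start = c * CLUSTER_SIZE
        data[start:start + CLUSTER_SIZE] = bytes(CLUSTER_SIZE)
        total += CLUSTER_SIZE
    return total


def build_toy_volume():
    """Constructed image: README.TXT in clusters 3-4, LZX32.SYS in clusters 5-7."""
    fat = [FAT_EOC, 0x0FFFFFFF, 0x0FFFFFFF, 4, 0x0FFFFFFF, 6, 7, 0x0FFFFFFF]
    root = (make_entry("TOYVOL", "", ATTR_VOLUME, 0, 0)
            + make_entry("A", "", ATTR_LFN, 0, 0)          # LFN piece
            + make_entry("README", "TXT", 0x20, 3, 700)
            + b"\xe5LDFILE TXT" + bytes(21)                 # deleted entry
            + make_entry("LZX32", "SYS", 0x26, 5, 1500)     # hidden|system|archive
            + bytes(32))                                    # terminator
    data = bytearray(len(fat) * CLUSTER_SIZE)
    for c in cluster_chain(fat, 3):
        data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = b"R" * CLUSTER_SIZE
    for c in cluster_chain(fat, 5):
        data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = b"M" * CLUSTER_SIZE
    return fat, root, data


if __name__ == "__main__":
    fat, root, data = build_toy_volume()
    api_view = ["README.TXT"]               # constructed: what a hooked API shows
    print("raw view:", parse_directory(root))
    print("hidden from API:", cross_view_hidden(root, api_view))
    print("clusters of LZX32.SYS:", cluster_chain(fat, 5))
    print("bytes wiped:", wipe_file_content(data, fat, 5))
```

The cross-view diff is the hidden-file scan idea discussed throughout this thread: two listings of the same directory, one obtained through the OS and one read straight from the on-disk structures, and anything only in the second is a candidate hidden object. A real implementation has to read the raw volume, handle NTFS as well as FAT, and cope with fragmentation and caching, none of which this toy attempts.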
Not sure if that is a reply to my suggestion.
If it was, then no. What I was thinking was: on install, only have *detect hidden file* active, and the end user has to click an advanced option to unlock the remainder of the tool's functions/scans etc.
FWIW I do not have any malware rootkits in my *zoo* that do not show up fully or partly in the hidden file scan. Makes sense in my opinion, but it's your excellent tool.
Oh, yes, it was a reply to you, sorry, without "quotes".
Thank you for your suggestion. Maybe it will be better to create a standalone tool for hidden file detection?
It's a really good method; it works like a rubber/eraser. The whole content of the malware file is destroyed, but only the content, not the file, and of course this is powerful enough to destroy malware code.
It will work only "if" the malware hasn't hooked the OS a little deeply. The only sure method would be your own "atapi/scsi" driver.
Currently, I do not know any real malware that could survive this.
If it had all the functionality of the hidden file scan (copy & wipe) as the main software, then this would be a very useful tool that could be used by a wider audience under instruction.
It would be very straightforward to instruct/direct a victim to use this function without producing long complicated logs IMO, or risking damaging a core system file as Derek pointed out; sinks that argument in one.
FWIW the security community needs more effective tools versus malware rootkits, and in all honesty I cringe when I see *experts* at malware removal forums instructing victims to download and scan with the BlackLight ARK.
BlackLight shows nothing, so the PC is clean, and we wonder where these super botnets are lurking.
BlackLight sleeps through too many types of malware rootkit, and GMER is better but still has far too complicated logs, and that is if it works.
So IMO if you code such a standalone tool it would very much assist many people on the WWW and in the security community as a whole.
Either way, my friend, please keep up the great work.
Thanks fcukdat, we will think about your suggestion.
As requested once already here... let's keep our posts directed toward the anti-rootkit program discussion and not individuals.
Having said that... certain insult exchanges between two individuals were removed, and I do not wish to continually see them, as I'm sure some members would agree. If those two individuals wish to continue contributing to these discussion threads, please do so without the personal attacks. Gentlemen, take it to PM or some other venue besides this site.
Just to name a few prevention apps:
DefenseWall, GesWall Pro, and a few free ones: Samurai, Antihook.
In that case, SandboxIE for prevention, and Prevx1 for a second layer.
By the way, has anyone tried CyberHawk's rootkit scanner? Is it good, average?
So far I like what I see about CH, even though I can't see much.
Yeah I did test CyberHawk...
It stopped & then quarantined hxdef exe - stopped the process and locked up the hxdef100.exe file, although in the first test everything froze and detection was made after a reboot; in the 2nd test CH handled it fine. The scanner detected the files, folder and reg keys - see screenshot.
Rustock B and CH went straight into a BSOD - on reboot there was no Rustock, but nothing in the CH logs.
Unreal wasn't detected.
I then stopped because the CH VM became unusable.
CH, like its new feature to detect and remove rootkits, really needs a lot of work to become stable and efficient...
Hate to burst bubbles, but the mention of CyberHawk in this thread does not compute or apply IMO.
CH is a behavioral blocker, I'm afraid, and RKUnhooker is a world-class anti-rootkit detector/remover! Those are two very different designs intended for different purposes. You won't find CH detecting the same rootkits that RKUnhooker will uncover, except maybe for HackerDefender, which every program under the sun is so happy to have placed in its database. It's all so very easy to do, you know.
CH is not even close or in the same league as RKUnhooker, nor was it ever intended to be, because it is in a totally different arena, I think.
Well, it has a rootkit scanner. You suggest ignoring it?
Meriadoc's post shows promise anyway. I was hoping EP_X0FF or GMER would comment; they really know their business.
Whether it is or not, I really can't tell. So I ask.
One thing I can say: it found nothing on my computer, i.e., clean log, no FPs, no nothing. What I expect, since I scanned my PC with all sorts of things.
CyberHawk's rootkit scanner is weak and unstable. Intended for detecting samples that are outdated, like for example HxDef. Almost no sense.
Unfortunately I do not have time to test every ARK on the planet.
It's better for us if more ARKs are developed, but many of them are only "copies" of others'.
I prepared a similar box to yours and everything worked well (see attached for the log file).
I think that deadlock can happen more often on a VM than on a real box; I will check it.
FWIW the best defence for a malware rootkit is to stop it installing, as all know. The problem begins if it has already loaded onto a computer; then subsequent use of these signature-based/control/behavioural tools will sleep through their presence in a lot of cases. In a post-infection environment these tools are not all that effective, and hence the need for ARK forensic tools.
Just for jollies one day I loaded Rustock B (lzx32.sys) onto my PC. I scanned the infected machine with Ad-Aware, AVG 7.5 ASW, CounterSpy 2, SpywareSweeper, Spyware Doctor, Kaspersky AV6, AntiVir and NOD32 over a period of days. All software was configured to its respective maximum settings where applicable. The Rustock B was detected by all but one at VirusTotal, yet all were *blind* to it: no detections whatsoever from full system scans by any of them.
Next up I scanned the infected machine with BlackLight Beta and got a clean bill of health.
Hey, I've got a clean machine... Right, because how can all those quality software packages and ARKs be wrong, after all??
Oh **** son, how can we say backdoored and generating mass spam in the same sentence? Rustock in the house. Oh noes!!!112
The GMER ARK can also detect the Rustock trojan, but unfortunately owing to runtime issues I cannot capture a successful detection screenshot; it is a Rustock detection software though.
For those that don't know about the Rustock trojan: as a driver it automatically loads at system boot, leaving no startup entry visible in the registry. Once loaded you will not see any software firewall alerts to outbound traffic, as it filters various network activities to hide its actions. Rustock goes to work while your SW firewall sleeps through the whole performance. Of course, as a driver it will not be viewable in Task Manager or a tool such as Process Explorer.
In fact, if you didn't know it was there and went looking with the relevant tools/software, then you would be totally unaware of its existence/activities.
Thankfully there are some free tools, including the above ARKs, that can detect and in some cases effect a removal of it once it has loaded, although the list is still too short. At the end of the day the tools that work are not widely used by the default NIS users of the web. They are, after all, used more by us folks rather than mainstream web users.
I just couldn't resist, and my fav free botkiller
that all miss it, including BlackLight, though no surprises with SUPERAntiSpyware detecting it - that was one of the best free tools I found at removing Gromozon rootkits also.
Do you know if full scans with all of those AVs/ASs in safe mode would also miss that Rustock?
Agree, Hacker Defender was the only one I could get results from; then a screenshot, and everything detects that. CyberHawk's rootkit scanner needs a lot of work.
Slaps hand, I actually didn't run any from safe mode so I do not know the outcomes. When I'm next testing I will pen that in.