What's the best rootkit and trojan finder

Discussion in 'other anti-trojan software' started by winterlord, Jan 27, 2011.

Thread Status:
Not open for further replies.
  1. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    It's strange that Gmer missed one, as Combofix uses Gmer's catchme rootkit detection.
     
  2. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Yeah I thought the same, all I can think is that Combofix has internals that they'll never tell us about.
     
  3. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Just right-click > extract to subfolder on Combofix to see what its insides look like. It scripts Gmer and some stuff from NirSoft like the cmd.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    1,034
    Location:
    Hawaii
    I've always wondered why so much emphasis has been placed on developing/using antimalware scanner/cleaners that are designed to run within an infected Windows system. This approach basically puts users on an equal footing with their malware, kind of like going out into the jungle at night to hunt tigers. Do users choose this approach because they want to give their malware a sporting chance? (just kidding on that last question)

    Since booting from a live CD prevents an infected system's malware from loading, actively masking its presence or engaging in countermeasures, I would expect this to be Step #1 for an anti-bootkit program and pretty high on the list for most other types of anti-malware programs. Step #2 would be booting into Windows and running the appropriate followup programs. Why isn't this type of two-pronged approach more commonly followed?
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Simply lack of prevalence. I don't see how this is harder than booting in Safe Mode, and some other fancy things to make scanners work.
     
  6. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    It's hard to detect a rootkit if it doesn't load.
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Definitely agree in principle; the main reason that people scan inside Windows is that it's often a lot faster. Some rootkits can only be detected by their behaviour.

    Even run a Dr Web LiveCD? Seen them go for longer than a day. What if a 1.5hr Avira scan doesn't have the definitions yet? Also got to be ready in case a critical system file is deleted, ergo you'll be loading another LiveCD to deal with that too.

    WinPE discs are a better choice for many reasons still, as you can use a few methods to find a rootkit.
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    +1 - not easy to find

    btw - why are you people so interested in rootkit detection?
    any doubts on your system?
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I always doubt my Windows system.
     
  11. mant

    mant Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    73
    Location:
    DIY
    These 3 are the best, and rarely used:

    VBA32 Anti Rootkit
    Kernel Detective
    AVZ Antiviral
     

  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thank you.
     
  13. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    The author of this paper (here) tested all three ARKs that you mentioned against the following rootkits: Rustock, TDL3, Black Energy, and Zeus/Zbot.

    He was unable to detect any of the rootkits using VBA32 and AVZ; with Kernel Detective he detected just one.
     
  14. mant

    mant Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    73
    Location:
    DIY
    Thanks! I've read that good paper, well done for the thesis.

    That research focuses on detection (simply whether, at the time the paper was written, the tools detect or not). That "time matter" is eliminated after an update. There are many variables in real life that need attention, like:

    Scan Time (the table shows AVZ is a very fast scan), Easy to Update (download what we really need), Lite (not bloatware), Cost, Prospect & Continuity and many more... keep researching!
     
  15. carat

    carat Guest

    Well done MBAM :thumb:
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Interesting results, just missing Hitman Pro. Surprised that Moosoft The Cleaner actually detected 3.
     
  17. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    Is Malwarebytes a great rootkit hunter? Like Gmer

    nod32 is not so good sadly
     
  18. NodKiller

    NodKiller Registered Member

    Joined:
    Feb 13, 2009
    Posts:
    19
    No, it isn't. It's very good for trojans, adware, spyware etc...
    Hitman Pro is much better for detecting rootkits.
     
  19. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    Sorry, may I know the meaning of offline?
    How can I scan the registry (for example) offline?
    Thanks
     
  20. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    I guess that sadly Gmer is not updated any more.
    I guess the last version you can find is on the Avast website - http://public.avast.com/~gmerek/aswMBR.exe
     
  21. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Despite the results linked above, I don't really consider Malwarebytes a good rootkit hunter. IMO it's the best first step in malware removal, and in my own experience anything leftover after the first scan is usually going to be a rootkit.

    Forgive the confusing terminology - I just mean mounting the physical drive without running the OS that is installed on it.

    You can do that with Live CDs/USBs (e.g. PE disks, or the Offline NT Password & Registry Editor http://pogostick.net/~pnh/ntpasswd/), or by sticking the hard drive into another computer. Many registry editors give an offline or remote option.

    One of the more useful in this case is Sysinternals Autoruns. Just got to be more careful in interpreting the results depending on which one is used, as there'll be a lot of 'file not found' if it looks for the corresponding files on the host drive rather than the infected drive.
     
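    As an added example (not from the thread, nor from any of the tools named in it), here is the offline autorun check RJK3 describes, done by hand in PowerShell: load the infected disk's SOFTWARE hive, list its Run/RunOnce entries, and test each referenced file against the mounted drive rather than the host's C:, so a "file not found" result is actually about the infected system. It assumes the infected volume is mounted read-only as D: on a clean host and the shell is elevated; the drive letter and hive name are placeholders.

```powershell
# Added example: enumerate Run/RunOnce autostarts from an OFFLINE SOFTWARE hive
# and check the referenced executables on the mounted infected drive.
# Assumptions (hypothetical): infected disk mounted read-only as D:, host OS on C:,
# elevated shell (reg.exe load requires admin).
param(
    [string]$OfflineRoot = 'D:',          # mount point of the infected volume
    [string]$HiveName    = 'OfflineSoft'  # temporary name under HKLM
)

$hivePath = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
& reg.exe load "HKLM\$HiveName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hivePath" }

try {
    $keys = @(
        "HKLM:\$HiveName\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\$HiveName\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $cmd = [string]$p.Value
            # Executable is the quoted part, or the first whitespace-separated token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            # Remap the offline system's own drive letter / %SystemRoot% onto the mount
            # point; other environment variables are left unexpanded and will show as absent.
            $mapped = $exe -replace '^[A-Za-z]:', $OfflineRoot
            $mapped = $mapped -replace '%SystemRoot%', (Join-Path $OfflineRoot 'Windows')
            [pscustomobject]@{
                Key     = $key -replace "^HKLM:\\$HiveName", 'HKLM\SOFTWARE'
                Name    = $p.Name
                Command = $cmd
                Checked = $mapped
                OnDisk  = (Test-Path -LiteralPath $mapped)
            }
        }
    }
} finally {
    [gc]::Collect()   # release provider handles so the unload does not fail
    & reg.exe unload "HKLM\$HiveName" | Out-Null
}
```

    Entries with OnDisk = False point at files the offline system cannot find on its own disk (a deleted or hidden loader, or a path using an unexpanded variable), which is the signal worth following up rather than the host-relative "file not found" noise.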
  22. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'd have to have TDL4 to find out =p
     
  24. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Anyone using RootRepeal here? :)
     
  25. colorado13

    colorado13 Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    117
    Location:
    Orihuela, Spain
    Thanks mant
    Regards
     