SysInternals Releases RootkitRevealer
Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."
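The summary describes RootkitRevealer's method as comparing a high-level scan with a low-level one. As an added sketch of that cross-view idea (my own illustration, not SysInternals' code), the following compares two constructed file listings, treats the NTFS metadata files that only a raw volume read ever shows as an expected discrepancy, and flags everything else:

```python
"""Cross-view comparison sketch: high-level (Win32 API) listing vs. a
low-level (raw volume) listing. Both listings here are constructed sample
data, not output from a real scan."""
from dataclasses import dataclass
from typing import Iterable, List

# NTFS metadata files that a raw read sees but the API never lists.
# Assumed benign set for this illustration.
NTFS_METADATA = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$Bitmap",
                 "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}

@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str  # "hidden" (low-level only), "phantom" (API only), "metadata"

def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]

def cross_view_diff(high: Iterable[str], low: Iterable[str]) -> List[Discrepancy]:
    """Return every path that appears in one view but not the other.
    Names are compared case-insensitively, as NTFS does."""
    high_map = {p.lower(): p for p in high}
    low_map = {p.lower(): p for p in low}
    findings = []
    for key in sorted(low_map.keys() - high_map.keys()):
        path = low_map[key]
        kind = "metadata" if _basename(path) in NTFS_METADATA else "hidden"
        findings.append(Discrepancy(path, kind))
    for key in sorted(high_map.keys() - low_map.keys()):
        findings.append(Discrepancy(high_map[key], "phantom"))
    return findings

def suspicious(findings: List[Discrepancy]) -> List[Discrepancy]:
    """Drop the expected metadata entries; what is left needs a human look."""
    return [f for f in findings if f.kind != "metadata"]

# Constructed sample views. "sample_hidden.sys" is visible only at the raw
# level (what a hiding driver would produce); "stale.tmp" only via the API.
HIGH_VIEW = [r"C:\WINDOWS\system32\kernel32.dll",
             r"C:\WINDOWS\system32\drivers\ntfs.sys",
             r"C:\Program Files\Office\winword.exe",
             r"C:\WINDOWS\Temp\stale.tmp"]
LOW_VIEW = [r"C:\$MFT", r"C:\$LogFile",
            r"C:\WINDOWS\system32\kernel32.dll",
            r"C:\WINDOWS\system32\drivers\ntfs.sys",
            r"C:\WINDOWS\system32\drivers\sample_hidden.sys",
            r"C:\Program Files\Office\WINWORD.EXE"]

if __name__ == "__main__":
    for f in suspicious(cross_view_diff(HIGH_VIEW, LOW_VIEW)):
        print(f"{f.kind:8} {f.path}")
```

A discrepancy is only a lead, not a verdict: benign software that hides its own files shows up the same way, so each hit still has to be checked by hand.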
But it's a good start, so that johnny q spammer won't be able to hijack as many sites as he had been doing previously. Good work, sysinternals!
Will wank off Linus Torvalds for fame.
I don't know anything about rootkits, or this software. Is it safe to delete everything it detects, or is this for people that know exactly what they are looking for and you only delete a couple of things it finds?? In other words, is it foolproof?? I'm sorry, that was a bad question. How foolproof is it??
Funnily enough, when I tried to run RootKit Revealer, I got the 'Root kit detection utility has encountered a problem and needs to close. We are sorry for the inconvenience.' error. Not that that's suspicious, or anything like that...
RLU 180035, get yourself counted at http://counter.li.org
waiting for the whoppix project to produce a livecd distro I can just pop in...
The Answer
Is it just me, or do other people think this is just part of the ongoing line of propaganda to undermine current technology and make people more open to the idea of Trusted Computing, formerly known as Palladium??? I know the current software isn't perfect, but you'll never have a completely safe system so long as the user operating it has system administrator privileges. Trusted Computing, or the solution to the above problem, is to implement security access such that even the owner of the system is deemed untrustworthy.
Amusingly, large portions of MS software don't qualify for the "Designed for Windows" logo. Office springs immediately to mind - violates the HIG.
Google and Sysinternals are the only two companies that always make me feel good about being a Computer Scientist.
If I were Google, I'd buy Sysinternals and have them help build GoogleOS.
He who fights with monsters should see to it that he does not thereby become a monster. --Nietzsche
For the hacker, priceless. This really accomplishes so little. Sure, here are your 'discrepancies', but they might not be that at all. Mostly pointless. A good step, but only something the hackers will get control of well before this becomes mainstream.
No way will it let you remove itself. If you boot off of some sort of safe media and delete the thing, the computer no longer has the ability to read any of its data.
Yeah, I know I messed up the jargon, but I'm sure I'll be corrected on that. :P
Stop the Slashdot effect! Don't read the articles!
VMware is a very good way to neuter Windows and minimize some of its bad behavior. I've been beating the crap out of my windows development environment for two years straight with no re-installs of windows. My windows environment is hosted by SuSE Linux. I have reverted to a snapshot a couple of times, at a cost of a couple of minutes of downtime. Saving the original install off to somewhere safe is easy (just copy the virtual machine's directory somewhere else).
This sig kills fascists.
Possibly. But what I was talking about is that some sysinternals tools overload/hook certain kernel calls. The system call tables are, IIRC, write-protected even from the kernel once the kernel has been loaded in the current/coming Win64 editions.
I don't know how your system is configured, but on my network all of my users run with non-privileged (read: Users) accounts and can run Office 2000, XP, and 2003 just fine.
In XP, Microsoft added a (semi) documented API for hooking the registry API. This was done mostly, if not entirely, so SysInternals regmon could operate without patching the system call table. Regmon (and filemon) are used a lot inside Microsoft.
The change in Win64 to disallow kernel patching can be defeated. Malware just has to disable the code that enforces the rule -- all it takes is one RET instruction in the right place. I'm glad MS is trying to do something about the problem, but in the long run it's a losing battle. There is no technical defense against lusers logged in as Administrator loading malicious kernel-mode code.
Root
In Australia, root has several meanings, not at all nice. The sense is similar to f**k.
Accordingly, something like root user has the connotation of one that roots your system.
SysIntern RootKitRevealer
I have a fairly typical multi-boot system, with two FAT16 partitions, a FAT32 partition, a reserved BeOS partition, a HPFS partition, and the usual swag of NTFS partitions.
The disk has been showing signs of corruption [bad sectors], and a replacement is in hand: already bought, but there are some backup questions.
RootkitRevealer had problems scanning the registry. (I suspect one of the registry hives is not well placed on the filesys.) On the other hand, I ran the thing from BartPE (it works), and it revealed a whole swag of OS/2 binaries, but I don't know if OS/2 or Windows placed them there. They were meant to be there, by the way. Apart from the metadata files in each partition, there were error messages from non-accessible partitions (like F: (HPFS) and H: (unformatted = BeOS)).
OS/2 - because choice is a terrible thing to waste.
Yeah, should probably just turn off that buffer overrun protection, don't know what it's good for anyways. Also you should set your administrative password to blank and share out your entire C drive with Everyone granted full control, just to make things easier.
A site which I support relies on two different pieces of software from two different vendors to make their business run. One is point-of-sale system software and the other is software specific to that type of store's specialized needs. I am constantly putting out fires, because these two companies, which must co-exist within many of their customers' sites whether they like it or not, have very different points of view on how their customers' networks should be configured.
The sad part is that one of them really does expect that all passwords, including admin, be set to blank and the whole of each drive be shared to Everyone. Unfortunately for me, I am in no position to have my client use another company to replace the one with the lax attitude.
Scary stuff? This client of mine is in the medical field! Customer financial and medical records don't matter much, it seems! Many times I have felt like just walking away from this disaster waiting to happen. I am surrounded by deaf ears.