Slashdot Mirror

← Back to Stories (view on slashdot.org)

Six Rootkit Detectors To Protect Your PC

Posted by samzenpus on from the rate-them dept.

An anonymous reader writes "InformationWeek has a review of 6 rootkit detectors.This issue became big last year when Sony released some music CDs which came with a rootkit that silently burrowed into PCs. This review looks at how you can block rootkits and protect your machine using F-Secure Backlight, IceSword, RKDetector, RootkitBuster, RootkitRevealer, and Rookit Unhooker."

108 comments

  1. Print version. by antdude · · Score: 5, Informative

    Click here to going to next pages. :)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. I can see... by 42Penguins · · Score: 5, Funny

    "helpful" activex popup ads:
    Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!

    1. Re:I can see... by Jesus_666 · · Score: 4, Funny

      "helpful" activex popup ads:
      Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!

      Damn. I've been googling for hours now - do you have an idea where I can get the Linux or OS X version of Pwn0r T0olbar or maybe the source? I want to be protekted from teh threts too!

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    2. Re:I can see... by rvw · · Score: 4, Funny

      "helpful" activex popup ads:
      Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!

      Damn. I've been googling for hours now - do you have an idea where I can get the Linux or OS X version of Pwn0r T0olbar or maybe the source? I want to be protekted from teh threts too!

      To get this level of protection you should install Windows. These toolbars, you probably won't even have to install them. They come all by themselves.

    3. Re:I can see... by deviceb · · Score: 1

      Pwn0r T0olbar v2 is coming out soon -just wait for it

      I cleaned a box recently.. with a tape measure the internewb's IE bars measured 5" vertical. I should have got a screen shot for the most Pwn3d browser award..

      --
      Kill your TV
  3. "The concept of the rootkit isn't a new one, by Indes · · Score: 5, Funny

    ... And dates back to the days of Unix. "

        Whew. Good thing GNU is Not Unix.

    1. Re:"The concept of the rootkit isn't a new one, by djh101010 · · Score: 2, Funny

      ... And dates back to the days of Unix. "

      Whew. Good thing GNU is Not Unix.

      I'm not seeing what your point is, can you explain? Or am I trying to overanalyze a throw-away comment? I do that sometimes...
    2. Re:"The concept of the rootkit isn't a new one, by Evilest+Doer · · Score: 3, Funny
      I'm not seeing what your point is, can you explain? Or am I trying to overanalyze a throw-away comment? I do that sometimes...
      I think you missed the memo when you worked on The TTP Project.
      --
      I feel like death on a soda cracker.
    3. Re:"The concept of the rootkit isn't a new one, by Fred_A · · Score: 3, Funny

      Speaking of which, could we stick to rootkit for Unix and administratorkit for Windows ? It would be much less confusing.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    4. Re:"The concept of the rootkit isn't a new one, by Chacham · · Score: 2, Funny

      >>And dates back to the days of Unix. "
      >Whew. Good thing GNU is Not Unix.

      Which is why "The concept of the rootkit isn't a GNU one"

      --
      Have you read my journal today?
  4. On debian/ubuntu by delirium+of+disorder · · Score: 4, Informative

    apt-get install chkrootkit rkhunter

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
    1. Re:On debian/ubuntu by MrShaggy · · Score: 1, Interesting

      They forgot a decent anti-root kit

      MAC-OSX.. see it has six letters to.

      Is there a decent one for OS-X?

      --
      I have mod points and I am not afraid to use them.
    2. Re:On debian/ubuntu by Anonymous Coward · · Score: 0

      > Is there a decent one for OS-X?

      No, nor is there any software that would let me do my corporate drone work in a timely manner.

      Perhaps a TRS-80 would be an even better choice. I hear there haven't been any new viruses sighted in the wild for the TRS-80 in years.

  5. Summarized: The free one is the best! by tgbrittai · · Score: 5, Informative
    Ironically enough, it was one of the independent tools -- Rootkit Unhooker -- that turned out to be the best.

    It's interesting that programmers working outside of a corporate environment produce such amazing products. Hmmm... I wonder what's up with that?

  6. Security solutions by chris(pinecone) · · Score: 4, Insightful

    Shouldn't these tools be a part of already-existent anti-virus solutions? Why another application for rootkits if trojans, virii, and spyware detection are (usually) in the same package? It's not like rootkits are new threats.

    --
    /.
    1. Re:Security solutions by jomama717 · · Score: 1

      Norton AV 2007 boasts rootkit protection.

      --
      while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
    2. Re:Security solutions by Anonymous Coward · · Score: 2, Informative

      When it's not being exploited

    3. Re:Security solutions by Macthorpe · · Score: 3, Funny
      Norton AV 2007 boasts rootkits

      Fixed for you :P

      (Yes I know it's not true, but you'd have to pay me severely large amounts of money to expose my system to anything by Symantec)
      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    4. Re:Security solutions by Gazzonyx · · Score: 1
      It also boasts an extra 3 minutes to boot up time, except on the larger corp. edition which seems to run more quickly with a smaller footprint.


      I stopped using Symantec products when Peter Norton stopped coding them; that is to say, when I was 11 years old running windows 98.

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    5. Re:Security solutions by jomama717 · · Score: 1

      Yeah - I've about had it with the startup hit (mine is more like +7 minutes - ugh), if it's not corrected soon I may bail. Wasn't meant as an ad, just pointing out that they have rootkit detection, which is one of the reasons I went with it in the first place.

      --
      while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
  7. What if Sony made a rootkit detector? by UbuntuDupe · · Score: 0

    Before you laugh, that's basically what Microsoft's "Windows Defender" firewall would be like. "We'll remove the security vulnerabilities we gave you ... for a price!"

    --
    Apology to Ubuntu forum.
    1. Re:What if Sony made a rootkit detector? by Anonymous Coward · · Score: 2, Funny

      1. Windows Defender does exist.
      2. Windows Defender is freeware.
      3. Windows Defender is malware removalal tool, not a firewall.
      4. You're tool late, I already laughed.

  8. I am the author of AFX Windows Rootkit 2003 by Afecks · · Score: 5, Informative

    Hey, thanks for the mention in the article but that is a really old version you've used to test! The last version I've released publicly is AFX Windows Rootkit 2005, it's open source and can be found on http://www.rootkit.com/ the other more recent versions I've sold privately.

    Now on the subject of rootkit detection. Most of these use the method based on Microsoft's Strider: GhostBuster. Which uses a low-level method to gather seemingly clean system information then gathers the same information using a high-level method. The idea is that rootkits will have only hooked the high-level methods so there should be a difference in results. Whatever is listed in the low-level results and not listed in the high-level results is displayed as "hidden information". Effectively they are using the rootkit's own hiding functions against itself to detect it. If the rootkit doesn't hide itself to avoid detection it's still made itself visible.

    The problem is that you put yourself in an arms race with who can hook system information at the lowest level. Luckily since we (the sysadmin) have access to the hardware and presumably the attacker does not, a hardware method of gathering system information would be the best. You can bet money that we are going to be seeing hardware level rootkit detectors sooner or later.

    The final problem is that a backdoor can be hidden without using these rootkit methods. By hooking incoming socket connections we can make a hidden backdoor that creates no new processes, threads, files, registry keys or any other permanent data. I and others have released POC code already. Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean everytime.

    1. Re:I am the author of AFX Windows Rootkit 2003 by EvanED · · Score: 2, Insightful

      Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean everytime.

      But if you don't hide files, you leave yourself as open to signature-based detection as viruses are, so your typical virus scan should pick it up. Even if you can obfuscate yourself well enough to hide from signature-based scans, if you alter system files like userinit or explorer, you are vulnerable to tripwire-like systems.

      So if you want to protect against that but remain persistent, you're back to hiding files or file data, which means you have to address the low-level/high-level type scan that these tools do.

    2. Re:I am the author of AFX Windows Rootkit 2003 by Afecks · · Score: 3, Informative

      My old site is down because I've moved away from this kind of stuff in the past. The only surviving mirror I can find is here. Basically you're just hooking accept() Winsock API in all processes and then any listening service is a potential backdoor. This is a simple user-mode method. Someone could write a more specific version for a particular service such as IIS that hooks deeper into the code that receives network data.

    3. Re:I am the author of AFX Windows Rootkit 2003 by Blahbooboo3 · · Score: 1

      Will a complete system format and OS re-install from CDs erase any possible re-entry?

    4. Re:I am the author of AFX Windows Rootkit 2003 by Afecks · · Score: 4, Informative

      The simple answer is, yes.

      The complicated answer is, for a little while. The reason is that there are rootkits being developed that are designed to store itself in your video card. The idea is that after the hard drive is reformatted the video card will load this rootkit back into the kernel. Right now it's highly unlikely.

    5. Re:I am the author of AFX Windows Rootkit 2003 by Anonymous Coward · · Score: 0

      We've always wondered; help us out here:

      Is your real goal to force common computer usage into hobbled, TCM-mandatory, freedom-deprived, police-state mechanics? Newsflash: what you're dicking around with today spells doom for open systems tomorrow. Because not-smart people make the laws you live by. That's not your fault, that's not their fault, that's simply the terminus of this arms race. Godspeed, enjoy the future.

      --Everyone Else

    6. Re:I am the author of AFX Windows Rootkit 2003 by Anonymous Coward · · Score: 0

      If he was the actual rootkit author he would not disclose his identity here. Or maybe he is looking forward to a cuban vacation paid by uncle sam.

  9. Re:Summarized: The free one is the best! by Mistlefoot · · Score: 0

    You just trolling? If you read the article you would know that they were all free.

  10. Something is missing by toupsie · · Score: 1

    I didn't see one rootkit detector reviewed by InformationWeek that would work on my PCs, a Macbook and an iMac. Any suggestions?

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Something is missing by InsaneGeek · · Score: 1

      Probably because the article was talking about Windows rootkit detectors, might be a good reason that you didn't see ones for OSX (I could see through your thinly-veiled attempt at a windows vs mac dig, but I'll play along). For OSX you might try http://www.chkrootkit.org/ as there are OSX rootkits in the wild, they've had a version out for quite some time now.

  11. Re:Summarized: The free one is the best! by Anonymous Coward · · Score: 1, Funny

    You just trolling? If you read the article you would know that they were all free.

    Yeah, but this one is free as in vodka.

  12. Re:Summarized: The free one is the best! by tgbrittai · · Score: 1

    D'oh! So much for skipping to the last page of the article.

  13. rkhunter anyone? by madsheep · · Score: 1

    Oh.. well I guess rkhunter http://www.rootkit.nl/ does not run on Windows. Nevermind. :-(

  14. Nervous about these... by ubuwalker31 · · Score: 5, Insightful

    Is it just me, or am I being overly cautious not wanting to download a rootkit detector from Chinese and Russian software developers? Are these programs opensource? Are they safe? Anyone?

    1. Re:Nervous about these... by gooman · · Score: 2, Insightful

      I swear, that's the first thought that ran through my head.
      I'm sure they'll detect every rootkit except the one they install.

      Why am I so paranoid?

      Oh yeah, I run Windows.

      --
      "Kittens give Morbo gas!"
    2. Re:Nervous about these... by Anonymous Coward · · Score: 1, Funny

      Considering the piece of shit OS you're using from American developers, why not?

      Besides, Russians are hardcore. They can do what they damn well like!

    3. Re:Nervous about these... by pipatron · · Score: 2, Funny

      It's not just you. It's a well known fact that all Chinese and Russian developers are evil communists that only release free code to promote their evil communist way of sharing! Remember what the RIAA told you.

      --
      c++; /* this makes c bigger but returns the old value */
    4. Re:Nervous about these... by kevinkite · · Score: 3, Funny

      In Soviet Russia kits root YOU!

    5. Re:Nervous about these... by Lord+Ender · · Score: 1

      To add to this: Some of the most sophisticated spamming trojans come from the Russian mob. These spamming trojans include rootkit detectors so that they clean other hackers' crap off of a zombie freeing up more resources for the spam bot.

      It stands to reason that some of the best trojan-cleaning products come from Russia--they are the ones writing the trojans!

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  15. Re:how to secure your computer by madsheep · · Score: 2, Informative

    LOL is this a serious post? Most rootkits out there are designed to work on *nix based operating systems. True rootkits are far more common on for these flavors of OS over that of Windows. I am not sure if this is a reference to Ubuntu being secure. Maybe you could have recommended visting a site that houses a BSD flavor..won't bother pointing out one for that useless debate. Choosing Ubuntu is not going to protect you from rootkits in anyway.

  16. Wow.... by Creepy+Crawler · · Score: 3, Insightful

    Wow! Lets rate programs on diagnosing a potentially lying PC!

    This is just a stupid idea if anything. The purpose of a rootkit is to make a very hidden hole into a system. Doing this requires reprogramming and setting up the system in that nobody can diagnose itself. The key is to diagnose any sort of rootkit, one must run from known good binaries.

    Now, we dont have the source to Windows, but we have binaries. Well, lets MD5 the binaries and then compare to a known good (just installed, no network interfaces) installation. The differences are possible holes.

    No program can be trusted when the system it sits upon cannot be trusted. When system trust is gone, one must redeploy the system to regain trust.

    --
    1. Re:Wow.... by jomama717 · · Score: 2, Informative

      If a native app can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot. This works for user mode and kernel mode rootkits, but if there's a BIOS rootkit you're pretty much screwed. See my previous post, Norton AntiVirus 2007 operates in this way.

      --
      while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
    2. Re:Wow.... by EvanED · · Score: 3, Informative

      If a native app can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot...

      There's no fundamental reason why they couldn't intercept the I/O requests from your native app and return false but consistent data there.

      It's just very difficult to do, which is why rootkits try to skirt detection based on the Strider: Ghostbuster method (do a low-level scan of the on-disk filesystem data structures, compare to the results from the FindNextFile API; do a low-level parse of the registry hives, compare to the registry APIs; etc.) by UNHIDING the hidden/changed data from the rootkit detector rather than hiding from the low-level scans.

      If you're running on an infected system, you can't be guaranteed to find anything.

    3. Re:Wow.... by Creepy+Crawler · · Score: 3, Insightful

      ---If a native app can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot.

      Oh bother... If I had a Kernel Level rootkit, I can SHIM all your commands through it and filter what I want you to see. You can guarantee that I will hide my program ID, memory used, swap used, location on fixed disks, and any network data transmitted/received. As far as you know, the system will be "ok". But it'll be OK, because you can analyze the volume directly!!

      ---This works for user mode and kernel mode rootkits, but if there's a BIOS rootkit you're pretty much screwed.

      Sure. If you have to run a "checking program" on a corrupted system, what makes you think you'll get good results? I keep drilling this point, but all you do is give dumb comments. And bios rootkit? Good luck with that one. You all might wannna give LinuxBios some help if you can flash WORKING hacked firmwares to the multitudes of X86 boxes. Oh... you mean diddle with the ACPI tables. Welllll.. Bah.

      ---See my previous post, Norton AntiVirus 2007 operates in this way.

      I ignore ads.

      --
    4. Re:Wow.... by EvanED · · Score: 2, Insightful

      Oh bother... If I had a Kernel Level rootkit, I can SHIM all your commands through it and filter what I want you to see. You can guarantee that I will hide my program ID, memory used, swap used, location on fixed disks, and any network data transmitted/received

      If that's ALL you hide, then you'll be found by all of these tools.

      You ALSO have to mess with low-level I/O requests; if an application can say "I want block #17" you need to be able to mutate the returned data if it's a directory block or something like that. On Windows if you have detectable information in the registry, you also need to intercept all requests to the registry hives (either by file name or block number) and mutate the information in them to hide your data.

      If you can analyze the volume directly (and be sure of the integrity), you CAN'T hide data on it.

      If you have to run a "checking program" on a corrupted system, what makes you think you'll get good results? I keep drilling this point, but all you do is give dumb comments.

      I don't think there's a rootkit now that has the sophistication to hide from all the above avenues of detection.

      There's no reason why they MUST work, but for now they do a decent job.

    5. Re:Wow.... by Creepy+Crawler · · Score: 1

      ...Oh bother... If I had a Kernel Level rootkit, I can SHIM all your commands through it and filter what I want you to see. You can guarantee that I will hide my program ID, memory used, swap used, location on fixed disks, and any network data transmitted/received

      ---If that's ALL you hide, then you'll be found by all of these tools.

      Wrong. If I control the CPU as kernel level, I can do anything I want. Next of all, if I use custom tools, good luck trying to find them. Well, the only way to find them would to be proactive on system security and map all files via MD5 on install and upgrade, so that you would have maps of all edited files. Any changes = caught. Of course, the computer would have to be brought down and a BootCD be started up. The OS is too untrustworthy after you hook it on a network (in Windows case especially).

      ---You ALSO have to mess with low-level I/O requests;

      What does Kernel Level mean to you? Or rather, does Microsoft allow you to do extensive reprogramming? I know of extensive Linux kernel, GLibc, and usermode program backdooring. You hit one, and theres still all the others. Essentially, if you have no reference system to verify good data/files, you're screwed.

      ---if an application can say "I want block #17" you need to be able to mutate the returned data if it's a directory block or something like that. On Windows if you have detectable information in the registry, you also need to intercept all requests to the registry hives (either by file name or block number) and mutate the information in them to hide your data.

      Assuming you'd actually store data in the registry if you're using a backdoor. That just strikes me as friggin stupid. I'd store my data across the whole system in stupid stuff like user settings, whitespace on text and html files, files near commonly executed programs, and other various random places. And the backdoor would be hidden in plain sight, but in no recognizable form. It should take no more than 50 KB to start a backdoor, and the rest loaded from a distributed amount of places that the backdoor would have access to... local machines and the internet.

      --
    6. Re:Wow.... by EvanED · · Score: 3, Insightful

      Wrong. If I control the CPU as kernel level, I can do anything I want.

      That's true.

      The OS is too untrustworthy after you hook it on a network (in Windows case especially).

      Windows is no more vulnerable once you've got a kernel hook than Unix/Linux/whatever is. If anything, Linux is more vulnerable because figuring out the appropriate places to hook in Windows is a lot harder without source.

      ("Security through obscurity" is a bad idea -- but obscurity can be a layer and be helpful as long as you design and implement the rest of the system as if the obscurity wasn't there.)

      (The increased vulnerability of Windows comes from the fact that it's easier to inject your code. The above only applies once you have a suitable kernel of your code running in ring 0.)

      What does Kernel Level mean to you?

      It means you're running in ring 0, privileged mode, CPL 0, whatever you want to call it. It means you can *theoretically* do anything.

      I'm just saying that I don't think there are any non-VM rootkits that hide themselves so thoroughly that they can't be detected, because doing so is a difficult problem because there's way more that you have to trap if you want to be completely hidden than it initially seems. Like ALL I/O requests.

      Or rather, does Microsoft allow you to do extensive reprogramming? I know of extensive Linux kernel, GLibc, and usermode program backdooring. You hit one, and theres still all the others. Essentially, if you have no reference system to verify good data/files, you're screwed.

      Again, in theory, yes. In practice, now, there's still a lot you can do.

      Assuming you'd actually store data in the registry if you're using a backdoor. That just strikes me as friggin stupid.

      It really isn't; it's a perfectly legit method of ensuring that your rootkit is loaded if you can deal with the low-level/high-level scan thing or don't care if it's detectable with that method.

      I'd store my data across the whole system in stupid stuff like user settings, whitespace on text and html files, files near commonly executed programs, and other various random places. And the backdoor would be hidden in plain sight, but in no recognizable form. It should take no more than 50 KB to start a backdoor, and the rest loaded from a distributed amount of places that the backdoor would have access to... local machines and the internet.

      That's fine.

      Remember, my point is that if you have detectable information on the disk (e.g. something you could find with a signature-based scan), you MUST be able to vet all I/O requests to the disk. That means requests through the file APIs, requests for specific blocks sent to devices, and I/O requests that might be issued from other drivers. (For instance, you have to be prepared for detection software to load its own device driver and issue I/O requests itself.) Of course, if you can intercept all I/O instructions then the first two come free. Your rootkit must then be able to mutate the data that's returned so that it hides its presence but is still sane. This very well may mean that you have to understand NTFS and FAT, though it's possible that you could get all needed information from existing kernel data structures.

      I don't think such a rootkit is known to exist right now, and I don't think we'll see one. It's now easier to drop the OS into a virtual machine and have a VM-based rootkit. (Though I'm somewhat skeptical about a sudden loss of speed tipping people off, it should be possible in theory to make this undetectable to software running in the guest OS.)

    7. Re:Wow.... by rastos1 · · Score: 1
      This is just a stupid idea if anything. The purpose of a rootkit is to make a very hidden hole into a system. Doing this requires reprogramming and setting up the system in that nobody can diagnose itself.
      The idea is that the rootkit is not perfect. If the diagnostic tool says: "found", you know there is a problem. If it says "not found" you don't know anything. Just like you did not knew before running the tool.
    8. Re:Wow.... by repvik · · Score: 1

      So? My rootkit detects attempts to md5sum my binaries, and makes sure the program returns the expected md5sum ;-)

  17. Easier solution... by Stormwatch · · Score: 5, Funny

    Do NOT buy music from stores. Instead, get them from torrents. It's safer!

    --
    Circumcision is child abuse.
    1. Re:Easier solution... by Anonymous Coward · · Score: 0

      The mods were indecisive. This is funny AND essentially true.

  18. Re:how to secure your computer by Anonymous Coward · · Score: 0

    Fanboy

  19. Got it by kahrytan · · Score: 1


      Those who don't know, BitDefender Antivirus has rootkit detection and removal since v10. It was released back in Aug-Sept 2006.

    --
    \
  20. Re:Rootkit by chris(pinecone) · · Score: 4, Insightful

    Most rootkits target *nix. OS X is a Unix variant. But since Macs don't ever get viruses, I'm sure it would be impossible to get past Apple's expert, fully-secure software.

    --
    /.
  21. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  22. Blue Pill by Asztal_ · · Score: 3, Interesting

    Can any of them detect blue pill?

    1. Re:Blue Pill by Cheesey · · Score: 2, Informative
      Apparently one of them attempts to. From TFA:

      The single most intriguing feature is the "Virtual Machine Detector," which uses the time elapsed between two low-level CPU instructions to determine if the operating system is running directly on the PC or in a virtual machine.


      There are actually a few other ways to detect if you are running inside a VM, e.g. use of a non-priviledged instruction that reveals information about memory mappings (here). However, there is still an arms race: the rootkit programmer might attempt to detect these tricks and defeat them.
      --
      >north
      You're an immobile computer, remember?
    2. Re:Blue Pill by EvanED · · Score: 1

      There are actually a few other ways to detect if you are running inside a VM, e.g. use of a non-priviledged instruction that reveals information about memory mappings (here).

      That only would detect VMWare-style virtualization; to the best of my knowledge, the hardware virtualization that's now in chips (VT and whatever AMD calls theirs) should eliminate this possibility and force you to go with timing tests.

    3. Re:Blue Pill by WrongSizeGlass · · Score: 1

      Can any of them detect blue pill? That blue pill is easy to detect ... just look for signs of priapism.
    4. Re:Blue Pill by Asztal_ · · Score: 1

      Even so, blue pill alters the fake clock value when it exits its own, slower, subroutines. You need an external time source. (As far as I know, this is the only weakness). So yes, it's not totally undetectable. Here's where I read about it.

  23. Faster IceSword Link by d2_m_viant · · Score: 1

    IceSword120_en.zip -- Somewhat faster download for IceSword (at least until it gets Slashdotted)

    1. Re:Faster IceSword Link by Anonymous Coward · · Score: 0

      Funny rootkit.

  24. +avoid by antdude · · Score: 1

    Bah, I didn't proofread before I submitted. :(

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  25. Where can I download... by mh101 · · Score: 1, Funny

    ...the Mac version of these tools?

    Oh, wait...

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
  26. Re:Rootkit by John+Jamieson · · Score: 2, Interesting

    A/Coward - What, you somehow think that you are immune to Rootkits???

    I would not bet my life on that. Even though I consider the default security in my choice of GNU/Linux distro to be tighter than OS-X, I still use Knoppix (a CD based GNU/LINUX OS) for internet banking. It is the only TRUE assurance of safety from being rooted.

  27. Correction, and possible next step in arms race by Beryllium+Sphere(tm) · · Score: 1

    The F-Secure product is Blacklight.

    Wish I could remember the name to give the guy credit, but someone's pointed out that even booting from a CD doesn't necessarily give you a trustworthy system if there's malware flashed onto a graphics card that the BIOS detects and configures before the CD takes over.

    1. Re:Correction, and possible next step in arms race by Anonymous Coward · · Score: 1, Informative

      Of course modern OSes do not use the BIOS any more... plus Windows has HAL (hardware Abstraction Layer) and Ctrl+Alt+Del login to protect against this.

    2. Re:Correction, and possible next step in arms race by Dog-Cow · · Score: 1

      That's not true. Even Linux still uses the BIOS. And that's besides the point. The BIOS runs when the computer boots, so any embedded code has a chance to setup the system to suit itself.

  28. Oh, we say to thee by snarkth · · Score: 1

    That when the rootkit, undid me

      The warning box, I did not see

      OK I clicked on, I spent freely

      then My Ruin passed on, gleefully.

      --A user's lament

      snarkth

  29. change mod from by John+Jamieson · · Score: 2, Insightful

    The review was for tools for the Windows PC, not the MAC or Linux. Sorry this was not more evident. The parent is (without knowlege) implying that the Mac is not vunerable to being rooted. And some fanbois are modding this funny? This might be funny, IF IT WERE TRUE! Not only are MAC rootkits possible, they exist. Do a google search before you post and it will prevent mistakes like this. (Yes I know, I run a risk of hardcore fans modding me down)

    1. Re:change mod from by mh101 · · Score: 1

      Dude, chill. That was supposed to be a joke.

      --
      Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
  30. Root of the problem with Windows by shanen · · Score: 3, Interesting

    It's really a philosophic problem. Microsoft sees the OS as a weapon against the competitors, and when you're building weapons, of course you make them as powerful as possible and of course safety gets a lower priority. (Microsoft's highest priority has always been on the money, however.) The problem is that the results are overpowered OSes that real experts can use in ways that completely overwhelm us normal mortals. Heaven help the little old lady who just wants to visit her church's website on Sundays.

    As regards the article, I read most of it, and might finish it later, but I wasn't too impressed with it or with the rootkit-detection tools that I've experimented with in the past. I'm supposed to be something of a computer expert, and I've certainly been using them long enough, but I regard myself as pretty much a helpless infant in these areas. If the NSA is planning to root my computer because I regard Dubya as an asinine embarrassment to my nation, I don't seriously expect to be able to do anything about it. Sure, I can use an expert's tools in many cases, but that doesn't make me any match for a real expert with corresponding tools. Or returning to the weapon metaphor, I may have a great gun, and even be competent enough in using it, but I'm sure that a seriously experienced killer would have little trouble taking me out, even with an inferior weapon.

    In conclusion, "It's a poor craftsman who blames his tools", but it's also a poor craftsman who can't tell the difference...

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    1. Re:Root of the problem with Windows by justthinkit · · Score: 1

      Microsoft sees the OS as a weapon against the competitors, and when you're building weapons, of course you make them as powerful as possible and of course safety gets a lower priority.

      And like any good weapons vender, you self-limit your product (so wayward purchasers lose the ability to maintain it without your help), backdoor it (so you can cripple it if purchasers have the audacity to try to improve it themselves so they can cut your support/upgrade strings) and only release it when you yourself have something better (i.e. I doubt that the software Microsoft runs on its own servers is exactly the same as what they sell to us sheeple).

      --
      I come here for the love
  31. What about Linux? by Stephen+Samuel · · Score: 1
    - and I don't just mean converting the poor user to Linux either -- I mean things like Knoppix with clamav which allow you to search for signs of rootkits without having the rootkit, itself, get in your way.

    Once you've pulled out those pieces, then you can hopefully boot (what's left of) Windows, run some of the Windows-centric anti-virus ware in hopes of finding those pieces that clamav didn't find.

    --
    Free Software: Like love, it grows best when given away.
  32. Re:Rootkit by tetrode · · Score: 1

    Are you sure? This: http://it.slashdot.org/comments.pl?sid=217446&cid= 17659380 indicates that the method of rebooting with a CD will not be sure in the near future.

    1. Boot with a Knoppix CD to do banking
    2. Virus hides in Video
    3. You reboot, virus installs itself and PROFIT!

    Mark

  33. Rootkit detects you by youthoftoday · · Score: 1

    In Soviet Russia, Rootkit detects You!

    --
    -1 not first post
  34. Spelling blunder from down under. by SkaOMatic · · Score: 1

    "...and Rookit Unhooker."
    I for one welco- eh. To hell with it.

    Kangaroos are more than welcome to obtain low-level access to my OS. I've got mad respect for their built-in pockets.

    Genetics wasn't as friendly to me. I had to BUY my Scott-E-Vest.
  35. There's an excellent podcast... by tcopeland · · Score: 1

    ...on this sort of thing, Security Now. They had a good explanation last year of all the things the Sony "rootkit" did, like hiding files with the prefix "$sys$". The podcasts are pretty short (20 mins), definitely worth a listen to ease your morning commute.

    Also, getindi!

    --
    The Army reading list
  36. an alternative approach by butterberg · · Score: 1

    A few weeks ago, I played around with some of those rootkit detectors. Cool things, if you want to learn about some OS internals. But: When the primary use of a rootkit detector is to uncover malware so that a virus killer can see it, why not just do an /external/ virus check from a boot CD? So, that is what I am doing now!

  37. Hunting down the bad guys like Dirty Harry. by toadlife · · Score: 3, Insightful

    I find it curious and a bit disconcerting when I see how much emphasis people place on the subject of malware detection in the realm of information security. What to do after malicious code finds it's way onto our systems, or into our networks is certainly something to consider, and any security plan would be incomplete without it, but this area takes up far too much of our time, given that other aspects of security bring a much more favorable cost/benefit ratio.

    I can only surmise that there is certain "sexiness" to malware detection; much the same way that fancy home alarm systems are the first thing that many think of when contemplating home security.

    In the home security market, advertisements depict evil prowlers dressed in sweat-suits busting through the back door of the house, while a frightened soccer mom with her five year old daughter cower upstairs. The alarm sounds, the prowler runs away, and a call comes in from the alarm provider, asking if they are ok. Quite dramatic. Quite unrealistic too.

    In the information security market there are no soccer moms, and the prowlers don't run around in matching sweat-suits, but the theme is similar. "Buy our product - it will catch intruders when they enter and save you." Again - quite dramatic, and quite unrealistic.

    In the real world, people forget to turn on their alarm systems, or they forget to change the batteries, or intruders know how to disable them without triggering them.

    In the real world, people also forget to update their AV/IDS signatures, or turn their security product off for various reasons - usually convenience-related, or like the prowler in the home, malware simply disables the security solution on it's way in.

    Just as in securing a home, we would be better off if we first focused on installing heavy doors and deadbolts on all outside entrances, in the virtual world, we would be better off focusing on the barriers that malware must overcome to gain entry to our systems and access to our information and resources.

    This is far from an original thought, but I'll say it anyway as it deserved to be repeated. The security industry is a joke. It's is filled by people who either don't understand the basic pricipals of information security, or do but choose to to sell 'sexy' solutions anyway. I once ran into the author of a somewhat popular Windows security product on a messageboard and was shocked at his aparent lack of understanding of how his platform of choice, Windows, worked.

    I supposed this is more of a Windows problem than anything else. Not a problem with Windows, the operating system, but a problem with WIndows, the culture.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  38. Rootkit Unhooker says it is infected. by Futurepower(R) · · Score: 1

    When I ran Rootkit Unhooker, downloaded 01/17/2007, 11:46 PM, it said it is itself infected: Rootkit Unhooker has detected parasite inside itself. "It is recommended to remove parasite, okay?"

    1. Re:Rootkit Unhooker says it is infected. by antdude · · Score: 1

      Wow, it said that in the link? I wonder if it is a false alarm.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  39. What I'd like... by Cheesey · · Score: 1

    I'd like a rootkit detector that detects Windows rootkits, but runs from a live Linux distribution on a CDROM or a USB key. So I reboot a machine that I suspect is infected and do the rootkit scan without running any software from the hard disk. Seems to me that this would be a cheap way to do the "hardware level rootkit detection" of which you speak: provided that the Linux distribution was clean, a rootkit would not be able to hide itself on the disk.

    Do you know of such a thing? Do you plan to port your Windows rootkit detector to Linux to enable this?

    --
    >north
    You're an immobile computer, remember?
    1. Re:What I'd like... by mgblst · · Score: 1

      THe way most rootkit revealers work, they need windows to be running. What you are after is some sort of Virus checker, that looks through the files on a harddrive, for a particular signature. Rootkit revealers are better in some ways, because they don't need a signature database, which can be incomplete.

    2. Re:What I'd like... by Cheesey · · Score: 1

      Ah, they actually detect rootkits by detecting their attempts to hide? That is clever. Yes, I suppose that an offline scan could only really work using signatures, which is not a very good way to detect things.

      Thanks for clearing that up.

      --
      >north
      You're an immobile computer, remember?
    3. Re:What I'd like... by Afecks · · Score: 2, Informative

      Actually I've written an article describing how to do what you speak of. The only piece of the puzzle you left out is that you need to scan the system from inside Windows first. Then boot into Linux and scan the hard drive from there so you can compare the results.

      The article can be found here here.

    4. Re:What I'd like... by Cheesey · · Score: 1

      Ah, neat idea. Thanks very much.

      --
      >north
      You're an immobile computer, remember?
  40. on rootkit detection, MD5 etc. by Anonymous Coward · · Score: 2, Informative

    Someone said we could MD5 Windows binaries... Of course we can, though MD5 is so broken in this 21st century that you'd better use SHA-1 ;)

    Another dude said "but my rootkit detect attempt to MD5 and returns the correst sum". Kind of, it s even better than that for the best of the breed: they recognize themselves in *any* attempt to read the file and replace their code (that they recognized) with the code that the file is supposed to contain at that place. What I mean is: you don't specifically decide to defeat a cryptographic checksum or an anti-virus or or or... But you fake the infos coming from every single attempt to read the file.

    Of course the real "game over for rootkits" comes when you unplug the drive, plug it to a known good system (for example, say, an OpenBSD system that has *never* been hooked to the Internet) and then compare every file with their previous version. Altered userinit.exe? Game over rootkit. Altered winlogon? Game over rootkit. It works the same for Unix systems (for which, btw, there exist many more rootkits, though not as successfull in spreading). Which is why projects like honeynet are so succesfull at catching malware "in the wild". And with projects such as Honeynet being so successful, rootkit writers sometimes decide to write rootkit that don't install to the disk and that don't install if they detect they're running on an emulated/virtualized system. Which means the rootkit will only live for as long as the computer is turned on. And then it will need to re-infect the machine using the same exploit if the machine reboots. Which is also a pain in the arse for rootkit writers: the vulnerability may very well have been patched meanwhile (think auto-update) or exploited by someone else, etc.

    Note that you can always detect suspicious trafic using a passive sniffer too (think shomiti tap or one-way ethernet cable... or "software" passive sniffer).

    There's no such thing as an "undetectable rootkit". No matter if it tries to hide in the BIOS (Sun machine have been having protection again BIOS write since ever btw), which is incredibly hard (the BIOS code being so small), no matter if it tries to hide in some GFX card's chipset (wtf? someone wrote there s work on that... I can only see it happen on broken-by-design GFX card and it is certainly not common practice), no matter if it tries to install as an hypervisor on VT-enabled systems...

    There's always gonna be a way to detect a rootkit, wether you're on Windows or Unix systems, wether you and rootkit authors like it or not. I'm not arguing, I'm not discussing: I'm stating facts.

  41. Avoid Rootkits (Almost) Altogether by Athanasius · · Score: 1

    Make your normal user a Limited one, not an Administrator. Try the initial install of any software as that user. Certainly playing a CD isn't going to be able to install anything rootkit-like as a Limited user. Oh, and disable Autoplay on all removeable media devices.

    Yes, some programs still require Administrator access to install, although in some cases you just need to give the Limited account access to write in the global Startup menu folder or something similar, so this isn't a 100% cure-all.

  42. Re:Rootkit by Anonymous Coward · · Score: 0

    are you sure you can really trust linux distros
    that come as all binaries on a CD?

    can you trust the GCC binary you received 7 years ago?

    the solution is to stop banking and go live in a cave.

  43. You can't find rootkits inside an infected system by Opportunist · · Score: 1

    Running a rootkit detection kit on a system containing a (good) rootkit is fruitless. There are now rootkits that can detect rootkit detectors and (since most rootkit revealers rely on the discrepancy between system API calls and "direct" access to the HD) simply "demask" while they're running, so the rootkit cannot be found.

    The only way to find a well written rootkit is to boot from a certainly uninfected bootdisk (or CD/DVD) and scan with it. Everything else is at best working against less sophisticated kits.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  44. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  45. Great! Better testing for Rootkits! by dashersey · · Score: 1

    Now anyone who wants to write a rootkit has a much better set of test suites to test its non-detectability! I'm glad we're investing in the education and skill of malware writers...we may need those rich crack programmers for something someday.

    --
    You are in a maze of twisty little passages; all alike.
  46. Re:Rootkit by John+Jamieson · · Score: 1

    Yes, I am aware of that post.

    I imagine it is theoretically possible... but to my understanding highly improbable.
    The Bios would have to be reverse engineered, modified and reburned to add the code to execute the rootkit(even if it resided elsewhere). Since it seems that every motherboard has a different Bios image... this would be a lot of work.

  47. Re:Rootkit by Anonymous Coward · · Score: 0

    Hows the fit on that tin cap? Tight?

  48. AVG Anti-rootkit by Anonymous Coward · · Score: 0

    AVG also has an anti-rootkit available, works just as good as any of the others in the article (all of which I've used).

  49. Re:Rootkit by toddestan · · Score: 1

    It doesn't even have to be that complex. There is no reason that Knoppix can't be rooted if you put it on a network. The only advantage to CD based distrobutions here is that you can get the computer back into a known clean state just by rebooting it.

  50. The program cannot be trusted. by Futurepower(R) · · Score: 1

    Yes, it gave the linked error message when I ran the program.

    Certainly it means that the program cannot be trusted. Note that there is a new version since yesterday evening.

  51. Windows rootkits: Network detection+steganography by Anonymous Coward · · Score: 0

    How would you go about detecting a rootkit from a LAN? I've heard the term "passive sniffer" thrown around but no programs have been named specifically. Also, I have read some posts mentioning the use of steganographic techniques to hide rootkits. What tools can be used to unmask these threats? I imagine it would involve comparing MD5's from a live and offline system.