Slashdot Mirror


Six Rootkit Detectors To Protect Your PC

An anonymous reader writes "InformationWeek has a review of 6 rootkit detectors. This issue became big last year when Sony released some music CDs which came with a rootkit that silently burrowed into PCs. This review looks at how you can block rootkits and protect your machine using F-Secure Backlight, IceSword, RKDetector, RootkitBuster, RootkitRevealer, and Rootkit Unhooker."

13 of 108 comments

  1. Print version. by antdude · · Score: 5, Informative

    Click here to go to the next pages. :)

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. I can see... by 42Penguins · · Score: 5, Funny

    "helpful" activex popup ads:
    Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!

    1. Re:I can see... by Jesus_666 · · Score: 4, Funny

      "helpful" activex popup ads:
      Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!


      Damn. I've been googling for hours now - do you have an idea where I can get the Linux or OS X version of Pwn0r T0olbar or maybe the source? I want to be protekted from teh threts too!

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    2. Re:I can see... by rvw · · Score: 4, Funny

      "helpful" activex popup ads:
      Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!


      Damn. I've been googling for hours now - do you have an idea where I can get the Linux or OS X version of Pwn0r T0olbar or maybe the source? I want to be protekted from teh threts too!

      To get this level of protection you should install Windows. These toolbars, you probably won't even have to install them. They come all by themselves.

  3. "The concept of the rootkit isn't a new one, by Indes · · Score: 5, Funny

    ... And dates back to the days of Unix. "

    Whew. Good thing GNU is Not Unix.

  4. On debian/ubuntu by delirium+of+disorder · · Score: 4, Informative

    apt-get install chkrootkit rkhunter

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  5. Summarized: The free one is the best! by tgbrittai · · Score: 5, Informative

    Ironically enough, it was one of the independent tools -- Rootkit Unhooker -- that turned out to be the best.

    It's interesting that programmers working outside of a corporate environment produce such amazing products. Hmmm... I wonder what's up with that?

  6. Security solutions by chris(pinecone) · · Score: 4, Insightful

    Shouldn't these tools be a part of already-existent anti-virus solutions? Why another application for rootkits if trojans, virii, and spyware detection are (usually) in the same package? It's not like rootkits are new threats.

    --
    /.
  7. I am the author of AFX Windows Rootkit 2003 by Afecks · · Score: 5, Informative

    Hey, thanks for the mention in the article, but that is a really old version you've used to test! The last version I've released publicly is AFX Windows Rootkit 2005; it's open source and can be found on http://www.rootkit.com/; the other, more recent versions I've sold privately.

    Now on the subject of rootkit detection. Most of these use the method based on Microsoft's Strider GhostBuster, which uses a low-level method to gather seemingly clean system information, then gathers the same information using a high-level method. The idea is that rootkits will have only hooked the high-level methods, so there should be a difference in results. Whatever is listed in the low-level results and not listed in the high-level results is displayed as "hidden information". Effectively they are using the rootkit's own hiding functions against itself to detect it. If the rootkit doesn't hide itself to avoid detection, it's still made itself visible.

    The problem is that you put yourself in an arms race over who can hook system information at the lowest level. Luckily, since we (the sysadmin) have access to the hardware and presumably the attacker does not, a hardware method of gathering system information would be the best. You can bet money that we are going to be seeing hardware-level rootkit detectors sooner or later.

    The final problem is that a backdoor can be hidden without using these rootkit methods. By hooking incoming socket connections we can make a hidden backdoor that creates no new processes, threads, files, registry keys or any other permanent data. I and others have released POC code already. Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean every time.
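
    The cross-view diff this comment describes, as an added example (not code from the commenter or from any of the reviewed tools): a low-level enumeration is compared against the high-level API enumeration, the API is sampled twice so ordinary churn is not mistaken for hiding, and a second scenario shows the arms-race limit where a rootkit filtering the low-level path too leaves nothing to find. The process names are constructed.

```python
"""Cross-view detection in the Strider GhostBuster style described above:
enumerate the same objects via a low-level path and via the high-level API,
then report what the low view has that the API view lacks.  Added illustration
only; the "views" are constructed lists, not output of any reviewed tool."""
from dataclasses import dataclass


@dataclass
class CrossViewResult:
    hidden: set      # in the low-level view, never seen via the API
    transient: set   # in only one API sample: normal churn, not hiding
    unexpected: set  # reported by the API but absent from the low view


def normalize(name: str) -> str:
    # Windows object names are case-insensitive; compare them that way.
    return name.strip().lower()


def cross_view_diff(low_view, api_before, api_after) -> CrossViewResult:
    """Diff one low-level enumeration against two API enumerations taken
    just before and just after it; sampling the API twice absorbs churn
    (a process that exited in between) so it is not reported as hidden."""
    low = {normalize(n) for n in low_view}
    before = {normalize(n) for n in api_before}
    after = {normalize(n) for n in api_after}
    seen_by_api, steady = before | after, before & after
    return CrossViewResult(hidden=low - seen_by_api,
                           transient=seen_by_api - steady,
                           unexpected=steady - low)


# Constructed scenario: the rootkit hooks only the user-mode process-listing
# API, so a raw walk of kernel structures still sees its process.
LOW_PROCESSES = ["System", "winlogon.exe", "explorer.exe", "notepad.exe",
                 "hidden_svc.exe"]                    # constructed name
API_BEFORE = ["System", "winlogon.exe", "Explorer.EXE", "notepad.exe"]
API_AFTER = ["System", "winlogon.exe", "explorer.exe"]  # notepad.exe exited


def demo_hooked_api() -> CrossViewResult:
    return cross_view_diff(LOW_PROCESSES, API_BEFORE, API_AFTER)


def demo_hooked_below() -> CrossViewResult:
    # The arms race the comment describes: once the rootkit also filters the
    # low-level path, both views agree and the diff finds nothing.
    filtered_low = [p for p in LOW_PROCESSES if p != "hidden_svc.exe"]
    return cross_view_diff(filtered_low, API_BEFORE, API_AFTER)
```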

    1. Re:I am the author of AFX Windows Rootkit 2003 by Afecks · · Score: 4, Informative

      The simple answer is, yes.

      The complicated answer is, for a little while. The reason is that there are rootkits being developed that are designed to store themselves in your video card. The idea is that after the hard drive is reformatted, the video card will load this rootkit back into the kernel. Right now it's highly unlikely.

  8. Nervous about these... by ubuwalker31 · · Score: 5, Insightful

    Is it just me, or am I being overly cautious in not wanting to download a rootkit detector from Chinese and Russian software developers? Are these programs open source? Are they safe? Anyone?

  9. Easier solution... by Stormwatch · · Score: 5, Funny

    Do NOT buy music from stores. Instead, get them from torrents. It's safer!

  10. Re:Rootkit by chris(pinecone) · · Score: 4, Insightful

    Most rootkits target *nix. OS X is a Unix variant. But since Macs don't ever get viruses, I'm sure it would be impossible to get past Apple's expert, fully-secure software.

    --
    /.