February 16th, 2005, 04:28 AM
Prototype Rootkit Discovery Application
Bruce Schneier describes a prototype app to help discover persistent rootkits. This is a really cool idea.
Basically, it's a CD-based app that you pop in the drive while the system is up and running. It will examine the current state, stop all user programs, flush caches, and run a checksum of all files, as well as check the registry for keys that could 're-launch' certain infected programs and such. All data is written to a dump file on the hard drive.
It then tells the user to "RESET" the system which then boots from the CD and repeats the process on the files and registry/hive files. Any differences indicate a rootkit or stealth software.
That's a pretty simple and cool idea.
And the most amazing part...it's a Microsoft prototype! They call it Ghostbuster, but don't have plans to sell or market. Here's hoping they don't hold the copyright, and let others take this great idea and run with it, if they don't want to.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
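The "snapshot while running, reboot from trusted media, snapshot again, diff" idea described in the post above, as an added example in Python that is not the Microsoft prototype's code: one view is taken through the possibly lying online OS, the other from the clean boot, and anything present in only one view or hashing differently is flagged. The sample views are constructed inline; paths and hashes are made up for illustration.

```python
import hashlib
import json
import os


def snapshot(root):
    """Walk `root` and return {relative_path: sha256hex}: one 'view' of the disk.
    Run once on the live system and once after booting from trusted media."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            view[os.path.relpath(full, root)] = h.hexdigest()
    return view


def save_dump(view, path):
    """Persist a view as the 'dump file' the live pass leaves behind for the offline pass."""
    with open(path, "w") as f:
        json.dump(view, f, sort_keys=True)


def cross_view_diff(inside, outside):
    """Compare the live (inside) view with the trusted-boot (outside) view.
    hidden:  only the clean boot saw it  -> something filtered it from the live OS
    phantom: only the live OS saw it     -> present in the lying view only
    changed: both saw it, hashes differ  -> content differs between views"""
    hidden = sorted(p for p in outside if p not in inside)
    phantom = sorted(p for p in inside if p not in outside)
    changed = sorted(p for p in inside if p in outside and inside[p] != outside[p])
    return {"hidden": hidden, "phantom": phantom, "changed": changed}


# Constructed sample views (hashes are placeholders, not real file digests).
INSIDE = {  # what the running system reported
    "windows/system32/kernel32.dll": "a1",
    "windows/system32/ntdll.dll": "b2",
}
OUTSIDE = {  # what the clean boot from CD reported for the same disk
    "windows/system32/kernel32.dll": "a1",
    "windows/system32/ntdll.dll": "c3",
    "windows/system32/drivers/stealth.sys": "d4",
}


def demo():
    """Diff the constructed views; a clean system returns three empty lists."""
    return cross_view_diff(INSIDE, OUTSIDE)
```

The same comparison applies to the registry: dump key names and values from the live hive and from the offline hive file, then diff them the same way.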
February 16th, 2005, 06:06 AM
Gawd there's nothing like a new wrench for the toolbox. Thanks for the clue-in and I'll check it out.
Even a broken watch is correct twice a day.
Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!
February 16th, 2005, 06:35 AM
Looks very interesting.... I'm definitely going to have to check it out.
One of the things I've been looking into recently is VICE... only because I happened to come across an older ScreenSavers segment which had some guys from rootkit.com and covered VICE... It's a pretty nifty little rootkit hunter.
The README_VICE.txt in the EXE folder of the zip has more information on it as well as related documentation.
VICE is a program that identifies hooks in API calls, functions, and function pointer tables. It has a user portion and a kernel portion. Usually anything it detects in the kernel is a rootkit or some form of third party software that uses "rootkit techniques". Third party products that may be detected by VICE in the kernel are things like personal firewalls and Host Based Intrusion Prevention Systems (HIPS) like ZoneAlarm, Cisco Security Agent, or Blink.
The software is available from the downloads page of www.rootkit.com; however, you need to register to access it (registration is free)... I'm also attaching the archive to this thread for anyone interested in it.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".