Thread: Ghost Buster

#1  Senior Member (Join Date: Oct 2003)

    Ghost Buster

    Couldn't find this anywhere on the site so I thought that I would share the link with you guys :

    Strider GhostBuster Rootkit Detection

    Simple explanation on how it works :

    Bruce Schneier

    Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

    Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

    Simple. Clever. Elegant.
    Why doesn't MS include programs like this in their OS?
    "I've noticed that everybody that is for abortion has already been born." Author Unknown

#2  The Doctor Und3ertak3r (Join Date: Apr 2002)

    Basically because they don't have the program for public release... yet.


    And because most of the common malware until the past year could be removed with the tools provided with Windows: Safe Mode, Msconfig, command mode, Recovery Console.
    But in the last year the esoteric methods of operation of malware products have rapidly grown, advanced and broadened into the mainstream.

    Most of what we (that is, us at the coal face, the developers of software products, the anti-malware creators) have done has only been to produce band-aids.


    * Strider GhostBuster will be released either as a research prototype or as part of Microsoft products.
    * SysInternals RootkitRevealer, released on February 22, 2005, implements the same hidden-file and hidden-Registry detection techniques used in the Inside-the-box GhostBuster (which includes additional hidden-process and hidden-module detection techniques).
    * Simple steps you can take to detect some of today's ghostware:
    1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
    2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
    3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
    4. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.
    Didn't search hard either...

    Found here with a simple search of AO
    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
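The cross-view comparison that both posts describe (scan from inside the running OS, reboot to a clean CD, scan again, diff the two) reduces to set arithmetic over the two "dir /s /b" outputs. The script below is an added example and is not code from the original thread, from Strider GhostBuster or from SysInternals. It parses two recursive listings, folds case the way NTFS does, reports paths that are visible from the clean boot but absent from the inside view (the file-hiding signature), and separates out the expected false positives mentioned in step 4 (temp files, pagefile, the scan output files themselves) so they don't drown the real hits. The two listings are constructed for this example, and the names ghostdrv.sys and ghostsvc.exe are hypothetical stand-ins for files a rootkit filters out of directory enumeration.

```python
"""Cross-view diff of two recursive directory listings, in the spirit of the
GhostBuster "dir /s /b" procedure. Added example; not the tool's own code."""
from __future__ import annotations

# Constructed sample output of "dir /s /b" taken INSIDE the running OS.
# The listing is case-mixed on purpose, as cmd.exe prints it.
INSIDE_LISTING = r"""
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\user\Local Settings\Temp\~DF1234.tmp
C:\pagefile.sys
C:\scan-inside.txt
"""

# Constructed sample output of the same command from a clean boot CD.
# ghostdrv.sys / ghostsvc.exe are hypothetical names standing in for files
# that a rootkit hides from the inside view.
OUTSIDE_LISTING = r"""
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\drivers\etc\hosts
c:\windows\system32\drivers\ghostdrv.sys
c:\windows\system32\ghostsvc.exe
c:\documents and settings\user\local settings\temp\~df9999.tmp
c:\pagefile.sys
c:\scan-inside.txt
c:\scan-outside.txt
"""

# Files that legitimately differ between the two views: the scan results
# themselves and OS-managed files. Treated as noise, not as evidence.
NOISE_NAMES = {"pagefile.sys", "hiberfil.sys", "scan-inside.txt", "scan-outside.txt"}
NOISE_DIR_FRAGMENTS = ("\\temp\\", "\\temporary internet files\\")


def parse_listing(text: str) -> set[str]:
    """Turn raw 'dir /s /b' output into a set of normalised full paths."""
    paths: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # NTFS is case-insensitive, and the two tools may print case differently.
        paths.add(line.lower())
    return paths


def is_expected_noise(path: str) -> bool:
    """Known-benign differences between an inside and an outside scan."""
    name = path.rsplit("\\", 1)[-1]
    if name in NOISE_NAMES:
        return True
    return any(frag in path for frag in NOISE_DIR_FRAGMENTS)


def cross_view_diff(inside: str, outside: str) -> dict[str, list[str]]:
    """Compare the two views.

    hidden_inside: visible from the clean boot but missing inside -> suspect.
    only_inside:   visible inside but not from the clean boot -> also odd
                   (e.g. a filter driver injecting entries), worth a look.
    noise:         differences explained by the noise rules above.
    """
    seen_inside = parse_listing(inside)
    seen_outside = parse_listing(outside)
    result: dict[str, list[str]] = {"hidden_inside": [], "only_inside": [], "noise": []}
    for path in sorted(seen_outside - seen_inside):
        bucket = "noise" if is_expected_noise(path) else "hidden_inside"
        result[bucket].append(path)
    for path in sorted(seen_inside - seen_outside):
        bucket = "noise" if is_expected_noise(path) else "only_inside"
        result[bucket].append(path)
    return result


if __name__ == "__main__":
    report = cross_view_diff(INSIDE_LISTING, OUTSIDE_LISTING)
    for bucket, paths in report.items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

In practice you would feed the two files saved in steps 1 and 2 into cross_view_diff instead of the embedded strings, and extend NOISE_NAMES / NOISE_DIR_FRAGMENTS for whatever your own image legitimately churns between boots (log files, event logs, prefetch). As step 4 warns, an empty hidden_inside list is not a clean bill of health: anything living in the BIOS, in alternate data streams or outside the file system never shows up in either listing.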
