Ghost Buster

Couldn't find this anywhere on the site so I thought that I would share the link with you guys :

Strider GhostBuster Rootkit Detection

Simple explanation on how it works :

Quote:

---

Bruce Schneier

Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

Simple. Clever. Elegant.

---

Why doesn't MS include programs like this is their OS ?

BAsicly because they dont have the programm for public release..yet..

And because WHEN IT IS PART OF THE OS IT CAN BE DEFEATED.

And because most of the common malware untill the past year could be removed with the tools provided with windows.. Safe mode, Msconfig, Command mode, Recovery Console..
.. but in the last year the increase in the esoteric methods of operation of Malware product have rapidly grown.. and advanced/broadened.. into the main stream

most that we(that is us at the coal face, the developers of software products, the anti malware creaters) have only done has been to produce bandaids.

Quote:

---

Tools

* Strider GhostBuster will be released either as a research prototype or as part of Microsoft products.
* SysInternals RootkitRevealer, released on February 22, 2005, implements the same hidden-file and hidden-Registry detection techniques used in the Inside-the-box GhostBuster (which includes additional hidden-process and hidden-module detection techniques).
* Simple steps you can take to detect some of today's ghostware:
1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
4. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

---

Didnt search hard either.....


Found here with a simple search of AO