Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Rootkits are Hard to Detect (Shocker)

  1. #1
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246

    Rootkits are Hard to Detect (Shocker)

    Half of the rootkits tested against anti-virus suites and online scanners prove tough to catch. No real surprise there...

    New Tests Show Rootkits Still Evade AV - Dark Reading

    The XP test used 30 active rootkits and 30 pieces of malware using rootkit technologies. Not surprisingly, anti-rootkit tools did the best, detecting about 80 percent of the rootkits overall, while the security suites found over 66 percent, and online scanners, only 53 percent. Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”

    Security suites did better detecting inactive rootkits than active ones -- most found all (or nearly all) 30. But detecting and cleaning up active rootkits -- which is the task that AV-Test.org considers the “real rootkit test” -- was another story.
    via Slashdot

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I wonder where AV-Test.org gets the rootkits to test?

    Friends at an AV company? Or maybe they just bring their kids' computers
    to work.

    edit -- From the article, this caught my eye: "Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”"

    I use IceSword and often see it crash on badly infected machines. Might try another tool like RootkitRevealer on those. Neither removes rootkits as far as I know.

    What's everybody using on rootkits here? Anybody?
    Last edited by brokencrow; May 15th, 2008 at 02:13 AM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    A lot of them are open source or u can find them on the web pretty easy

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152

    Cool

    Quote Originally Posted by brokencrow

    edit -- From the article, this caught my eye: "Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”"
    This is the point large red flags of system instability would have me format and reinstall to ensure it is not a hardware issue.

    So in a sense the malware or "rootkit" is detected as the system becomes unstable with the application crashes or errors.

    AFAIK...the only way to clean a rooted system is to format and reinstall...as you could never be sure what has been done to the system.

    This because anti malware is a reactive technology.....detecting known malware.....opposed to a proactive or preventative application such as the use of limited users, firewalls and safe surfing habits .

    Not saying these measures will eliminate malware as a whole...but greatly reduces the infections.

    My humble opinion as always.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Quote Originally Posted by morganlefay
    This is the point large red flags of system instability would have me format and reinstall to ensure it is not a hardware issue.

    So in a sense the malware or "rootkit" is detected as the system becomes unstable with the application crashes or errors.

    AFAIK...the only way to clean a rooted system is to format and reinstall...as you could never be sure what has been done to the system.
    It still begs the question, "What is a rooted system?" Ask ten admins and
    you'll get a number of answers (ten, maybe?). If the guys at AV-Test are
    half-right, we really don't know for sure when a system is rooted. We know
    when it's unstable and can make an educated guess (aka judgement call),
    which is what we most often do. I chuckle when users (and even admins)
    think of IT as an exact science. I find it far from that.

    It ultimately gets down to what you can live with. In an enterprise environment,
    "not much"...don't even format and reinstall. Just ghost the d@mn thing
    with the proverbial standard image. On a home or SOHO system, apps and
    data aren't planted on a server. Formatting and reinstalling present a new
    set of problems. I will sometimes throw in a "sfc /scannow" to replace any
    corrupted system files after cleaning up a bad malware infection. They'll be
    reinfected soon enough if they keep it up. Most users don't 'get' what we
    do and just want it to work.

    Quote Originally Posted by morganlefay
    This because anti malware is a reactive technology.....detecting known malware.....opposed to a proactive or preventative application such as the use of limited users, firewalls and safe surfing habits .

    Not saying these measures will eliminate malware as a whole...but greatly reduces the infections.

    My humble opinion as always.
    Technology humbles us all. Ben Franklin's advice that an ounce of prevention
    is worth a pound of cure holds more true than ever, particularly IT. I have
    some users I've dealt with going on 8 years, and they've certainly come along.
    Clean it up and keep to their budget. And just as important, warn them off
    of their behavior (sin sites). As for cleaning rootkits, they are 'married' to
    malware, so cleaning malware and regedits seem to be the order of the day.

    Still curious what else folks are using on rootkits in Windows.
    Last edited by brokencrow; May 15th, 2008 at 06:05 AM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    BTW: Pandas product line is reactive as well as proactive. This is different from other vendors.

    www.infectedornot.com
    www.activescan.com

    Let me know if you need anything Panda wise and I will hook you up.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I do not no if any of you have come across this :http://www.microsoft.com/emea/spotli...px?videoid=359

    Well worth an hour of any ones time to watch.

    MLF you bring up an issue covered in the video, Resticted user account. Basicaly that is not going to give you much protection in the future.

    As for what tools to use, use them all, as many as you can find. here's a list of some that I have used.

    Regnuls
    Autoruns
    Process Explorer
    IceSword
    Backlight
    TCPView
    Rootkit Reveler
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  8. #8
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    unhackme works well.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Wow...that looks like a great tool KorpDeath

    Thanks

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Hey there

    Hmm, decided to try this "unhackme". Anyway downloaded it.

    Well scanned the system. All of them were flase positives. It detected all my AV+FW processes and things like Cdburner and DAP.

    Not satisfied!
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

Similar Threads

  1. Hard Disk CRASH
    By goodGAL in forum Hardware
    Replies: 15
    Last Post: May 6th, 2004, 07:48 PM
  2. A look into IDS/Snort Whole thing by QoD
    By qod in forum The Security Tutorials Forum
    Replies: 6
    Last Post: February 27th, 2004, 03:03 AM
  3. A look into IDS/Snort part 1 of 3
    By qod in forum The Security Tutorials Forum
    Replies: 18
    Last Post: January 5th, 2004, 02:30 PM
  4. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 08:01 AM
  5. Question about multipule hard drives
    By codewarrior2 in forum Hardware
    Replies: 3
    Last Post: November 30th, 2003, 12:32 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •