-
May 14th, 2008, 07:52 PM
#1
Rootkits are Hard to Detect (Shocker)
Half of the rootkits tested against anti-virus suites and online scanners prove tough to catch. No real surprise there...
New Tests Show Rootkits Still Evade AV - Dark Reading
The XP test used 30 active rootkits and 30 pieces of malware using rootkit technologies. Not surprisingly, anti-rootkit tools did the best, detecting about 80 percent of the rootkits overall, while the security suites found over 66 percent, and online scanners, only 53 percent. Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”
Security suites did better detecting inactive rootkits than active ones -- most found all (or nearly all) 30. But detecting and cleaning up active rootkits -- which is the task that AV-Test.org considers the “real rootkit test” -- was another story.
via Slashdot
-
May 15th, 2008, 02:04 AM
#2
I wonder where AV-Test.org gets the rootkits to test? Friends at an AV company? Or maybe they just bring their kids' computers to work.
edit -- From the article, this caught my eye: "Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”"
I use IceSword and often see it crash on badly infected machines. Might try another tool like RootkitRevealer on those. Neither removes rootkits as far as I know.
What's everybody using on rootkits here? Anybody?
Last edited by brokencrow; May 15th, 2008 at 02:13 AM.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
May 15th, 2008, 02:06 AM
#3
A lot of them are open source, or you can find them on the web pretty easily.
-
May 15th, 2008, 03:57 AM
#4
Originally Posted by brokencrow
edit -- From the article, this caught my eye: "Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”"
This is the point where large red flags of system instability would have me format and reinstall to ensure it is not a hardware issue.
So in a sense the malware or "rootkit" is detected as the system becomes unstable with the application crashes or errors.
AFAIK... the only way to clean a rooted system is to format and reinstall... as you could never be sure what has been done to the system.
This is because anti-malware is a reactive technology... detecting known malware... as opposed to a proactive or preventative approach such as the use of limited users, firewalls and safe surfing habits.
Not saying these measures will eliminate malware as a whole... but they greatly reduce infections.
My humble opinion as always.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
May 15th, 2008, 06:02 AM
#5
Originally Posted by morganlefay
This is the point where large red flags of system instability would have me format and reinstall to ensure it is not a hardware issue.
So in a sense the malware or "rootkit" is detected as the system becomes unstable with the application crashes or errors.
AFAIK... the only way to clean a rooted system is to format and reinstall... as you could never be sure what has been done to the system.
It still begs the question, "What is a rooted system?" Ask ten admins and you'll get a number of answers (ten, maybe?). If the guys at AV-Test are half-right, we really don't know for sure when a system is rooted. We know when it's unstable and can make an educated guess (aka judgement call), which is what we most often do. I chuckle when users (and even admins) think of IT as an exact science. I find it far from that.
It ultimately gets down to what you can live with. In an enterprise environment, "not much"... don't even format and reinstall. Just ghost the d@mn thing with the proverbial standard image. On a home or SOHO system, apps and data aren't planted on a server. Formatting and reinstalling present a new set of problems. I will sometimes throw in a "sfc /scannow" to replace any corrupted system files after cleaning up a bad malware infection. They'll be reinfected soon enough if they keep it up. Most users don't 'get' what we do and just want it to work.
Originally Posted by morganlefay
This is because anti-malware is a reactive technology... detecting known malware... as opposed to a proactive or preventative approach such as the use of limited users, firewalls and safe surfing habits.
Not saying these measures will eliminate malware as a whole... but they greatly reduce infections.
My humble opinion as always.
Technology humbles us all. Ben Franklin's advice that an ounce of prevention is worth a pound of cure holds more true than ever, particularly in IT. I have some users I've dealt with going on 8 years, and they've certainly come along. Clean it up and keep to their budget. And just as important, warn them off of their behavior (sin sites). As for cleaning rootkits, they are 'married' to malware, so cleaning malware and regedits seems to be the order of the day.
Still curious what else folks are using on rootkits in Windows.
Last edited by brokencrow; May 15th, 2008 at 06:05 AM.
-
May 15th, 2008, 10:05 AM
#6
BTW: Panda's product line is reactive as well as proactive. This is different from other vendors.
www.infectedornot.com
www.activescan.com
Let me know if you need anything Panda-wise and I will hook you up.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
May 18th, 2008, 02:36 PM
#7
I do not know if any of you have come across this: http://www.microsoft.com/emea/spotli...px?videoid=359
Well worth an hour of anyone's time to watch.
MLF, you bring up an issue covered in the video: restricted user accounts. Basically that is not going to give you much protection in the future.
As for what tools to use, use them all, as many as you can find. Here's a list of some that I have used.
Regnuls
Autoruns
Process Explorer
IceSword
BlackLight
TCPView
RootkitRevealer
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
May 21st, 2008, 10:10 PM
#8
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
May 26th, 2008, 02:32 PM
#9
Wow... that looks like a great tool, KorpDeath.
Thanks
MLF
-
May 26th, 2008, 08:42 PM
#10
Hey there
Hmm, decided to try this "UnHackMe". Anyway, downloaded it.
Well, scanned the system. All of them were false positives. It detected all my AV+FW processes and things like CDBurner and DAP.
Not satisfied!