Re: Windows Me "User Connected"

From: nemo outis (outis_at_erewhon.com)
Date: 02/25/05 

Date: Thu, 24 Feb 2005 23:56:34 GMT

In article <cvjrbl$a0n@dispatch.concentric.net>, winged
<winged@nofollow.com> wrote:
>David H. Lipman wrote:
>> I was just made aware of a new utility by Sysinternals
>>
>> http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
>>
>> "RootkitRevealer is a an advanced root kit detection utility. It runs on
> Windows NT4 and
>> higher and its output lists Registry and file system API discrepancies that
> may indicate the
>> presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully
> detects all
>> rootkits published at www.rootkit.com, including AFX, Vanquish and
> HackerDefender."
>>
>>
>Thanks, I hadn't used this one before. It is in my toolbox now. I
>tested it on a known compromised virtual and the rootkit stood right
>out. It doesn't ID ADS (alternate Data stream)rootkits that I could see
>but it is a very useful tool, once I figured out what I was looking at.
>Thanks again!
>
>Winged

Sysinternals also has a ADS tool (Streams v1.5.1) as do may
others.

However, the best tool for actually manipulating (writing, etc.)
ADSs that I have found (although I haven't looked all that hard)
is called "ntfs streams info" at:

http://www.isgeo.kiev.ua/shareware/

There are cracks out there for it (but they don't seem to work on
the latest version from the site - although they DO work for
earlier versions with the same release number: 2.1).

Regards,