Re: Download freeware RKR scanning software (detect Sony rootkit & others)
From: Andy Walker (awalker_at_nspank.invalid)
Date: 11/20/05
- Next message: Walter Roberson: "Re: brown-out"
- Previous message: if: "NAT routers - is IP spoofing a risk?"
- In reply to: karl levinson, mvp: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Next in thread: pamelafiischer_at_yahoo.com: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Reply: pamelafiischer_at_yahoo.com: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Reply: Trax: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Reply: karl levinson, mvp: "Re: Download freeware RKR scanning software (detect Sony rootkit & others)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 20 Nov 2005 11:22:25 -0500
karl levinson, mvp wrote:
>Note that there are supposedly root kits that can disable Rootkit Revealer
>and make it fail to detect hidden files. For a second opinion, you might
>also search for rkdetect in www.google.com and run that as well. I think
>it's a little harder to run than just double-clicking on it, I think you
>may have to run it at the command line. Using the same method to find and
>run Hijack This! and post the logs to their web site may also be helpful.
Rootkit Revealer implemented a defense mechanism against being
disabled by spawning a randomly named copy of itself and running it as
a service. This makes it very difficult for any other process to
identify and disable Rootkit Revealer, but it also creates a tell-tale
sign on any system that runs Rootkit Revealer -- the randomly named
program gets deleted, but the registry key for the service is left
over pointing to a now deleted file. CrapCleaner will find and delete
the "null" service, or you can manually edit the registry and delete
the key.
You can also use the Microsoft method of identifying rootkits by
following their instructions at http://research.microsoft.com/rootkit/
Reproduced here in part:
Simple steps you can take to detect some of today's ghostware:
Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially
infected OS and save the results.
Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the
same drive, and save the results.
Run a clean version of WinDiff from the CD on the two sets of results
to detect file-hiding ghostware (i.e., invisible inside, but visible
from outside).
[You can get WinDiff here: http://www.grigsoft.com/download-windiff.htm]
See Hacker Defender ghostware files revealed (highlighted) for an
example. http://research.microsoft.com/rootkit/HD_hidden_files.JPG
Note: there will be some false positives. Also, this does not detect
stealth software that hides in BIOS, Video card EEPROM, disk bad
sectors, Alternate Data Streams, etc.
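A worked cross-view comparison of the four `dir /s /b` listings described in the steps above, added here as an example; it is not part of the original post or of the Microsoft page it quotes. It assumes the listings were saved as plain text files, and that the same volume may show up under a different drive letter when booted from the clean CD (C: inside, D: outside), so it strips the drive letter and compares paths case-insensitively. The listings below are constructed sample data, and the noise heuristic for the false positives the post warns about is an assumption of this example, not something the post or Microsoft specifies.

```python
"""Cross-view diff of `dir /s /b /ah` and `dir /s /b /a-h` listings.

Files that the clean boot sees but the running (possibly infected) OS does
not are the candidates for file-hiding rootkits. Example code; the listings
below are constructed, not captured from a real machine.
"""
import ntpath
from typing import Dict, List, Set

# Constructed listings. The volume is C: when booted normally and was
# mounted as D: when booted from the clean CD.
INSIDE_HIDDEN = """\
C:\\boot.ini
C:\\pagefile.sys
C:\\WINDOWS\\system32\\config\\system.LOG
"""
INSIDE_VISIBLE = """\
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\drivers\\ntfs.sys
C:\\Documents and Settings\\user\\report.doc
C:\\Documents and Settings\\user\\Local Settings\\Temp\\~DF1234.tmp
"""
OUTSIDE_HIDDEN = """\
D:\\boot.ini
D:\\pagefile.sys
D:\\WINDOWS\\system32\\config\\system.LOG
D:\\WINDOWS\\system32\\drivers\\sample_hidden.sys
"""
OUTSIDE_VISIBLE = """\
D:\\WINDOWS\\system32\\kernel32.dll
D:\\WINDOWS\\system32\\drivers\\ntfs.sys
D:\\WINDOWS\\sample_hidden_dir\\settings.ini
D:\\Documents and Settings\\user\\report.doc
"""

# Heuristic (an assumption of this example, not from the post): paths that
# match these are usually churn between the two runs rather than hidden files.
NOISE_HINTS = ("\\temp\\", "\\tmp\\", ".tmp", ".log", "pagefile.sys", "hiberfil.sys")


def normalise(path: str) -> str:
    """Drop the drive letter, lower-case and backslash-normalise the path, so
    the inside view (C:) and the clean-CD view (D:) of one file compare equal."""
    _drive, rest = ntpath.splitdrive(path.strip())
    return ntpath.normcase(rest)


def parse_listing(text: str) -> Set[str]:
    """Turn saved `dir /s /b` output into a set of normalised paths."""
    return {normalise(line) for line in text.splitlines() if line.strip()}


def looks_like_noise(path: str) -> bool:
    return any(hint in path for hint in NOISE_HINTS)


def cross_view_diff(inside_hidden: str, inside_visible: str,
                    outside_hidden: str, outside_visible: str) -> Dict[str, List[str]]:
    """Compare the union of both inside listings with the union of both
    outside listings. Entries the clean boot sees but the running OS does not
    are reported as 'suspect' (or 'hidden_but_noisy' if they match the
    heuristic); entries only the running OS saw were created between the two
    snapshots and are listed for completeness."""
    inside = parse_listing(inside_hidden) | parse_listing(inside_visible)
    outside = parse_listing(outside_hidden) | parse_listing(outside_visible)
    hidden_from_inside = sorted(outside - inside)
    return {
        "suspect": [p for p in hidden_from_inside if not looks_like_noise(p)],
        "hidden_but_noisy": [p for p in hidden_from_inside if looks_like_noise(p)],
        "inside_only": sorted(inside - outside),
    }


if __name__ == "__main__":
    report = cross_view_diff(INSIDE_HIDDEN, INSIDE_VISIBLE, OUTSIDE_HIDDEN, OUTSIDE_VISIBLE)
    for bucket, paths in report.items():
        print(f"[{bucket}]")
        for p in paths:
            print("   ", p)
```

With the sample data, the two entries under `suspect` are the ones the running OS never showed; the temp file under `inside_only` is the kind of churn that appears whenever time passes between the two snapshots, and is why the post says to expect false positives.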
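Returning to the earlier point about the leftover Rootkit Revealer service key: that key is one instance of a more general check a defender can run, namely listing every service whose ImagePath points at a binary that no longer exists on disk. The following is an added example (not from the post, and not Sysinternals or CrapCleaner code) that reduces the common ImagePath forms to a file path and flags such services. The service table is constructed sample data, the name `a7f3b2c1` is a made-up placeholder standing in for a randomly named service, `C:\WINDOWS` as the system root is an assumption for that data, and `read_services_from_registry` is only usable on the Windows machine itself.

```python
"""Flag services whose ImagePath points at a binary that is not on disk.
Example code; SAMPLE_SERVICES is constructed, and the random-looking service
name in it is a placeholder."""
import ntpath
import re
from typing import Callable, Dict, List

SYSTEM_ROOT = r"C:\WINDOWS"   # assumption for the sample data


def image_path_to_file(image_path: str, system_root: str = SYSTEM_ROOT) -> str:
    """Reduce an ImagePath value to the file it names, handling the forms seen
    under HKLM\\SYSTEM\\CurrentControlSet\\Services:
      \\??\\C:\\x.sys                          -> C:\\x.sys
      "C:\\Program Files\\a\\b.exe" -svc        -> C:\\Program Files\\a\\b.exe
      %SystemRoot%\\system32\\svchost.exe -k x  -> <root>\\system32\\svchost.exe
      system32\\DRIVERS\\ntfs.sys               -> <root>\\system32\\DRIVERS\\ntfs.sys
    """
    p = image_path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        # Unquoted: the binary ends at the first .exe/.sys/.dll token.
        m = re.match(r"(.*?\.(?:exe|sys|dll))(?:\s|$)", p, re.IGNORECASE)
        if m:
            p = m.group(1)
    # Lambda replacement so backslashes in system_root are not parsed as escapes.
    p = re.sub(r"%SystemRoot%", lambda _m: system_root, p, flags=re.IGNORECASE)
    if not ntpath.splitdrive(p)[0] and not p.startswith("\\"):
        p = ntpath.join(system_root, p)   # relative paths resolve under SystemRoot
    return p


def find_orphaned_services(services: Dict[str, str],
                           exists: Callable[[str], bool],
                           system_root: str = SYSTEM_ROOT) -> List[str]:
    """Return names of services whose binary `exists` cannot find."""
    return sorted(name for name, ip in services.items()
                  if not exists(image_path_to_file(ip, system_root)))


def read_services_from_registry() -> Dict[str, str]:
    """Windows only: collect ImagePath for every key under Services."""
    import winreg  # not available off Windows, so imported lazily
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    out[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # key without an ImagePath value
    return out


# Constructed sample data.
SAMPLE_SERVICES = {
    "Ntfs": r"system32\DRIVERS\ntfs.sys",
    "Eventlog": r"%SystemRoot%\system32\services.exe",
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "ExampleApp": r'"C:\Program Files\Example App\svc.exe" -service',
    "a7f3b2c1": r"\??\C:\WINDOWS\system32\a7f3b2c1.sys",  # placeholder: binary deleted
}
SAMPLE_PRESENT = {ntpath.normcase(p) for p in (
    r"C:\WINDOWS\system32\DRIVERS\ntfs.sys",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Example App\svc.exe",
)}


def sample_exists(path: str) -> bool:
    return ntpath.normcase(path) in SAMPLE_PRESENT


if __name__ == "__main__":
    # On the Windows machine itself, pass read_services_from_registry()
    # together with os.path.exists instead of the sample data.
    print(find_orphaned_services(SAMPLE_SERVICES, sample_exists))
```

A service in the result is not automatically malicious; some legitimate installers leave stale keys too. But a service whose binary is gone has nothing left to run, so deleting the key (as the post describes) costs nothing, and the list is short enough to review by hand.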