Re: Download freeware RKR scanning software (detect Sony rootkit & others)

From: karl levinson, mvp (levinson_k_at_despammed.com)
Date: 11/21/05

Date: Mon, 21 Nov 2005 06:59:04 -0500
<pamelafiischer@yahoo.com> wrote in message
news:1132523820.051182.243900@g14g2000cwa.googlegroups.com...

> Q1: Where do mere mortals obtain root kit scanning procedures?
> A: Those of us who are not experts can still obtain rootkit detection
> procedures at
> a. Rootkit Revealer
> http://www.sysinternals.com/utilities/rootkitrevealer.html
> b. GhostBuster Rootkit Detector http://research.microsoft.com/rootkit
> c. RKdetect Rootkit Detecter
> http://www.security.nnov.ru/files/rkdetect.zip

Those are pretty much what the experts use, except that no one should be
using or relying on the GhostBuster method yet.

Another tool by the way is Encase Enterprise edition from Guidance Software,
although you need to set up a server, and it is not cheap, so it is for use
in enterprises, not at home. There is also no guarantee that a future root
kit won't evade its detection method.

Keep in mind that root kits don't exactly do anything themselves; they hide
another program. That other program can do things that

And, because people using rootkits are usually sloppy, the usual malware
tools you use can still often detect rootkits. For example, although some
root kits have the ability to evade tools like the netstat -ano command in
Windows XP or fport / vision from www.foundstone.com/knowledge, many of them
don't. These tools can reveal when malware starts listening on a certain
TCP/IP port. Doing a search of your computer for files that have changed in
the last day might also reveal clues that something is hidden, if a
keystroke logger or sniffer is logging to a file that the attacker forgot to
hide. Root kits can be used to hide pubstro FTP servers, but you
will often notice that your hard drive suddenly has a LOT less free space or
is all out. Many of these also generate network traffic that cannot be
hidden from your high speed modem / router, network IDS and maybe even your
personal firewall software, if you have these. These are not just
theoretical examples; they are among the most common scenarios where root
kits are used and discovered, in my experience.

> My remaining questions are off topic so I will post them separately:
> Q2 Where do mortals obtain the smallest reliable Windows XP bootable
> CDROM?
> Q3: Where do I find a lookup table for each of these 8-4-4-4-12 CLSID
> class ids?

Searching www.google.com for CLSID brought up a number of sites, including:

http://www.sysinfo.org/

which may or may not be complete. I'm not sure Microsoft can necessarily
maintain a complete list, because I would expect non-Microsoft third parties
can create their own CLSIDs at any time.
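The two detection approaches the reply leans on, the cross-view comparison that RootkitRevealer performs (API-reported listing versus a raw read of the same directory or registry key) and the "netstat -ano plus known-good baseline" heuristic, as an added example. This is not code from the post or from any of the tools it names; every file name, port, PID and the netstat text is constructed for the example, and the tasklist-derived PID set stands in for a real process enumeration.

```python
"""Two of the detection heuristics from the post, run over constructed sample data.

cross_view_diff() is the idea behind RootkitRevealer: enumerate the same object
(a directory, a registry key) once through the normal Windows API and once by
reading the raw on-disk structure, then report anything the API view omits.
parse_netstat_ano() / suspicious_listeners() implement the "netstat -ano"
heuristic: a LISTENING socket on an unexpected port, or one owned by a PID that
the process list does not show, is worth a closer look.

Everything below (file names, ports, PIDs, the netstat text) is constructed for
the example; nothing was captured from a real machine.
"""
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port foreign state pid")


def cross_view_diff(api_view, raw_view):
    """Compare two listings of the same object.

    Returns (hidden, phantom): names the raw view has but the API view lacks
    (candidate hidden objects) and names only the API view has (usually just
    churn between the two scans, e.g. a temp file deleted in between).  Either
    kind of discrepancy should be re-scanned before drawing conclusions.
    """
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def parse_netstat_ano(text):
    """Parse the table printed by `netstat -ano` on Windows XP.

    TCP rows carry five columns (proto, local, foreign, state, PID); UDP rows
    have no state column and therefore only four.
    """
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections"
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # malformed row; do not guess at its meaning
        addr, _, port = local.rpartition(":")  # rpartition copes with [::]:135
        sockets.append(Socket(proto, addr, int(port), foreign, state, int(pid)))
    return sockets


def suspicious_listeners(sockets, known_ports, visible_pids):
    """Flag listening sockets that are not in the baseline or whose owning PID
    is absent from the process list (a second cross-view: netstat vs tasklist).
    Returns a list of (Socket, [reasons])."""
    findings = []
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # only listeners matter here; UDP sockets always "listen"
        reasons = []
        if (s.proto, s.local_port) not in known_ports:
            reasons.append("port %s/%d not in baseline" % (s.proto, s.local_port))
        if s.pid not in visible_pids:
            reasons.append("owning PID %d not in process list" % s.pid)
        if reasons:
            findings.append((s, reasons))
    return findings


# --- constructed sample data -------------------------------------------------
# Directory listing as the Windows API reports it (constructed).
API_VIEW = ["drivers", "ntoskrnl.exe", "kernel32.dll"]
# Same directory read from the raw NTFS structures (constructed).  The Sony
# XCP rootkit this thread is about hid every name beginning with "$sys$".
RAW_VIEW = ["drivers", "ntoskrnl.exe", "kernel32.dll", "$sys$hidden.sys"]

# Constructed `netstat -ano` output in the Windows XP layout.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1880
  TCP    192.168.1.5:1054       203.0.113.7:5190       ESTABLISHED     2040
  UDP    0.0.0.0:445            *:*                                    4
"""
# Ports this machine is expected to listen on (constructed baseline).
KNOWN_PORTS = {("TCP", 135), ("TCP", 445), ("UDP", 445)}
# PIDs that `tasklist` shows (constructed); 1880 is deliberately missing.
VISIBLE_PIDS = {4, 924, 2040}


def run_checks():
    """Run both heuristics over the sample data and return their results."""
    hidden, phantom = cross_view_diff(API_VIEW, RAW_VIEW)
    findings = suspicious_listeners(parse_netstat_ano(NETSTAT_SAMPLE),
                                    KNOWN_PORTS, VISIBLE_PIDS)
    return hidden, phantom, findings


if __name__ == "__main__":
    hidden, phantom, findings = run_checks()
    for name in hidden:
        print("hidden from API view:", name)
    for sock, reasons in findings:
        print("%s %s:%d pid %d -> %s" % (sock.proto, sock.local_addr,
                                         sock.local_port, sock.pid,
                                         "; ".join(reasons)))
```

The point of the second check is the one the reply makes: a rootkit that hides a process from the task list often forgets to hide the socket that process owns, so the PID netstat prints has no matching entry in tasklist. The sample flags the 31337 listener on both counts (unknown port and invisible owner); the ESTABLISHED row is skipped because the baseline is about what the box accepts, not what it connects to.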


