Re: New rootkit detection technology

From: Ian JP Kenefick (ian_kenefick_at_eircom.net)
Date: 03/11/05


Date: Fri, 11 Mar 2005 02:45:52 +0000

On Thu, 10 Mar 2005 19:53:18 -0600, "OldWiseMan, or am I?"
<use_ReplyTo@domain.invalid> wrote:

>"Ian JP Kenefick" <ian_kenefick@eircom.net> wrote in message
>news:5u90315rvl0rk2qf5ptf3hvbcaprvd90da@4ax.com...
>> F-Secure launched a new scanner today to detect and remove rootkits.
>> There is a lot of information available on this website...
>>
>> http://www.europe.f-secure.com/blacklight/
>>
>
>
>A month and a half for a beta release? Seems a bit short. The window
>of opportunity is rather small of getting hit in that timeframe and
>you'll just start getting expert in the product, get some education on
>rootkits, and then the product self-destructs. I'm still trying to
>figure out the free SysInternals RootKitRevealer.
>
>Anti-virus software has matured to where most users can let it blindly
>disinfect the file. Anti-spyware is nowhere near that point. All the
>time you hear about a user that didn't check what action the
>anti-spyware program was going to commit in eradicating a detected
>spyware product (or the anti-spyware program doesn't tell the user
>anything which is even worse), they blindly let the anti-spyware program
>do its thing, and now TCP doesn't work because an LSP got removed or an
>application no longer functions. Rootkit removal tools are even more
>risky than using anti-spyware tools, especially because the typical user
>that gets their hands on this tool won't know how to use it. It
>involves understanding the operating system, components, and
>applications beyond the typical user's expertise.
>
>For example, I ran SysInternals RootKitRevealer. It listed about 4
>hidden registry items. Reading the help that comes with the program
>might trigger the typical user into eradicating what is not a rootkit.
>In my case, it was the free Virtual Daemon Manager (Daemon Tools) used
>to run a driver-level CD-ROM drive emulator that lets you have up to 4
>virtual CD drives. I create an ISO image of my Windows, Office, and
>Bookshelf CDs, save them on the hard drive, and use Daemon Tools to make
>it look like I have 3 CD drives with these CDs in them. I can run
>Windows and Office updates without having to search for the real CDs, I
>can add the Recovery Console at-will, I can recover files, and I can run
>the program without having to load the CD (since many CD-based
>applications still don't copy everything onto the hard drive). Because
>it has some copy-protection bypass abilities, I even have an ISO file of
>a copy-protected game that I can play without having to hunt down the
>physical CD. Because I know the device ID of d347prt listed in the
>hidden registry keys is for the Daemon Tools virtual CD tool, I know
>this is a false alert. Actually there are no false alerts by
>SysInternals RootKitRevealer as you are assumed to have the expertise to
>know which hidden registry keys are good and which might be suspicious
>or bad.
>
>The $MFT for the master file table is also listed as a hidden directory.
>It isn't directly accessible via the Windows API. However, you
>obviously need your Master File Table in order for Windows to function.
>The tool identifies where you might start digging but you will have to
>do the digging along with some knowledge of what you are digging into.
>
>>
>> --
>>
>> Regards,             |Windows XP Professional SP2
>> Ian Kenefick         |NOD32 Antivirus system [resident]
>> http://www.ik-cs.com |AVP 3.5 - [On Demand]
>> no snake oil here!   |Sygate Personal Firewall 5 professional
>>                      |Forte Agent 2
>>                      |Eudora 6.2 (Paid)
>
>And why would any of this be important to anyone except you who already
>knows what applications they have installed? A bit hard up for some ego
>stroking, eh? Only the URL is significant.

You don't need to know *HOW* they function. You just need to know what
a rootkit is. Soon enough they will be integrated in AV anyways.

-- 
Regards,		|Windows XP Professional SP2
Ian Kenefick		|NOD32 Antivirus system [resident]
http://www.ik-cs.com	|AVP 3.5 - [On Demand]
no snake oil here!	|Sygate Personal Firewall 5 professional
			|Forte Agent 2
			|Eudora 6.2 (Paid)
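The quoted post describes the principle behind RootkitRevealer and BlackLight-style scanners and the triage problem it leaves to the analyst: the tool compares what the Windows API reports against what a raw read of the registry hive and the NTFS volume reports, lists every discrepancy, and has no idea whether a hidden entry is the Daemon Tools d347prt driver, the $MFT, or something hostile. The script below is an added example and is not code from the thread, from F-Secure or from Sysinternals. It runs the same cross-view diff on two constructed in-memory "views" (it reads no real hive or disk) and applies a reviewer allowlist carrying the reasons the poster gives for d347prt and $MFT; the hiddenexample service and driver are made-up names standing in for an unexplained hidden entry, not any known rootkit.

```python
"""
Cross-view rootkit detection plus analyst triage, on constructed data.

API_VIEW stands in for what the Win32 API (RegEnumKeyEx, FindFirstFile)
returns; RAW_VIEW stands in for what parsing the hive file and the NTFS
MFT directly returns. Paths in RAW_VIEW but not in API_VIEW are "hidden
from Windows API", exactly the class of finding discussed in the thread.
The allowlist is the analyst's knowledge the tool does not have.
"""
from dataclasses import dataclass

# Constructed API view (a few ordinary, visible entries).
API_VIEW = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\NOD32krn",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
}

# Constructed raw view: everything above plus entries only the raw parse sees.
RAW_VIEW = API_VIEW | {
    r"HKLM\SYSTEM\CurrentControlSet\Services\d347prt",        # Daemon Tools driver key, from the thread
    r"C:\$MFT",                                                # NTFS master file table, from the thread
    r"C:\$LogFile",                                            # another NTFS metadata file (assumption: same class as $MFT)
    r"HKLM\SYSTEM\CurrentControlSet\Services\hiddenexample",  # made-up hidden service, not a real rootkit
    r"C:\WINDOWS\system32\drivers\hiddenexample.sys",        # made-up hidden driver, not a real rootkit
}

# Analyst allowlist: hidden entries known to be legitimate on this box, with
# the reason. Matching is case-insensitive like the registry and NTFS.
KNOWN_BENIGN = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\d347prt": "Daemon Tools virtual CD driver hides its own service key",
    r"C:\$MFT": "NTFS master file table; not reachable through the Win32 API by design",
    r"C:\$LogFile": "NTFS journal; not reachable through the Win32 API by design",
}


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str  # "benign" or "review"
    note: str


def _index(paths):
    """Map a case-folded key to the original spelling, for case-insensitive comparison."""
    return {p.lower(): p for p in paths}


def cross_view_diff(api_view, raw_view):
    """Return paths present in the raw view but absent from the API view (hidden from Windows API)."""
    api, raw = _index(api_view), _index(raw_view)
    return sorted(raw[k] for k in raw.keys() - api.keys())


def triage(hidden_paths, allowlist):
    """Label each hidden path benign (with the allowlist reason) or flag it for review."""
    allow = {k.lower(): v for k, v in allowlist.items()}
    findings = []
    for p in hidden_paths:
        reason = allow.get(p.lower())
        if reason is not None:
            findings.append(Finding(p, "benign", reason))
        else:
            findings.append(Finding(p, "review", "hidden from the Windows API and not on the allowlist"))
    return findings


def needs_review(api_view=API_VIEW, raw_view=RAW_VIEW, allowlist=KNOWN_BENIGN):
    """The entries an analyst actually has to dig into: hidden and unexplained."""
    return [f.path for f in triage(cross_view_diff(api_view, raw_view), allowlist)
            if f.verdict == "review"]


if __name__ == "__main__":
    for f in triage(cross_view_diff(API_VIEW, RAW_VIEW), KNOWN_BENIGN):
        print(f"{f.verdict:7} {f.path}  ({f.note})")
```

Two design points worth keeping when doing this on a live machine: the allowlist must be per-machine and must record *why* an entry is expected (here: "Daemon Tools is installed"), because a rootkit that registers under a name already on a generic allowlist would vanish from the review list; and every "review" item is a lead, not a verdict. The poster's point stands that the tool finds where to dig, and removing a hidden driver you do not understand can break the system just as surely as an over-eager anti-spyware tool removing an LSP.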

