Re: New rootkit detection technology
From: Ian JP Kenefick (ian_kenefick_at_eircom.net)
Date: Fri, 11 Mar 2005 02:45:52 +0000
On Thu, 10 Mar 2005 19:53:18 -0600, "OldWiseMan, or am I?"
>"Ian JP Kenefick" <firstname.lastname@example.org> wrote in message
>> F-Secure launched a new scanner today to detect and remove rootkits.
>> There is a lot of information available on this website...
>A month and a half for a beta release? Seems a bit short. The window
>of opportunity is rather small of getting hit in that timeframe and
>you'll just start getting expert in the product, get some education on
>rootkits, and then the product self-destructs. I'm still trying to
>figure out the free SysInternals RootKitRevealer.
>Anti-virus software has matured to where most users can let it blindly
>disinfect the file. Anti-spyware is nowhere near that point. All the
>time you hear about a user that didn't check what action the
>anti-spyware program was going to commit in eradicating a detected
>spyware product (or the anti-spyware program doesn't tell the user
>anything which is even worse), they blindly let the anti-spyware program
>do its thing, and now TCP doesn't work because an LSP got removed or an
>application no longer functions. Rootkit removal tools are even more
>risky than using anti-spyware tools, especially because the typical user
>that gets their hands on this tool won't know how to use it. It
>involves understanding the operating system, components, and
>applications beyond the typical user's expertise.
>For example, I ran SysInternal's RootKitRevealer. It listed about 4
>hidden registry items. Reading the help that comes with the program
>might trigger the typical user into eradicating what is not a rootkit.
>In my case, it was the free Virtual Daemon Manager (Daemon Tools) used
>to run a driver-level CD-ROM drive emulator that lets you have up to 4
>virtual CD drives. I create an ISO image of my Windows, Office, and
>Bookshelf CDs, save them on the hard drive, and use Daemon Tools to make
>it look like I have 3 CD drives with these CDs in them. I can run
>Windows and Office updates without having to search for the real CDs, I
>can add the Recovery Console at-will, I can recover files, and I can run
>the program without having to load the CD (since many CD-based
>applications still don't copy everything onto the hard drive). Because
>it has some copy-protection bypass abilities, I even have an ISO file of
>a copy-protected game that I can play without having to hunt down the
>physical CD. Because I know the device ID of d347prt listed in the
>hidden registry keys is for the Daemon Tools virtual CD tool, I know
>this is a false alert. Actually there are no false alerts by
>SysInternals RootKitRevealer as you are assumed to have the expertise to
>know which hidden registry keys are good and which might be suspicious.
>The $MFT for the master file table is also listed as a hidden directory.
>It isn't directly accessible via the Windows API. However, you
>obviously need your Master File Table in order for Windows to function.
>The tool identifies where you might start digging but you will have to
>do the digging along with some knowledge of what you are digging into.
>> Regards, |Windows XP Professional SP2
>> Ian Kenefick |NOD32 Antivirus system [resident]
>> http://www.ik-cs.com |AVP 3.5 - [On Demand]
>> no snake oil here! |Sygate Personal Firewall 5 professional
>> |Forte Agent 2
>> |Eudora 6.2 (Paid)
>And why would any of this be important to anyone except you who already
>knows what applications they have installed? A bit hard up for some ego
>stroking, eh? Only the URL is significant.
You don't need to know *HOW* they function. You just need to know what
a rootkit is. Soon enough they will be integrated in AV anyways.
--
Regards, |Windows XP Professional SP2
Ian Kenefick |NOD32 Antivirus system [resident]
http://www.ik-cs.com |AVP 3.5 - [On Demand]
no snake oil here! |Sygate Personal Firewall 5 professional
|Forte Agent 2
|Eudora 6.2 (Paid)
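The quoted post describes how a cross-view detector such as RootkitRevealer works: it reports objects visible to a raw registry/NTFS parse but not to the Windows API, and leaves triage (Daemon Tools' d347prt key, the $MFT metafile) to the analyst. The script below is an added illustration of that diff-and-triage step, not code from this thread or from Sysinternals; the two snapshots, the report layout and the KNOWN_BENIGN patterns are constructed assumptions.

```python
"""Cross-view discrepancy triage, modelled on the RootkitRevealer discussion above.

Added example, not code from the thread or from Sysinternals. The API-view and
raw-view snapshots are constructed sample data, and the benign-pattern list is an
assumption to be maintained per host, not a vendor-supplied allowlist.
"""
import re

# Known-benign discrepancies the post walks through: the Daemon Tools driver key
# (d347prt) and the NTFS master file table, which the Win32 API never exposes.
KNOWN_BENIGN = {
    r"\\d347prt($|\\)": "Daemon Tools virtual CD driver (d347prt)",
    r"^[A-Z]:\\\$MFT$": "NTFS master file table, not reachable via the Windows API",
}

def cross_view_diff(api_view, raw_view):
    """Objects present in the raw (low-level) view but absent from the API view.
    This set is exactly what a cross-view rootkit detector reports as 'hidden'."""
    return sorted(set(raw_view) - set(api_view))

def classify(path):
    """Return ('benign', reason) for a known discrepancy, else ('review', None)."""
    for pattern, reason in KNOWN_BENIGN.items():
        if re.search(pattern, path, re.IGNORECASE):
            return "benign", reason
    return "review", None

def triage(api_view, raw_view):
    """Diff the two views, then split hidden objects into explained vs. needs-review."""
    benign, review = [], []
    for path in cross_view_diff(api_view, raw_view):
        verdict, reason = classify(path)
        (benign if verdict == "benign" else review).append((path, reason))
    return {"benign": benign, "review": review}

# Constructed snapshots: what an API enumeration returned vs. what a raw hive /
# NTFS parse returned on the same host. 'example_hidden' is a placeholder entry.
API_VIEW = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"C:\Windows\explorer.exe",
]
RAW_VIEW = API_VIEW + [
    r"HKLM\SYSTEM\CurrentControlSet\Services\d347prt",
    r"HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Enum",
    r"C:\$MFT",
    r"HKLM\SYSTEM\CurrentControlSet\Services\example_hidden",
]

if __name__ == "__main__":
    report = triage(API_VIEW, RAW_VIEW)
    for path, reason in report["benign"]:
        print(f"benign  {path}  ({reason})")
    for path, _ in report["review"]:
        print(f"REVIEW  {path}")
```

The point the post makes survives in the output: the tool produces no "false alerts", only discrepancies, and the unexplained entry is handed to a human rather than deleted.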