Sysinternals Forum: Sysinternals Utilities > RootkitRevealer Usage

** RootKit Detection + Prevention ! **

SpannerITWks (Senior Member, United Kingdom, joined 14 August 2005)
Posted: 20 February 2007 at 9:16pm

UPDATE

Avira AntiRootkit Tool - Beta 3

Avira Rootkit Detection (ARK) is designed to detect active rootkits on Windows systems with Microsoft Windows 2000 and above.

Installation
============

Please note that you must be logged in as "Administrator" or as a user with administrative rights in order to install or run Avira RootKit Detection - Beta. Please start SETUP.EXE and follow the instructions.

Background
==========

"Rootkit" is usually defined as software code intended to hide a resource from the user.

Avira AntiRootkit Tool - Beta supports detection of hidden processes, registry entries and files. Some malware frequently hides its processes, registry entries and files to bypass detection by anti-virus products. If a hidden object is detected in the system, then Avira AntiRootkit Tool - Beta shows it and offers supplementary options accessible by right-clicking on the object. The button "Quarantine all" first shows a list of the files that will be quarantined; please note that registry entries are not deleted or quarantined.

Moreover, we would like to draw your attention to the fact that some commercial products deliberately hide their own resources. Not all applications which hide their tracks should be considered malware.

The period of time needed for the scan depends on how many files, registry entries or processes you have on the system. Therefore, the option "Fast Scan" is now available. If this is activated, the only location scanned is the one used by malware.

Supported platforms:

- Windows Server/Workstation 2000 Service Pack 4 or higher
- Windows XP
- Windows Server 2003
- Windows Vista
 
*********************W A R N I N G *****************

This is a BETA product. Do not install it on a production machine.

*************************************************

Any feedback is very much appreciated.

antivir_rootkit_beta.exe - 2.2 MB

MD5 = 2bdbb1bfa1f72d30114ca73ed3acff58

Available free in both English and German here: http://betatest.avira.com/beta/index.php?lang=en

-

Spanner

Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
SpannerITWks (Senior Member, United Kingdom, joined 14 August 2005)
Posted: 20 February 2007 at 9:13pm

Steo

Thanx for posting the news. I wonder if the Linux peeps are getting worried lol. And this release comes not long after the ARK for the Mac OSX !

Spanner

Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
steo (Newbie, joined 14 April 2006)
Posted: 20 February 2007 at 5:51pm

New Rootkit Scanner for Linux:

Rootkit Profiler LX

Overview
RKProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (RKPmod) and a data interpretation component called "Rootkit Profiler Console" (RKPconsole).

RKPmod is a kernel module that gets loaded on the system that should be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.

RKPconsole is a userland program that can be used to analyse the collected information.

Features
Detection: RKProfiler LX checks the whole kernel code as well as different kernel data sections and CPU registers for possible modifications and hidden components:

- Generic kernel code modification
- Syscall table address modification
- Syscall address modification
- Syscall code modification
- Interrupt handler address modification
- Interrupt handler code modification
- Page Fault Handler modification
- Kernel symbol modification
- SYSENTER register modification
- Virtual File System function pointer modification
- Hidden processes and threads
- Hidden kernel modules

Check out http://www.trapkit.de/research/rkprofiler/rkplx/rkplx.html for more info and download.

regards

Steo
www.antirootkit.com
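As an added example, not RKProfiler's code or anything from this thread, here is how two of the checks listed above (syscall address modification and hidden processes) can be expressed over snapshot data; the snapshots, kernel address range, syscall numbers and PIDs are all constructed for illustration.

```python
"""Added example, not RKProfiler's code: two checks from the RKProfiler LX
feature list run over constructed snapshots, so the logic can be followed
without a kernel module. All addresses, syscall numbers and PIDs are made up."""
from dataclasses import dataclass

@dataclass
class KernelSnapshot:
    text_start: int      # constructed start of the kernel .text section
    text_end: int        # constructed end of the kernel .text section
    syscall_table: dict  # syscall number -> handler address
    visible_pids: set    # PIDs enumerated via the normal task list
    all_pids: set        # PIDs seen through an independent kernel view

def check_syscall_table(baseline: KernelSnapshot, current: KernelSnapshot) -> dict:
    """Report entries whose handler moved since the trusted baseline ("Syscall
    address modification") or that point outside kernel .text, where a hook
    placed in loaded-module memory would show up."""
    findings = {}
    for nr, addr in sorted(current.syscall_table.items()):
        reasons = []
        base = baseline.syscall_table.get(nr)
        if base is not None and addr != base:
            reasons.append("address changed")
        if not current.text_start <= addr < current.text_end:
            reasons.append("outside kernel text")
        if reasons:
            findings[nr] = reasons
    return findings

def check_hidden_processes(snap: KernelSnapshot) -> set:
    """Cross-view check: a PID present in the independent view but missing from
    the task list is a candidate hidden process."""
    return snap.all_pids - snap.visible_pids

# Constructed trusted baseline, taken on a known-clean system.
BASELINE = KernelSnapshot(
    text_start=0xC0100000, text_end=0xC0400000,
    syscall_table={1: 0xC0105010, 3: 0xC0105200, 5: 0xC0105400, 6: 0xC0105600},
    visible_pids={1, 2, 100}, all_pids={1, 2, 100})

# Constructed suspicious snapshot: syscall 3 redirected into module memory,
# syscall 5 moved within .text, and PID 4242 missing from the task list.
CURRENT = KernelSnapshot(
    text_start=0xC0100000, text_end=0xC0400000,
    syscall_table={1: 0xC0105010, 3: 0xD8800000, 5: 0xC0105410, 6: 0xC0105600},
    visible_pids={1, 2, 100}, all_pids={1, 2, 100, 4242})

if __name__ == "__main__":
    print(check_syscall_table(BASELINE, CURRENT))
    print(check_hidden_processes(CURRENT))
```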

 

SpannerITWks (Senior Member, United Kingdom, joined 14 August 2005)
Posted: 18 February 2007 at 4:31pm

UPDATE

Rootkit Unhooker now = v3.20.130.388

Improved -

Program random-naming

Fixed -

NTFS Wipe / Copy File bug

BSODs during Hidden Processes / Code Hooks Detector Scans

-

RkU3.20.130.388.exe - 144kb - MD5 = F79F711BD54BFC9F297EEEFEE69F8705

Free from http://rku.xell.ru/?l=e&a=dl

Spanner

Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
SpannerITWks (Senior Member, United Kingdom, joined 14 August 2005)
Posted: 18 February 2007 at 4:29pm

UPDATE

Process Walker v1.0.05

Process Walker unzipped = pwalker.exe + pwalker.sys

Process Walker App = pwalker.exe = Internally numbered as v1.0.0.340

Process Walker Driver = pwalker.sys = Internally numbered as v3.0.40.0

Fixed -

A bug that can lead to BSODs on some machines

UI bug

-

For Windows XP SP2 Only.

Console version only.

Zip MD5 = 51F6A0C14513199B9913ACE5A812926F

Free from http://rku.xell.ru/?l=e&a=dl

Spanner



Edited by SpannerITWks - 18 February 2007 at 4:31pm
Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
SpannerITWks (Senior Member, United Kingdom, joined 14 August 2005)
Posted: 18 February 2007 at 4:25pm

UPDATE

Since my posting of rootchk above, ejvindh has now created a new English forum area.

The English Room 
 
Rootkits and anti-rootkit tools.

In this room I present English translations of some of the info that I have presented in Danish. If you, as a non-Danish person, want my help in analysing and removing rootkits, you are also welcome to create a threat.

http://www.ejvindh.net/viewforum.php?f=9&sid=69cac51db1995d2984f3d30027dc7525

I think he means Thread not Threat, well I hope so anyway lol!

Spanner

Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
SpannerITWks (Senior Member, United Kingdom, joined 14 August 2005)
Posted: 14 February 2007 at 4:16pm

rootchk

Here's an ARK made by ejvindh. It doesn't pretend to be all-inclusive, but you might find it useful or interesting!

Translated from Danish -

-

I have made a small tool to check for a few well-known rootkits. It's only one diagnosis tool. If you do not know how to fix the infections, you can establish a thread in here, and I will try to help you get rid of it. And even if the tool doesn't find anything, there isn't any guarantee that there isn't a rootkit in the computer. In one respect the check is far from thorough. In one respect they can examine rootkits, but it's also very easy to avoid detection if they change their name. But it's better than nothing. I'll try to keep it up to date, as I am able.

-

Fetch this tool, and keep it on your desk: http://www.uploads.ejvindh.net/rootchk.exe Run the programme. After a short time a logfile will turn up. Copy the contents of the log into the thread here.

-

The following drivers are also checked for, but only on an experimental basis, i.e. I am not completely certain whether rootchk actually can find them (I haven't been able to track down the infections in order to test):

rootchk.exe - 251kb - MD5 = DD6D95AFF7997C9974280575A0E306B8

Free from - http://www.ejvindh.net/viewtopic.php?t=91&sid=1ba77615bb0b45d3b06809c35e7cb912

Spanner

Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006)
Posted: 14 February 2007 at 9:55am
RkUService.exe renames RkUnhooker.exe to something like DDD6FCA2.exe and creates shortcuts in the Start menu. After that the installer deletes RkUService.exe.

Edited by EP_X0FF - 14 February 2007 at 9:56am
Ring0 - the source of inspiration
EASTER (Senior Member, United States, joined 27 October 2006)
Posted: 12 February 2007 at 9:28pm

Quote: Where is that file which I saw after install: RkuService.exe?

I saw that too. I never concern myself too much over those interesting appearances because I know MP_ART/EP_X0FF have a firm handle on their excellent RK Detector and take their creation very seriously.

But I'm sure either can offer you a reasonably logical explanation.

 

INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER.
Dragon (Groupie, joined 27 April 2006)
Posted: 12 February 2007 at 12:09pm
I saw an error after I tried to run RKU:
Driver is already loaded!
After OK the program starts.
Where is that file which I saw after install: RkuService.exe?
It's not always extracted after uninstalling and installing RKU again.
I don't see it in /drivers or /system32, even among hidden files, after an RKU scan.
Where is it EP_X0FF?

--
Dragon