** RootKit Detection + Prevention ! **
SpannerITWks (Senior Member, Joined: 14 August 2005, Location: United Kingdom, Posts: 896)
Posted: 02 February 2006 at 8:22pm
Foundstone provide many fine Free tools, and in The Forensic Toolkit™ v2.0 are 2 that will assist you in finding hidden files. That doesn't automatically mean Rootkits of course, but nonetheless very useful Apps to have in your armament against Stealthy hiding items.

HFind scans the disk for hidden files. It will find files that have either the hidden attribute set, or NT's unique and painful way of hiding things by using the directory/system attribute combination. This is the method that IE uses to hide data. HFind lists the last access times.

Spanner
Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html |
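The attribute test HFind performs, as an added example (not code from the post or from Foundstone's tool): it classifies a Win32 attribute word by the same two rules the post describes, a plain Hidden bit or the Directory+System combination, and reports the last access time of each match. Function names and the sample bit values are assumptions; on a non-Windows host the walk reports nothing, because Python exposes st_file_attributes only on Windows.

```python
import os
import time

# Win32 file-attribute bits (standard Windows API values, assumed here; not from the post)
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10


def hiding_method(attrs):
    """Classify an attribute word the way the post describes HFind's check.

    Returns 'hidden' when the Hidden bit is set, 'system-dir' for the
    Directory + System combination (the trick the post attributes to IE),
    and None for anything else (a System bit on a plain file is not enough).
    """
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        return "hidden"
    if attrs & FILE_ATTRIBUTE_DIRECTORY and attrs & FILE_ATTRIBUTE_SYSTEM:
        return "system-dir"
    return None


def scan_hidden(root):
    """Walk `root`, yielding (path, method, last_access) for hidden entries.

    st_file_attributes is only populated by Python on Windows; elsewhere the
    attribute word reads as 0 and nothing is reported.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            method = hiding_method(getattr(st, "st_file_attributes", 0))
            if method:
                atime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_atime))
                yield path, method, atime


if __name__ == "__main__":
    for path, method, atime in scan_hidden(os.getcwd()):
        print(f"{method:10s} {atime}  {path}")
```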
Nina (Newbie, Joined: 03 February 2006, Posts: 3)
Posted: 03 February 2006 at 4:45am
It doesn't seem to help in System Inside's Binary File check.

Nicoli
SpannerITWks (Senior Member, Joined: 14 August 2005, Location: United Kingdom, Posts: 896)
Posted: 07 February 2006 at 9:06pm
More Tools to assist in the search for Hidden files etc + a couple of specific Rootkit/Stealth seeking Apps. All are FREE except for HF, but you can download and try it before you buy. Have fun !

- HF - http://www.wenpoint.com/product/hiddenfinder.html
- DetectProc - Detect Hidden Processes
- Hidden service detector - https://www.rootkit.com/newsread.php?newsid=423
- Unhide - http://www.security-projects.com/?Unhide
- RootKit Hook Analyzer - http://www.resplendence.com/hookanalyzer
- System Virginity Verifier

Spanner
Sysmaster2006 (Newbie, Joined: 20 February 2006, Location: Germany, Posts: 37)
Posted: 21 February 2006 at 12:43am
Foundstone's Vision was one of the first tools that made me suspicious about hidden things, when it told me that I had no rights to start it, many years ago. Sometimes it worked and sometimes it told me that there were not enough rights; it could also have happened because of software conflicts, who knows..
Knowledge is Power. More Brain prevents More Pain.
SpannerITWks (Senior Member, Joined: 14 August 2005, Location: United Kingdom, Posts: 896)
Posted: 10 March 2006 at 10:09pm
Just released today is a 1.53Mb PPT available for DL on the RAIDE = Rootkit Analysis Identification Elimination tool, that I previewed in here on page 1 in January. Peter Silberman has been working in the computer security field for a number of years, specializing in rootkits, reverse engineering and automated auditing solutions. Peter was previously employed at HBGary. Jamie Butler, author of Rootkits: Subverting the Windows Kernel, and former Director of Engineering at HBGary Inc., is now involved with Copilot: A high assurance integrity monitor - www.komoku.com/technology.shtml

RAIDE: By: petersilberman

In Amsterdam Jamie Butler and I presented on a tool we have been developing called Rootkit Analysis Identification Elimination (RAIDE). I have put the slides in my vault and a public version of RAIDE Beta will be made available in the coming weeks. I am looking for final beta testers on all windows platforms from 2k - 2k3 to do tests with RAIDE. If you are interested e-mail me at peter {_[_dot_]_} silberman {_[_at_]_} gmail {_[_dot_]_} com Thanks Peter~

Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits. We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. etc etc

PDF 204 Kb paper here - http://www.astalavista.com/index.php?section=directory&cmd=detail&id=6365

Spanner
SpannerITWks (Senior Member, Joined: 14 August 2005, Location: United Kingdom, Posts: 896)
Posted: 23 March 2006 at 11:41pm
Keynote Presentation - Black Hat Europe 2006 Presentations are now on-line.

- Peter Silberman & Jamie Butler: RAIDE: Rootkit Analysis Identification Elimination
- Joanna Rutkowska: Rootkit Hunting vs. Compromise Detection
- John Heasman: Implementing and Detecting An ACPI BIOS Rootkit

All available right now here - http://www.blackhat.com/html/bh-media-archives/bh-archives-2006.html#eu-06

Njoy
Spanner
SpannerITWks (Senior Member, Joined: 14 August 2005, Location: United Kingdom, Posts: 896)
Posted: 23 March 2006 at 11:45pm
2 additions to include 4 U -

- zeppoo
07.03.06 Zeppoo-0.0.2 is available.
01.03.06 Zeppoo v0.0.1
They are very interested in porting it over to Windows, so if you can offer any assistance then get in touch !

- RootKitty
RootKitty is a very simple utility that makes a file listing when running from windows and a file listing from PE/ubcd4win then compares the two files and shows you the differences (looking for rootkits). Can detect and delete. Saves a log. It doesn't scan for hidden registry entries (yet) but he's working on it. Free - http://www.ubcd4win.com/forum/index.php?s=b2064cb601a4694c6a7f4abe10422d54&showtopic=2424

Spanner
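The comparison RootKitty makes, as an added example that is neither RootKitty's own code nor from the post: a file listing taken from the running Windows is diffed against one taken from the offline PE boot, and any path present offline but missing from the live view is flagged as hidden from the running OS. The two listings and the `path|size` line format are constructed for this example.

```python
# Cross-view comparison of two file listings of one volume: the live view
# (running Windows) and an offline PE/boot-CD view. A rootkit that filters
# directory enumeration can hide a file from the live view but not from the
# offline boot, so paths that only the offline listing has are the suspects.
# Listing format assumed here: one "path|size" line per file.

# Constructed sample listings (not real data; hidden_rk.sys is a placeholder).
LIVE_LISTING = """\
C:\\Windows\\System32\\ntoskrnl.exe|2189184
C:\\Windows\\System32\\drivers\\ntfs.sys|574976
C:\\Windows\\System32\\calc.exe|114688
C:\\Users\\demo\\newfile.txt|12
"""

OFFLINE_LISTING = """\
C:\\Windows\\System32\\ntoskrnl.exe|2189184
C:\\Windows\\System32\\drivers\\ntfs.sys|574976
C:\\Windows\\System32\\drivers\\hidden_rk.sys|40960
C:\\Windows\\System32\\calc.exe|118784
"""


def parse_listing(text):
    """Parse 'path|size' lines into {path: size}. Paths are case-folded because
    NTFS is case-insensitive; a size that is missing or not numeric becomes None."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, size = line.partition("|")
        entries[path.lower()] = int(size) if size.isdigit() else None
    return entries


def cross_view_diff(live_text, offline_text):
    """Return (offline_only, live_only, size_mismatch), each a sorted path list.

    offline_only  - on disk offline but absent live: hidden from the running OS
    live_only     - live only: usually just created after the offline listing
    size_mismatch - same path, different size: changed between the two views
    """
    live, offline = parse_listing(live_text), parse_listing(offline_text)
    offline_only = sorted(p for p in offline if p not in live)
    live_only = sorted(p for p in live if p not in offline)
    size_mismatch = sorted(p for p in live if p in offline
                           and None not in (live[p], offline[p])
                           and live[p] != offline[p])
    return offline_only, live_only, size_mismatch
```

Only the first list is the rootkit signal; the live-only bucket is kept separate because a file created after the offline listing was taken is its normal explanation.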
SpannerITWks (Senior Member, Joined: 14 August 2005, Location: United Kingdom, Posts: 896)
Posted: 22 April 2006 at 1:24pm
A recent interesting addition to the Anti RK arsenal appeared in the last couple of weeks. I left it until now to post it as there were some questions about it, and there are a few issues with it as you can see in my notes below. It is a Genuine App though having checked it out. And it's another one from China, just like the excellent IceSword !

- DarkSpy Anti-Rootkit by CardMagic & wowocock
DarkSpy Anti-Rootkit V1.0 Test Version + V1.0.2 Test Version

DarkSpy is a new rootkit detection tool from China. It's coded by two guys: CardMagic & wowocock, and supports some new features that can make the detection more effective. DarkSpy consists of five parts:
1. Process: Detect hidden processes (even with FUTo... hiding); Force kill processes (even Icesword)
2. Kernel Module: Detect hidden kernel module (even with FUTo... hiding)
3. Detect hidden files; Force copy file; Force delete file
4. Registry function is not provided in test version.
5. Port: Detect hidden ports
(Notice: DarkSpy doesn't allow any kernel debugger to run!)
Environment supported by test version: 32bit Windows 2000 (SP4 and later), 32bit Windows XP, 32bit Windows 2003, Single CPU without hyperthread
Try it at your own risk....:) If you find any bugs, please contact me via my email: sunmy1 (at) sina (dot) com [email concealed] Thanks!

Platforms: Windows 2000, Windows NT, Windows XP
Test Versions (Freeware) - http://lu0s1.3322.org/Utilitys/DarkSpy_En.rar or http://www.vistech.com.cn/incoming/DarkSpy_En.rar

- Notes - If you get any BSOD's please send them a minidump file and any onscreen information such as driver base, bug code and bug address etc. Also DarkSpy has reportedly had some problems with Kaspersky products, so as a precaution you are advised not to use it in those cases. There is a DarkSpy v1.0.3 available now, which appears to have made improvements with the earlier KAV conflicts. These guys seem to be on the ball with updating the App etc. You can follow discussions about it, and lots of other things including IceSword etc, and DL the latest Versions etc from here - http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://bbs.zndev.com/thread.php%3Ffid-16.html&prev=/search%3Fq%3DCardMagic%2Bwowocock%26num%3D50%26hl%3Den%26lr%3D%26as_qdr%3Dall

Spanner
SpannerITWks (Senior Member, Joined: 14 August 2005, Location: United Kingdom, Posts: 896)
Posted: 26 April 2006 at 9:57am
The latest version of IceSword is out and available for download right now. 1.16 enhances a few functions to detect rootkits. The help file is still in Chinese, so referring to previous versions' HF should be useful. If anyone can translate both of the new HF to English it would be welcomed by the author. The email address is included for you in the ReadMe text file.

IceSword 1.16 English version for Windows 2000/XP/2003
http://www.xfocus.net/tools/200604/1156.html
ftp://202.38.76.151/pub2/Kernel/Windows/tools/IceSword116.rar

Spanner
Txon (Newbie, Joined: 09 May 2006, Posts: 11)
Posted: 09 May 2006 at 3:35am
Hello !
Many French explanations and comments (Spanish or English additions and comments are allowed) -> http://www.open-files.com/forum/index.php?showtopic=29383
@+