UnHackMe is fake rkdetector? YES!

EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006)
Posted: 10 February 2007 at 11:45pm
So, UnHackMe is a fake rkdetector? Yes! Why? Let me explain.

Today I want to say everything about Greatis Software and the UnHackMe "rootkit detector". Why in quotes? Very simple: because UnHackMe (any version) is not a rootkit detector at all. It can't be compared with other tools like (in detection rating order) GMER, DarkSpy, IceSword etc.

How does UnHackMe detect rootkits?

Looks like the level of professionalism inside Greatis Software is not so Great: detection is based on constants (they claim this is the DEMO part, but the same applies to any other "detected" rootkit that is in the UnHackMe list).

Since version 3.x Greatis Software gave up completely on detecting anything during the Windows session period and started to think about how they could improve their tools.

Remember, this is fully paid software, with special editions that were made for advertisement.

A solution was found. The great minds at Greatis Software (especially such a great one as Dmitry Sokolov) created a new version of UnHackMe which must serve the following targets:

- return a part of the lost market (since Hacker Defender and AFX, UnHackMe cannot detect anything from the rootkit area)
- do big advertising based on some popular wide-spread rootkits, like for example Rustock.B
- reach more money, girls and cocaine, of course.
- maybe help somebody (in this part I really doubt it)

Not bad intentions, right?

Okay, now let's talk about every part of the new "concept".
- the market for this tool is completely lost. I do not think that somebody wishes to have this crazy programme if it is ABSOLUTELY USELESS against any modern rootkit. Think I'm wrong? =) Test this programme with rootkits.
- Greatis always suffers with advertising, and this advertising has always been naked, nothing behind it. Let's talk about the Rustock issues. Greatis told everyone: "We can detect anything with our new Partisan technology".

So what is the Partisan technology? Such a smart word, so what is it?

Windows contains special keys in the registry which can be used to start a native application during the Windows boot period. PageDefrag is an example of this. So Greatis decided to put their native module in the BootExecute key.

The main mistake that was made by Greatis programmers is that this key loads the application AFTER boot drivers, so this Partisan has NO EFFECT on any boot-start rootkit. Even without this, the first release of Partisan+UnHackMe 4 was unable to remove/detect Rustock.B.

Why?

Because for the Greatis guys it is sometimes better to shut up than to speak; they, in the face of Dmitry Sokolov, visit different forums where they put stupid ADV of their products, based on NONSENSE statements and other idiocy.

They do not even test their software with rootkits, but are always speaking sh*t and ADV.

So, let's return to "Partisan". How it works: the native application checks registry entries based on a constants list and removes suspect entries of non-active rootkits. Great method! Really good decision for Greatis Software.

So how effective is it with its "constants" against rootkits? =))) Around ZERO EFFECT from the next rootkits that are based on the same technologies but with different key names.

- reach more money, etc... Good, really good. Dmitry, check your computer offline, I'm sure you have rootkits that are stealing your passwords for porno site accounts =)

- maybe help somebody... It can't help even Greatis itself.

UnHackMe IS FAKE. FAKE it was and FAKE it will be. It is not a rkdetector at ALL.

p.s.
And now, dear Dima-with-a-medical-certificate, come here and I'll kick your ass, you stupid goat.

Edited by EP_X0FF - 11 February 2007 at 2:16am

MEGA (Groupie, joined 04 December 2006)
Posted: 11 February 2007 at 6:38am

EP_X0FF wrote:

The main mistake that was made by Greatis programmers is that this key loads the application AFTER boot drivers, so this Partisan has NO EFFECT on any boot-start rootkit. Even without this, the first release of Partisan+UnHackMe 4 was unable to remove/detect Rustock.B.

Owned

Good job EP_X0FF 

michk (Newbie, France, joined 17 September 2006)
Posted: 11 February 2007 at 3:01pm
Hi,

I would not say that it is a "fake detector"... it's a little bit excessive.

Each time UH detects a possible rootkit, it plays a stupid game, "Aphex2005 or Fu" etc...
Greatis should really update their rootkit and stealth keylogger database!

Regarding Partisan, this is an "old" way of detecting rootkit presence, and known by any sysadmin.
There is an "old" tool that can be run from external drives and that can access the SAM and edit the registry: ntpasswd:

http://home.eunet.no/pnordahl/ntpasswd/

Regarding Unreal, UnHackMe detection just replaces the brain's basic effort required to compare registry analysis with the Service Control Manager.

Regarding marketing, the worst is the Pro edition: about 100 dollars for such features?
And no forensics tools included... this is not marketing anymore...
The Pro edition? A program designed for those who have more money in their wallet than knowledge (rkt) in their brain...

These things said, the basic version is the best value for money for classical users with no particular skills about rootkits (70 or 80% of internet users).

Hasta Luego

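The two technical points above, EP_X0FF's observation that a BootExecute native application only runs after the boot-start drivers are already loaded, and michk's remark about comparing registry analysis with the Service Control Manager, can be checked on a live machine with the following script. It is an added example, not code from this thread or from any product discussed in it; it assumes an elevated PowerShell session on Windows and that the registry APIs in that session are not hooked (if that is suspected, the registry side should be repeated offline against the SYSTEM hive).

```powershell
# Added example (not from the thread or any product it discusses).
# Cross-view check for Windows: every driver or service registered under the
# Services key should also be visible to the Service Control Manager (SCM).
# Entries the registry shows but the SCM does not deserve a closer look, as do
# boot-start (Start=0) drivers, which are already running by the time smss.exe
# executes anything listed in BootExecute.
# Assumes an elevated session and trusts the live registry view; if registry
# API hooking is suspected, repeat the registry side offline against the SYSTEM hive.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. Native applications started from BootExecute (after boot-start drivers).
$bootExec = (Get-ItemProperty -Path $smKey -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
Write-Host 'BootExecute entries:'
foreach ($entry in @($bootExec)) { Write-Host "  $entry" }

# 2. The SCM's view: Win32 services plus kernel and file-system drivers.
$scmNames = @{}
Get-Service -ErrorAction SilentlyContinue | ForEach-Object { $scmNames[$_.Name.ToLower()] = $true }
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object { $scmNames[$_.Name.ToLower()] = $true }

# 3. The registry's view. Only keys carrying both Type and ImagePath are
#    considered, so parameter-only subkeys under Services do not show up.
$findings = foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.Type -or $null -eq $p.ImagePath) { continue }
    [pscustomobject]@{
        Name          = $key.PSChildName
        Type          = $p.Type
        Start         = $p.Start
        ImagePath     = $p.ImagePath
        BootStart     = ($p.Start -eq 0)
        HiddenFromSCM = -not $scmNames.ContainsKey($key.PSChildName.ToLower())
    }
}

Write-Host "`nBoot-start drivers (loaded before anything in BootExecute runs):"
$findings | Where-Object BootStart | Format-Table Name, ImagePath -AutoSize | Out-Host

# Review these by hand: stale keys can appear here, but so would a driver that
# is registered for boot start yet hidden from the SCM's enumeration.
Write-Host "`nRegistered in the registry but not returned by the SCM:"
$findings | Where-Object HiddenFromSCM | Format-Table Name, Type, Start, ImagePath -AutoSize | Out-Host
```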
EASTER (Senior Member, United States, joined 27 October 2006)
Posted: 11 February 2007 at 5:39pm

Thanks for that info. I never did trust it from its very first claims because it seemed so saturated with "buy me" and I'll find all rootkits on your PC. Too lofty a claim and too spicy the website IMO.

While we're probing and truthfully revealing these claimed-to-be detectors for RKs, I'd like to hear anyone's opinion on this one please. I believe it is somewhat credible but it has been long sitting in limbo collecting dust, as in no updating offered since its website was published a while ago. I examined several "hiders" with it that it revealed, but nothing recent, since the much more advanced RKUnhooker is technically superior at probing "DEEPER" and uses a series of techniques yet unmatched that makes it very efficient indeed.

http://www.rkdetector.com/

INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER.

EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006)
Posted: 11 February 2007 at 6:11pm

michk wrote:

Regarding Unreal, UnHackMe detection just replaces the brain's basic effort required to compare registry analysis with the Service Control Manager.


Unreal does not hide registry keys. It was made specially for internal uninstaller that comes with application.

It is IDIOCY to add these keys to constants as was done in UnHackMe. FYI, all other rootkit detection in UnHackMe is based on the same constants.

Constants RULEZZZ, etc.

It is FAKE, FAKE was and FAKE will be.

I'm really awaiting mister Sokolov here.

p.s. To Dmitry.
Come on then, come here, you little shit :)

Poorguy (Senior Member, Argentina, joined 17 July 2006)
Posted: 14 February 2007 at 6:31am
Remember EP_X0FF, these posts? About UnHackMe advice

Edited by Poorguy - 14 February 2007 at 6:32am
Luis Fernando De La Fuente