Sunday, April 8, 2007

Modern ARKs - illusion of detection?

The RootkitUnhooker site recently went down due to hosting issues. The RKU forum went down along with the site, but luckily Google Cache still has the posts archived. One of them is a review of Anti-Rootkit programs (ARKs). It was originally posted in Russian, but someone translated it into English. Enjoy.

Their new site can be found here & a mirror here (latest version of RKU is 3.31)

Modern ARKs - illusion of detection?

The rootkit problem appeared fairly long ago. It arose because of holes in the most popular operating system, and also because the average user wasn't prepared for the move from Windows 9x/ME to Windows NT, with all its particulars; in particular, they never learned to work with its privilege model. But this discourse isn't about that.

Only recently did the problem of rootkits attract the attention of anyone who wasn't too lazy. If in 2004 there were only a few specialized detection programs (the programs of Joanna Rutkowska, Rootkit Revealer, AVZ, rkdetector, IceSword), the number of so-called detectors has since risen several-fold. At first glance there is an obvious tendency toward "copy and paste": the majority of the programs on this list are carbon copies of one another, built on one and the same algorithm, and their detection methods are lifted from the same place.

Over a certain period we tried all the well-known and publicly available anti-rootkits. Alas, as with the anti-viruses, the results are lamentable. The current level of detection programs makes it possible to fight off only well-known and widely distributed rootkits, and that with variable success. Over the last half year we tested the heaps of anti-rootkits that were released. Tests were run with real malware samples and with demo rootkits, so that we could compare the declared capabilities against the actual implementation.

In our tests, we put to practice a wide spectrum of public rootkits, such as (in alphabetical order):

afx 2005 (test rk)
all-in-one (malware)
badrkdemo (
gromozon (malware)
hxdef (
haxdoor (malware)
phide_ex (test rk)
rkdemo v1.0/1.1/1.2 (test rk)
rustock.a / rustock.b (malware)
vanquish (test rk)
unreal.a (test rk)

We tested a whole heap of detectors - here's the full list:

BitDefender RkUncover
Hidden Finder
Hook Analyzer
Hook Explorer
McAfee Rootkit Detective
Panda ARK
Panda Tucan
Process Master (hf)
Process Master
Rootkit Revealer
RkDetector 2
Rootkit Buster
Safe'n'Sec RkTrap
Sophos ARK

So as not to advertise ourselves or our programs, we won't say a word about them here. And so as not to embitter the authors of these programs, we won't detail the principles their products are based on.

On the basis of our internal tests (and public ones at Sysinternals) we obtained the following results. For each product: name, brief description, merits, limitations, and our overall assessment on a five-point scale for how well the program lives up to its declared capabilities [1 = F, 5 = A; a trailing "-" or "+" moves the score half a point down or up].

A product of the company AntiVir, seemingly released to fill a gap in their product line. Has the ability to find hidden processes, files, and registry keys.

Easy to use.

This program's detection methods are relatively weak. The reason for this program's release isn't clear, and its ability to remove found objects seems weak (if it can find them in the first place).

Overall assessment: 1

AVG Anti-Rootkit
Also the product of an antivirus company. Detects registry keys, files, and processes.

Very easy to use. A friendly interface with beautiful pictures.

The program's sole detection method is installing notification callbacks. Any driver loaded from an ADS is automatically flagged as a rootkit, along with the "hidden" file (despite the fact that it is visible through the API).
Warning – may cause BSODs.

Overall assessment: n/a

AVZ
Oleg Zaitsev's anti-virus has a simple code-hook detector, which is what got his program included in these tests. Has a rather primitive module to monitor system activity.

It deals well with common user-land rootkits, and even with some privileged ones. Written by a fellow Russian citizen. The anti-rootkit is integrated into his Anti-Virus product, and is often updated (for free)

Poor interface, written with a "perverted" VCL, which strongly hinders comprehension. Uses a disassembler borrowed from AFX, with all the consequences that entails. The program is riddled with bugs, in terrible disarray. Its search for privileged rootkits leaves much to be desired.

Overall assessment: 2

BitDefender RkUncover
Again, an Anti Virus company’s rootkit detector.

Ease of use.

Practically useless against rootkits, because there’s a terrible implementation of everything that should aid in detection.

Overall assessment: n/a

One of the first. It can detect hidden files and processes.

Easy to use. Scans the hard disk better than analogous programs

Terribly outdated. Can be easily and completely bypassed by placing a few SSDT hooks, even without DKOM. Practically all rootkits have "learned" to bypass it. Stays afloat thanks only to the advertising efforts of the authors and their admirers.

Overall assessment: 1

The work of GMER's author, a user-mode detector.


Pointless program created to detect gromozon.

Overall assessment: n/a

DarkSpy
Chinese anti-rootkit. Possesses a wide spectrum of capabilities for rootkit detection.

Good process detection.

Interface is very poor. The program is very unstable; BSOD-reset city. Detection of files and registry keys is practically useless, since you need to know where to look for items.

Overall assessment: 3-

The programs of Joanna Rutkowska

flister, klister, modGREPER, SVV

Perhaps some of the first anti-rootkiters. Regretfully, all are proof of concept. To her credit, she did acknowledge their limitations. Unstable and abandoned by the author. Detection of rootkits with these programs is practically impossible.

Overall assessment: n/a

GMER
Polish anti-rootkiter with a wide spectrum of capabilities. Has a primitive, built-in method for monitoring system activity.

Sees processes well, and can detect files. It is updated often enough, and can deal with rootkits in the wild.

Unstable, and suffers from terrible bugs that haven't been corrected in a long time. Monitoring poses a problem for the user. The majority of methods used are childish and easy to bypass. Its hook detection leaves much to be desired and it gives an improbable number of false positives; limited in its capabilities.

Overall assessment: 4

Made out to be a great achievement. Can detect hooks in SSDT, find hidden files/drivers, and monitor.



They wanted to be the best, but their results were same as usual. It presents no complexity in bypassing. Quite buggy, poor interface.

Overall assessment: n/a

Hidden Finder
Paid program. Detects processes and files.


Insolent and idiotic way to suck money from users. A fake anti-rootkit program; didn’t pass 95% of our tests.

Overall assessment: -1

Hook Analyzer
From the ‘programmers’ at Resplendence Software. Detects SSDT hooks.


Poor implementation of the simplest algorithms. You can’t do anything with detected hooks.

Overall assessment: n/a

Hook Explorer
Detects code hooks.


Detects whatever comes up [hooks], but you can’t do anything with them. Useless.

Overall assessment: n/a

IceSword
One of the first, a Chinese anti-rootkit. Sadly, it is rarely updated.

Sees processes well enough. Has a wide spectrum of detection (though sometimes the text isn’t translated all the way) and an understandable interface. Has the ability to monitor and self-protect.

Almost can’t remove a rootkit from a computer. As with DarkSpy, you need to know what to look for.

Overall assessment: 3-

McAfee Rootkit Detective
Another anti-rootkit from an Anti Virus company.

Simple to use.

Its declared capabilities do not correspond with the current implementation. Practically useless against rootkits.

Overall assessment: n/a

Panda ARK
And Panda Tucan is nearly identical [to McAfee’s program]. Yet another detector from an AV company. Has even fewer possibilities than the previous product.

Easy to use.


Overall assessment: n/a

Process Master (hf)
Process detector created by HolyFather.


Outdated and doesn’t attract much interest. Terribly easy to bypass.

Overall assessment: n/a

Process Master
Paid detector that shows processes.

Easy to understand interface.

Paid software; a very simple program. As easy on the eyes as it is to bypass. Failed most of the tests. Useless.

Overall assessment: -1

Proof-of-concept by Peter Silverman. Has an interesting idea for restoring data modified by rootkits.

The idea.

Useless and not terribly stable. Abandoned by the author.

Overall assessment: n/a

Rootkit Revealer
One of the first. Detects registry keys and files.

Simple to use.

Easy to bypass, practically never updated.

Overall assessment: 2-

And RkDetector 2 as well. Also one of the first. Detects registry keys, processes, and drivers.


Useless, and version 2 is practically unworkable.

Overall assessment: n/a

Rootkit Buster
An anti-rootkit from Trend Micro.

Easy to use.

Its declared capabilities do not correspond with the current implementation. Easy to defeat. Practically useless.

Overall assessment: n/a

Safe'n'Sec RkTrap
An anti-rootkit from the authors of Starforce. Used SVV and their article “Myths About Seven Popular Anti-Rootkiters” as the basis for this (where, in a drunken stupor, they included Windows Defender) Detects kernel interceptions, modifications of SYSENTER, searches for drivers, processes, etc. Emphasis is also placed on self-defense of the program.


The awful, hallucinatory alpha/beta-quality implementation is no surprise. What is surprising is that the authors of this "anti-rootkit" went down the well-trodden path of pure advertising.

Overall assessment: n/a

Sophos ARK
Anti-rootkiter from Sophos.

Simple to use.

Easy to bypass. Practically (though not completely) useless.

Overall assessment: 1+

A system information utility with the beginnings of a rootkit detector.

Has a wide spectrum of possibilities.

Provides more system information than rootkit detection. Weak detection methods.

Overall assessment: 1

Paid program. Says it detects ALL rootkits.


Idiotic interface. Useless against rootkits. Fake, ‘flashy’ job.

Overall assessment: -infinite

A code hooks detector. Detection of inline / IAT / SYSENTER interceptions.


Buggy and useless. Can ascertain the presence of hooks (if you can filter the log filled with false positives), though you can’t do anything with them.

Overall assessment: n/a

A very lamentable picture. Out of all this diversity, only a few programs can be recommended for rootkit detection. Unfortunately, almost no one has gotten removal [of found objects] right.

And so, the list of winners: GMER, IceSword, DarkSpy, AVZ, Sophos ARK. The rest can be thrown on the stove to burn, even this minute.

This doesn't mean that those included on this list will defend from or find all well-known rootkits. No, just that out of all the diversity, only these companies can still do something [worthwhile]. However, all (without exception) can be avoided.

Saturday, April 7, 2007

MOMBY - Month of Myspace Bugs

These fine folks recently started their daily advisories, as promised. Let's wait and see how (some of) these bugs will be taken advantage of, and how long it takes myspace to correct them, if they ever will!

Saturday, March 3, 2007

Malware Cleaning Disc rev. 8 released!

Newest version was released on March 03, 2007.

The malware expert's toolbox keeps getting better.
Other than updated files, the kit has undergone some
expansion. This version packs 171 tools into a 170mb
download. Here's a section outline for the kit:
I.    File Analysis 
II. Anti Virus
III. Encryption
IV. Firefox
V. Firewalls
VI. General Cleaning Tools
VII. tools
VIII. Guides
IX. Hardware Tools
X. Internet Tools
XI. [anti]Malware Programs/Tools
XII. Rootkit Detection
XIII. Sysinternals
XIV. System Tools
XV. Trojan Removers

Specifically, many great file analysis and hardware tools
have been added. Check out this download on most any
torrent site. [ via Piratebay, Demonoid]

Sunday, February 18, 2007

ComboFix Warning

If you use the handy anti-malware tool ComboFix:
if a computer is infected with a new form of malware
(which apparently uses rootkit technology) and ComboFix
is run on it, critical system files can be deleted.

The author has ceased distribution of the program until
the problem is fixed. I can't find any information on the
malware, but I'll post when it is available.

Link to discussion.

Friday, February 16, 2007

Unreal.B to be Released Next Week

**Release has been delayed for a few weeks due to
some bugs that need to be worked out.

Yet another advance of rootkit technology (and soon
for detection) from the Russian team behind the
program RKU: next week they will release a new version
of their ARK (anti-rootkit) test program, dubbed 'Unreal'.
Version 2 will most likely bypass all known ARKs, including
the latest version of their own top-notch software. It won't
be long, I suspect, until RKU is updated to detect and
remove Unreal.B

More info on Unreal.B (scroll down for an English translation)
See my previous post about version 1, Unreal.A
See my last post(below) for more info on RKU.

Saturday, February 10, 2007

Leaving Babylon

Makers of the tiny, powerful RootkitUNhooker have released
a new version. Earlier, I posted about the Unreal rootkit test file,
which bypassed nearly every known anti-rootkitter; version
3.20 of RKU detects Unreal.A

*Here's a list of some of the rootkits that RKU detects and removes.
*Latest version: [updated February 18th, 2007]
*Info about the next version:
version 3.30 will include:

added: DKOH detection (not unhookable) for common kernel objects
added: ability to dump kernel memory region
added: AntiRkU and based tools bypassing, xdf updated to v0.7
fixed: few bugs in driver, related to self-protection part

And some other features not listed here, because they are not ready yet.
Release date: as soon as it is ready

-Thank you, independent coders, for advancing security software
farther than any AV company ever could.

Another interesting note: while reading the RKU forum, I happened
upon a post by someone requesting source code for the program.
One of the authors of RKU responded:

"If we give sources for public, they also will be used for malware

Wednesday, February 7, 2007

Decryption Challenge part 3

Here's a tougher one. Figure out what book I am
referring to using some or all of the following clues:
(tildes separate the parts of code)

Hints: many ascii de/encryption sites exist.
Double encryption anyone?

ecisionsday reaay otnotnotnay ertaincay
6d 69 74 20 70 72 65 73 73
b3h4v10r4l, c45h

Saturday, February 3, 2007

Decryption Challenge part 2

Here's an easier one: a 3 part code separated by
tildes. To properly decrypt, you must figure out
what each section means and answer the question


01100001 01101101
01111010 01101110
00101110 01100011
01101111 01101101
00100000 01110010
01100101 01110110
00101110 00100000
00100011 00110010
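The clues in these two challenge posts are plain ASCII in different dress (8-bit binary groups, hex byte pairs, leet-speak substitutions, pig Latin), and the same identify-then-decode routine is what you reach for when a log line, a phishing kit or a CTF hands you a string you don't recognise. The following Python script is an added example, not code from this blog: it embeds the binary, hex and leet clues from the part 2 and part 3 posts above, decodes them, and guesses the encoding of a tilde-separated code from its shape. The guessing order is my own heuristic (binary before hex, hex only if the result is printable), and the pig Latin clue is left for the reader.

```python
"""Decoders for the ASCII-style encodings used in the challenge clues.

Added example for the two challenge posts above; not the blog author's own
code. The clue strings below are copied from the posts; the encoding guesses
in identify_and_decode() are heuristics, not a rule the posts state.
"""
import re

# Clues as they appear in the posts (part 2 binary, part 3 hex and leet).
BINARY_CLUE = (
    "01100001 01101101 01111010 01101110 00101110 01100011 01101111 01101101 "
    "00100000 01110010 01100101 01110110 00101110 00100000 00100011 00110010"
)
HEX_CLUE = "6d 69 74 20 70 72 65 73 73"
LEET_CLUE = "b3h4v10r4l, c45h"

# Common leet substitutions; anything not in the map passes through unchanged.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def decode_binary_ascii(text: str) -> str:
    """Decode whitespace-separated 8-bit binary groups into characters."""
    groups = text.split()
    if not groups or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("expected whitespace-separated 8-bit binary groups")
    return "".join(chr(int(g, 2)) for g in groups)


def decode_hex_ascii(text: str) -> str:
    """Decode hex byte pairs; spaces, colons or commas between pairs are ignored."""
    digits = re.sub(r"[\s:,]", "", text)
    if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", digits):
        raise ValueError("expected an even number of hex digits")
    return bytes.fromhex(digits).decode("ascii")


def decode_leet(text: str) -> str:
    """Map leet-speak digits and symbols back to letters."""
    return "".join(LEET_MAP.get(ch, ch) for ch in text)


def identify_and_decode(clue: str) -> tuple:
    """Guess a clue's encoding from its shape and decode it.

    Order matters: a run of 8-bit binary groups is also valid hex, so binary is
    tested first, and a hex guess is only accepted if it yields printable text.
    """
    s = clue.strip()
    if re.fullmatch(r"[01]{8}(\s+[01]{8})*", s):
        return "binary", decode_binary_ascii(s)
    if re.fullmatch(r"[0-9a-fA-F]{2}([\s:,]*[0-9a-fA-F]{2})*", s):
        try:
            decoded = decode_hex_ascii(s)
        except UnicodeDecodeError:  # bytes >= 0x80 are not ASCII text
            decoded = ""
        if decoded and decoded.isprintable():
            return "hex", decoded
    if re.search(r"[0-9@$]", s):
        return "leet", decode_leet(s)
    return "plain", s


def decode_challenge(code: str) -> list:
    """Split a multi-part code on the tildes the posts use and decode each part."""
    return [identify_and_decode(part) for part in code.split("~") if part.strip()]


if __name__ == "__main__":
    for label, clue in (("binary", BINARY_CLUE), ("hex", HEX_CLUE), ("leet", LEET_CLUE)):
        print(f"{label:>6}: {identify_and_decode(clue)}")
```

Feed it a whole tilde-separated code (`decode_challenge("6d 69 74 20 70 72 65 73 73~b3h4v10r4l, c45h")`) and you get one (encoding, plaintext) pair per part. The shape test is deliberately conservative: a string like `1337` is valid hex but decodes to control characters, so it falls through to the leet rule instead of being mis-decoded.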

Decryption Challenge part 1

I have encrypted a text file with some quotations in it.
I used Bcrypt, with an eight character password (the
minimum password length)

First person to decrypt the file gets title of leet cryptanalyst.

Download link [via Rapidshare]

Monday, January 29, 2007

Underground Economies

I just read an interesting article[pdf] from a recent issue of ;login:
It begins with an important figure: $336 million was lost to online fraud
in the US last year. In a recent case, a Michigan treasurer fell
victim to a 419 scam and lost county funds!

Keep in mind that the above figure is likely an underestimate.
Identity theft (and similar online crime) is especially strong in
countries where computer skills are high and good job opportunities
low. And what is being done about this problem by credit card
companies, isps, the government, etc. ? "Not much," according
to the two Team Cymru authors. If predictions are correct, and
I believe they are, these underground economies should experience
a boom in 2007.

This reminds me of a telemarketing call I recently got. It was from
my bank. A sales rep droned on and refused to let me say anything.
It was obvious that he was just reading a script. First, he told me
about the growing threat of identity theft. Then, he said that for a
low monthly fee, my bank would take steps to ensure that my
information (including social security number) would be safe.
So I have to pay extra money to have my info guarded? Shouldn't
every possible safeguard be standard for a company I entrust
with my personal information (and money!) Where is the funding,
or even a plan to troubleshoot this situation? [It's likely that my
banks protection does nothing more than take my money. Oh,
and i hung up on the sales rep]

Another example related to this "underground economy"-
I've recently quoted HolyFather, writer of the HackerDefender
rootkit. In an interview, he talked about how he has done
freelance programming for people who needed various kinds
of malware.

"IDG News: Did you code viruses or Trojans previously? Do
you do other kinds of software development?

HF: I code (mostly) security stuff. I can code Trojans, viruses,
whatever. But I have never coded a virus or Trojan for me. It
was always commercial stuff.

IDG News: Could you explain that more. Commercial for who
or what?

HF: I'm the coder. This means (people) hire me to code something.
I do accept or I do refuse (their) job offers; security stuff (including
trojans/virus/spyware) is what I can code and usually do not refuse
to make. For who? Who needs and pays."

Microunits & Macroresults

For years, I used the Windows Defragmenter, thinking that
other defrag software had minimal benefits over it. Upon
using a program called UltimateDefrag, I must say that I was

Here's a brief outline of how it works. If you're still confused,
check out the site, which has an excellent explanation.
Your hard disk is basically a set of spinning platters divided into
little clusters that store data, with a read/write head on an arm that
moves across the platter to retrieve it. Because the outer tracks pass
under the head faster, data on the outer portion of the disk is read at
a significantly higher rate than data on the inner portion.
This program allows you to specify which programs/files
you'd like to put in that outer portion of your hard drive. This
equals amazing speed increases (you just have to know where
all the files for a particular program are located)

You can download a fully functional 7-day trial if you'd like.
Use the method described: label certain program folders as
important so they will be written to the outer section of the
hard disk.

No more
Firefox startup delays!

P2P Bonanza

After trying out countless crap software on several fresh
installs of Windows XP, here are my favorite p2p clients.

I'll omit the obvious examples [namely: azureus, utorrent,
bitcomet, bittornado, etc.] and link to a few excellent, lesser
known clients.

Direct Connect Network:
This network allows you to connect to 'hubs' that cater to
your interests. Many of the quality hubs have requirements
to join, like sharing a certain amount of files. These clients
allow for speed boosts and downloading from multiple sources.
Personally, I prefer Strong DC++ because you can tinker with
its settings to increase download speed.
- Strong DC++

- DC++

eDonkey Network:
Big file selection, and you can reach pretty good speeds on it.
-eMule Plus

Encrypted Friend-to-Friend Network:
It's likely that we'll see many more losses for 'free' file sharing
in the future. I believe that encrypted-transfer, friend-to-friend
(f2f) networks will become more and more common because of
this. See the f2f wikipedia entry for more info.
-WASTE (also allows for encrypted instant messaging)

Fasttrack Network:
If you still use Kazaa, a removal tool exists for it. Replace it with
an adware free version which includes faster download speeds
and lots of handy tools.
-Kazaa Lite Resurrection

Gnutella Network:
I'm not a big fan of the Gnutella network, but if you're still
using Limewire or Bearshare, it's time you learned. Get
yourself some quality, malware free Gnutella clients. Just
make sure to uninstall the old ones and do a malware scan.
- Shareaza
- Phex

SLSK Network:
Soulseek - Ok, it's the only client for this network. But it
has an amazing selection of music (even very obscure artists)
Make sure to get version 156c, not 158.

Sunday, January 28, 2007

The College Life Is The Life For Me

For those at university: a complement to my previous post.

"Comprehensive statistics on computer break-ins at do not exist. But in the first six months of this year alone, there were at least 29 security failures at colleges nationwide, jeopardizing the records of 845,000 people. Both private and public institutions have been hit."

"Personal information on 800,000 students, alumni
and others is exposed. Attacks lasted a year, the school

[possibly including social security numbers]

I wonder what sort of encryption they had for this
sensitive data. The article provides another example
of a breach, though it was different in cause.

"...a hacker at San Diego State used an outdated computer network in the drama department to find a way into the financial aid system. The Social Security numbers of more than 200,000 people were exposed."

Everybody likes words with 'Crypt-' in them

Cryptobiont, cryptozoology, etc.

Recently, a friend and I had a debate: he insisted that if the
government had the need, it could decrypt any data, that
nothing was fully secure. While I had to concede the second
part, I didn't entirely agree with the first.

If I had some data and used the 63kb application Bcrypt to
encrypt it (using a very strong 56-character password), it's
doubtful that the file could be decrypted. Maybe partially,
but a secure password can go a long way if you have a good
encryption algorithm. Bcrypt provides 448-bit encryption!
That figure is the maximum key length of the Blowfish cipher
Bcrypt uses; the real strength of a password-encrypted file is
capped by the password's entropy, which is why the password has
to be long and random. A random 56-character password drawn from
the 95 printable ASCII characters carries about 368 bits
(log2(95^56)), still under 448 but far beyond any brute-force
search; an eight-character one carries only about 53 bits,
which a determined attacker can search.

"There are two kinds of cryptography in this world:
cryptography that will stop your kid sister from reading
your files, and cryptography that will stop major
governments from reading your files. This book is
about the latter."
-- Preface to Applied Cryptography by Bruce Schneier

On a (very) slightly related note, I happened across an
interesting article that talks about how US government
websites are constantly hacked. For example, 19 sites
were hacked in the last 27 days.

What's in a name?

The makers of the excellent program RootkitUnhooker recently
released an anti-rootkit test file. Apparently, it will bypass most
modern anti-rootkiters, showing how "useless/helpless/out-of-dated
antirootkit software" [is] - It even eludes their own anti-rootkit

Partial description of Unreal.A:
"1. We are using NTFS ADS (that bypasses DarkSpy, IceSword

2. The ADS is attached to the root directory of disk C: (that automatically
bypasses GMER, RootkitRevealer)

3. The driver sets itself up as a File System Filter and filters some IRPs,
which bypasses all other anti-rootkits that use RAW reading (BlackLight,
Rootkit Unhooker etc).

Unreal.A contains specific code for AVG Antirootkit and AVZ
Antirootkit Module. This specific code was written because both of these
products use monitoring dirty tricks based on Notify Routines,
which are not detection at all. Unreal.A searches for the anti-rootkit
device (using the DeviceObject lists) and when it's found the rootkit does
IoDeleteDevice, so the anti-rootkit can no longer communicate with its
kernel part. Unfortunately, as some tests by independent
people show, this part of Unreal.A is a little buggy; sometimes AVG/AVZ
can show (with the help of Notify, of course) the hidden driver."

"As I said before, the idea is not new, but we did not find any other
ready-to-use rootkits, so we decided to create this special demo to
show how useless/helpless/out-of-date anti-rootkit software really is,
and of course for our internal testing."

Download the demo off their site if you'd like to test it.
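Unreal.A's first two tricks above hang an alternate data stream off the root directory of C:, a place the ARKs of the day simply did not enumerate. The following script is an added example, not code from the post or from RKU: it lists every stream on a path through the documented Win32 calls FindFirstStreamW / FindNextStreamW / FindClose (via ctypes, so Windows only), and filters out the unnamed default stream so that only alternate streams remain. The stream-name parsing and the `named_streams` helper are mine; nothing here is taken from Unreal.A itself.

```python
"""List NTFS alternate data streams (ADS) on a path such as the C: volume root.

Added example, not part of the Unreal.A post or RKU's code. list_streams()
calls only the documented Win32 APIs FindFirstStreamW / FindNextStreamW /
FindClose and therefore works on Windows only; the parsing helpers are
portable.
"""
import ctypes
import sys
from typing import List, Optional, Tuple

MAX_PATH = 260
ERROR_HANDLE_EOF = 38          # set by the Find*StreamW calls when no streams remain
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout documented for FindFirstStreamW with FindStreamInfoStandard."""
    _fields_ = [
        ("StreamSize", ctypes.c_int64),
        ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36)),
    ]


def parse_stream_name(raw: str) -> Tuple[Optional[str], str]:
    """Split '::$DATA' / ':name:$DATA' into (name or None for the default stream, type)."""
    if not raw.startswith(":") or raw.count(":") < 2:
        raise ValueError(f"unexpected stream name {raw!r}")
    name, _, stream_type = raw[1:].rpartition(":")
    return (name or None), stream_type


def named_streams(entries: List[Tuple[Optional[str], str, int]]) -> List[Tuple[str, str, int]]:
    """Keep only alternate (named) $DATA streams; the unnamed one is the file itself."""
    return [(n, t, size) for n, t, size in entries if n is not None and t == "$DATA"]


def list_streams(path: str) -> List[Tuple[Optional[str], str, int]]:
    """Enumerate every stream on `path` as (name, type, size) tuples."""
    if not sys.platform.startswith("win"):
        raise OSError("FindFirstStreamW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_ulong]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    k32.FindClose.restype = ctypes.c_int

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == INVALID_HANDLE_VALUE:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:
            return []  # a directory with no alternate streams reports nothing at all
        raise ctypes.WinError(err)
    found = []
    try:
        while True:
            name, stream_type = parse_stream_name(data.cStreamName)
            found.append((name, stream_type, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err != ERROR_HANDLE_EOF:
                    raise ctypes.WinError(err)
                break
    finally:
        k32.FindClose(handle)
    return found


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for name, stream_type, size in named_streams(list_streams(root)):
        print(f"{root} has alternate stream {name!r} ({stream_type}, {size} bytes)")
```

Run it as `python ads_check.py C:\` and an empty result means no alternate streams on the volume root. Keep point 3 of the description in mind, though: a file-system filter driver that filters the directory IRPs hides the stream from exactly this user-mode call, so on a suspect machine the listing is only trustworthy from a clean boot (a WinPE disc) or with the volume mounted on another system.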

The case of the 'Two Collectors'

My personal record for malware found on a computer is ~400.
This person, however, shattered it with only a virus scan.

On a related note, this guy took his old Dell Desktop and
purposely infected it with as much malware as he could,
visiting the shadiest websites he could find. He then
brought it in to GeekSquad to see what they would say...

Saturday, January 27, 2007

Certified Shmalware Expert

Someone at the SANS security training Institute recently
posted the following in their newsletter:

"Does anyone on your staff do an excellent job of cleaning
out PCs that have been infected by spyware and other
malicious software? We are just starting development of
a new certification (and related training) for Certified
Malware Removal Experts and we are looking for a
council of 30 people who have done a lot of it to help vet
the skills and knowledge required for the certification exam
and classes."

First off, it is often impossible to undo all the changes made
by certain malware, particularly trojans and rootkits. Since
you often do not have full information of the attack, you cannot
know which of many possible ways the system was compromised.
Often, reinstalling the program/OS is the best solution.
Although hours of painstakingly tedious analysis could address
this concern, most businesses/individuals would simply want
the problem fixed ASAP.

I recently came across a malware cleaning toolkit (yes, it is
malware free) While I would include (just a brief list) more
decompilers, Snort, and the SIS Analysis Toolkit in my
version of this disc, will I really be able to fully disinfect a
compromised system? It would be very tough [see
this article for more info]

My second concern is how this certification program will
be executed. Will it genuinely be for experts in the field,
or yet another certification anyone who knows the basics
of computing can obtain? How much networking, rootkit,
trojan, programming, etc. knowledge will be required to
be "official"? Probably not too much.

The Caffeine Collection

Caffeine is showing up in many unlikely products lately.
Let's take a look at just a handful of examples:

-Water Joe - Caffeinated water. This has been around for
a long time. Even before the energy drink craze kicked in.

-Octane Energy Gel - Morning showers can be very refreshing-
especially if you absorb a megadose of caffeine through your

-Spazzstick - An Alaskan police officer wanted unchapped lips
and an easy buzz.

-Buzz Donuts - A scientist develops a way to add caffeine to
baked goods without the bitter taste.

Still not buzzed? Check out these great collections of caffeinated
& energy drink reviews.

*For the caffeine sensitive: I recommend a Guarana only
beverage/candy. Guarana is an Amazonian berry with a
natural caffeine content. It gives you a less jittery buzz
and seems to have health benefits (particularly for the liver).
Check out this study!
"The findings suggest that the effects cannot be attributed
to caffeine alone." [referring to the cognitive improvements
of guarana ingestion]

Efficient German Sex

While writing my post about Symantec, I thought of a few other
bloated programs that many people still use. In fact, many do
not realize that excellent alternatives exist. A few examples:

1. itunes - Most people use this for their ipods. Apple Quicktime
is needed for itunes to work, and it is painfully slow. Imagine a
brand new 2.3ghz desktop lagging constantly - I'd be pissed. Not
only is there an alternative to Quicktime, but several very
efficient ipod alternatives. [I don't believe you need Quicktime
for the following programs, and you need the official Quicktime
software for itunes to work]

Anapod & Yamipod

2. Nero - One of the best programs for burning has been getting
quite chubby. Version 6 was tolerable, but 7 has been pretty slow.
You can either download an older version from the above link, or
choose an alternative. If you want all the features without the bloat,
get Alcohol 120% (shareware). If you want a free alternative,
download DeepBurner.

3. Adobe Acrobat - Another program that gets more bloat with
each release. To be sure, a speedup application exists. However,
why even use it when you can get all the features in a 1.6mb Foxit file?
If you want a standalone application, Coolpdfreader works.

4. Windows Media Player - The newer version of this program can
be slow, especially on older systems. An excellent alternative is
VLC player. No codecs needed, as it supports most formats.
Alternately, you can use the modified version of Windows Media
Player Classic which is included in this wonderful codec pack.

If you want more quality freeware alternatives to commonly
used programs, check out this site.

How do I destroy Babylon?

Among nerds interested in malware, rootkits are all the rage.
Not only for those who want to detect and analyze, but those
who want to write them. A recent article gives us a detailed
review of 6 rootkit detectors. Whose product best detects
stealth malware? An AV company's, or an independent
programmer's? [It's too bad GMER and Darkspy weren't

For the reader who isn't tech savvy: meet the malicious rootkit.
A magical program that hides itself on a computer and allows an
attacker full access to a machine. It often bypasses Anti-Virus,
Anti-Spyware, and Firewall programs. There is no process visible
in Task Manager, and you need some special tools to find this
malware. An example: you may recall a scandal resulting from
Sony secretly adding rootkits to over 4 million CDs.

*Some programs legitimately make use of rootkit techniques (kernel
hooks, hidden drivers, self-protection), for example a firewall that
guards its own processes and drivers against being shut down by malware.
Outpost, Daemon Tools, and Alcohol 120% are some examples of programs
that use rootkit technology in a non-malicious way.

What kind of a human being would purposely create such devious
software? Holyfather, author of HackerDefender, one of the most
common & well known NT rootkits addresses this quite well:

" might find something strange in the behaviour of and other security companies that develop products to save people from the threats of rootkits. They sell a fake sense of security but they do not bring real security to your computer. Yes, they will protect you against widespread threats like destructive worms, but this is not the real danger for users. The real danger is targeted attacks where private tools are used. These tools use the same methods as our tools but are not detected because security companies have no chance to download them and add those few bytes to their database. And because they catch only the tools they know and do not solve the cause, attackers will succeed with their tools. This attitude brings money to security companies because their users still upgrade and buy new versions of their products, and so this is why these security companies don't want to change the situation. We think this has to be changed. We believe that the Hacker Defender project contributes to making the world of computers more secure. It forces security companies to care about the core of the problems, to develop better and better products. And after the years we see the results. The situation here is still better and we believe it is also because of our work. There is still a lot of work to be done with rootkit detectors and antivirus products. This is why we will continue in our work to try to find ways to bypass their poor products until they come up with the real solution."


In fact, Holyfather's rootkit was a very big driving force in making
Anti-Virus companies take notice of this threat (and of their poor
software). Companies like F-Secure began to write tools to battle
rootkits. Then, almost every single AV company jumped on the
bandwagon. Which one of these excellent companies, who recruit
only the most promising developers nabbed the best anti rootkitter
trophy? Two did: a Chinese programmer named 'jfp_' and a team
of independent Russian coders. These programs surpass by far the
half-assed attempts of McAfee, Grisoft, Sophos, and many other
AV companies.

Very few Anti Virus programs (at least quality ones) come with
proactive rootkit defense. An AV with quality RK defense is
Kaspersky 6. In the next year, many companies should integrate
this sort of protection into their products (do not interpret this
as integrating quality rootkit defense). Until then, the best
proactive solutions are DefenseWall (recommended, shareware),
Neoava Guard (free) , and the latest Version of Outpost Pro.
However, proactive defense means little if you're already infected
with a RK. Check the review of programs and the link below for
more details.

If you need rootkit related assistance/info, check out this forum.

Friday, January 26, 2007

Symantec awarded prestigious Bloatware Award

Norton Internet Security 2006 = 60% system delay?
Norton 2007 fails retest

I haven't used Norton Anti-Virus since the 2000 version, which came
pre-installed on my 900mhz desktop. I quickly removed it when I
realized how much speed I'd regain. Back then, the uninstall was fairly
painless. But when I tried Norton again in 2004, I found that it wasn't
just cripplingly slow- short of doing a system restore, it was nearly
impossible to remove. Every version that followed was equally bad;
of course, other programs like Norton Ghost were also morbidly
obese. After standard delays, Norton cranked out a de-sodomization
tool for their slopware.

Norton has a ~70% hold on the antivirus market; I'm hoping for at least
a 5% drop over the next six months. And while we're boycotting AV
companies, let's add McAfee to that list; they're heading in exactly
the same direction.

-Need AV software suggestions? Here are some excellent freeware
anti-virus programs:

Antivir (recommended) -
ClamAV -

-But are these as good as Norton? I know that Antivir is equal to
or better in detection (depending on the test) If you want to see
detection rate comparisons, look here.