The RootkitUnhooker site recently went down due to hosting issues. The RKU forum went down along with the site, but luckily Google Cache still has the posts archived. One of them is a review of Anti-Rootkit programs (ARKs). It was originally posted in Russian, but someone translated it into English. Enjoy.
Their new site can be found here & a mirror here (latest version of RKU is 3.31)
Modern ARKs - illusion of detection?
The problem of rootkits' existence appeared fairly long ago. It arose because of holes in the most popular operating system, and also because the average user wasn't prepared to switch from Windows 9x/ME to Windows NT, with all its specifics. Namely, they didn't verse themselves in privileges. But this discourse isn't about that.
Only recently did the problem of rootkits attract the concern of anyone who wasn't too lazy. If in 2004 there were only a few specialized detection programs (the programs of Joanna Rutkowska, Rootkit Revealer, AVZ, rkdetector, IceSword), then now the quantity of thusly named detectors has risen several-fold. At face value, there seems to be a tendency to "copy and paste," because the majority of programs in this list of detectors are like carbon copies: created with one and the same algorithm. And moreover, their methods of detection are ripped from the same place.
For a determinate period of time, we tried all the well-known and publicly accessible anti-rootkits. Alas, as in the case of the Anti-Viruses, the results are lamentable. The current level of detection programs makes it possible to fight off only well-known and widely distributed rootkits - and that with variable success. For the last half year we tested the heaps of anti-rootkits that were released. Tests were run with real malware patterns, and similarly with demo rootkits - so that we could compare the level of the declared possibilities to the actual level of realization.
In our tests, we put to practice a wide spectrum of public rootkits, such as (in alphabetical order):
afx 2005 (test rk)
all-in-one (malware)
badrkdemo (www.rootkit.com)
gromozon (malware)
hxdef (www.hxdef.org)
haxdoor (malware)
phide_ex (test rk)
rkdemo v1.0/1.1/1.2 (test rk)
rustock.a / rustock.b (malware)
vanquish (test rk)
unreal.a (test rk)
We tested a whole heap of detectors - here's the full list:
Avira
AVG
AVZ
BitDefender RkUncover
Blacklight
catchme
DarkSpy
flister
GMER
Helios
Hidden Finder
Hook Analyzer
Hook Explorer
IceSword
klister
McAfee Rootkit Detective
modGREPER
Panda ARK
Panda Tucan
Process Master (hf)
Process Master
RAIDE
Rootkit Revealer
RkDetector 2
RkDetector
Rootkit Buster
Safe'n'Sec RkTrap
SafetyCheck
Sophos ARK
SEEM
SVV
UnHackMe
VICE
So as not to advertise ourselves or our programs, we won't say a word about them here. To not embitter the authors of these programs, we
won't detail the principles their products are based on.
On the basis of our internal (and public) tests on sysinternals we obtained the following results: Name of product, brief description, merits, limitations, our general assessment according to the five ball system (for a program's correspondence to declared possibilities) - [1=F, 5=A, -1=0.5, etc.]
Avira
A product of the company AntiVir. Positioned as if to fill a void in their company/software. Has the ability to find hidden processes, files, and registry keys.
Merits:
Easy to use.
Limitations:
This program’s detections methods are relatively weak. The reason for this program’s release isn’t clear, and its ability to remove found objects seems weak (if it can find them in the first place)
Overall assessment: 1
AVG
Also the product of an antivirus company. Detects registry keys, files, and processes.
Merits:
Very easy to use. A friendly interface with beautiful pictures.
Limitations:
The sole method of detection in this program is hanging of program notification. All drivers started with ADS are automatically read as rootkits, along with the hidden file (despite the fact that they can be seen in the API)
Warning – may cause BSODs.
Overall assessment: n/a
AVZ
Oleg Zaitseva’s Anti Virus has a simple code hooks detector, which is what got his program included in these tests. Has a rather primitive module to monitor system activity.
Merits:
It deals well with common user-land rootkits, and even with some privileged ones. Written by a fellow Russian citizen. The anti-rootkit is integrated into his Anti-Virus product, and is often updated (for free)
Limitations:
Poor interface; written with 'perverted' VCL, which strongly hinders perception. Uses a disassembler borrowed from AFX, with all the resulting consequences. The program is overloaded with ‘bugs’, which are in terrible disorder. Its searches for privileged rootkits leave much to be desired.
Overall assessment: 2
BitDefender RkUncover
Again, an Anti Virus company’s rootkit detector.
Merits:
Ease of use.
Limitations:
Practically useless against rootkits, because there’s a terrible implementation of everything that should aid in detection.
Overall assessment: n/a
Blacklight
One of the first. It can detect hidden files and processes.
Merits:
Easy to use. Scans the hard disk better than analogous programs
Limitations:
Terribly outdated. Possibly easily and fully bypassed by way of putting a few hooks in SSDT, even without DKOM. Practically all rootkits have ‘learned’ to bypass it. Stays afloat thanks only to the advertising efforts of the authors and their admirers.
Overall assessment: 1
catchme
The doing of GMERs author – a user-mode detector.
Merits:
Absent.
Limitations:
Pointless program created to detect gromozon.
Overall assessment: n/a
DarkSpy
Chinese anti-rootkit. Possesses a wide spectrum of possibilities for rootkit detection.
Merits:
Good process detection.
Limitations:
Interface is very poor. The program is very unstable; bsod-reset city. Detection of files and registry keys is practically useless, since you need to know where to look for items.
Overall assessment: 3-
The programs of Joanna Rutkowska
flister, klister, modGREPER, SVV
Perhaps some of the first anti-rootkiters. Regretfully, all are proof of concept. To her credit, she did acknowledge their limitations. Unstable and abandoned by the author. Detection of rootkits with these programs is practically impossible.
Overall assessment: n/a
GMER
Polish anti-rootkiter with a wide spectrum of possibilities. Has a primitive, built-in method for monitoring of system activity.
Merits:
Can see processes well, and can detect files. It is updated often enough, and can deal with spreading rootkits.
Limitations:
Unstable, and suffers from terrible bugs that haven’t been corrected in a long time. Monitoring poses a problem for the user. The majority of methods used are kid-like and easy to bypass. Its detection of hooks leaves much to be desired and it gives an improbable amount of false positives – limited in its possibilities.
Overall assessment: 4
Helios
Made out to be a great achievement. Can detect hooks in SSDT, find hidden files/drivers, and monitor.
Merits:
Absent.
Limitations:
They wanted to be the best, but their results were same as usual. It presents no complexity in bypassing. Quite buggy, poor interface.
Overall assessment: n/a
Hidden Finder
Paid program. Detects processes and files.
Merits:
None.
Limitations:
Insolent and idiotic way to suck money from users. A fake anti-rootkit program; didn’t pass 95% of our tests.
Overall assessment: -1
Hook Analyzer
From the ‘programmers’ at Resplendence Software. Detects SSDT hooks.
Merits:
Absent.
Limitations:
Poor implementation of the simplest algorithms. You can’t do anything with detected hooks.
Overall assessment: n/a
Hook Explorer
Detects code hooks.
Merits:
Absent.
Limitations:
Detects whatever comes up [hooks], but you can’t do anything with them. Useless.
Overall assessment: n/a
IceSword
One of the first – a Chinese anti-rootkit. Sadly, it is rarely updated.
Merits:
Sees processes well enough. Has a wide spectrum of detection (though sometimes the text isn’t translated all the way) and an understandable interface. Has the ability to monitor and self-protect.
Limitations:
Almost can’t remove a rootkit from a computer. As with DarkSpy, you need to know what to look for.
Overall assessment: 3-
McAfee Rootkit Detective
Another anti-rootkit from an Anti Virus company.
Merits:
Simple to use.
Limitations:
Its declared possibilities do no correspond with the current implementation. Practically useless against rootkits.
Overall assessment: n/a
Panda ARK
And Panda Tucan is nearly identical [to McAfee’s program]. Yet another detector from an AV company. Has even fewer possibilities than the previous product.
Merits:
Easy to use.
Limitations:
Useless.
Overall assessment: n/a
Process Master (hf)
Process detector created by HolyFather.
Merits:
None.
Limitations:
Outdated and doesn’t attract much interest. Terribly easy to bypass.
Overall assessment: n/a
Process Master
Paid detector that shows processes.
Merits:
Easy to understand interface.
Limitations:
Paid software; a very simple program. As easy on the eyes as it is to bypass. Failed most of the tests. Useless.
Overall assessment: -1
RAIDE
Proof-of-concept by Peter Silverman. Has an interesting idea for restoring data modified by rootkits.
Merits:
The idea.
Limitations:
Useless and not terribly stable. Abandoned by the author.
Overall assessment: n/a
Rootkit Revealer
One of the first. Detects registry keys and files.
Merits:
Simple to use.
Limitations:
Easy to bypass, practically never updated.
Overall assessment: 2-
RkDetector
And RkDetector 2 as well. Also one of the first. Detects registry keys, processes, and drivers.
Merits:
None.
Limitations:
Useless, and version 2 is practically unworkable.
Overall assessment: n/a
Rootkit Buster
An anti-rootkit from Trend Micro.
Merits:
Easy to use.
Limitations:
Its declared possibilities do no correspond with the current implementation. Easy to defeat. Practically useless.
Overall assessment: n/a
Safe'n'Sec RkTrap
An anti-rootkit from the authors of Starforce. Used SVV and their article “Myths About Seven Popular Anti-Rootkiters” as the basis for this (where, in a drunken stupor, they included Windows Defender) Detects kernel interceptions, modifications of SYSENTER, searches for drivers, processes, etc. Emphasis is also placed on self-defense of the program.
Merits:
None.
Limitations:
The terrible, hallucinatory realization of alpha-beta doesn't astonish. It astonishes that the authors of this "anti-rootkit" went down the beaten path of pure advertising.
Overall assessment: n/a
Sophos ARK
Anti-rootkiter from Sophos.
Merits:
Simple to use.
Limitations:
Easy to bypass. Practically (though not completely) useless.
Overall assessment: 1+
SEEM
A system information utility with the beginnings of a rootkit detector.
Merits:
Has a wide spectrum of possibilities.
Limitations:
Provides more system information that rootkit detection. Weak detection methods.
Overall assessment: 1
UnHackMe
Paid program. Sais to detect ALL rootkits.
Merits:
Absent.
Limitations:
Idiotic interface. Useless against rootkits. Fake, ‘flashy’ job.
Overall assessment: -infinite
VICE
A code hooks detector. Detection of inline / IAT / SYSENTER interceptions.
Merits:
No.
Limitations:
Buggy and useless. Can ascertain the presence of hooks (if you can filter the log filled with false positives), though you can’t do anything with them.
Overall assessment: n/a
A very lamentable picture. Of all the diversity, there are only a few programs that can be recommended for rootkit detection. Unfortunately, almost no one has corrected deletion [methods]
And so, the list of winners: GMER, IceSword, DarkSpy, AVZ, Sophos ARK. The rest can be thrown on the stove to burn, even this minute.
This doesn't mean that those included on this list will defend from or find all well-known rootkits. No, just that out of all the diversity, only these companies can still do something [worthwhile]. However, all (without exception) can be avoided.
Sunday, April 8, 2007
Saturday, April 7, 2007
MOMBY - Month of Myspace Bugs
These fine folks recently started their daily myspace.com advisories, as promised. Let's wait and see how (some of) these bugs will be taken advantage of, and how long it takes myspace to correct them, if they ever will!
Subscribe to:
Posts (Atom)