Thursday, November 15, 2007

Paranoid - Look what we Un-Rooted

Anti RootKit Tools:

The PC and Windows operating system is an extremely complicated system. The Nerd Herd can't save you this time. It's going to be up to you to find out what's running on your machine and why. If it isn't needed, you need to permanently remove it. The problem is the rootkit: there can be hidden processes and registry entries that run without your knowledge or permission. They eat up system resources, and since they are hidden they are likely used for illegal activity like spam mail and identity theft. The links below can tell you if there is a problem and in some cases bail you out of trouble. The real problem is that if you find a rootkit you need to re-install the OS to be truly safe.

AVG Anti-Rootkit Free
Download

RootkitRevealer
http://technet.microsoft.com/en-us/sysinternals/bb897445

Just discovered that with RootkitRevealer, and I'm sure it was not there a couple of weeks ago:
HKLM\Security\Policy\Secrets\SAC* Key name contains embedded nulls
HKLM\Security\Policy\Secrets\SAI* Key name contains embedded nulls
These above entries are normal and you do not want to remove them from the registry.


Of course, these keys are not visible with RegEdit.
You can see those entries by running RegEdit under the system account with this trick:

At command line enter:
at 10:15am /interactive regedit.exe

Substitute the time with a value one minute greater than the current time. RegEdit will start at the given time and you'll be able to see HKLM\Security\Policy\Secrets and many others.


Sophos Anti-Rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Gmer
http://www.gmer.net/antivirus.php

Panda Anti-Rootkit
http://www.pandasoftware.com/download/documents/help/rkc/en/rkc_en.htm

Icesword
http://www.majorgeeks.com/Icesword_d5199.html

Trend Micro RootkitBuster 1.6 Beta
http://www.trendmicro.com/download/rbuster.asp

Blacklight
http://www.f-secure.com/blacklight/
Using Blacklight to detect and remove Rootkits from your computer


McAfee Rootkit Detective Beta
http://vil.nai.com/vil/stinger/rkstinger.aspx

System Virginity Verifier
http://invisiblethings.org/tools.html

*****************************************************
Hidden Registry Entries:

Download:
RegReveal v1.0 beta2c
RegReveal - a small rootkit registry revealer. Reveals hidden registry entries.
RegReveal supports Windows 2000 and Windows XP
RegReveal is a command line program.

SysInternals Hidden Registry Keys:
http://www.microsoft.com/technet/sysinternals/information/TipsAndTrivia.mspx#ECC
Download RegHide (24KB)

**************************************************************
Note of interest (use a rootkit to your advantage):

http://www.securityfocus.com/brief/34

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.
