
New Antivirus Tests Show Rootkits Hard to Kill

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."
  • by pjt33 ( 739471 ) on Wednesday May 14, 2008 @12:45PM (#23406390)
    I know that AV software can be fairly intrusive, to the point that it feels like it's taking over your box, but to call Microsoft Windows Live OneCare and McAfee VirusScan rootkits seems a bit strong.
    • but to call Microsoft Windows Live OneCare and McAfee VirusScan rootkits seems a bit strong.
      Now if Sony made an antivirus product, then that would be totally different, wouldn't it?
  • In other news... (Score:5, Insightful)

    by Oxy the moron ( 770724 ) on Wednesday May 14, 2008 @12:49PM (#23406470)

    Grass is green, sky is blue, Pope is Catholic, etc...

    When people create these things... isn't the intent to make them hard to detect/kill?

    What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.

    • My nephew got something or other on his laptop. I made a desultory effort to clean it, but whatever crap was on there would kill the anti-spyware install routines within seconds. Fortunately I'd installed Ubuntu on another partition, and he was still able to do web and email and stuff, and I told him to back up the data he needs and I'll wipe it and start fresh.

      I'm pretty sure it was trojaned game mods that got him instead of the usual porn sites. At least, if it was porn, he did a pretty good job hiding his tracks. :->

      • whatever crap was on there would kill the anti-spyware install routines within seconds

        Don't they have virus scanners you can run from CDs?
        • by jimicus ( 737525 ) on Wednesday May 14, 2008 @02:46PM (#23408552)

          Don't they have virus scanners you can run from CDs?
          Let's assume you wanted to write the perfect AV which was able to work from a CD with guaranteed 100% success rate. Once complete, you can be sure that the computer can be rebooted and will neither be affected by a piece of malware, nor will the user inadvertently spread dormant malware.

          It would have to compare the checksum of every executable and every DLL on the system to known good examples to confirm they've not been infected (though to be honest I suspect most of them are just taking advantage of the labyrinthine mess that is Windows rather than going to all the hassle of infecting files).

          It would have to confirm that every patch which has security implications has been installed (eg. there have been patches which deal with code which loads JPEGs - not much point in rebooting if the first thing that's going to happen is you get reinfected so that's got to be solved).

          It would have to delete any application that isn't on a known-good list. So you need a "known-good" list covering every Windows application known to man, and you also need to account for those rare cases where you're dealing with a software developers machine and there are executables on there that aren't known to man.

          And remember what I said earlier about "there have been vulnerabilities in code that reads JPEGs"? Well, that means you need to delete any JPEG which isn't known-good, And any other file for which similar vulnerabilities in decoding have been found. Or it's possible that the first thing that will happen on reboot is the user will email out this "kewl JPEG" to all their friends, forwarding the malicious payload in the process.

          And you need to do all this without breaking anything in the process. Or else if you do, you might just as well have wiped and rebuilt the system.
          • by Z34107 ( 925136 )

            What you described sounds similar to how signature/definition-based scanners work. I'm sure a lot of scanners make bootable versions - I know that older versions of McAfee came with a boot floppy.

            But, a better way is to make a BartPE image with all of your tools (HijackThis, AdAware, SpyBot S&D, AVG, etc.)

            And while I'm giving out advice: Partition your Windows disk into C: and D: partitions. Install programs and Windows on C; save your irreplaceable personal things (music, homework, etc.) on D.

            • by jimicus ( 737525 ) on Wednesday May 14, 2008 @03:53PM (#23409562)

              What you described sounds similar to how signature/definition-based scanners work. I'm sure a lot of scanners make bootable versions - I know that older versions of McAfee came with a boot floppy.

              Not really.

              Signature-based scanners are a glorified form of grep. They look through every file looking for a string of bytes which is reasonably unique to a virus. It's not possible to have a computer know in advance with 100% certainty whether executing a particular block of code is dangerous - the best you can do is say "this is probably dangerous", so realistically your options are:

              1. Look for things which are known to be bad, delete any we find. Well, 20 years of antivirus should have taught us by now that this is a crappy solution.
              2. Look for things which are known to be good. Anything which isn't known to be good we delete. This is essentially what I described originally.

              The minor issue with this (and indeed with what I described) is that writing a general-purpose application which does this without leaving the system broken beyond real use (who's going to put up with an AV product which deletes every data file they've got because there have been known vulnerabilities in programs which read those files?) is impossible.

              However, they do say an ounce of prevention is worth a pound of cure, and nowhere in IT is it more true than here. Don't allow users to run as admin, filter email for anything even remotely suspicious, configure your desktop PCs to automatically update, run antivirus on your fileserver to slow down the spread of anything, get proper configurable desktop AV software - preferably configurable such that end users can't easily mess with the configuration - and set it up to scan everything on access.

              And while we're at it, abandon any email scanner which filters dodgy attachments on the basis of their file extension. The first virus which comes with text saying "Rename to .exe and run" will sail straight through.

              This sounds like a lot of work, but I've been in the middle of dealing with virus outbreaks before. Once configured, 99.5% of my suggestions can be just left to their own devices and it's a lot less hassle than dealing with a virus outbreak.
              • by Z34107 ( 925136 )

                Just for anyone's curiosity, HijackThis operates on #2 (Compare files/registry keys/etc. with known-good; blow it away if it differs.) This is why they recommend only "experts" use their program.

                But you're right- signature scanning (which most AVs use with some kind of heuristics) is always going to be one step behind, and a lot of times can't "clean" infected files and can cause problems by blowing infected ones away. (Heck, Norton does need viruses to trash your machine ^.^)

                I think there are two sou

      • Don't try to erase the HDD. Remove it and throw it away.
        • Instead, try to realize one important thing. There *is no* HDD...

          Don't try to erase the HDD. Remove it and throw it away.
      • by kesuki ( 321456 )
        "I'm pretty sure it was trojaned game mods"

        don't be so sure... there have been numerous security warnings about 'copy protection schemes' incorporated into video games, that allow an 'infected' user to 'infect' new users while playing online video games with the 'infected' basically, you play the video game, the trojan infects through the update vector of the 'anti-piracy' scheme, by pretending to be an "updated 'no-cd hack' detector", which allows them to put and run any kind of executable into anyone in t
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday May 14, 2008 @01:30PM (#23407242)
      Every time this subject comes up, I say the same thing.

      The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.

      With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums?

      Anything that cannot be identified can be moved to a different drive. A drive without run permissions.

      Problem solved.
      • by sm62704 ( 957197 ) on Wednesday May 14, 2008 @01:49PM (#23407572) Journal
One of the things I hate about Microsoft software (indeed, almost all software that runs in Windows) is non-descriptive file names. Back in the DOS days XR2732A.DLL might have made sense, but wouldn't "Run-time library of graphics functions for Word.DLL" make a whole lot more sense? If in fact you had removed Word (or some game or whatever) you would know that you could delete the file with impunity.
        • by An ominous Cow art ( 320322 ) on Wednesday May 14, 2008 @03:55PM (#23409604) Journal
          Maybe, but spaces in file/directory names are an abomination :-). I'd be ok with something like:

          Run-timeLibraryOfGraphicsFunctionsForWord.DLL
Back in the DOS days XR2732A.DLL might have made sense, but wouldn't "Run-time library of graphics functions for Word.DLL" make a whole lot more sense?
          Doesn't "Word_Gfx.dll" make just as much sense as the long file name?
        • Re: (Score:3, Insightful)

          by smellotron ( 1039250 )

One of the things I hate about Microsoft software (indeed, almost all software that runs in Windows) is non-descriptive file names.

          On windows? Try "everywhere". Some other poorly-named libraries that come to mind are libm.so and libiberty.so (as cute as gcc -liberty may be, it is a useless name from a functional standpoint). Or if you consider any file, what about any of the 3-letter UNIX-style directory names?

          Run-time library of graphics functions for Word.DLL

          I would want to shoot any developer

        • With Linux, you assume that anyone stupid enough to sudo rm -f /usr/bin/ls knows what they are doing. With Windows, you protect people from being stupid, safe in the correct knowledge that the overwhelming majority of folks who would attempt manual deletion of a DLL are not, in fact, as expert as they think they are. This saves you from having your paid support lines clogged up with would-be l33t p0w3r userz. (Linux, of course, has the option of just ignoring folks in the newsgroups.)

          In the Windows parad
          • Re: (Score:3, Insightful)

            by sm62704 ( 957197 )
            With Windows, you protect people from being stupid

You're confusing "stupid" with "ignorant". An ignorant user will have to reinstall Word if he removes one of its DLLs. A stupid user will have to reinstall Word a second time when he removes the DLL again after reinstallation.

            The ignorant user will no longer be ignorant, and will think twice before removing said file.
      • Re: (Score:3, Interesting)

        by Wierdy1024 ( 902573 )
Um, how exactly do you do this? How can I run a scan and get a list of all files on the entire system that don't match the MD5s in their packages?
      • The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.
        It's unrealistically limiting to imagine that you can know ahead of time what every file on a computer should be.

        Also, rootkits can lie about checksums.

        • by kesuki ( 321456 )
          "It's unrealistically limiting to imagine that you can know ahead of time what every file on a computer should be"

It's not, though. Linux creates a database of the checksums of every file, where it should be installed, etc. rpm has a simple way of verifying every file based on this DB; the Debian package manager doesn't, but it's trivial to use the database files created to independently verify every file on the system... except user created files, or files downloaded from the internet (pictures etc) but comp
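khasim's LiveCD procedure and the question of how to list every file that fails its package checksum can be written down as a script. The following is an added example written for this thread, not code from any poster or from dpkg/rpm. It assumes the suspect disk is mounted read-only at a path given on the command line and carries a Debian-style database under var/lib/dpkg/info/*.md5sums; the `build_fixture` function constructs a throwaway sample root (with one intact, one modified, one missing and one unowned file) so the script runs offline with no argument.

```python
#!/usr/bin/env python3
"""Check an offline-mounted Debian/Ubuntu root against dpkg's md5sums database.

Added example for this thread, not any poster's code.  Assumptions: the
suspect disk is mounted read-only at ROOT (e.g. /mnt/suspect from a live CD)
and ROOT/var/lib/dpkg/info/<package>.md5sums files use the standard
"<md5hex>  <path relative to />" layout.  Nothing here touches the
running (trusted) system's own files.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Trees that packages should account for completely; a file here that no
# package claims is "unidentified" in khasim's sense.
SYSTEM_DIRS = ("bin", "sbin", "lib", "usr")


def parse_md5sums(text):
    """Parse one <pkg>.md5sums file into {relative_path: md5hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")  # two spaces separate digest and path
        entries[rel.strip()] = digest.lower()
    return entries


def load_database(root):
    """Map every packaged path to (package, expected md5) for the tree at root."""
    db = {}
    info_dir = Path(root) / "var" / "lib" / "dpkg" / "info"
    for f in sorted(info_dir.glob("*.md5sums")):
        pkg = f.name[: -len(".md5sums")]
        for rel, digest in parse_md5sums(f.read_text()).items():
            db[rel] = (pkg, digest)
    return db


def md5_of(path):
    """Stream a file through MD5 (the digest dpkg's database uses)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root):
    """Return (path, package) pairs that are modified or missing, plus unowned paths."""
    root = Path(root)
    db = load_database(root)
    report = {"mismatched": [], "missing": [], "unowned": []}
    for rel, (pkg, expected) in sorted(db.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append((rel, pkg))
        elif md5_of(target) != expected:
            report["mismatched"].append((rel, pkg))
    for top in SYSTEM_DIRS:
        base = root / top
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in db:
                    report["unowned"].append(rel)
    return report


def build_fixture():
    """Constructed sample root: one intact file, one modified, one missing, one unowned."""
    root = Path(tempfile.mkdtemp(prefix="suspect-root-"))
    (root / "bin").mkdir()
    (root / "usr" / "bin").mkdir(parents=True)
    info_dir = root / "var" / "lib" / "dpkg" / "info"
    info_dir.mkdir(parents=True)
    ls_bytes = b"#!/bin/sh\necho ls\n"
    cat_bytes = b"#!/bin/sh\necho cat\n"
    (root / "bin" / "ls").write_bytes(ls_bytes)                        # matches database
    (root / "bin" / "cat").write_bytes(b"#!/bin/sh\necho tampered\n")  # differs from database
    (root / "usr" / "bin" / "dropper").write_bytes(b"not from any package\n")
    lines = [
        hashlib.md5(ls_bytes).hexdigest() + "  bin/ls",
        hashlib.md5(cat_bytes).hexdigest() + "  bin/cat",
        hashlib.md5(b"").hexdigest() + "  bin/rm",  # listed but absent on disk
    ]
    (info_dir / "coreutils.md5sums").write_text("\n".join(lines) + "\n")
    return str(root)


if __name__ == "__main__":
    target_root = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for kind, items in verify_tree(target_root).items():
        for item in items:
            print(kind, item)
```

Run it from the live CD as `python3 verify_root.py /mnt/suspect`; with no argument it checks the constructed fixture. On a running Debian host `debsums` and on RPM systems `rpm -Va` do the same comparison, but, as other replies in this thread point out, anything executed on the infected OS can be fed false file contents, and the md5sums database itself lives unsigned on the suspect disk, so a clean report means "nothing contradicts the package database" rather than "the machine is clean". Conffiles and user data are outside the database and need separate handling.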
      • by sukotto ( 122876 )
        Not if your package manager and/or checksum software is compromised.
        • by sukotto ( 122876 )
          And before you say "compile from source" read up on Ken Thompson's work on compiling trojans via subverting gcc.
  • [...] A few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121.
    Yes, I know there's a comma, but it really sounds like both products are rootkits themselves. (I guess given that M$ created the rootkit market in Win32, they can do whatever they want with it...)
    • by cp.tar ( 871488 )

      [...] A few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121.

      Yes, I know there's a comma, but it really sounds like both products are rootkits themselves.

      Ah. So it's not just me and my non-native English comprehension.

      Then again, maybe it's intentional.
      How difficult is it to remove either of the two programs?[1]

      [1] Not a frequent Windows user.

  • by Svet-Am ( 413146 ) on Wednesday May 14, 2008 @12:57PM (#23406632) Homepage
    from the article:

    Dan Kaminsky, Director - Penetration Testing
  • by Conspicuous Coward ( 938979 ) on Wednesday May 14, 2008 @01:06PM (#23406796)

    If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.

    That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

    Personally I run virus scans from a clean windows PE disk on any windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.

    • by Carnildo ( 712617 ) on Wednesday May 14, 2008 @01:28PM (#23407192) Homepage Journal

      That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).
      It's an arms race. Since a rootkit is making the appearance of reality disagree with physical fact, there's always some way to detect the deception: for example, hidden disk usage could be detected by writing data to fill the disk, and then seeing if the amount of data written is equal to the apparently-free disk space. The latest antivirus software will detect these discrepancies; the latest rootkits will patch over whatever techniques the antivirus software is using.
Not really surprised (Score:5, Interesting)

    by neokushan ( 932374 ) on Wednesday May 14, 2008 @01:10PM (#23406872)
    Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.
    Norton (keep in mind, last time I used it was half a decade ago, if not more) had a great habit of going "HEY! YOU'VE GOT A VIRUS!" but when you actually tell it to delete the bloody thing, it refused to do anything. What was annoying was that often you could delete it simply by killing the process, but I digress.
    Every other AV I've used has been able to handle most, but to this day, every now and then a virus will come along that whatever AV I try simply can't shift, forcing me to do the ol' safe-mode delete trick (or sometimes having to boot into a different OS entirely).
    I don't understand why these AV's don't pop up saying "we've found a virus, unfortunately it's going to be a pain to remove, so I can't do it for you, instead here's some instructions on what to do to get rid of it..." instead of just repeatedly popping up that the Virus is there and refusing to do anything about it....
    • by Hatta ( 162192 ) on Wednesday May 14, 2008 @01:26PM (#23407170) Journal
      Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.

      It's funny, the embarrassing part here isn't that you look at porn, it's that you get infected while doing it. Get NoScript, a bittorrent client, and a clue.
      • When MY FRIEND looks at porn, HE goes bareback.
      • Actually...
        Since when the fuck has bittorrent ever been devoid of viruses and trojans?
It's P2P, by definition P2P is chock full of that sort of crap.
        Perhaps I was too subtle for you, but "porn" is a just another way of saying Warez. Perhaps I should have said "Thanks to all the LINUX ISO SITES my FRIEND goes on..." but I fear that might have started an entirely different flame war...
        Either way, the point is there's only so much noscript (Which I do run, thankyouverymuch) can stop, the second you go near P
    • My FRIEND likes to look at port too. I don't know how he sees it from under the desk...
    • Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.
      Come on, you can admit that you're the "FRIEND" and that you surf porn. :)
    • by Omestes ( 471991 )
I don't understand how people's friends keep getting viruses and other nasty malware from browsing porn sites. My *friend* has been browsing porn sites for years with never an issue, using Windows no less.

How does other people's friends' porn browsing differ from my friend's? Not using Firefox? Clicking on monkeys? Downloading executables? I really don't get it.

      Then again I just spent a full day cleaning a Vundo infection from this box, thanks to some bad DVD ripping tools my er... *friend* downloade
      • Re: (Score:3, Informative)

        by neokushan ( 932374 )
        Actually this was the EXACT thing I had in mind when I was saying about the odd file AV's can detect but just not bloody delete.
        I found the easiest way to get rid of that one (Because all the 3rd party tools to do it simply didn't work) was to bite the bullet and install unlocker [ccollomb.free.fr]. This piece of software is without a doubt my favourite utility for windows and one of the first things I install (when I'm running 32bit, that is, no 64bit support yet :(). It does EXACTLY what you describe - it tells you what pro
      • by dissy ( 172727 )

        Vundo is really a bloody scourge. It took 5 malware scanners to remove it. Why the hell doesn't Windows let one force delete a file, or at least let me know what process is using it so I can kill it, and then delete the file.

        This program might help you out with that, when I was on windows I always had it installed, to make the filesystem locking work more sane.

        http://ccollomb.free.fr/unlocker/ [ccollomb.free.fr]

  • A slightly related question:

    Does any vendor offer an antivirus program that is delivered on an auto-booting CD-ROM / DVD-ROM?

    Scenario: Aunt Tilly phones that she suspects viruses on her Windows computer. She got afraid so she shut down the computer. You arrive, but don't want to boot the computer up as it will activate the virus, too. You insert your bootable disc, the antivirus program boots up, auto-downloads the latest program updates along with the newest virus and malware definitions from the Inter

    • by tsvk ( 624784 ) on Wednesday May 14, 2008 @01:24PM (#23407136)
      Ah. Lazy me for not searching more closely before asking... just found this as one alternative: http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html [free-av.com].
    • Re: (Score:3, Interesting)

      by Carnildo ( 712617 )

      A slightly related question:

      Does any vendor offer an antivirus program that is delivered on an auto-booting CD-ROM / DVD-ROM?

I haven't looked at Windows antivirus products in a few years, but all antivirus products used to do this. Originally, it was a boot floppy; later, a boot CD. The necessity of an internet connection to get the latest virus definitions would make this harder these days, as you'd need to support an incredible variety of network cards.

      • Does any vendor offer an antivirus program that is delivered on an auto-booting CD-ROM / DVD-ROM?

        I haven't looked at Windows antivirus products in a few years, but all antivirus products used to do this. Originally, it was a boot floppy; later, a boot CD.

        I think the NTFS file system may have changed things (on Windows) in the last few years (at least for free antivirus software). A quick check of my installation of AVG Free (on my Windows 2000 PC) displays this message when I try to create a "Rescue Disk":

        • "System drive C:\ with label "___" uses NTFS file system and Rescue Disk may not have access to this drive. Would you like to continue creating Rescue Disk anyway? (Y/N)"

        AntiVir's free bootable antivirus tool [free-av.com] seems to get around this apparent NTFS lim

        • Re: (Score:3, Insightful)

          by pjt33 ( 739471 )
          Rather irritatingly, the Avira rescue CD comes as a .exe which (I presume - haven't run wine-safe on it yet) unpacks a .iso. Given that the whole point is to burn to a CD, I don't know why they don't just distribute the .iso.
    • by houstonbofh ( 602064 ) on Wednesday May 14, 2008 @01:57PM (#23407736)
      http://www.ubcd4win.com/ [ubcd4win.com]

      It is not totally burn and go, thanks to Microsoft and the EULA, but very close. I was just updating my images today, as a matter of fact. Several clients have the latest "It burns when I pee" support calls scheduled.
  • Well, DUH! (Score:5, Informative)

    by Todd Knarr ( 15451 ) on Wednesday May 14, 2008 @01:31PM (#23407258) Homepage

    First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.

  • by Fallen Andy ( 795676 ) on Wednesday May 14, 2008 @01:37PM (#23407356)
    For your friends, non tech users:

    AVG Free 8.0 (free.grisoft.com) or AVG free antirootkit if they are using 7.5 free.

    Hint: AVG 8 *removes* their old free antirootkit.

    For techie users grab the sysinternals toolkit from majorgeeks etc. (Rootkit revealer). For real techies a copy of "Rootkit Unhooker LE" (rku.nm.ru) but (like Hijack This) hide this one from non techie users so they don't fiddle with it ...

    (oh and beware some versions of daemon tools which use rootkit like functionality to hide their virtual cd driver).

    Andy

    • Also consider rootkitty on the UBCD4win disk. Simple and elegant... It is a diff of a recursive directory list in clean and dirty states. Anything that shows up clean and is hidden dirty is listed. It is very nice.
    • Doesn't work on Vista. The direct source for Rootkit revealer is Microsoft since they bought up Sysinternals.
    • I remember a similar problem with Alcohol 120% a few years back. Only solution was to enter the recovery shell and overwrite the file after removing protection. Occurred after reinstalls or service pack upgrades. I don't know if they ever fixed it as I never really liked it that much in the first place and once I was up and running, I removed it.
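The rootkitty approach described above (diff a recursive listing taken from a clean boot against one taken while the suspect OS is running) is the file-name version of the discrepancy hunting Carnildo describes earlier in the thread. The following is an added example written for this thread, not rootkitty's or UBCD4win's code. It assumes both listings are newline-separated relative paths of the same volume, the clean one produced from a trusted boot with the disk mounted and the dirty one produced by the possibly compromised OS; the two sample listings are constructed for the example.

```python
#!/usr/bin/env python3
"""Cross-view directory diff in the style of the rootkitty approach above.

Added example, not the tool's own code.  Assumptions: CLEAN is a recursive
listing of the suspect volume taken from a trusted boot (live CD with the
disk mounted), DIRTY is the same volume as enumerated by the suspect OS
while it is running.  Both are newline-separated relative paths; the
sample listings below are constructed for this example.
"""

# Paths that legitimately change between two boots and would otherwise
# drown the report in noise.  Extend to taste.
VOLATILE_PREFIXES = ("windows/temp/", "pagefile.sys", "hiberfil.sys")


def normalize(path):
    """Fold NTFS case-insensitivity and slash direction so the two listings compare."""
    return path.strip().replace("\\", "/").lstrip("/").lower()


def parse_listing(text):
    """One path per line; blank lines and '#' comment lines are skipped."""
    return {
        normalize(line)
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def is_volatile(path):
    return any(path.startswith(prefix) for prefix in VOLATILE_PREFIXES)


def cross_view_diff(clean_listing, dirty_listing):
    """Entries the trusted view sees but the live OS omits ("hidden"), and vice versa."""
    clean = parse_listing(clean_listing)
    dirty = parse_listing(dirty_listing)
    return {
        "hidden": sorted(p for p in clean - dirty if not is_volatile(p)),
        "phantom": sorted(p for p in dirty - clean if not is_volatile(p)),
    }


# Constructed sample: the trusted listing sees a driver and a data file that
# the running OS's own enumeration leaves out; temp files differ harmlessly.
CLEAN_LISTING = """
WINDOWS\\system32\\ntoskrnl.exe
WINDOWS\\system32\\drivers\\hidden_rk.sys
WINDOWS\\system32\\rk_config.dat
WINDOWS\\Temp\\tmp1234.tmp
Program Files\\Game\\game.exe
pagefile.sys
"""

DIRTY_LISTING = """
windows\\system32\\NTOSKRNL.EXE
Program Files\\Game\\game.exe
WINDOWS\\Temp\\tmp9999.tmp
pagefile.sys
"""

if __name__ == "__main__":
    result = cross_view_diff(CLEAN_LISTING, DIRTY_LISTING)
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}: {p}")
```

Hidden entries are candidates, not verdicts: a file deleted between the two snapshots shows up the same way, so each hit needs a look. The dirty-side listing should be produced with the same enumeration the machine's users rely on (Explorer, `dir`), since a rootkit that filters results only shows up in the view it is filtering. Carnildo's disk-fill check is the same comparison applied to block counts instead of names.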
  • by steveha ( 103154 ) on Wednesday May 14, 2008 @01:43PM (#23407462) Homepage
    What I'm just waiting for is a bootable Linux CD that includes ClamAV ready-to-run.

    Once a root kit has its tentacles through your system, you can't trust your system. So it just makes sense to boot a trusted system before running a malware scan.

    I know enough that I could boot an Ubuntu CD, make sure clamav is installed, update it to the latest virus definitions, mount each disk volume, and then run clamav by hand. But more people could use it if this was easier.

    Originally I was thinking of a CD you boot just for virus scanning. But I already carry around an Ubuntu CD to use as a utility disk (you can boot it as a RAM tester, or you can boot to a desktop to help repair a non-booting computer). And if it finds any malware you will want to fire up a web browser and read about how to clean your system. So now I think the very best thing would be for the standard Ubuntu live CD desktop to have a "scan computer for viruses" icon. Ideally it should have some kind of attractive GUI interface, but I'd settle for a scrolling text display as long as it does everything automatically.

    Ideally this would also have a way to download a signed program, verify the signature, and run the program; then people could write programs that automatically clean malware off a computer.

    I already give away Ubuntu CDs to friends who use Windows, and I tell them how to use them to test their RAM. It would be so cool if they could also use it to check their computers for malware. (Who knows, they might get tired of cleaning malware off their computers and try running Ubuntu someday.)

    Is there any way to suggest this as a "summer of code" project or something?

    steveha
  • While there are advantages to features like System Restore and the fact that in-use files are locked by their associated programs, these features are often the only things that come between detection and eradication of many of these rootkitting trojans. AV software still doesn't tell you to turn off system restore before it tries to delete viruses, or close program XYZ that is infected, and rootkit removal tools often forget to delete the other half of a virus when they reboot.

    On top of that, Google and o

  • It is actually quite easy to break a rootkit... however, removal from a running Windows install can be quite impossible.
    The best way to remove them is to use another OS to hit the files, then break the rootkit code and/or replication routine from Windows itself.
    Unfortunately, full removal of the kernel level coding injected by the rootkit tends to break the kernel itself.
In a nutshell, Windows' fragility prevents the proper removal of the rootkit, rather than the stealth and/or hooking used by the rootkit.
  • by Sloppy ( 14984 ) on Wednesday May 14, 2008 @02:10PM (#23407940) Homepage Journal

    Sometimes it happens to work. If it does, you're lucky. But you can't rely on it, and you never will be able to, and anyone who sells you a product that says it can do that, is deceiving you.

    Don't execute the rootkit in the first place. That's the only way to be sure. Once you've run untrusted code, your system is compromised until you boot from read-only media.

    Sorry if you don't like hearing that. Sorry if it's inconvenient. Sorry if you're an AV company stockholder and you don't want people to know. But that's just how it is, period.

    And when you look at it that way, today's rootkits are actually really easy to kill; you just have to go "far enough" (e.g. nuke the whole damn partition). (I have to say "today's rootkits" because if your BIOS is flashable, well, you've got serious problems.)

  • These days *all* the major AV vendors need to ship a boot CD that
    1) connects to the Internet
    2) downloads the latest version of itself and verifies the download is authentic
    3) scans the disk and cleans up malware
    4) reports results to someplace that can be read later
  • It's called a USER account. Not admin or power user. USER ACCOUNT. Prevention is key. You're asking for trouble if you cruise potentially bad websites or open bad emails.
  • This thread is very timely for me because I'm currently trying to develop a way of "vetting" various Windows binaries that I don't yet trust... to make sure that they don't contain any rootkit/keylogger/etc.

    My current plan is to start with my linux box and use VirtualBox to install Windows as a guest OS. Last time I checked, VirtualBox and VMWare create virtual network interfaces for providing network capability to the guest OS. So, I can use WireShark (formerly ethereal) to watch all traffic on that int
  • no shit? (Score:3, Insightful)

    by smash ( 1351 ) on Wednesday May 14, 2008 @07:26PM (#23412226) Homepage Journal
    Well really what do you expect?

    Any half-competent root-kit will simply tell the scanner what it wants to hear via hooks into the O/S to trap any "diagnostics" that it may perform.

The trick is not to get infected in the first place - once your PC *is* infected, you're fucked. Do not pass go, do not collect $200. Reinstall time - nothing on your box can be trusted any more.

    The sooner people "get" this, the better off they'll be.

For what it's worth, I dumbly installed a rootkit when I thought I was running a keygen (serves me well for trying to play CoD4 online for free). Since I know which file I ran to install it, I pointed a few decent anti-viruses to it (F-Prot, Avast! and a couple of anti spywares) and none of them found anything wrong about the very file that was the root of all this evil. Eventually Avast! alerted me it had found a rootkit on my system, but the boot-time scan of every single file on my system didn't fix anyt
