
New Antivirus Tests Show Rootkits Hard to Kill

timothy posted more than 6 years ago | from the malice-evolves dept.

Security 178

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."


Interesting way of putting it (5, Funny)

pjt33 (739471) | more than 6 years ago | (#23406390)

I know that AV software can be fairly intrusive, to the point that it feels like it's taking over your box, but to call Microsoft Windows Live OneCare and McAfee VirusScan rootkits seems a bit strong.

Re:Interesting way of putting it (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23406432)

Well, it is not a bit strong to state that your reading comprehension is terrible.

Re:Interesting way of putting it (5, Funny)

Anonymous Coward | more than 6 years ago | (#23406482)

"removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

Perhaps you yourself need a lesson in reading and comprehension.

Re:Interesting way of putting it (0)

Anonymous Coward | more than 6 years ago | (#23406812)

It helps to include the whole sentence in your quotes, oh but then you can't be a jackass, my bad!

Re:Interesting way of putting it (1, Insightful)

Anonymous Coward | more than 6 years ago | (#23407306)

"AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

That doesn't help.

It should be written this way to clear up the two possible readings:

"AV-Test.org also found that a few big name AV scanners, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121, had serious problems finding and removing active rootkits."

Re:Interesting way of putting it (3, Funny)

roaddemon (666475) | more than 6 years ago | (#23408038)

I believe the sentence was poorly written and the last clause is a dangling participle, but I got into engineering because I failed English.

(sorry to interrupt the flame war)

Re:Interesting way of putting it (5, Insightful)

mckinnsb (984522) | more than 6 years ago | (#23406526)

In other news: half of jokes made on Slashdot are incorrectly interpreted as serious commentary.

Re:Interesting way of putting it (2, Insightful)

geekoid (135745) | more than 6 years ago | (#23407518)

Which is why I advocate a new punctuation mark: ~

Re:Interesting way of putting it (5, Funny)

Mister Whirly (964219) | more than 6 years ago | (#23407590)

You ended that sentence with a "~". Why are you sarcastically advocating a new punctuation mark? ~

Re:Interesting way of putting it (1)

deathy_epl+ccs (896747) | more than 6 years ago | (#23407706)

Which is why I advocate a new punctuation mark: ~

The problem with this idea is that it always feels like somebody is drooling all over my inbox when they end their lines with twiddles.

Some of the IT staff over at Alaska Airlines for some reason have a cultural standard of twiddles instead of dashes in certain cases, and I keep thinking that all that spit can't be good for the electronics.

If your idea were to be implemented, I'd start to wonder why the Alaska Airlines folks are so sarcastic that they can't even say "hi" without a touch of sarcasm.

Re:Interesting way of putting it (3, Funny)

rcamans (252182) | more than 6 years ago | (#23408378)

In other news: half the threads posted on Slashdot are incorrectly interpreted as worth reading, or even educational.

Re:Interesting way of putting it (0)

Anonymous Coward | more than 6 years ago | (#23406556)

Well, it is not a bit strong to state that your reading comprehension is terrible.
you sir are an oxy-moron who obviously missed the joke of the initial poster.

Re:Interesting way of putting it (3, Funny)

Oxy the moron (770724) | more than 6 years ago | (#23406660)

you sir are an oxy-moron
No, I got the joke, TYVM. :)

Re:Interesting way of putting it (0)

Anonymous Coward | more than 6 years ago | (#23406772)

My guess is that English is your mother tongue. However, I suggest that you refer to it as your "second language" from now on, so as to save yourself further embarrassment.

Re:Interesting way of putting it (2, Funny)

phoenixwade (997892) | more than 6 years ago | (#23407006)

Well, it is not a bit strong to state that your reading comprehension is terrible.
whoosh!

Re:Interesting way of putting it (0)

Anonymous Coward | more than 6 years ago | (#23406490)

I believe that's a case of a dangling modifier.

OneCare and McAfee are the big name AV products, not the rootkits.

Re:Interesting way of putting it (0)

Anonymous Coward | more than 6 years ago | (#23406588)

I believe that's a case of a dangling modifier.

OneCare and McAfee are the big name AV products, not the rootkits.

English grammar isn't a natural physical law: it's man-made. I don't know about you, but I understood what he said.

If you don't want nothing, don't start nothing.

Re:Interesting way of putting it (1)

dgatwood (11270) | more than 6 years ago | (#23408936)

I understood what was meant. I still laughed so hard water came out my nose and shorted out my keyboard. Darn you, slashdot editors!

Anaphor (1)

pjt33 (739471) | more than 6 years ago | (#23407416)

It's not a dangling modifier: all the words are present, but the order is misleading. It's a bad usage of anaphor such that the immediate antecedent is the wrong one.

Re:Interesting way of putting it (1)

mini me (132455) | more than 6 years ago | (#23407596)

When I read it, I assumed there really were rootkits in the wild with those names. Then again, I've never heard of OneCare until now which didn't help.

Great.. (0)

Anonymous Coward | more than 6 years ago | (#23406452)

Now Steven Seagal [youtube.com] is writing rootkits?

We're screwed.

Re:Great.. (2, Funny)

Mister Whirly (964219) | more than 6 years ago | (#23407648)

"Now Steven Seagal is writing rootkits?

We're screwed."


No way. Not with my new Chuck Norris(TM) brand anti-rootkit software. Not only does it find the rootkit and get rid of it, but it first makes it cry and beg for its life needlessly.

In other news... (5, Insightful)

Oxy the moron (770724) | more than 6 years ago | (#23406470)

Grass is green, sky is blue, Pope is Catholic, etc...

When people create these things... isn't the intent to make them hard to detect/kill?

What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.

I don't even bother trying to clean them up. (5, Interesting)

Dr. Manhattan (29720) | more than 6 years ago | (#23407196)

My nephew got something or other on his laptop. I made a desultory effort to clean it, but whatever crap was on there would kill the anti-spyware install routines within seconds. Fortunately I'd installed Ubuntu on another partition, and he was still able to do web and email and stuff, and I told him to back up the data he needs and I'll wipe it and start fresh.

I'm pretty sure it was trojaned game mods that got him instead of the usual porn sites. At least, if it was porn, he did a pretty good job hiding his tracks. :->

Re:I don't even bother trying to clean them up. (1)

kalirion (728907) | more than 6 years ago | (#23408340)

whatever crap was on there would kill the anti-spyware install routines within seconds

Don't they have virus scanners you can run from CDs?

Re:I don't even bother trying to clean them up. (4, Insightful)

jimicus (737525) | more than 6 years ago | (#23408552)

Don't they have virus scanners you can run from CDs?
Let's assume you wanted to write the perfect AV which was able to work from a CD with guaranteed 100% success rate. Once complete, you can be sure that the computer can be rebooted and will neither be affected by a piece of malware, nor will the user inadvertently spread dormant malware.

It would have to compare the checksum of every executable and every DLL on the system to known good examples to confirm they've not been infected (though to be honest I suspect most of them are just taking advantage of the labyrinthine mess that is Windows rather than going to all the hassle of infecting files).

It would have to confirm that every patch which has security implications has been installed (e.g. there have been patches which deal with code which loads JPEGs - not much point in rebooting if the first thing that's going to happen is you get reinfected, so that's got to be solved).

It would have to delete any application that isn't on a known-good list. So you need a "known-good" list covering every Windows application known to man, and you also need to account for those rare cases where you're dealing with a software developers machine and there are executables on there that aren't known to man.

And remember what I said earlier about "there have been vulnerabilities in code that reads JPEGs"? Well, that means you need to delete any JPEG which isn't known-good, and any other file for which similar vulnerabilities in decoding have been found. Or it's possible that the first thing that will happen on reboot is the user will email out this "kewl JPEG" to all their friends, forwarding the malicious payload in the process.

And you need to do all this without breaking anything in the process. Or else if you do, you might just as well have wiped and rebuilt the system.

Re:I don't even bother trying to clean them up. (1)

Z34107 (925136) | more than 6 years ago | (#23408982)

What you described sounds similar to how signature/definition-based scanners work. I'm sure a lot of scanners make bootable versions - I know that older versions of McAfee came with a boot floppy.

But, a better way is to make a BartPE image with all of your tools (HijackThis, AdAware, SpyBot S&D, AVG, etc.)

And while I'm giving out advice: Partition your Windows disk into C: and D: partitions. Install programs and Windows on C; save your irreplaceable personal things (music, homework, etc.) on D. If you ever have to reinstall Windows (assuming you also clean the viruses off of D too!) you won't have to backup/restore anything.

Killing rootkits. You're doing it wrong. (5, Interesting)

khasim (1285) | more than 6 years ago | (#23407242)

Every time this subject comes up, I say the same thing.

The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.

With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums?

Anything that cannot be identified can be moved to a different drive. A drive without run permissions.

Problem solved.

Re:Killing rootkits. You're doing it wrong. (4, Insightful)

sm62704 (957197) | more than 6 years ago | (#23407572)

One of the things I hate about Microsoft software (indeed, almost all software that runs in Windows) is non-descriptive file names. Back in the DOS days XR2732A.DLL might have made sense, but wouldn't "Run-time library of graphics functions for Word.DLL" make a whole lot more sense? If in fact you had removed Word (or some game or whatever) you would know that you could delete the file with impunity.

Re:Killing rootkits. You're doing it wrong. (3, Interesting)

Wierdy1024 (902573) | more than 6 years ago | (#23407972)

Um, how exactly do you do this? How can I run a scan and get a list of all files on the entire system that don't match the MD5s in their packages?
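One way to do what khasim describes and Wierdy1024 asks for, written as an added example (not a tool from the thread): with the suspect disk mounted read-only from a LiveCD, read every package's .md5sums list from dpkg's database on that disk, recompute each file's MD5, and report files that are modified, missing, or not claimed by any package. The mount root, the scanned directories and the sample tree are constructed for the demo; on a real Debian/Ubuntu system the debsums package does the same comparison.

```python
"""Offline integrity check of a mounted Debian/Ubuntu root against dpkg's md5sums.

Caveat from the thread: this is only meaningful when run from a trusted boot
medium against the mounted, non-running disk. The .md5sums lists live on that
same disk, so a rootkit that rewrites them alongside the binaries would pass;
comparing against digests from the original package archives closes that gap.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def load_md5sums(root: Path) -> dict[str, str]:
    """Map relative path -> expected MD5, from every /var/lib/dpkg/info/*.md5sums.

    Each line has the form '<32 hex digits>  <path relative to />'.
    """
    expected: dict[str, str] = {}
    info = root / "var/lib/dpkg/info"
    for lst in sorted(info.glob("*.md5sums")):
        for line in lst.read_text().splitlines():
            if not line.strip():
                continue
            digest, rel = line.split(None, 1)
            expected[rel.strip()] = digest.lower()
    return expected


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_root(root: Path, scan_dirs=("usr/bin", "usr/lib")) -> dict[str, list[str]]:
    """Compare the mounted root against dpkg's lists.

    Returns relative paths in three buckets: 'modified' (digest mismatch),
    'missing' (listed but absent) and 'unowned' (present under scan_dirs but
    claimed by no package; khasim's 'cannot be identified' files).
    """
    expected = load_md5sums(root)
    result: dict[str, list[str]] = {"modified": [], "missing": [], "unowned": []}
    for rel, digest in sorted(expected.items()):
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif md5_of(p) != digest:
            result["modified"].append(rel)
    for d in scan_dirs:
        base = root / d
        if not base.is_dir():
            continue
        for dirpath, _, files in os.walk(base):
            for name in files:
                rel = Path(os.path.relpath(os.path.join(dirpath, name), root)).as_posix()
                if rel not in expected:
                    result["unowned"].append(rel)
    result["unowned"].sort()
    return result


def build_demo_root() -> Path:
    """Constructed sample root (assumption, not a real system): one intact file,
    one tampered file, one file missing from disk, one unowned hidden binary."""
    root = Path(tempfile.mkdtemp(prefix="rootkit-demo-"))
    (root / "var/lib/dpkg/info").mkdir(parents=True)
    (root / "usr/bin").mkdir(parents=True)
    good = b"#!/bin/sh\necho hello\n"
    (root / "usr/bin/hello").write_bytes(good)
    (root / "usr/bin/ls").write_bytes(b"#!/bin/sh\necho tampered\n")
    (root / "usr/bin/.hidden-loader").write_bytes(b"not from any package\n")
    (root / "var/lib/dpkg/info/hello.md5sums").write_text(
        f"{hashlib.md5(good).hexdigest()}  usr/bin/hello\n")
    (root / "var/lib/dpkg/info/coreutils.md5sums").write_text(
        "00000000000000000000000000000000  usr/bin/ls\n"
        "11111111111111111111111111111111  usr/bin/cat\n")
    return root


def demo() -> dict[str, list[str]]:
    """Run the check over the constructed root and return the findings."""
    return verify_root(build_demo_root())


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```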

Re:Killing rootkits. You're doing it wrong. (2, Informative)

Maximum Prophet (716608) | more than 6 years ago | (#23408696)

Use tripwire on another box to check your boot drive periodically.

Re:Killing rootkits. You're doing it wrong. (1)

BradleyUffner (103496) | more than 6 years ago | (#23408590)

This is the whole point behind driver and executable signing in windows.

Re:Killing rootkits. You're doing it wrong. (1)

hesaigo999ca (786966) | more than 6 years ago | (#23408754)

I like this...especially if your boot cd has tripwire installed as well and the original checksums for the files !!

Re:Killing rootkits. You're doing it wrong. (1)

timeOday (582209) | more than 6 years ago | (#23408758)

The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.
It's unrealistically limiting to imagine that you can know ahead of time what every file on a computer should be.

Also, rootkits can lie about checksums.

Re:Killing rootkits. You're doing it wrong. (1)

sukotto (122876) | more than 6 years ago | (#23408772)

Not if your package manager and/or checksum software is compromised.

Re:Killing rootkits. You're doing it wrong. (1)

sukotto (122876) | more than 6 years ago | (#23408824)

And before you say "compile from source" read up on Ken Thompson's work on compiling trojans via subverting gcc.

Re:Killing rootkits. You're doing it wrong. (0)

Anonymous Coward | more than 6 years ago | (#23409006)

Not if your package manager and/or checksum software is compromised.

Therefore, the Live CD used should be downloaded, checked, and burned on an uncompromised system. (Although I doubt most rootkits modify the image before burning.)

On a personal note, I always pick the ISO image and the corresponding md5sum from different servers. The ISO image I take from a regional mirror, the corresponding md5sum I copy from some arbitrary server which serves for some other part of the world. I know this doesn't help if both (or all) mirrors used are compromised, but still ... it's not too much hassle for me.

Re:Killing rootkits. You're doing it wrong. (0)

Gnavpot (708731) | more than 6 years ago | (#23409020)

Not if your package manager and/or checksum software is compromised.

In Soviet Russia, live CDs boot YOU.

Apparently, a lot of people have trouble understanding these words from the GP:
"With Ubuntu, I can boot from a LiveCD and check any file on my hard drive."

Re:In other news... (1)

WaroDaBeast (1211048) | more than 6 years ago | (#23407754)

Pope is Catholic
Pope is Orthodox too -- you insensitive clod.

Windows *is* a rootkit (1)

Lumenary7204 (706407) | more than 6 years ago | (#23406536)

Quote: ... had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare ... Whadd'ya talkin 'bout? Isn't everything on Windows a potential rootkit?

Confusingly worded... (1)

BUL2294 (1081735) | more than 6 years ago | (#23406538)

[...] A few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121.
Yes, I know there's a comma, but it really sounds like both products are rootkits themselves. (I guess given that M$ created the rootkit market in Win32, they can do whatever they want with it...)

What a title! (5, Funny)

Svet-Am (413146) | more than 6 years ago | (#23406632)

from the article:

Dan Kaminsky, Director - Penetration Testing

Re:What a title! (1, Funny)

Anonymous Coward | more than 6 years ago | (#23406700)

"Hey babe, I've got a good paying job."
"Really? What is it?"
"Penetration tester."
** SMACK **
"Ouch..! I do not think that word means what you think it means."

If you think that's bad (5, Funny)

Anonymous Coward | more than 6 years ago | (#23406882)

Try working in an area of the building labeled "Mail Insertion" (for stuffing envelopes.) It doesn't come off too well when you tell someone you work over in mail insertion, no matter how you try to emphasize the 'i' in mail.

Re:If you think that's bad (3, Funny)

Vectronic (1221470) | more than 6 years ago | (#23407154)

use a french accent and pretend like yer learning english.

Female: "What Is Your Job?"
Male: "Souffler Le Travail?, nah... how do you say... May I l'Insertion?

Re:What a title! (5, Funny)

Red Flayer (890720) | more than 6 years ago | (#23407144)

I hear it's a temporary title, as he changes positions often.

I wonder if promotion to the position came with a raise.

I heard he reports to the VP for Internal Affairs.

His responsibilities include data massage, internal handling of customers, and staff management.

I could do this all day...

Re:What a title! (2, Funny)

geekoid (135745) | more than 6 years ago | (#23407548)

I think he got the position because of his anal tendencies.

Please, go on.

Re:What a title! (4, Funny)

Red Flayer (890720) | more than 6 years ago | (#23408296)

Please, go on.
Since you insist...
Performance review:

His performance metrics primarily include duration of uptime and average time needed to recover from downtime. He has expanded the scope of his role to fill the requirements.

He is able to handle repetitive tasks well.
He does not think outside the box.
He is good at getting his workgroup to multitask.
His staff responds well to stress.
Work/life balance may be an issue -- he always makes his work come first.

I think that's enough for now :)

Re:What a title! (1)

witherstaff (713820) | more than 6 years ago | (#23408488)

I could do this all day...
now you're just bragging

Re:What a title! (0)

Anonymous Coward | more than 6 years ago | (#23407556)

Yea, and his catch-phrase is "Are you kamin'(sky)? - No no no - *I* am Kaminsky!"

Re:What a title! (1)

Deanalator (806515) | more than 6 years ago | (#23407826)

Duude.. you're going to be getting some Rick Astley in your DNS responses if you aren't careful.

Grammar (0, Redundant)

sexconker (1179573) | more than 6 years ago | (#23406684)

"AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

I hate when McAfee doesn't detect Live OneCare, and vice versa!

HSpon6e (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23406744)

486/I66 with 8 [goat.cx]

Re:HSpon6e (1)

dotancohen (1015143) | more than 6 years ago | (#23406850)

Just stating the obvious:
If you're new to /., then don't click that link.

Re:HSpon6e (1)

Lord_Frederick (642312) | more than 6 years ago | (#23407516)

If I know what it is and I still click the link, does that mean I'm sick in the head?

AV's actually doing quite well (5, Insightful)

Conspicuous Coward (938979) | more than 6 years ago | (#23406796)

If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.

That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

Personally I run virus scans from a clean windows PE disk on any windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.

Re:AV's actually doing quite well (5, Insightful)

Carnildo (712617) | more than 6 years ago | (#23407192)

That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).


It's an arms race. Since a rootkit is making the appearance of reality disagree with physical fact, there's always some way to detect the deception: for example, hidden disk usage could be detected by writing data to fill the disk, and then seeing if the amount of data written is equal to the apparently-free disk space. The latest antivirus software will detect these discrepancies; the latest rootkits will patch over whatever techniques the antivirus software is using.

Naturally, (on first) (1, Troll)

dotancohen (1015143) | more than 6 years ago | (#23406832)

Rootkits are not viruses. So what does antivirus have to do with defending against rootkits? Or is all malware today called 'virus' no matter what it does? I've been on a malware-free OS for so long that I don't even know the terminology anymore.

Re:Naturally, (on first) (3, Informative)

wizardforce (1005805) | more than 6 years ago | (#23406924)

"Security suites and online Web scanners detect only a little more than half of all rootkits
security suites/online web scanners != antivirus only. as for why

AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits
I would have to say that a lot of scanners that are referred to as being antivirus target several types of malware, viruses especially so but not exclusively. Having to develop separate scanners for each type of malware and actually charging for them would be enormously expensive, not that they won't be doing it soon.

Not really surprised (5, Interesting)

neokushan (932374) | more than 6 years ago | (#23406872)

Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.
Norton (keep in mind, last time I used it was half a decade ago, if not more) had a great habit of going "HEY! YOU'VE GOT A VIRUS!" but when you actually tell it to delete the bloody thing, it refused to do anything. What was annoying was that often you could delete it simply by killing the process, but I digress.
Every other AV I've used has been able to handle most, but to this day, every now and then a virus will come along that whatever AV I try simply can't shift, forcing me to do the ol' safe-mode delete trick (or sometimes having to boot into a different OS entirely).
I don't understand why these AVs don't pop up saying "we've found a virus, unfortunately it's going to be a pain to remove, so I can't do it for you, instead here's some instructions on what to do to get rid of it..." instead of just repeatedly popping up that the virus is there and refusing to do anything about it....

Re:Not really surprised (1, Funny)

UnknowingFool (672806) | more than 6 years ago | (#23407114)

Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.

I would say you have a few choices here:

  a) Replace your OS
  b) Replace your friend
  c) All the above
  d) ????
  e) Profit!!!

Re:Not really surprised (1)

GogglesPisano (199483) | more than 6 years ago | (#23408244)

In that case, your REAL friends should be either Firefox with NoScript or Opera with JavaScript disabled.

Better yet, set up a dual boot with a more secure OS to use for your "friend's" surfing. Ubuntu, for example, makes it dead easy.

Re:Not really surprised (5, Informative)

Hatta (162192) | more than 6 years ago | (#23407170)

Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.

It's funny, the embarrassing part here isn't that you look at porn, it's that you get infected while doing it. Get NoScript, a bittorrent client, and a clue.

Re:Not really surprised (1)

neokushan (932374) | more than 6 years ago | (#23407272)

When MY FRIEND looks at porn, HE goes bareback.

Re:Not really surprised (1)

neokushan (932374) | more than 6 years ago | (#23407374)

Actually...
Since when the fuck has bittorrent ever been devoid of viruses and trojans?
It's P2P, and by definition P2P is chock-full of that sort of crap.
Perhaps I was too subtle for you, but "porn" is a just another way of saying Warez. Perhaps I should have said "Thanks to all the LINUX ISO SITES my FRIEND goes on..." but I fear that might have started an entirely different flame war...
Either way, the point is there's only so much noscript (Which I do run, thankyouverymuch) can stop, the second you go near P2P or anything even vaguely unscrupulous, you're always likely to get a virus or a trojan. It's why I run AV, to be safe, it's why I laugh at all those people going "lol I dun need AV, I'm smart" because unless they're either running something like AmigaOS, or do everything through a VM, they're at risk of getting infected all the same.

Re:Not really surprised (0)

Anonymous Coward | more than 6 years ago | (#23407682)

Just get MPEGs only when downloading porn from P2P - problem solved. Also, if you're using Windows and WMP, make sure you don't let it open WMVs renamed to MPEG (just click no when it asks). Always make sure the file really does have .mpg on the end, not just in the middle somewhere with a lot of spaces after it...

Re:Not really surprised (0)

Anonymous Coward | more than 6 years ago | (#23408282)

Use Sandboxie; it's like a condom for your computer.

You open your browser from inside, invite your FRIEND to surf wherever he wants, and when you're (he's) done you close the browser and delete the sandbox you were in. Now anything that was written to disk from inside is gone.

CAPTCHA hungry. why yes i am.

Re:Not really surprised (1)

houstonbofh (602064) | more than 6 years ago | (#23407690)

My FRIEND likes to look at port too. I don't know how he sees it from under the desk...

Re:Not really surprised (2, Funny)

ConfrontationalGrayh (1199233) | more than 6 years ago | (#23407854)

Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.
Come on, you can admit that you're the "FRIEND" and that you surf porn. :)

Re:Not really surprised (1)

tokul (682258) | more than 6 years ago | (#23407884)

you actually tell it to delete the bloody thing, it refused to do anything.
Turn off System Restore

Re:Not really surprised (1)

BForrester (946915) | more than 6 years ago | (#23408022)

My money will go to the first AV product that detects a virus that cannot be removed (due to files being locked down by the OS / in use / etc), tells me that it needs to shut down in order to fix the problem, and then boots into a PE environment to clean the bugger out.

Bootable antivirus discs? (1)

tsvk (624784) | more than 6 years ago | (#23407010)

A slightly related question:

Does any vendor offer an antivirus program that is delivered on an auto-booting CD-ROM / DVD-ROM?

Scenario: Aunt Tilly phones that she suspects viruses on her Windows computer. She got afraid so she shut down the computer. You arrive, but don't want to boot the computer up as it will activate the virus, too. You insert your bootable disc, the antivirus program boots up, auto-downloads the latest program updates along with the newest virus and malware definitions from the Internet, and you can successfully disinfect the computer without having to run any code from the infected computer's hard disk. Does a solution like this exist? I tried to search the net but found only instructions how to make your own bootable antivirus floppy disks or making your own bootable rescue CD-ROM by combining different utilities with preinstalled Windows using BartPE, and so on.

But are there any supported products available?

Re:Bootable antivirus discs? (2, Interesting)

Carnildo (712617) | more than 6 years ago | (#23407292)

A slightly related question:

Does any vendor offer an antivirus program that is delivered on an auto-booting CD-ROM / DVD-ROM?


I haven't looked at Windows antivirus products in a few years, but all antivirus products used to do this. Originally, it was a boot floppy; later, a boot CD. The necessity of an internet connection to get the latest virus definitions would make this harder these days, as you'd need to support an incredible variety of network cards.

Re:Bootable antivirus discs? (3, Informative)

houstonbofh (602064) | more than 6 years ago | (#23407736)

http://www.ubcd4win.com/ [ubcd4win.com]

It is not totally burn and go, thanks to Microsoft and the EULA, but very close. I was just updating my images today, as a matter of fact. Several clients have the latest "It burns when I pee" support calls scheduled.

Re:Bootable antivirus discs? (1)

warmotor (1153299) | more than 6 years ago | (#23407748)

I'm sure there is a LiveCD distro out there that comes with ClamAV. If you don't know what I'm talking about then you need to brush up on Linux before coming to Slashdot - we effing love Linux here, son!

Re:Bootable antivirus discs? (1)

deepsky (11076) | more than 6 years ago | (#23408174)

Gdata antivirus [gdata.de] is a pretty good antivirus for Windows which has a bootable disk (linux-made, btw).
Even if I've bought the online version, they sent me the disk by mail anyway. I was not allowed to refuse it, it seems. For my safety, I suppose :-)

ESL? (0, Redundant)

Zero__Kelvin (151819) | more than 6 years ago | (#23407128)

" ... a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 ... "
I knew OneCare was an active rootkit!

Good to See Bitdefender. (0)

Trashman (3003) | more than 6 years ago | (#23407156)

I'm glad I chose Bitdefender as my AV scanner, which the article states did very well (not perfect). I use it on my Windows machines and I've been very pleased with it.

I recommend it to anyone who asks, as it's very resource friendly unlike McAfee and Norton.

Rootkits are hard to kill? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23407158)

Rootkits are actually very easy to kill, and the tool to kill them can be found here [ubuntu.com] or here [kubuntu.com]

Re:Rootkits are hard to kill? (3, Insightful)

stratjakt (596332) | more than 6 years ago | (#23407352)

Guess you missed the news about the guessable passwords.

All it takes is one bad/ignorant/rogue package manager, and the whole house of cards can come down.

Remember, the word "rootkit" comes from the *nix world, not the Windows one.

Well, DUH! (5, Informative)

Todd Knarr (15451) | more than 6 years ago | (#23407258)

First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.

Info - Anti rootkit tools (3, Informative)

Fallen Andy (795676) | more than 6 years ago | (#23407356)

For your friends, non tech users:

AVG Free 8.0 (free.grisoft.com) or AVG free antirootkit if they are using 7.5 free.

Hint: AVG 8 *removes* their old free antirootkit.

For techie users, grab the Sysinternals toolkit from majorgeeks etc. (RootkitRevealer). For real techies, a copy of "Rootkit Unhooker LE" (rku.nm.ru), but (like HijackThis) hide this one from non-techie users so they don't fiddle with it ...

(Oh, and beware some versions of Daemon Tools which use rootkit-like functionality to hide their virtual CD driver.)

Andy

Re:Info - Anti rootkit tools (1)

houstonbofh (602064) | more than 6 years ago | (#23407780)

Also consider rootkitty on the UBCD4win disk. Simple and elegant... It is a diff of a recursive directory list in clean and dirty states. Anything that shows up clean and is hidden dirty is listed. It is very nice.

Bootable ClamAV CD image... Ubuntu live CD? (4, Interesting)

steveha (103154) | more than 6 years ago | (#23407462)

What I'm just waiting for is a bootable Linux CD that includes ClamAV ready-to-run.

Once a root kit has its tentacles through your system, you can't trust your system. So it just makes sense to boot a trusted system before running a malware scan.

I know enough that I could boot an Ubuntu CD, make sure clamav is installed, update it to the latest virus definitions, mount each disk volume, and then run clamav by hand. But more people could use it if this was easier.

Originally I was thinking of a CD you boot just for virus scanning. But I already carry around an Ubuntu CD to use as a utility disk (you can boot it as a RAM tester, or you can boot to a desktop to help repair a non-booting computer). And if it finds any malware you will want to fire up a web browser and read about how to clean your system. So now I think the very best thing would be for the standard Ubuntu live CD desktop to have a "scan computer for viruses" icon. Ideally it should have some kind of attractive GUI interface, but I'd settle for a scrolling text display as long as it does everything automatically.

Ideally this would also have a way to download a signed program, verify the signature, and run the program; then people could write programs that automatically clean malware off a computer.

I already give away Ubuntu CDs to friends who use Windows, and I tell them how to use them to test their RAM. It would be so cool if they could also use it to check their computers for malware. (Who knows, they might get tired of cleaning malware off their computers and try running Ubuntu someday.)

Is there any way to suggest this as a "summer of code" project or something?

steveha

Re:Bootable ClamAV CD image... Ubuntu live CD? (5, Informative)

ma1wrbu5tr (1066262) | more than 6 years ago | (#23407714)

Steveha..
http://www.ultimatebootcd.com/ [ultimatebootcd.com]
http://www.ubcd4win.com/ [ubcd4win.com]
Both have excellent tools on them, including some UPDATABLE AV kits.

Re:Bootable ClamAV CD image... Ubuntu live CD? (0)

Anonymous Coward | more than 6 years ago | (#23408208)

Neither one of those CDs is remotely like what he said... he wants an automatic tool he can freely give away to his non-geek friends

Re:Bootable ClamAV CD image... Ubuntu live CD? (0)

Anonymous Coward | more than 6 years ago | (#23408192)

"Is there any way to suggest this as a "summer of code" project or something?"

Why bother, just make one yourself with Remastersys:

http://en.wikipedia.org/wiki/Remastersys [wikipedia.org]
http://www.remastersys.klikit-linux.com/ [klikit-linux.com]
http://www.remastersys.klikit-linux.com/repository/remastersys/ [klikit-linux.com]
http://loscompanion.com/forums/index.php?board=58.0 [loscompanion.com]
http://klikit.pbwiki.com/Remastersys [pbwiki.com]

Install Ubuntu, install packages you want, use Remastersys to create your own liveCD or liveDVD

It's easy! If you want to create your own distro with scanning apps too, you can do this with Remastersys!

A self-hampering problem. (2, Interesting)

kiehlster (844523) | more than 6 years ago | (#23407474)

While there are advantages to features like System Restore and the fact that in-use files are locked by their associated programs, these features are often the only things that come between detection and eradication of many of these rootkitting trojans. AV software still doesn't tell you to turn off system restore before it tries to delete viruses, or close program XYZ that is infected, and rootkit removal tools often forget to delete the other half of a virus when they reboot.

On top of that, Google and other engines are so full of spammy removal tools that finding a legitimate tool is a gamble. Tools that do work (e.g. HijackThis) often are not intelligent enough to tell good from bad, or don't recognize the correlation between multiple pieces of a rootkit. It sometimes comes down to scanning the system, turning it off without shutting down, and booting the recovery console to delete a laundry list of trojan DLL files that one tool could not take care of.

If I were a smart AV software developer, I'd make a bootable recovery tool that will erase viruses and trojans before they can hide and secure themselves. Such tools existed back in the days of Windows 3.1 and into the early days of Win95, but today we have nothing more than Windows apps and web-based housecalls. Windows and third-party developers have let their guard down and have forgotten the history of the problem.

Human Rootkits - Why Bree Olsen Makes Me CUM (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23407478)

Regarding the recent SSL bungle:

I'm not placing blame on anyone, but let us consider for a moment:

How long would it take a member of a rogue organization, a company such as Microsoft, or an intelligence agency to land a spot into such a role as a code monkey at Debian.org, under the guise of a pro-FOSS person? You do know all three examples above are quite savvy when it comes to infiltration, mafias, corporations, and intelligence agencies do this all of the time. So let us suppose this is what happened here, and considering the wide range of impact with this issue, I believe this is exactly what may have happened.

What checks and balances are in place to weed out potential moles? Any? And would you really know what to look for even if such a policy is in place? Perhaps this question is worthy of an "Ask Slashdot" submission?

How do you deal with the most sinister of rootkits: the human mole?

How many Tor hidden services (.onion) were taken down because of MITM attacks related to this issue? Fucking moles!


legalize marijuana - jack herer [jackherer.com] - NORML [norml.org] - MPP [mpp.org]

Quit jailing non-violent marijuana smokers/growers they don't need their hineys plundered and lives ruined by poverty and disease for enjoying nature!

If smoking marijuana makes you lazy, why are a majority of sober Americans fat and apathetic, failing to do anything useful about the land of nothing for free other than posting easily forgotten content to their worthless ego-masturbatory blogs?

But why think when you can masturbate? [tube8.com] After all, the goverMICROSOFTnment knows how to take care of us.

Hard to Kill... (0)

Anonymous Coward | more than 6 years ago | (#23407576)

I'm gonna take you to the bank, Rootkits. To the blood bank! DUN DUN DUNDUNDUN

It is actually quite easy to break a rootkit... (2, Informative)

ma1wrbu5tr (1066262) | more than 6 years ago | (#23407672)

It is actually quite easy to break a rootkit... however, removal from a running Windows install can be quite impossible.
The best way to remove them is to use another OS to hit the files, then break the rootkit code and/or replication routine from Windows itself.
Unfortunately, full removal of the kernel-level code injected by the rootkit tends to break the kernel itself.
In a nutshell, Windows' fragility prevents the proper removal of the rootkit, rather than the stealth and/or hooking used by the rootkit.

virtualize! (1)

bmidgley (148669) | more than 6 years ago | (#23407850)

At least on linux, it's possible for a rootkit to hide itself completely from anything you can run in that OS to try to find it.

The only way to be sure without shutting down and booting from trusted media, eg a CD, is to virtualize the OS and examine it from the hypervisor.

This does assume the hypervisor itself is safe from the guest. We've had kernel bugs in the past that might leave it vulnerable. :(

A compromised system can't diag/fix itself (2, Informative)

Sloppy (14984) | more than 6 years ago | (#23407940)

Sometimes it happens to work. If it does, you're lucky. But you can't rely on it, and you never will be able to, and anyone who sells you a product that says it can do that, is deceiving you.

Don't execute the rootkit in the first place. That's the only way to be sure. Once you've run untrusted code, your system is compromised until you boot from read-only media.

Sorry if you don't like hearing that. Sorry if it's inconvenient. Sorry if you're an AV company stockholder and you don't want people to know. But that's just how it is, period.

And when you look at it that way, today's rootkits are actually really easy to kill; you just have to go "far enough" (e.g. nuke the whole damn partition). (I have to say "today's rootkits" because if your BIOS is flashable, well, you've got serious problems.)

Boot CD with live update? (2, Insightful)

davidwr (791652) | more than 6 years ago | (#23408202)

These days *all* the major AV vendors need to ship a boot CD that
1) connects to the Internet
2) downloads the latest version of itself and verifies the download is authentic
3) scans the disk and cleans up malware
4) reports results to someplace that can be read later

Command Virus Anyone? (1)

ginbot462 (626023) | more than 6 years ago | (#23408258)

I'm fixing a computer of my neighbor's who had a tonne of viri (that's a technical term) including Smitfraud and something related to command.exe. I don't know if it replaced command.com with its own variant, 'cause I can't seem to get rid of it even in safe mode. Though, I haven't tried turning off System Restore ... now that I think about it ... that's probably why it keeps getting resurrected. Thanks for your help me! Now, where is the me that knows how to make a casino ...

Do you know what you call? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23408714)

Do you know what you call a PC with Symantec or McAfee anti-virus?

Slow and infected.

Those two products are the equivalent of banging your head against the ground to prevent the common cold. It doesn't actually help, but it feels like you must be doing something, otherwise it wouldn't hurt so much.

Come on... this is so easy (2, Insightful)

sniperdoc (1027736) | more than 6 years ago | (#23408720)

It's called a USER account. Not admin or power user. USER ACCOUNT. Prevention is key. You're asking for trouble if you cruise potentially bad websites or open bad emails.

So, how do you vet not-yet-trusted binaries? (1)

jemenake (595948) | more than 6 years ago | (#23408968)

This thread is very timely for me because I'm currently trying to develop a way of "vetting" various Windows binaries that I don't yet trust... to make sure that they don't contain any rootkit/keylogger/etc.

My current plan is to start with my Linux box and use VirtualBox to install Windows as a guest OS. Last time I checked, VirtualBox and VMware create virtual network interfaces for providing network capability to the guest OS. So, I can use Wireshark (formerly Ethereal) to watch all traffic on that interface and see everything that goes into or out of the guest.

Additionally, I want to use some tool that looks at the registry and all files installed and then compares it to some previous snapshot, but I'm still looking for a good free tool that does that.

Two questions: 1) Has anybody else already developed a sandboxing method like this (and, if so, could you describe it and what kind of stuff you catch with it)? 2) Can you recommend a good "snapshot & compare" tool for the registry and filesystem like I mentioned?
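Two comments in this thread describe the same mechanism: houstonbofh's rootkitty (diff a recursive directory listing taken clean against one taken from the live, possibly hidden-from, OS) and jemenake's "snapshot & compare" of the filesystem before and after running an untrusted binary. The following is an added example written for this page, not rootkitty, UBCD4win or any tool a poster mentions; `snapshot`, `compare`, `hidden_from_live_view` and `demo` are names chosen here, and `demo` builds a small constructed temp directory standing in for a Windows install.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative, '/'-separated) to (size, sha256). Take one
    from a trusted offline boot and one from the live OS, or one before/after an install."""
    entries = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                entries[rel] = (os.path.getsize(full), h.hexdigest())
            except OSError as exc:  # locked or unreadable files are still listed
                entries[rel] = ("unreadable", str(exc))
    return entries

def compare(before, after):
    """Paths added, removed, or changed in size/hash between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def hidden_from_live_view(offline, live):
    """Cross-view check: paths the trusted offline listing has but the live OS listing
    lacks. Expect some temp-file churn, so review the list rather than auto-deleting."""
    return sorted(set(offline) - set(live))

def demo():
    """Constructed sample tree standing in for a Windows install (no real files)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = Path(root, "system32")
        sysdir.mkdir()
        (sysdir / "kernel.dll").write_bytes(b"original")
        before = snapshot(root)
        (sysdir / "kernel.dll").write_bytes(b"patched")   # installer alters a file
        (sysdir / "dropped.dll").write_bytes(b"payload")  # and drops a new one
        after = snapshot(root)
        # a live listing that omits dropped.dll, as a rootkit hiding it would
        live = {p: v for p, v in after.items() if p != "system32/dropped.dll"}
        return {"diff": compare(before, after),
                "hidden": hidden_from_live_view(after, live)}
```

Hashing catches in-place modifications that a bare directory listing (names only) would miss, at the cost of reading every file; the hidden check is only meaningful when the offline snapshot came from a boot that the suspect OS could not write to.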