
SysInternals Releases RootkitRevealer

CmdrTaco posted more than 9 years ago | from the have-you-been-pwn3d-lately dept.


Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."

260 comments

Strange... (5, Funny)

bigtallmofo (695287) | more than 9 years ago | (#11755236)

Every time I try to go to www.sysinternals.com to find the new Rootkit removal application, my system shuts down automatically.

Probably nothing to worry about.

Re:Strange... (1)

adlaiff6 (810221) | more than 9 years ago | (#11755254)

My Winbox shuts down whenever I put in my Slackware disc. Really.

Re: Strange... (0)

Alranor (472986) | more than 9 years ago | (#11755351)

Let me guess: the mods have been at the crack pipe again. How exactly is the parent off-topic??

Idiots.

Re:Strange... (-1)

Anonymous Coward | more than 9 years ago | (#11755358)

Is it just me or do people with mod points not get jokes unless they begin with "A guy walks into a bar..."?

Before you mod something off-topic, try to realize it might be subtle humor that maybe you're having an off day and just didn't pick up on.

Re:Strange... (0)

Anonymous Coward | more than 9 years ago | (#11755457)

Subtle humor

I guess it might be an attempt at subtle humor.

Or perhaps, a subtle attempt at humor.

Could even be a subtle attempt at subtle humor.

What it definitely is not, is subtle humor.

The warning bells were positively clanging at the first reading of the title "Strange . . ."

If that weren't enough, there was a nudge and a wink with the line "Probably nothing to worry about.", whilst the would-be comedian was jumping up and down, vigorously pointing with their free hand at the apparently innocuous winking action they were making.

If that's subtle to you, then fair enough.

By the way, when people flee the room when you enter, that is not actually a coincidence.

Re:Strange... (0)

Anonymous Coward | more than 9 years ago | (#11755538)

If that's subtle to you, then fair enough.

As far as I can tell most /. moderators would find Benny Hill too subtle.

Re:Strange... (5, Informative)

SpinJaunt (847897) | more than 9 years ago | (#11755406)

If you are using Windows XP SP2 or Windows 2003 SP1, you'll need to turn off DEP (Data Execution Prevention) by editing your BOOT.INI and changing
/noexecute=optin
to
/noexecute=AlwaysOff
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ddtools/hh/ddtools/BootIni_aff45176-bd02-43cf-9895-c212fa392de2.xml.asp [microsoft.com] I had this problem with Daemon Tools and Alcohol 120%

Re:Strange... (5, Funny)

Anonymous Coward | more than 9 years ago | (#11755482)

Yeah, should probably just turn off that buffer overrun protection, don't know what it's good for anyways. Also you should set your administrative password to blank and share out your entire C drive with Everyone granted full control, just to make things easier.

Re:Strange... (0)

Anonymous Coward | more than 9 years ago | (#11755585)

I think you'll find someone gave a useful solution to a problem

And how many Average Joes actually set a password on the Administrator account? Also, everyone is an Administrator by default on XP Pro.

Also, how many people actually disable Windows Firewall? Which, IMO, is pretty good for "free".

Re:Strange... (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#11755510)

...which is what the rootkits expect you to do so they can achieve their fiendish ends, thereby revealing themselves anyway, requiring little use for the Sysinternals tool. /from the Ministry of Silly Tin foil hats

Re:Strange... (0)

Anonymous Coward | more than 9 years ago | (#11755626)

To be fair, not everyone is as paranoid as you and me.

They could in actual fact re-enable DEP after they installed RootkitRevealer - and maybe do this whilst you're NOT connected to a network?

Re:Strange... (0)

Anonymous Coward | more than 9 years ago | (#11755526)

You, sir, are an idiot. Everyone that modded you +3 Informative is an idiot too. The original comment was a JOKE, you ignoramus.

BABYHUEY (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11755244)

FIRST POST!!!

Sysinternals is great (5, Informative)

Dr.Opveter (806649) | more than 9 years ago | (#11755252)

I love their stuff [sysinternals.com]

No really, they have class utilities for free, thanks Sysinternals

Re:Sysinternals is great (1)

Triumph The Insult C (586706) | more than 9 years ago | (#11755273)

i agree

regmon is perhaps the best utility out there for trying to get old apps to work on newer operating systems. where i work, that happens a lot

if this new tool is anything like their others, i'm sure it will be quite good

Re:Sysinternals is great (4, Insightful)

cnettel (836611) | more than 9 years ago | (#11755335)

Agreed.

One can note that Microsoft is stopping some kinds of hooking of individual kernel functions in the AMD64 release of XP. It's motivated by the fact that it won't break binary compatibility with existing code, as it would be broken anyway, and that it leads to sounder use of the API. It makes some rootkitting harder, and tools like regmon (not filemon, as it can hook as a filesystem filter driver). It doesn't make any of it impossible, though. It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent.

Incompatible? (4, Insightful)

gr8_phk (621180) | more than 9 years ago | (#11755557)

"It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent."

I can see it now. The future Microsoft product (which might come free with the OS) will say this other tool is a rootkit and remove it. This area of security should be very interesting to watch.

How paranoid am I? (1)

clowe (170667) | more than 9 years ago | (#11755598)

Given the incestuous relationship between Microsoft and Intel, I find myself more than a little suspicious of code MS releases only for the AMD64 core. But I'm sure it will all be fine...

Re:Sysinternals is great (2, Informative)

gowen (141411) | more than 9 years ago | (#11755705)

A screen saver that fakes Windows system crashes? xscreensaver has had one of those [brown.edu] for years. (It also simulates Linux and Solaris kernel dumps, Macintosh Bombs, Amiga Guru Meditations and others)

great (1)

Boeboe (815330) | more than 9 years ago | (#11755256)

Wikipedia got slashdotted. What did they do to deserve this?! *shakes fist*

A level of sophistication? (0, Troll)

NoelWeb (797393) | more than 9 years ago | (#11755259)

Quoting the article... "Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer..."

It's just a matter of time. I don't see how this can be defeated, just like anything else in the Windows world.

Re:A level of sophistication? (2, Insightful)

LiquidRaptor (125282) | more than 9 years ago | (#11755308)

Yeah, but at the moment this is a BIG help for people, plus I'm sure that as new rootkits become available they'll update this puppy. But it's not like Linux doesn't have its own rootkit detector http://sourceforge.net/projects/checkps/ [sourceforge.net]. Any server operating system is eventually going to have exploits if it's got any use; it's a fact of life. This tool helps find out if you got rooted, no more, no less.

Re:A level of sophistication? (5, Informative)

johndiii (229824) | more than 9 years ago | (#11755330)

As the sysinternals article suggests, boot from a known clean CD and do an "off-line" system scan. They make the point that it will never be possible to determine with absolute certainty that a system is clean from inside the system.

Re:A level of sophistication? (1)

dasunt (249686) | more than 9 years ago | (#11755501)

As the sysinternals article suggests, boot from a known clean CD and do an "off-line" system scan. They make the point that it will never be possible to determine with absolute certainty that a system is clean from inside the system.

Always a good suggestion.

That being said, what is preventing a trojan from digging into the MBR (old virus-style), then running in memory upon HDD boot and launching the rest of its code from an "unused" section of the drive?

Of course, there are problems: Not much room in the MBR, and the OS may actually use the empty sector unless steps are taken to prevent it. Would be an interesting proof-of-concept code.

*boot from CD, scan drive, find no trojans, boot from HDD, scan drive, trojan runs.

Re:A level of sophistication? (2, Insightful)

Anonymous Coward | more than 9 years ago | (#11755745)

What is to stop a rootkit from putting itself in the BIOS or the firmware of your hard drive or CD drive? How would you detect a rootkit living in the flash memory on your Nvidia card? I doubt most people are going to be desoldering chips to check for rootkits which is what would be required.

Bloated Software Giant Ahead of the Curve Again (5, Funny)

Anonymous Coward | more than 9 years ago | (#11755275)

Wow. Pop-up blocking, rootkit detection, basic network security... isn't it amazing how an enormous patent library and billions of dollars encourages so much innovation? It's like they're ten years ahead of everyone else.

Wait... no, the other way around...

Free Sony PSPs [tinyurl.com] . It's real. It's here.

Microsoft trawls a big net. (0)

Anonymous Coward | more than 9 years ago | (#11755620)

As a side effect, they kill a lot of dolphins.

Does the size of the marketplace they create outweigh the risks of participating in it? Well, we all have our opinions, and ultimately it's a question for every potential customer to evaluate on their own.

Better solution. (0, Flamebait)

jcr (53032) | more than 9 years ago | (#11755279)

If you must run MS-windows, run it under VM ware on Linux. If you detect an infection, throw away the infected image.

-jcr

Re:Better solution. (1)

MSFanBoi (695480) | more than 9 years ago | (#11755303)

How is it better? VMs under Linux don't carry over all my hardware. It's not going to do me any good if my modem chassis doesn't work, or if my video adapter doesn't work, or if my DVD burner doesn't work... So this isn't really a good solution...

Re:Better solution. (1)

jcr (53032) | more than 9 years ago | (#11755342)

Burn your DVDs under Linux, and choose supported video cards. Linux's coverage of current ATI and NVidia cards is very good.

-jcr

Re:Better solution. (1)

Taladar (717494) | more than 9 years ago | (#11755385)

But AFAIK VMware's is not.

Re:Better solution. (1)

lopingrhondo (186235) | more than 9 years ago | (#11755327)

Yes! Quick and easy! I did this for my grandma and at first she had some trouble with it: She kept picking up the mouse to move the pointer. Once she got that down though, she had no problem running Windows on Linux with VMware. And all was once again right with the world.

only assclowns use linux (-1)

Anonymous Coward | more than 9 years ago | (#11755431)

no, really. Linux user = luser. hahahha I crack me up.

Rootkit? (5, Funny)

Fls'Zen (812215) | more than 9 years ago | (#11755286)

I didn't think people needed rootkits for windows...

Re:Rootkit? (-1)

Anonymous Coward | more than 9 years ago | (#11755300)

I'd give that +5 funny, +5 true if I had the mod points...

Re:Rootkit? (5, Insightful)

slavemowgli (585321) | more than 9 years ago | (#11755328)

Why not? The purpose of a rootkit is usually not so much to take over a box (trivial on a standard Windows installation), but rather to hide the fact that such a take-over occurred.

Re:Rootkit? (1)

Fls'Zen (812215) | more than 9 years ago | (#11755430)

True, I know a lot of sysadmins who don't get a chance to regularly admire their server logs, processes, etc., though.

Close the blinds! (0)

Anonymous Coward | more than 9 years ago | (#11755605)

and stop displaying your rootkit out of windows...

Call to arms (1, Interesting)

Willeh (768540) | more than 9 years ago | (#11755287)

Good idea, but I'm waiting for the first batch of viruses or whatever to disable this rootkit. Probably won't take long either; stuff like this is begging for a bunch of attacks from the hacker community.

But it's a good start, so that johnny q spammer won't be able to hijack as many sites as he had been doing previously. Good work, sysinternals!

Re:Call to arms (2, Informative)

Taladar (717494) | more than 9 years ago | (#11755398)

Viruses don't disable rootkits, they install them. Rootkits are replacement system programs/libraries to hide the intruder's presence/activity on your computer.

So this is... (4, Funny)

JustNiz (692889) | more than 9 years ago | (#11755288)

>> RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level,

So this is a rootkit in itself.

I don't know that I'd trust Microsoft any more than anyone else running rootkits on my system.

Re:So this is... (3, Informative)

interiot (50685) | more than 9 years ago | (#11755352)

No... Rootkits CHANGE the results of system API calls for everything running on the system, to try to hide the fact that there are suspicious processes and files on your system.

RootKitRevealer doesn't change any results of API calls at all.

RootKits are a fairly precisely-defined thing, I don't think there's as much grey area here as you think there is.

Re:So this is... (1)

conteXXt (249905) | more than 9 years ago | (#11755474)

As a previous poster humorously stated:
"I didn't think people needed rootkits for windows..."

Windows is its own rootkit. This one is for high-availability reasons.

handy (5, Insightful)

diegocgteleline.es (653730) | more than 9 years ago | (#11755289)

This will be interesting as soon as spyware starts using rootkits in windows.

You know, Microsoft is securing (really) XP with SP2, popup blockers, restrictions on ActiveX objects... which is great, but Microsoft has allowed a whole industry to grow - the spyware industry. There's a lot of money there and they aren't going to stop so easily; they'll try other methods, and the fact that 99% of XP users run with administrator privileges is too sexy: it allows you to reach the kernel, where you're god and you can bypass spyware/virus programs... (and if today's spyware is very poorly designed and can break your IE even when they don't really want that, guess how systems will start to break if rootkits start to be used....)

Re:handy (1)

mytec (686565) | more than 9 years ago | (#11755391)

Speaking of running as Administrator, or having to in some cases, did you ever see the docs that show the hoops you have to go through to run Visual Studio as a non-administrator non-Admin [microsoft.com] ? While I cannot speak for Delphi 2005, Delphi 7 has this same problem to some extent. Sometimes it's a pain in the ass to not run as Administrator. That needs to be fixed.

Re:handy (1)

shufler (262955) | more than 9 years ago | (#11755448)

It should also be noted that "fixing" this problem should not consist of granting higher rights to the User group.

The "Designed for Windows XX" logo signifies (at least in the NT variants) that a program can be run by anyone in the User group. I read somewhere what this entails (not writing to certain portions of the registry comes to mind), but I'm sure someone will followup with that information.

I can understand VS not running under the User group -- there's a need to develop for users who aren't going to be in the User group. That said, they should make an option to change this, or failing that, never develop with VS on a computer attached to the Internet. Which might be impossible, depending on what you're developing.

Eh. Don't use VS I guess.

Re:handy (3, Interesting)

arkanes (521690) | more than 9 years ago | (#11755579)

Amusingly, large portions of MS software don't qualify for the "Designed for Windows" logo. Office springs immediately to mind - violates the HIG.

Re:handy (1)

bratboy (649043) | more than 9 years ago | (#11755426)

This is an interesting analogy to the insurgency in Iraq - because Microsoft let things get to the current point, there's too much momentum/mindshare devoted to the problem to easily shut it down. If it had been extremely hard to crack the system in the first place, the rewards few and the risk significant, then we wouldn't be in the current mess. (I say "we" because no matter what OS you use, you're still going to have to pay for MS's boneheadedness - in spam, increased ISP fees, Internet worms, latency, etc.)

Re:handy (1)

Tim C (15259) | more than 9 years ago | (#11755732)

Unfortunately, it doesn't matter how secure your system is - if you have a naive user with the admin password using it, you're still going to have it infected with all sorts of nasties.

Re:handy (1)

utexaspunk (527541) | more than 9 years ago | (#11755566)

I think it's a good thing. While the system should've been secure in the first place, it is better that the system gets a trial by fire against (relatively) benign nuisance spyware programs than they go undetected until something really destructive comes along.

Think of spyware as the common cold: ever evolving, practically undefeatable, but essentially just a periodic nuisance that keeps the immune system on its toes...

Looking forward... (5, Funny)

Apiakun (589521) | more than 9 years ago | (#11755301)

defeating their tool would require a level of sophistication not yet seen

What, until tomorrow?

Re:Looking forward... (0)

Anonymous Coward | more than 9 years ago | (#11755486)

Yes, tune in tomorrow for another episode of As The Internet Burns... when we learn that Darl wasn't killed in the courtroom trainwreck after all. (Brought to you by SpinWash: "Snake oil? You're soaking in it.")

What about Apple? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11755305)

And what does this have to do with Apple? With the new MacMini, we won't need Windows PEE CEEs anymore at all.

Now that the PEECEE cheapskates buying $500 equipment don't have the "price" to compare to, they have no argument. Just switch over to the Mac already and be done with it. The Mac is the most versatile, most secure and most sexy computer that's ever been invented.

-flarbh

Re:What about Apple? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11755347)

Cool, so I can play UT2004 on it? Doom III?

How about running all the vertical specialized sales apps we have here at work?

Oh wait. I can't run all these important business apps because THEY DON'T RUN ON A MAC!

Get a clue, you Apple lover.

macs are for rich idiots (0)

Anonymous Coward | more than 9 years ago | (#11755453)

$500 for a computer (and I use the term loosely, since a 'mac' cannot run windows or any decent games) that doesn't even include a screen or anything? get real.

Re:macs are for rich idiots (1)

mailtomomo (776971) | more than 9 years ago | (#11755568)

$500 for a silent computer was cheap enough for me.
And they include games with it (Marble Madness Gold and Nanosaur 2: not mainstream but enough to play).
As for "decent" games, I can still use my GameCube or my "gaming only" PC (loud as hell but used at most once per week).
(As for the rich part: I'm still unemployed.)
It's not perfect but it beats my old Linux box... for nearly the same price.

If you run linux (5, Informative)

Apreche (239272) | more than 9 years ago | (#11755307)

If you run linux you can use chkrootkit [chkrootkit.org]

Re:If you run linux (3, Informative)

slavemowgli (585321) | more than 9 years ago | (#11755353)

You don't need to run Linux for chkrootkit. More or less any Un*x or Un*x-like OS will do fine:

"chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64 and BSDI."

Re:If you run linux (4, Informative)

Taladar (717494) | more than 9 years ago | (#11755412)

Don't forget to run it from a known-good live-cd, otherwise it won't do you much good since it is just a script that uses several system programs.

Re:If you run linux (1)

slavemowgli (585321) | more than 9 years ago | (#11755434)

Or use a SCSI hard disk with jumper-enabled hardware write protection (enabled after a known-good install, of course). :)

Re:If you run linux (1)

gbjbaanb (229885) | more than 9 years ago | (#11755669)

or a VMWare session with the 'discard changes' option set.

You'd have to keep your home directory on a network or removable drive though, and only install programs when disconnected from the net.

Re:If you run linux (1, Insightful)

nuclear305 (674185) | more than 9 years ago | (#11755372)

Except this story has nothing to do with linux...I know it's hard to accept, but nice try!

Re:If you run linux (0)

Anonymous Coward | more than 9 years ago | (#11755435)

Well it has unix terminology in common, otherwise they would call it "AdministratorkitRevealer".

Re:If you run linux (0)

Anonymous Coward | more than 9 years ago | (#11755497)

Yeah, that'd be the point. The story is about a Windows tool -- here's a Unix equivalent.

Where? (0)

Anonymous Coward | more than 9 years ago | (#11755533)

Really? Where?

(hint: chkrootkit isn't it)

Re:If you run linux (0)

Anonymous Coward | more than 9 years ago | (#11755582)

Informative?

How about just "off topic"?

Crash (-1)

Anonymous Coward | more than 9 years ago | (#11755315)

Does anyone else experience a crash quite soon after starting the scan?

LOL (2, Funny)

http101 (522275) | more than 9 years ago | (#11755316)

"RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com."

So it's kinda like telling my computer to turn its head and cough, right? *squeeze*

Netcraft has announced; "God exists" (3, Funny)

eatmywake (858118) | more than 9 years ago | (#11755322)

...and goes by the alias "SysInternals".

Forget the Vatican and Mecca, point your browsers to http://www.sysinternals.com and pay homage.

Um (0)

jb.hl.com (782137) | more than 9 years ago | (#11755329)

Tripwire, anyone?

Re:Um (1, Informative)

Anonymous Coward | more than 9 years ago | (#11755483)

Not even close. rootkits change system innards in such a way that processes magically don't show up in /proc, or 'ps' output, that md5 of 'somefile' returns a false signature, and other bits of magic.

The point of a rootkit is to subvert the system at such a deep level that tools like tripwire are fooled.

I scanned mine.. (0, Troll)

Folmer (827037) | more than 9 years ago | (#11755337)

And it told me that I had a rootkit installed called Windows XP SP2. To remove it I had to download something called FedoraHat....

About the software (2, Interesting)

JordanAU (855885) | more than 9 years ago | (#11755382)

I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds?? In other words is it foolproof?? I'm sorry that was a bad question. How foolproof is it??

Re:About the software (4, Informative)

Anonymous Coward | more than 9 years ago | (#11755588)

I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds??

Short answer - no. It will flag stuff that is hidden from the Native Windows API but not everything that's hidden is bad.

It's kind of a moot point anyway. If you find that you've been rootkitted you shouldn't try and clean it. You should reach for your original install media and start over.

Alternatively, take off and nuke the site from orbit. Apparently it's the only way to be sure.

Re:About the software (1)

arkanes (521690) | more than 9 years ago | (#11755607)

In your case, the answer is simple: don't use this software, it's not for you. It's a tool for skilled admins, not a point & click "removal" tool like Spybot.

Rootkit Ben Kanobi says... (1, Insightful)

ScentCone (795499) | more than 9 years ago | (#11755393)

If you detect my rootkit, I will become more powerful than you can possibly imagine.

This really does feel like raising the stakes (or poking a bear with one, regardless).

Unavoidable, I suppose. <sigh>

Re:Rootkit Ben Kanobi says... (0)

Anonymous Coward | more than 9 years ago | (#11755623)

Yeah, I shouldn't raise the stakes on this issue. I should just let some fucktard do as he pleases with my computer and violate my privacy as Capt Ass Dribbler so desires. No thanks. Let's go ahead and escalate to the next level and the one after that when the time comes. Eventually it will be exceptionally clear that there is no middle ground. You're either breaking the law or you aren't. If you are, you'll not be able to pretend not to have made a significant effort to do so.

Like a partition? (1)

bigattichouse (527527) | more than 9 years ago | (#11755414)

Just waiting for a root kit that fdisks, makes a partition at the end, and hides there. Would standard MBR scans catch that?

Re:Like a partition? (1)

XMyth (266414) | more than 9 years ago | (#11755546)

It still has to modify system files to do anything.

Microsoft BSA (5, Informative)

TheFlyingGoat (161967) | more than 9 years ago | (#11755415)

While you're at it, download the Microsoft Baseline Security Tool [microsoft.com] . It's not quite the same, but it's an excellent tool for anyone looking to make their Windows box more secure. It can also scan computers on your network (that you have rights on), so you can easily find all the Windows boxes on your network that aren't up to date on their patches, have Guest accounts enabled, or other bad things.

Someone's got root... and I don't think it's me (2, Interesting)

LordCybrid (811339) | more than 9 years ago | (#11755417)

Funny enough, when I tried to run RootKit Revealer, I got the 'Root kit detection utility has encountered a problem and needs to close. We are sorry for the inconvenience.' Error. Not that that's suspicious, or anything like that...

how about a live cd? (2, Interesting)

zerkon (838861) | more than 9 years ago | (#11755420)

waiting for the whoppix project to produce a livecd distro I can just pop in...

RootKit in windows? (1)

Zangief (461457) | more than 9 years ago | (#11755425)

Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

Re:RootKit in windows? (0)

Anonymous Coward | more than 9 years ago | (#11755503)

the "Root" of the system

Re:RootKit in windows? (4, Funny)

tverbeek (457094) | more than 9 years ago | (#11755562)

Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

For the same reason trackpads, wireless pointing devices, and such are called "mice", even though they look nothing like a mouse.... why solid state storage devices are called "flash disks" or "flash drives", even though there's nothing flat and circular in them and no moving parts... why the stuff in the middle of pencils is called the "lead", even though it's mostly graphite... why magazines featuring stories told with sequential art are called "comic books", even though they're usually not humorous.

Simple, really (4, Informative)

sczimme (603413) | more than 9 years ago | (#11755604)

Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

The entity/app/device known as a rootkit was first popularized (so to speak) as a way for the intruder to hide his tracks and maintain root access on a Unix machine. If rootkits had first become popular (again, so to speak) on Win32 machines they likely would have been called adminkit or similar.

In a general techspeak sense, though, (root == full access); most techies have at least a nodding acquaintance with Unix so the idea of root makes sense regardless of the OS in question.

The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be a relatively simple matter to acquire it again.

Free Rootkit... (1)

Forget4it (530598) | more than 9 years ago | (#11755462)

Is that free as in speech or as in beer?
Free Root Beer!

Ha ha.

Reputation Counts (5, Insightful)

Ridgelift (228977) | more than 9 years ago | (#11755485)

Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use Sysinternals' over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals" [sysinternals.com]. They put their name on everything they give away and sell.

When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS [sysinternals.com] have saved my butt in the field.

Way to go Sysinternals.

my office pc is infected = howto remove? (0)

Anonymous Coward | more than 9 years ago | (#11755495)

Here I copy and paste the results of the scan on my corporate workstation, running NT 4.0.

And yes, they are out to get me :(

D:\$AttrDef 09.08.02 14:53 35.16 KB Hidden from Windows API.
D:\$BadClus 09.08.02 14:53 0 bytes Hidden from Windows API.
D:\$BadClus:$Bad 09.08.02 14:53 9.30 GB Hidden from Windows API.
D:\$Bitmap 09.08.02 14:53 2.33 MB Hidden from Windows API.
D:\$Boot 09.08.02 14:53 8.00 KB Hidden from Windows API.
D:\$LogFile 09.08.02 14:53 4.00 MB Hidden from Windows API.
D:\$MFT 09.08.02 14:53 25.95 MB Hidden from Windows API.
D:\$MFTMirr 09.08.02 14:53 4.00 KB Hidden from Windows API.
D:\$Quota 09.08.02 14:53 0 bytes Hidden from Windows API.
D:\$UpCase 09.08.02 14:53 128.00 KB Hidden from Windows API.
D:\$Volume 09.08.02 14:53 0 bytes Hidden from Windows API.
D:\WINNT\Profiles\admeier\Anwendungsdaten\Mozilla\Firefox\Profiles\Default User\Cache\EE31AF68d01 23.02.05 16:13 135.60 KB Visible in Windows API but not in MFT or directory index.

Re:my office pc is infected = howto remove? (0)

Anonymous Coward | more than 9 years ago | (#11755624)

easy [debian.org]

No info on what the results mean! (1)

techmuse (160085) | more than 9 years ago | (#11755500)

Ok. So I ran the utility and got 33 discrepancies. Some look like they are probably default MS stuff (as described on the sysinternals site). But not all. But how do I tell what those other things are? Are they a rootkit, or just a normal part of Windows?
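The scan output pasted a few comments up and the question here ("are they a rootkit, or just a normal part of Windows?") can be triaged mechanically. The following is an added example, not part of the thread and not Sysinternals' own code: it parses lines in the format RootkitRevealer prints (path, date, time, size, discrepancy text), labels NTFS metadata files (names beginning with $ at the volume root) as expected, treats entries visible to the Windows API but absent from the MFT as likely transient (typically a file written while the scan ran; rescan to confirm), and flags anything else hidden from the Windows API for review. The sample lines are constructed: the driver file name is a placeholder, and the format of the "Access is denied" line is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format RootkitRevealer prints, as quoted in the
# thread: "<path> <dd.mm.yy> <hh:mm> <size> <unit> <discrepancy text>."
# EXAMPLE_hidden.sys is a placeholder, not a real rootkit indicator; the
# last line's "Access is denied" format is an assumption.
SAMPLE_SCAN = r"""
D:\$MFT 09.08.02 14:53 25.95 MB Hidden from Windows API.
D:\$BadClus:$Bad 09.08.02 14:53 9.30 GB Hidden from Windows API.
D:\$Quota 09.08.02 14:53 0 bytes Hidden from Windows API.
D:\WINNT\Profiles\user\Application Data\Mozilla\Firefox\Profiles\Default User\Cache\EE31AF68d01 23.02.05 16:13 135.60 KB Visible in Windows API but not in MFT or directory index.
C:\WINNT\system32\drivers\EXAMPLE_hidden.sys 20.02.05 03:12 13.00 KB Hidden from Windows API.
C:\System Volume Information: Access is denied.
"""

# Path is matched non-greedily up to the first "dd.mm.yy hh:mm" token pair,
# so paths containing spaces ("Default User") still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+?)\.?$"
)

# NTFS metadata files live at the volume root and start with "$"; the Win32
# API never lists them, so "Hidden from Windows API" is expected for them.
# Also accepts named streams such as $BadClus:$Bad.
NTFS_META_RE = re.compile(r"^[A-Za-z]:\\\$[A-Za-z]+(?::\$[A-Za-z]+)?$")


@dataclass
class Finding:
    path: str
    description: str
    verdict: str   # "expected", "transient", "suspicious" or "info"
    reason: str


def parse_line(line):
    """Return the fields of one scan line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(entry):
    """Classify one parsed discrepancy into a Finding."""
    path, desc = entry["path"], entry["desc"]
    if desc.startswith("Visible in Windows API but not in MFT"):
        return Finding(path, desc, "transient",
                       "present in the API view only; usually a file written during "
                       "the scan, rescan to confirm")
    if desc.startswith("Hidden from Windows API"):
        if NTFS_META_RE.match(path):
            return Finding(path, desc, "expected",
                           "NTFS metadata file; the Win32 API does not enumerate these")
        return Finding(path, desc, "suspicious",
                       "seen by the low-level scan but hidden from the Win32 API; "
                       "review, ideally from a boot of known-clean media")
    return Finding(path, desc, "info", "unrecognised discrepancy text")


def triage_scan(text):
    """Parse every non-blank line of a scan dump and return Findings in order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = parse_line(line)
        if entry is not None:
            findings.append(triage(entry))
        elif "Access is denied" in line:
            # Permission failure of the scanner itself, not a cloaked object.
            path = line.rsplit(":", 1)[0].strip()
            findings.append(Finding(path, "Access is denied", "info",
                                    "scanner lacked permission to read this object"))
        else:
            findings.append(Finding(line, "", "info", "unparsed line"))
    return findings


def summarize(findings):
    """Count findings per verdict, e.g. {'expected': 3, 'suspicious': 1, ...}."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in triage_scan(SAMPLE_SCAN):
        print(f"{f.verdict:10} {f.path}  ({f.reason})")
```

The point of the rules is to shrink the list to what actually needs a human look: of the 33 discrepancies mentioned, anything matching the $-prefixed metadata pattern or the "visible in API but not in MFT" text can be set aside, leaving the "hidden from Windows API" entries on ordinary paths as the ones worth checking.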

Paranoid? (3, Interesting)

DoChEx (558465) | more than 9 years ago | (#11755514)

Is it just me or do other people think this is just part of the ongoing line of propaganda to undermine current technology and make people more open to the idea of Trusted Computing, formerly known as Palladium??? I know the current software isn't perfect, but you'll never have a completely safe system so long as the user operating it has system administrator privileges. Trusted Computing, or the solution to the above problem, is to implement security access where even the owner of the system is deemed untrustworthy.

You can download this from Usenet if slashdotted (0)

Anonymous Coward | more than 9 years ago | (#11755548)

It's currently hidden in a naked Christina Aguilera avi file so The Man will keep his hands off it. I would install it double quick without taking any time to scan it for viruses. It's just too important to wait.

The key word is... (1)

fatgeekuk (730791) | more than 9 years ago | (#11755565)

not YET found.

Just wait a month/week/day and there will be a new rootkit specifically engineered to be undetectable.

It's like publishing your own personal list of spam filter rules... as soon as you do, all the spammers use this to work out a wrinkle.

I'm not sure if it would help (1)

Gary Destruction (683101) | more than 9 years ago | (#11755591)

But Crucial Security has a tool called Crucial ADS which scans for alternative data streams in NTFS volumes. http://www.crucialsecurity.com/downloads.html

We need forums... (0)

Anonymous Coward | more than 9 years ago | (#11755617)

Looks like somebody's going to have to start a RootkitRevealer forum to go with all the HJT forums, 'cause I sure can't tell what's what on this scan. "Post your RKR scan here and we'll tell you what's hosed."

Google and Sysinternals... (2, Interesting)

scovetta (632629) | more than 9 years ago | (#11755710)

Google and Sysinternals are the only two companies that always make me feel good about being a Computer Scientist.

If I were Google, I'd buy Sysinternals and have them help build GoogleOS.

Sysinternals.com is a Good site (5, Informative)

tristanj (797805) | more than 9 years ago | (#11755734)

Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

Here are some good tools of theirs that I use frequently:

Autoruns
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml [sysinternals.com] shows a complete list of programs that start up automatically when Windows starts.

Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml [sysinternals.com] Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware.

Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml [sysinternals.com] Like Filemon, but for registry access. Shows keys being read and created.

Pagedefrag
http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml [sysinternals.com] Defrags the registry hives (most of the registry is stored on disk but is not typically defragmented by many tools) and the paging file.

Also many others here:
http://www.sysinternals.com/ntw2k/utilities.shtml [sysinternals.com]

IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

Got about 15 "Access is denied" results (1)

Nine Tenths of The W (829559) | more than 9 years ago | (#11755735)

Is this normal?

How do you REMOVE a rootkit? (3, Insightful)

Eric_Cartman_South_P (594330) | more than 9 years ago | (#11755743)

This is good and all, but how do you remove a Rootkit if it finds one?