The expert who drew my attention to that particular article commented that
the reason the rootkit was found was that it GPF'd on customers' machines.
If it had been perfect, it might not have been found.
Microsoft security staff are well aware of the cat and mouse game involved
in rootkit detection--Sysinternals has already modified the working of their
tool to counter a rootkit which had been designed to detect it. That
feedback loop will continue. Let's hope that the brains on the good side of
the issue can do better than those writing the malware.
The purpose of citing the article is to make it clear that Microsoft
Antispyware does target spyware which uses rootkit technology to hide.
There are a number of other rootkit finding tools becoming available--here's
a list of those I'm aware of:
Sysinternals RootKitRevealer:
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
(free, but care needed in interpreting results. Not useful on some servers
that I've tested where standard features result in very large numbers of
alternate data streams.)
F-Secure's Blacklight:
http://www.f-secure.com/blacklight/
Beta free through April 30th.
I haven't seen what a positive result looks like with this one--it works on
the servers where RootKitRevealer found hundreds of thousands of results.
And, finally, Klister:
(I've not used this one yet.)
Subject: [TOOL] Klister - Windows Kernel Level Rootkit Detector
Date: 4 Apr 2005 17:58:48 +0200
From: SecuriTeam <[email protected]>
To: (e-mail address removed)
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site:
http://www.securiteam.com
Klister - Windows Kernel Level Rootkit Detector
------------------------------------------------------------------------
SUMMARY
DETAILS
Klister is a simple set of utilities for Windows 2000, designed to read
the internal kernel data structures, in order to get reliable information
about the system state (including list of all processes, including those
"hidden" by some rootkits).
Klister consists of a kernel module and some exemplary userland programs
that communicate with the kernel module in order to display some internal
kernel data structures. The most interesting ones are thread lists which
are used by the kernel dispatcher (scheduler) code. When reading such an
internal list we can be (almost) sure that we're getting a list of all threads
in the system (including those which belong to hidden processes), and it also
means that we can create a complete list of ALL PROCESSES in the system.
Download Information:
The tool can be downloaded from:
http://www.rootkit.com/vault/joanna/klister-0.4.zip
ADDITIONAL INFORMATION
To keep updated with the tool visit the project's homepage at:
http://www.rootkit.com/project.php?id=14
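The advisory describes the "cross-view" idea behind Klister: a rootkit that unlinks its process from the kernel's process list (the list user-mode enumeration APIs ultimately depend on) still has threads sitting in the dispatcher's thread lists, because unlinking those would stop it from being scheduled. Walking the thread list, mapping each thread back to its owner, and comparing that set of PIDs with the process-list view exposes the gap. The following is an added example, not Klister's code and not taken from the advisory or the original post: it uses stand-ins for the Windows LIST_ENTRY / CONTAINING_RECORD idioms and a constructed three-process scenario (process IDs, names and thread IDs are made up), then reports which PIDs are reachable through threads but missing from the process list.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the Windows LIST_ENTRY and CONTAINING_RECORD idioms used by
 * kernel linked lists: the link lives inside the object, and the owning
 * object is recovered by subtracting the field offset. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Simplified process object (hypothetical layout, not the real EPROCESS):
 * linked into the active-process list that enumeration APIs walk. */
typedef struct _PROC {
    unsigned long pid;
    char name[16];
    LIST_ENTRY ActiveProcessLinks;
} PROC;

/* Simplified thread object (hypothetical layout): linked into the
 * dispatcher's thread list and pointing back at its owning process. */
typedef struct _THREAD {
    unsigned long tid;
    PROC *owner;
    LIST_ENTRY DispatcherLinks;
} THREAD;

#define MAX_PIDS 64

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_append(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* The unlink a DKOM-style rootkit performs: neighbours bypass the entry,
 * the object itself stays alive and its threads keep getting scheduled. */
static void list_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

static int contains(const unsigned long *a, int n, unsigned long v) {
    for (int i = 0; i < n; i++)
        if (a[i] == v) return 1;
    return 0;
}

/* High-level view: PIDs found by walking the process list. */
static int pids_from_process_list(LIST_ENTRY *head, unsigned long *out) {
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < MAX_PIDS; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, PROC, ActiveProcessLinks)->pid;
    return n;
}

/* Low-level view: unique owner PIDs found by walking the dispatcher thread list. */
static int pids_from_thread_list(LIST_ENTRY *head, unsigned long *out) {
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < MAX_PIDS; e = e->Flink) {
        THREAD *t = CONTAINING_RECORD(e, THREAD, DispatcherLinks);
        if (!contains(out, n, t->owner->pid)) out[n++] = t->owner->pid;
    }
    return n;
}

/* Cross-view diff: PIDs that own scheduled threads but are absent from the
 * process list. Returns the count and fills `hidden`. */
static int find_hidden_pids(LIST_ENTRY *proc_head, LIST_ENTRY *thr_head,
                            unsigned long *hidden) {
    unsigned long api[MAX_PIDS], low[MAX_PIDS];
    int napi = pids_from_process_list(proc_head, api);
    int nlow = pids_from_thread_list(thr_head, low);
    int nh = 0;
    for (int i = 0; i < nlow; i++)
        if (!contains(api, napi, low[i])) hidden[nh++] = low[i];
    return nh;
}

/* Constructed scenario (not real system data): three processes with five
 * threads between them. When `hide` is set, PID 1337 is unlinked from the
 * process list but its two threads remain in the dispatcher list. */
static int scenario(int hide, unsigned long *hidden) {
    static PROC procs[3] = { {4, "System"}, {620, "lsass"}, {1337, "hidden"} };
    static THREAD threads[5];
    static const int owner_idx[5] = {0, 0, 1, 2, 2};  /* thread -> procs[] index */
    LIST_ENTRY proc_head, thr_head;
    list_init(&proc_head);
    list_init(&thr_head);
    for (int i = 0; i < 3; i++) list_append(&proc_head, &procs[i].ActiveProcessLinks);
    for (int i = 0; i < 5; i++) {
        threads[i].tid = 100 + i;
        threads[i].owner = &procs[owner_idx[i]];
        list_append(&thr_head, &threads[i].DispatcherLinks);
    }
    if (hide) list_unlink(&procs[2].ActiveProcessLinks);
    return find_hidden_pids(&proc_head, &thr_head, hidden);
}

int main(void) {
    unsigned long hidden[MAX_PIDS];
    int n = scenario(1, hidden);
    printf("%d process(es) present in the thread view but missing from the process list:", n);
    for (int i = 0; i < n; i++) printf(" pid %lu", hidden[i]);
    printf("\n");
    return 0;
}
```

The detection depends on the two views being built from independent data: if a rootkit also hooks the path the low-level view uses, or the scanner itself runs through patched code (the cat-and-mouse feedback loop mentioned above), the comparison returns nothing. In practice that is why Klister reads the dispatcher structures directly from a kernel module rather than asking the same APIs the rootkit already controls.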