Scan for rootkit from livecd?


7 replies to this topic

#1 Ninja Raccoon

  • Members
  • 5 posts

Posted 07 April 2009 - 11:53 AM

I was wondering what everyone thinks about using a live cd to do a rootkit scan?

Would it be more reliable?
Is it even possible?
If so, any recommendations?

Rootkits are the one area that I'm not really familiar with, and I'm trying to find ways to scan for them.

#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 07 April 2009 - 01:31 PM

Although I wouldn't recommend doing it yourself, this is common knowledge and there is a tutorial for it:
http://www.malwarebytes.org/forums/index.php?showtopic=12709

All I will say is, unless you are absolutely positive of what it is that you are going to delete, ask for help.

Edited by garmanma, 07 April 2009 - 01:33 PM.

Mark

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 07 April 2009 - 02:41 PM

Hello.

It is important to remember that a rootkit is a program that hides from Windows.

Rootkit scanners work by comparing what Windows sees, tainted, with an untainted view and identifying the differences.

If using a bootable disk that runs when Windows is not, then you can't distinguish between hidden and not.

With Regards,
The Panda

#4 Ninja Raccoon

  • Topic Starter
  • Members
  • 5 posts

Posted 07 April 2009 - 02:57 PM

"If using a bootable disk that runs when Windows is not, then you can't distinguish between hidden and not."

Thanks for the response,

That's pretty much the way I've understood rootkits, but never hurts to ask in my opinion.

#5 burn1337

  • Banned
  • 311 posts

Posted 07 April 2009 - 05:56 PM

OK, rootkits are like trojans, or worms... They do much more than just hiding and concealing themselves... Any kind of program, malicious or not, can hide itself from Windows; any trojan, virus, worm, malware, spyware, can hide itself from Windows, any of which can also be polymorphic, or shut down scanners, or cloak themselves from scanners... But that does not make a rootkit..
A rootkit is a program like a trojan or worm that provides an immediate back door to the system, while also granting root, or administrative, privileges... Though, in recent years, rootkits have become more and more coded for Windows operating systems... They were originally used to take over a Linux operating system, by providing the cracker, or script kiddie, root access to the computer/server; hence where the name "Root-kit" came into play...

Also for a bit of clarification... Scanners do not use an untainted versus tainted view... Scanners find spyware, viruses, malware, etc. by scanning the program, or file, itself... Some of these scans use section comparison, meaning if any section of code in a program or file matches this section, then we have a possible infection... Some use statement comparisons, meaning if any statement in a program or file matches this statement, then we have a possible infection... Some may even use binary comparisons, which are pretty much everything I have just stated, in a binary sense, or being the fact that with different formatting one single binary byte can have or do a vast variety of different things... It can check for specific structures in bytes, kilobytes, etc... If a program or file is flagged with any of these, it will then be put into a deeper scanning process, until it is either identified as one in its database, or it is not able to be identified; for some they may even present the flag to the end user...

Here is something else: those programs that hide from Windows have a variety of different ways that they do this... They can be running in the memory (RAM), and within the program's area of RAM could set the permissions to where no one or nothing is allowed to access it, causing it to not be scanned; some can move around, say when a scan is initiated, when the anti-virus/spyware has gotten into the directory in which the program resides it will jump to a different directory, until the AV/AS has left that directory, then jump back... Some can even splice themselves among multiple files, some can change the way they look (these are polymorphic)... What they do is, when it is about to be scanned, it will splice off anything that might be flagged by the AV/AS software, put it in a different file, this way once scanned, it doesn't set off any flags, and then returns its spliced-off sections once the scan is complete... (most of the time these polymorphic programs would have to be running in your RAM to be able to defend themselves against AV/AS software)...

Doing a scan from a Live Linux CD I have found to be one of the best ways to scan for spyware, or viruses, or anything really... Why? Because programs that are programmed for Windows would need Windows to run... So therefore they are not able to run in a Linux environment... Then when you do a scan, it is 10 times easier to find the program; it's kind of like putting the entire Windows operating system into a box, and then closing that box, while doing an x-ray scan, and nothing can escape the box... But I guess I should also warn and urge those who do not know anything about Linux to be more than just cautious when using any Linux OS to work on a Windows OS...

#6 Romeo29

    Learning To Bleep

  • BC Advisor
  • 3,194 posts
  • Location:127.0.0.1

Posted 08 April 2009 - 03:49 PM

From the Avast! website:

Like avast! for Windows, the avast! engine for Linux also features outstanding unpacking support. It can scan inside almost the same number of archives as under Windows, with the exception of MAPI, CAB, ACE, CHM, 7ZIP and NTFS streams.


Reference:
http://www.avast.com/eng/avast-for-linux-workstation.html


In my opinion, Linux antivirus products are designed to scan for viruses and other malware coded for Linux. It would be a waste of RAM and CPU power scanning for viruses coded for Windows only. These viruses cannot infect Linux.

#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 08 April 2009 - 04:12 PM

Hello.

From what I understand, rootkit scanners use the comparison method for files, processes, and registry entries to identify rootkit-hidden items, not to find whether a file is infected or not.

I haven't heard of malware being able to dodge scanners in that way before. Could you please provide a source for this info?
---
There are bootable disks designed to scan for files on Windows systems. This is effective because, as mentioned, the infections are not active.

With Regards,
The Panda
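
The cross-view idea from this post and the earlier one (#3), carried over to the live-CD case, as an added example that is not from the thread: a Python script that compares a file listing captured inside the running Windows system with one taken from the same volume mounted read-only under a live CD, so that files the running system never reported stand out. The mount point /mnt/win, the file names and the TRANSIENT exclusion list are constructed assumptions.

```python
"""Offline cross-view check: compare a file listing captured inside the running
Windows system (what a live rootkit lets the OS see) with one taken from the
same NTFS volume mounted read-only under a live CD, where no rootkit is active."""

# Files that legitimately differ between the two views (constructed, not exhaustive).
TRANSIENT = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}

def normalize(path: str, mount_prefix: str = "", drive: str = "C:") -> str:
    """Map a live-CD mount path back to its Windows drive path and fold case,
    since NTFS names are case-insensitive and separators differ per OS."""
    p = path.strip()
    if mount_prefix and p.startswith(mount_prefix):
        p = drive + p[len(mount_prefix):]
    return p.replace("/", "\\").casefold()

def parse_listing(text: str, mount_prefix: str = "") -> set[str]:
    """One path per line; blank lines and '#' comments are ignored."""
    return {normalize(ln, mount_prefix) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def cross_view_diff(online: set[str], offline: set[str]) -> dict[str, list[str]]:
    """'hidden_online': seen only offline, the rootkit indicator.
    'phantom_online': seen only online, usually files created after the offline
    listing was taken. Known transient files are skipped in both."""
    keep = lambda p: p.rsplit("\\", 1)[-1] not in TRANSIENT
    return {"hidden_online": sorted(filter(keep, offline - online)),
            "phantom_online": sorted(filter(keep, online - offline))}

# Constructed listing as 'dir /s /b' might produce it inside Windows.
ONLINE_LISTING = r"""
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\kernel32.dll
C:\pagefile.sys
C:\Users\Example\Documents\report.docx
"""

# Constructed listing of the same volume mounted at /mnt/win under a live CD.
OFFLINE_LISTING = r"""
/mnt/win/Windows/System32/drivers/ntfs.sys
/mnt/win/Windows/System32/drivers/hidden_example.sys
/mnt/win/Windows/System32/kernel32.dll
/mnt/win/Windows/System32/hidden_example.dll
/mnt/win/Users/Example/Documents/report.docx
/mnt/win/hiberfil.sys
"""

def run_example() -> dict[str, list[str]]:
    online = parse_listing(ONLINE_LISTING)
    offline = parse_listing(OFFLINE_LISTING, mount_prefix="/mnt/win")
    return cross_view_diff(online, offline)
```

A hit only says the running system did not report the file; a listing taken at a different time, or a file carrying the ordinary hidden attribute, has to be ruled out before treating it as rootkit activity.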

#8 burn1337

  • Banned
  • 311 posts

Posted 08 April 2009 - 06:09 PM

Romeo - That is kinda funny, I never noticed that Avast 4 Linux wasn't for NTFS streams, yet I have scanned multiple NTFS formats with it on my Linux box... And if I remember correctly, the only time I ever had any problems was on a hard drive that had so many bad sectors and cylinders it was not even able to be used, period, lol...
Edit: That reminds me, I think using the kernel libraries can make a difference, because when I was scanning my NTFS formats, I had the kernel libraries... Not sure though...

Panda - Well I am sorry I am not able to provide any link references, but I can tell you that if you take a look at some good security books, they will tell you a lot more than you think you know (did so even with me)... Though I wouldn't recommend "Steal this Computer Book" as a great reference, it is still a very good reference... "Hacking: the art of exploitation" is a very great reference, though not one for computer-illiterate people; it is best to have programming experience prior to reading... "Guide to Linux Networking and Security", though not the very best for Windows users, is still a very good and in-depth book of everything from protecting against hackers, spyware, rootkits, anti-virus, etc... When I get a chance to look for some more good references I will let you know... Those are just the books within 3 feet of me lol...

Also, good scanners will scan each file to make sure it is not infected... Looking for just malware, or just spyware, etc. would not need to scan every file, but rather just scan for discrepancies that would lead to those files... Viruses, trojans, worms (though rare for worms), as well as some rootkits, can infect other files on the system to help hide themselves... Some sophisticated programs might even splice themselves off and hide remnants in other files...
Edit: Also it is good practice to scan all files, because any kind of program, malware, spyware, batch, exe, or anything can also be spliced into some other kind of file, including pictures, videos, text, etc...

Edited by burn1337, 08 April 2009 - 06:16 PM.




