How do I run a rootkit scanner from a boot CD


#1 MaryBet82
Posted 04 January 2010 - 10:01 PM

I ran a Trend Micro Housecall scan right after a regular daily scan with my installed AV [AVG 9 free] and it reported 3 rootkits with variations of the name "absence" and 6 trojans of the Troj IFrame CP type. Housecall reported all problems fixed after I clicked the fix button.

I had been reading about rootkits and was intending to make a boot CD with a rootkit scanner to scan both of my computers, since several of the articles said this was the only way to detect some rootkits. I haven't found a how-to article, though, with the name of a current rootkit scanner that works from a bootable CD, whether I should scan with more than one scanner, and how I interpret the scans.

I read about rootkits as part of my research on how to figure out why my computers run so slow. I wanted to rule out any infections before beginning hardware and configuration diagnostics. [I was just trying to figure out what combination of antiviral and antimalware scans to run, and ran into rootkit info and freaked out.] These computers were slow out of the box, but that doesn't mean they didn't pick something up while I've been researching how to fix them while trying to use them.

Some of the articles I read were from 2005 and current rootkit scanners seem more confident about detecting rootkits from scans inside of the running OS. However, as far as I know, to be sure one has to scan for rootkits outside of the OS.

So, can I just put RootkitRevealer on a bootable CD, or does it have to be installed into an OS? Do I have to actually know what I'm doing to do a reliable scan, or will the scanner know?

mac 10.6 on MacBook Pro
WinXP SP2 on Dell 380 with 512 MB RAM - currently dead in the water
WinXP Tablet Ed. SP3 on ThinkPad X41 with 1.5 GB RAM - lemony flavored
Win2K SP4 on Sony VAIO GXR600 with 512 MB RAM - currently blue screening

#2 MaryBet82 (Topic Starter)
Posted 16 January 2010 - 08:41 PM

This is an edit, but I can't find an edit option.

After more reading:
* RootkitRevealer installs itself as a Windows service and is meant to work within the running OS. I haven't found any "outside the box" scanners currently available, despite all the articles that said such scans were the most reliable [many articles said the only] way to make sure a rootkit was not present. I also haven't found a description of how such a scan is done. If rootkit code, even unpublished/unknown rootkit code, were readily and reliably identifiable when the Master Boot Record and other files were read or parsed or whatever from outside the OS, then I'd think bootable rootkit scanners would be readily available, and they're not.

* From reading articles I mostly don't understand, there currently seem to be two basic types of rootkit scanners available. One type looks for the signatures of rootkits whose code is publicly available and, I'm guessing, of rootkits found by the antimalware people. I'm assuming Trend Micro, avast, AVG, BitDefender, etc., scan for signatures.

* The second type of scanner, which I think is called a cross-view scanner, does two types of scans from within the running OS: a "high level" scan that uses the Windows API to list files, and a "low level" scan that obtains its file list by reading from the NTFS directly. The results of the two scans are compared, looking for files listed in the results from the "raw content" scan that are not listed [therefore possibly intentionally hidden] in the high level scan. Cross-view scans have the capability of finding rootkits without known signatures, but their results apparently require considerable expertise to interpret.

* RootkitRevealer and BlackLight [no longer a free download] are cross-view scanners. The TechNet RootkitRevealer article dated 2006 said it was possible, but very unlikely, that a rootkit could fool RootkitRevealer [http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx]. I don't know if that still holds true in 2010.

* RootRepeal scans for signatures. Since it looks for "typical symptoms" it may also use heuristic methods. Since it IDs hidden files it sounds like it also does a cross-view scan comparison, unless it crashes and you change the disk access level. I'm assuming [again] that "disk access level" refers to gaining kernel-level access to read the MFT and registry hives directly, what RootkitRevealer calls "raw content", to generate its "low level" file list.

* Most actual-information articles that aren't completely technical Greek that I've found about rootkits and non-signature antirootkit detection methods are from 2005-2006. I hope that's because current AVs with signature-type antirootkit protection are effective for home computers.

* I would think/guess the average home computer would be much more likely to encounter rootkits with published code than be targeted by someone capable of writing their own rootkit code. I haven't, however, found any good rootkit articles that provide info/recommendations based on risk probability/threat type for home computers. Maybe no one has that data.

* Having done a LOT more reading about rootkits I now know a lot more about what I don't know.
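The cross-view comparison the post above describes, as an added example that is not from the original thread and is not RootkitRevealer's or any product's code. The two listings are constructed in the script: API_VIEW stands in for what a Windows directory-listing API call returns, RAW_VIEW for what reading the NTFS MFT directly returns; a real scanner has to obtain the second listing with raw disk access, which this example does not do. A hidden driver and an altered file size are planted so the diff has something to flag, and the TransientRaw class simulates a temp file that exists during the first pass only, the benign discrepancy that makes single-pass results hard to interpret.

```python
"""Cross-view detection: diff a high-level (API) file listing against a
low-level (raw NTFS) listing. Constructed data; added example, not a tool."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

Finding = Tuple[str, str]  # (path, reason)


@dataclass(frozen=True)
class Entry:
    path: str   # path as the view reports it
    size: int   # size in bytes as the view reports it


# Constructed "high level" view: what a Windows directory-listing API would return.
API_VIEW = [
    Entry(r"C:\WINDOWS\system32\ntoskrnl.exe", 2_189_184),
    Entry(r"C:\WINDOWS\system32\drivers\atapi.sys", 96_512),
    Entry(r"C:\Documents and Settings\user\notes.txt", 1_024),
]

# Constructed "low level" view: what parsing the MFT directly would return.
# Planted: a driver the API never lists, and atapi.sys with a different size.
RAW_VIEW = [
    Entry(r"C:\WINDOWS\system32\ntoskrnl.exe", 2_189_184),
    Entry(r"C:\WINDOWS\system32\drivers\atapi.sys", 98_304),
    Entry(r"C:\Documents and Settings\user\notes.txt", 1_024),
    Entry(r"C:\WINDOWS\system32\drivers\hidden.sys", 40_960),
]


def cross_view(api: Iterable[Entry], raw: Iterable[Entry]) -> List[Finding]:
    """Return every discrepancy between the two views, sorted by path."""
    api_by_path = {e.path: e for e in api}
    raw_by_path = {e.path: e for e in raw}
    findings: List[Finding] = []
    for path, raw_entry in raw_by_path.items():
        api_entry = api_by_path.get(path)
        if api_entry is None:
            # In the directory index on disk, but not reported by the API.
            findings.append((path, "hidden from Windows API"))
        elif api_entry.size != raw_entry.size:
            # Both views list it, but they disagree about its contents.
            findings.append((path, f"size mismatch: API {api_entry.size}, raw {raw_entry.size}"))
    for path in api_by_path:
        if path not in raw_by_path:
            # Reported by the API with no backing directory entry.
            findings.append((path, "visible to Windows API but not in directory index"))
    return sorted(findings)


class TransientRaw:
    """Simulates a file that exists only during the first raw listing
    (e.g. a temp file created and deleted between the two scans)."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self) -> List[Entry]:
        self.calls += 1
        extra = [Entry(r"C:\WINDOWS\Temp\~tmp.dat", 512)] if self.calls == 1 else []
        return RAW_VIEW + extra


def stable_findings(scan: Callable[[], List[Finding]], passes: int = 2) -> List[Finding]:
    """Run the cross-view scan several times and keep only findings present in
    every pass, dropping discrepancies caused by files changing between listings."""
    kept = None
    for _ in range(passes):
        current = set(scan())
        kept = current if kept is None else kept & current
    return sorted(kept or [])


if __name__ == "__main__":
    raw = TransientRaw()
    print("single pass:")
    for path, reason in cross_view(API_VIEW, raw()):
        print(f"  {path}: {reason}")
    raw = TransientRaw()
    print("stable across passes:")
    for path, reason in stable_findings(lambda: cross_view(API_VIEW, raw())):
        print(f"  {path}: {reason}")
```

The single pass reports the temp file alongside the two planted discrepancies; the repeated pass keeps only the hidden driver and the size mismatch. Surviving findings still need a human to decide whether they are a rootkit or a legitimate driver that filters its own files, which is the interpretation work the post refers to.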