Topic: Detecting RootKits (Read 29442 times)

sajman99

  • Supporting Member
  • Joined in 2006
  • Posts: 664
Re: Detecting RootKits
« Reply #25 on: June 28, 2009, 03:37 PM »
Lots can change in two years, particularly in a security-related field like anti-rootkits (ARKs). I readily admit I'm not an "expert" in this security area, but I've searched in the effort to find some newer ARKs.

One of the most recommended ARKs out there is GMER at http://www.gmer.net. It's been updated several times lately and is well regarded.

In addition, I really like this ARK I had not previously heard about: GamingMaster's Kernel Detective (latest version 1.30). It runs fast, is stable, and provides a wealth of information.

The development details and Kernel Detective download link are available here: http://www.at4re.com...hp?p=51875#post51875
The relevant Sysinternals forum thread for those interested can be found here: http://forum.sysinte...p?TID=19056&PN=1

If somebody has some more ARK recommendations, I am definitely interested.  :)
« Last Edit: June 28, 2009, 03:40 PM by sajman99 »

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
Re: Detecting RootKits
« Reply #26 on: June 28, 2009, 08:48 PM »
A paragraph from Wikipedia on rootkits, which seems to make good sense. It's not as up to date as it could be.

The best, and most reliable, method for operating system-level rootkit detection is to shut down the computer suspected of infection, and then to check its storage by booting from an alternative trusted medium (e.g. a rescue CD-ROM or USB flash drive)[citation needed]. A non-running rootkit cannot actively hide its presence, and most established antivirus programs will identify rootkits armed via standard OS calls (which are often tampered with by the rootkit) and lower level queries, which ought to remain reliable. If there is a difference, the presence of a rootkit infection should be assumed. Running rootkits attempt to protect themselves by monitoring running processes and suspending their activity until the scanning has finished; this is more difficult if the rootkit is not allowed to run.[citation needed]

Just to complicate my sense of secure computing, I read up on it a little.
:)
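The cross-view principle in the quoted paragraph (inventory the storage from a trusted, offline vantage point, compare it with what the live system reports, and treat any difference as a sign of infection) as a small worked example. This is added illustration, not cmpm's code, Wikipedia's, or that of any tool discussed in the thread. The directory tree, the file contents and the tampered "live" view are all constructed; on a real system the live view would be gathered through the running OS's own enumeration and file reads rather than handed in as a dict.

```python
"""Cross-view rootkit detection on a directory tree (added example).

Two views of the same storage are compared: a trusted inventory taken
while the suspect OS is not running (the rescue-medium view) and the
view the live system reports.  Entries the live view omits or reports
differently are discrepancies; per the quoted rule, a discrepancy means
a rootkit should be assumed.  All data below is constructed.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    This stands in for the trusted inventory taken from the rescue medium.
    """
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            inventory[rel] = digest.hexdigest()
    return inventory


def compare_views(trusted, live):
    """Compare the trusted (offline) inventory with the live system's view.

    hidden   - on disk, but absent from the live view (classic rootkit hiding)
    modified - in both views, but the content hash differs
    phantom  - reported by the live view, but not on disk
    """
    hidden = sorted(p for p in trusted if p not in live)
    phantom = sorted(p for p in live if p not in trusted)
    modified = sorted(p for p in trusted if p in live and trusted[p] != live[p])
    return {
        "hidden": hidden,
        "modified": modified,
        "phantom": phantom,
        "suspect": bool(hidden or modified or phantom),
    }


def demo():
    """Build a constructed tree, take the trusted view, simulate a tampered
    live view, and return the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample contents, not real driver images
            "drivers/disk.sys": b"benign driver image (constructed)",
            "drivers/hidden.sys": b"driver the live view will omit (constructed)",
            "config/boot.ini": b"boot configuration (constructed)",
        }
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        trusted = hash_tree(root)

        # Constructed "live" view: an enumeration that drops one file and
        # reports different content for another, as a hooked API would.
        live = dict(trusted)
        del live["drivers/hidden.sys"]
        live["config/boot.ini"] = hashlib.sha256(b"tampered (constructed)").hexdigest()
        return compare_views(trusted, live)


if __name__ == "__main__":
    result = demo()
    for kind in ("hidden", "modified", "phantom"):
        for path in result[kind]:
            print(f"{kind:9s} {path}")
    print("verdict:", "rootkit suspected" if result["suspect"] else "views agree")
```

The hash comparison matters as much as the name comparison: a rootkit that leaves a file listed but serves patched content to the live OS shows up under "modified", while one that hides a file entirely shows up under "hidden".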


Steven Avery

  • Supporting Member
  • Joined in 2006
  • Posts: 1,038
Re: Detecting RootKits
« Reply #27 on: June 29, 2009, 12:05 PM »
Hi Folks,

That makes a lot of sense, looking at the root from the outside.

Any other rootkit attempts generate concerns.  They tend to have to work on a low-level on your system, and the less low-level manipulation you have (even if in a "good cause") the more stable your system.

Also, the small group of Russian anti-rootkit technophiles seem to be at war with one another; reading the history of the field does not give me confidence. I wonder how many of these guys might be "highest bidder" oriented, Microsoft affiliates one month, Thin Line Associates the next.

I like the occasional external view thing, probably using whatever is available in UBCD4.  And if more is needed there, letting UBCD4 know.

Shalom,
Steven

sajman99

  • Supporting Member
  • Joined in 2006
  • Posts: 664
Re: Detecting RootKits
« Reply #28 on: July 01, 2009, 01:27 PM »
Thanks for the ARK information, folks.

I checked out the ARK RootRepeal at http://rootrepeal.googlepages.com, and it's a nice tool which can quickly display stealth objects, hidden services, etc.
I'll be keeping it in my ARK collection FWIW. But that's all I've been able to find so far.

Surely somebody has some specific ARK tools which they use and recommend? Maybe some ARKs that are newer and not well-known to the average user?
As suggested by Curt, I've read Gizmo's page at http://www.techsuppo...-scanner-remover.htm , but (as noted by one of the first comments on that page) some of those ARK recommendations haven't changed in a long time while rootkits have continued development.

Look forward to any suggestions, sajman99