Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: Wes Young <wcyoung () BUFFALO EDU>
Date: Tue, 27 Jun 2006 07:51:04 -0400



Unfortunately, all I am seeing in the Windows-side is “RootKit
Revealer”, which is sketchy IMO because it is run in a live
environment.

Sometimes that's what you need to determine what is or isn't a rootkit:
how it behaves in a live environment. If it is (and it usually is) a custom
job, there probably isn't a live signature out there to find it, so the
tool needs to be able to read/write live data and interact with the API
to see how it responds.

IMO, BlackLight via F-Secure is probably one of the best out there; I
can't remember the pricing offhand, but def worth it....

see: http://hxdef.org/antidetection.php, and www.rootkit.com for more
info....

Rootkit detection is a behavioral study, not a signature analysis.
--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key ID: B0E1E99D
GPG Fingerprint: 5CFE B28C E015 E03F F19D  B4A8 E753 7659 B0E1 E99D
 -----------------------------------------------
| My Security Blog: | http://tinyurl.com/9av4k  |
| My RSS:           | http://tinyurl.com/ceopv  |
| My Life:          | http://tinyurl.com/l18g   |
| CPAN:             | http://tinyurl.com/mujm5  |
 -----------------------------------------------
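As an added illustration of the "behavioral, not signature" point made in the message above (example code written for this archive page, not Wes Young's code and not any product's), the script below does a cross-view check: it enumerates processes twice through two independent paths and reports anything one path shows but the other does not. A process that answers a probe but never appears in the directory listing is the kind of discrepancy a live-environment detector looks for. The pure function `cross_view_diff` is fed a constructed sample in the usage block; the `/proc`-based enumerators only run on Linux and their `max_pid` cap is an assumption chosen to keep the demo fast.

```python
import os

def cross_view_diff(api_view, raw_view):
    """Compare two views of the same object set.

    Returns (hidden, phantom):
      hidden  - present in the low-level view but missing from the API view
                (what a rootkit that filters an enumeration API produces)
      phantom - present in the API view but missing from the low-level view
                (usually a race: the object went away between the two views)
    """
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)

def enumerate_procs_readdir():
    """View 1: the 'normal' path, numeric entries of /proc (Linux only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def enumerate_procs_probe(max_pid=65536):
    """View 2: probe every PID with signal 0, which never delivers a signal.

    ProcessLookupError means no such PID; PermissionError means the PID
    exists but belongs to another user, which still counts as 'present'.
    max_pid is an assumed cap for the demo; a real sweep reads
    /proc/sys/kernel/pid_max and covers the whole range.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def live_process_check(max_pid=65536):
    """Snapshot readdir before and after the probe so that PIDs created or
    exited during the sweep are dropped as races rather than reported."""
    before = enumerate_procs_readdir()
    probed = enumerate_procs_probe(max_pid)
    after = enumerate_procs_readdir()
    stable = before & after                  # listed both times: real, stable
    churn = (before | after) - stable        # appeared/vanished mid-sweep
    hidden, phantom = cross_view_diff(stable, probed - churn)
    return {"hidden": hidden, "phantom": phantom, "churn": sorted(churn)}

if __name__ == "__main__":
    # Constructed sample: a raw view of five PIDs and an API view that has
    # been filtered to drop one of them, the way a hooking rootkit would.
    raw_sample = [1, 412, 913, 2048, 3117]
    api_sample = [1, 412, 2048, 3117]
    print("constructed:", cross_view_diff(api_sample, raw_sample))
    if os.path.isdir("/proc"):
        print("live:", live_process_check())
```

A discrepancy report is evidence, not a verdict: `hidden` PIDs that keep reappearing across repeated runs deserve a look with a different tool or an offline image, while a one-off entry is almost always scheduling noise.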