Educause Security Discussion mailing list archives
Re: Rootkit discovery tools
From: Wes Young <wcyoung () BUFFALO EDU>
Date: Tue, 27 Jun 2006 07:51:04 -0400
> Unfortunately, all I am seeing in the Windows-side is "RootKit Revealer", which is sketchy IMO because it is run in a live environment.
Sometimes that's what you need to determine what is or isn't a rootkit: how it behaves in a live environment. If it is (and it usually is) a custom job, there probably isn't a live signature out there to find it, so the tool needs to be able to read/write live data and interact with the API to see how it responds.

IMO, BlackLight via F-Secure is probably one of the best out there. I can't remember the pricing off hand, but def worth it.... See http://hxdef.org/antidetection.php and www.rootkit.com for more info....

Rootkit detection is a behavioral study, not a signature analysis.

--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key ID: B0E1E99D
GPG Fingerprint: 5CFE B28C E015 E03F F19D B4A8 E753 7659 B0E1 E99D
-----------------------------------------------
| My Security Blog: | http://tinyurl.com/9av4k |
| My RSS:           | http://tinyurl.com/ceopv |
| My Life:          | http://tinyurl.com/l18g  |
| CPAN:             | http://tinyurl.com/mujm5 |
-----------------------------------------------
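The "interact with the API and see how it responds" approach described above is the cross-view technique that tools like RootkitRevealer apply on Windows: enumerate the same objects through two independent paths and treat whatever one path admits and the other hides as the suspect. The following is an added example written for this archive page; it is not Wes Young's code nor code from any tool named in the thread. The diff logic runs on constructed sample views, and the live part applies the same idea on Linux instead of Windows, using the /proc directory listing as the high-level view and kill(pid, 0) probes as the raw view. The function names (cross_view_diff, find_hidden_pids and the rest) are my own.

```python
"""Cross-view rootkit detection: compare two independent enumerations of the
same objects and flag whatever one view reports and the other omits.

Added example for the thread above; not from the original post or any tool it
names. The /proc-versus-kill() check is a Linux analogue of the Windows
cross-view tools discussed."""
import os

# Constructed sample views (not real system data): what a high-level API call
# reported versus what a low-level enumeration of the same objects found.
API_VIEW = ["explorer.exe", "svchost.exe", "lsass.exe"]
RAW_VIEW = ["explorer.exe", "svchost.exe", "lsass.exe", "constructed_hidden_proc"]


def cross_view_diff(api_view, raw_view):
    """Compare two independent views of the same objects.

    Returns (hidden, phantom):
      hidden  - in the raw view but missing from the API view
                (the classic hooked-API hiding pattern)
      phantom - in the API view but missing from the raw view
                (for example an object that vanished between the two reads)
    """
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def pid_alive(pid):
    """Ask the kernel whether `pid` exists with kill(pid, 0), which sends no
    signal.  POSIX only: os.kill() on Windows does not implement signal 0 as a
    harmless probe, so refuse to run there."""
    if os.name != "posix":
        raise RuntimeError("pid_alive() relies on POSIX kill(pid, 0) semantics")
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # ESRCH: no such process
        return False
    except PermissionError:         # EPERM: exists, but belongs to someone else
        return True
    return True


def listed_pids():
    """The API-style view: PIDs the /proc directory listing admits to."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid):
    """The raw view: every PID in 1..max_pid that answers kill(pid, 0)."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def is_thread_of_other_process(pid):
    """True when `pid` is really a thread ID whose group leader is another PID.
    Threads answer kill(tid, 0) but are not listed as /proc entries, so they
    must be excluded before anything is called hidden."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False        # no status file at all: leave it as a candidate
    return False


def find_hidden_pids(max_pid=32768):
    """PIDs that respond to kill() yet do not appear in the /proc listing.

    max_pid defaults to the traditional 32768; read /proc/sys/kernel/pid_max
    for full coverage on modern 64-bit kernels (it may be 4194304).  Processes
    come and go between the two views, so each candidate is re-checked against
    a fresh listing before it is reported.
    """
    hidden, _ = cross_view_diff(listed_pids(), probed_pids(max_pid))
    return [pid for pid in hidden
            if pid_alive(pid)
            and not is_thread_of_other_process(pid)
            and pid not in listed_pids()]


if __name__ == "__main__":
    hidden, phantom = cross_view_diff(API_VIEW, RAW_VIEW)
    print("constructed sample - hidden:", hidden, "phantom:", phantom)
    if os.path.isdir("/proc"):
        print("live /proc cross-view, hidden PIDs:", find_hidden_pids())
```

A discrepancy from one run is a prompt to investigate, not proof of a rootkit: /proc mounted with hidepid, PID namespaces in containers, and processes exiting between the two reads all produce benign differences, which is exactly why the live check re-probes each candidate and discards thread IDs before reporting. The same diff function can be fed any pair of views (directory listing versus raw filesystem walk, registry API versus hive parse) once you have two independent enumerators.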
Current thread:
- Rootkit discovery tools John Tooley (Jun 26)
- <Possible follow-ups>
- Re: Rootkit discovery tools Wes Young (Jun 27)
- Re: Rootkit discovery tools David Taylor (Jun 27)
- Re: Rootkit discovery tools Caroline Couture (Jun 27)
- Re: Rootkit discovery tools Graham Toal (Jun 27)
- Re: Rootkit discovery tools Wyman Miles (Jun 27)
- Re: Rootkit discovery tools David Boyer (Jun 27)
- Re: Rootkit discovery tools James H Moore (Jun 27)
- Re: Rootkit discovery tools David Taylor (Jun 27)
- Re: Rootkit discovery tools Mike Wiseman (Jun 27)
- Re: Rootkit discovery tools Graham Toal (Jun 27)
- Re: Rootkit discovery tools Wyman Miles (Jun 27)
(Thread continues...)