Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 27 Jun 2006 10:26:09 -0400

I thought I had responded to the list, but it seems that I just responded to John's initial post.

One tool that I like as a first responder (on the Windows platform) is Neuber's "Security Task Manager". In my 
opinion, it is a good systems admin tool. It is not as fine-grained as some of the Sysinternals tools, but sometimes 
produces a sharper "big picture". I like it enough that I bought it for home.

It has a task manager type of interface. It finds how processes are started (checks basic ways), and looks for code 
signing, manufacturer's name, if it is visible, etc. It also gives things a "score", so if it is hidden, not signed, no 
listed manufacturer ... it highlights that you should investigate it. And it even helps there: you can click on the 
process and ask for a Google search, or a search of their archives that identifies what it belongs to. Also displayed 
by default is a "strings" pane, where strings are extracted from the file. Rootkits usually cause a "File Not Found" 
error in this pane.

Hmm, a running process, started from this path according to the registry, but you can't find it to pick strings out of 
it.  Got Rootkit? 

More information is at "Security Task Manager" http://www.neuber.com/taskmanager/taskmanager.html

Downloadable trial version from http://www.neuber.com/taskmanager/download.html

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and 
criminals are at sharing attack information"  - Peter Presidio

________________________________

From: David Boyer [mailto:David () BVU EDU] 
Sent: Tuesday, June 27, 2006 10:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Rootkit discovery tools


You run netstat -nao from the command line on the computer whose ports you want to scan.

Computer Management is an MMC snap-in for Windows.

caroline () POBOX UPENN EDU 8:42 AM 6/27/2006 >>>
Hey Dave,

I saw this post on the security list and I had some questions about it.


Quoting David Taylor <ltr () ISC UPENN EDU>:
[snip]
Do a netstat -nao on the local machine and then do a remote port scan with a
tool such as nmap. If something shows up in the nmap scan that doesn't show
as listening on the netstat, there is likely a rootkit.
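
The netstat-versus-nmap cross-check David Taylor describes, as an added example that is not part of any post in this thread. It assumes the remote scan was saved in nmap's grepable format (`-oG`) and that the local listing is in the Windows `netstat -nao` layout; both inputs below are constructed samples, and the `hidden_listeners` helper name is this example's own.

```python
"""Flag ports an external nmap scan shows open that the host's own netstat -nao
does not list as listening (the cross-check described in the thread). Added
example, not code from the original posts; both inputs are constructed samples
in the real formats (Windows `netstat -nao` and nmap `-oG` grepable output)."""
import re
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      192.168.1.5:51002      ESTABLISHED     1120
  UDP    0.0.0.0:137            *:*                                    4
"""
NMAP_GREPABLE_SAMPLE = """\
# Nmap 4.11 scan initiated as: nmap -sS -oG - 192.168.1.20
Host: 192.168.1.20 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 31337/open/tcp//Elite///
"""
# nmap -oG port entries look like port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")

def local_listeners(netstat_output):
    """Return {(proto, port)} the host itself reports as listening."""
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or separator line
        proto = fields[0].lower()
        port = int(fields[1].rsplit(":", 1)[1])  # works for IPv4 and [IPv6]:port
        # Windows prints no state for UDP, so every bound UDP socket counts.
        if proto == "tcp" and fields[3] != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT, ... are not listeners
        listeners.add((proto, port))
    return listeners

def remote_open_ports(nmap_grepable):
    """Return {(proto, port)} that nmap -oG reports as open on the target."""
    found = set()
    for line in nmap_grepable.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            found.update((proto, int(port)) for port, proto in PORT_RE.findall(line))
    return found

def hidden_listeners(netstat_output, nmap_grepable):
    """Open on the wire but missing from netstat: what the thread calls 'Got Rootkit?'."""
    return remote_open_ports(nmap_grepable) - local_listeners(netstat_output)
if __name__ == "__main__":
    for proto, port in sorted(hidden_listeners(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE)):
        print(f"{proto}/{port} open remotely but not listed locally: investigate")
```

The comparison is only as complete as the scan: nmap's default run covers a limited port list and a firewalled port reports as filtered rather than open, so scan all ports (`-p-`) and both TCP and UDP (`-sU`) before treating an empty result as a clean bill of health.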
