Re: Release of Rootkit Hunter 1.0.0

[Mike Parkhurst <myname17 () bellsouth net>]

I wish you were right, but there are things that get through that
Norton doesn't get.  For example, one of my users has some type of back
door on his laptop.  Norton does not pick it up, but when someone sends
virii through it, Norton alarms.  Sometimes dozens of times at once. 
Needless to say, my user is annoyed. 

Another user wasn't thinking and opened one of the virii that went
around last week or so.  Norton did pick up on it and claimed to clean
the PC.  Unfortunately, it did not clean the back door (he had symptoms
similar to the above user).  Since this user is local, and I knew where
the back door came from, I was able to manually edit the registry to
kill the back door portion of the virus.  This is not an automatic
process, I used the directions on Norton's website.

There is also the spyware problem.  Some spyware is pretty much
impossible to kill.  Ad Aware and the like will not do it.

To me both of these are rootkits.  Out of 25 users, I have two that
have managed to get something that I can not clean without fdisking the
systems.  The installed Norton will not clean them.

Note: I am not claiming that Norton does a bad job, it's just that
there are some things it can not or will not fix.

Mike



Chris Moody wrote:

> The names McAffee and Norton seem to ring a bell to me.
>
> ~Chris
>
>
>
> On Mon, 22 Mar 2004, Mike Parkhurst wrote:
>
>  
>
> > That's a cool project.  Does anyone know if there is a similar project
> > for Windows systems?
> >
> > Thanks,
> > Mike
> >
> > M. Boelen wrote:
> >
> >    
> >
> > > Hi,
> > >
> > > After three RC's (release candidates), a lot of bug hunting and a lot
> > > of 'Big thanks'
> > > I'm proud to present you a new release of Rootkit Hunter. This release
> > > incorporates extra support for a operating systems like AIX, improved
> > > support for rootkits, new 3rd party support, extra program parameters,
> > > better
> > > logging support and code cleanups.
> > >
> > > Of course I want to thank all of you who tested previous releases,
> > > send comments
> > > or helped me by giving extra (code) tips to improve this release!
> > >
> > > Project page:
> > > http://www.rootkit.nl/projects/rootkit_hunter.html
> > >
> > > Download location:
> > > http://downloads.rootkit.nl/rkhunter-1.00.tar.gz
> > >
> > > Project description:
> > > Scanner for detection of known and unknown rootkits, backdoors and
> > > sniffers. See features below for more information.
> > >
> > > System requirements: UNIX (clone), BASH shell, Perl (optional)
> > > Audience: System administrators, IT security experts
> > >
> > > Extended information:
> > > -----------------------
> > > Some features:
> > > - 'Known good' hash compare
> > > - Default file location scan
> > > - Hidden files scan
> > > - OpenSSH configuration check
> > > - Colored layout
> > > - Support for cronjobs
> > >
> > > Rootkit Hunter has been tested (and/or confirmed to work) on Red Hat
> > > (normal and Advanced Server), Slackware, Fedora, SuSE, Gentoo,
> > > Debian, Mandrake, FreeBSD (4.x and 5.x), AIX, OpenBSD and others.
> > >
> > > Support for NetBSD and Solaris is in development stage.
> > >
> > > Known issues:
> > > - Not all Fedora core 1 hashes are updated (but will be happen soon)
> > > - manpage not yet available (although it's already finished)
> > > - Installation uses preconfigured (static) file paths
> > >
> > > -----------------------
> > >
> > > Want to get notified when new releases are available? Subscribe
> > > to the Freshmeat Project page (http://freshmeat.net/projects/rkhunter)
> > >
> > > Have some questions (or comments)? Fill in the contact form at
> > > http://www.rootkit.nl.
> > >
> > > Best regards,
> > >
> > > Michael
> > > Rootkit.nl
> > >
> > > p.s. this message is cross posted to several (security ) related
> > > mailinglists.
> > > If you get this message a few times, you have been subscribed to the same
> > > mailinglists as I am. In this case, sorry for the multiple messages. No
> > > spamming was intended =)
> > >
> > > ---------------------------------------------------------------------------
> > >
> > > Test your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out by easily testing it with real-world attacks from CORE IMPACT.
> > >
> > > Visit: www.coresecurity.com/promos/sf_eids1 to learn more.
> > > ---------------------------------------------------------------------------
> > >
> > >
> > >
> > >      
> > ---------------------------------------------------------------------------
> >
> > ---------------------------------------------------------------------------
> >
> >
> >    
>
>  


---------------------------------------------------------------------------

---------------------------------------------------------------------------