List: isn
Subject: [ISN] Rootkit Removal Tools
From: InfoSec News <alerts () infosecnews ! org>
Date: 2006-08-31 6:04:42
Message-ID: Pine.LNX.4.61.0608310104090.19491 () conundrum ! infosecnews ! org
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
How to Improve Network Security Without Extra Staff or Busting Your
Budget
http://list.windowsitpro.com/t?ctl=369C9:7EB890
Symantec Webcast : Symantec Packager - Tap into the Power
http://list.windowsitpro.com/t?ctl=369E3:7EB890
Manage Vulnerabilities. Defend Against Threats.
http://list.windowsitpro.com/t?ctl=369E4:7EB890
=== CONTENTS ===================================================
IN FOCUS: Rootkit Removal Tools
NEWS AND FEATURES
- Time to Upgrade SUS to WSUS
- Big Blue to Pay $1.3 Billion for ISS
- Citrix and Microsoft Team Up to Develop New Appliance
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: IE Bug Worse Than Expected
- FAQ: Block IE 7.0 Installation
- Share Your Security Tips
PRODUCTS
- Managing and Reporting Security Events
- Wanted: Your Reviews of Products
RESOURCES AND EVENTS
FEATURED WHITE PAPER
ANNOUNCEMENTS
=== SPONSOR: AlertLogic ========================================
How to Improve Network Security Without Extra Staff or Busting Your
Budget
Who couldn't use some extra protection? Worms and malicious
intruders can attack your network anytime, so make sure that your
defenses are at their strongest, especially for your small- and medium-
sized businesses. If IDS/IPS appliances are too costly and difficult to
maintain, learn how a turn-key solution can provide the protection you
need at a price you can afford.
http://list.windowsitpro.com/t?ctl=369C9:7EB890
=== IN FOCUS: Rootkit Removal Tools =============================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Rootkits are a growing problem, and as you might expect, the number of
tools that can help you prevent rootkit infiltration is growing too, as
is the number of standalone tools for detecting and removing rootkits
that are already installed. This week, I give you a list of the
standalone detection and removal tools that I know about.
The alphabetical list below can be a resource to help you add some
useful tools to your security toolkit. As with antivirus and
antispyware tools, using multiple rootkit detection and removal tools
is a good idea because not every tool can detect and remove every
rootkit. Keep in mind, too, that every tool below runs on the system
it's inspecting, so a kernel-mode rootkit that's already loaded can in
principle subvert the scanner itself; when a scan turns up something
suspicious, corroborate it from a clean boot (e.g., a known-good boot
CD) before you trust either a "clean" or an "infected" verdict.
Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight,
Sophos Anti-Rootkit, and IceSword, all of which are from entities that
I'm familiar with and trust to some extent or other.
A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker)
look interesting, but I have no idea who the authors are, nor do their
Web sites offer much information to lend insight. So although I
included them in the list, definitely use your own discretion.
There are undoubtedly other related tools available that I'm not aware
of; if you know of one, please send me an email with details. If you've
tried one of the tools below, let me know about your experiences with
it.
BitDefender RootkitUncover beta, from SoftWin
This tool is currently available as a free beta and looks promising,
particularly because it's from SoftWin, makers of BitDefender.
http://list.windowsitpro.com/t?ctl=369CC:7EB890
DarkSpy, from DarkSpy Security Group
This tool is from a group of Chinese security researchers that I'm
unfamiliar with. The download page for the tool says, "Use at your own
risk," and you'd be wise to take that advice; however, it might give
you a little comfort to know that this tool was recently mentioned in
the SANS Internet Storm Center's Handler's Diary. Click the second URL
under the Helios entry below to link to that mention.
http://list.windowsitpro.com/t?ctl=369DB:7EB890
F-Secure BlackLight
This is a standalone "trialware" tool, meaning that each release
expires on a set date--currently October 1--after which you must
download a newer build. It's also a standard component of F-Secure's
Internet Security 2006 package.
http://list.windowsitpro.com/t?ctl=369D6:7EB890
GMER, from an unknown independent Polish developer
Although no information is readily available about who developed
this tool, its Web site has several screenshots and some movies (in
.wmv and .avi format) that show the tool in action. So you can get a
good idea of what it's like before using it.
http://list.windowsitpro.com/t?ctl=369EB:7EB890
Helios, from MIEL e-Security
This is a new tool, currently in "alpha" development, that looks
promising. For some good insight into Helios, go to the second URL
below to read the SANS Handler's Diary entry for July 26, in which you
can also see some screen shots of the tool in action.
http://list.windowsitpro.com/t?ctl=369E9:7EB890
http://list.windowsitpro.com/t?ctl=369DF:7EB890
IceSword, by Xfocus Team
IceSword has proven useful to many security administrators. Xfocus
is a group of Chinese security researchers, and while the site is
written in Chinese, you can use AltaVista's Babel Fish Translation
engine (at the second URL below) to view it in English. You can also
use Babel Fish to translate the Chinese documentation.
http://list.windowsitpro.com/t?ctl=369E6:7EB890
http://list.windowsitpro.com/t?ctl=369EC:7EB890
RKDetector, by Miguel Tarasco Acuna
This toolkit comes in two parts: a file system analyzer and an
Import Address Table (IAT) analyzer. The file system analyzer scans the
file system and registry, and the IAT analyzer scans memory for
alterations to the IAT and to function code that would let a rootkit
hook into the system (that is, import entries or function prologues
that no longer point where the original module placed them). Screen
shots are available to give you a good idea of what the tool looks
like.
http://list.windowsitpro.com/t?ctl=369EA:7EB890
RootKit Hook Analyzer, from Resplendence Software Projects
Although most rootkit detection tools look at kernel hooks, the file
system, the registry, user accounts, and so on, this particular tool
focuses exclusively on kernel hooks.
http://list.windowsitpro.com/t?ctl=369E1:7EB890
RootkitRevealer, from Sysinternals
A tool written by Mark Russinovich and Bryce Cogswell, two well-known
Windows experts.
http://list.windowsitpro.com/t?ctl=369D4:7EB890
Rootkit Unhooker, from UG North
Although I have no idea who UG North is, the tool looks promising.
It checks for unwanted processes and system hooks and can help
terminate such processes.
http://list.windowsitpro.com/t?ctl=369E7:7EB890
Sophos Anti-Rootkit
This standalone tool offers both a GUI and a command line version
and is similar to the antirootkit technology built into the Sophos
Anti-Virus for Windows solution.
http://list.windowsitpro.com/t?ctl=369D0:7EB890
System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska
These tools specifically look for hidden files and at various system
components that might be modified by various rootkit techniques. Source
code is included. Rutkowska is a well-known researcher.
http://list.windowsitpro.com/t?ctl=369E0:7EB890
UnHackMe, from Greatis Software
While all the other listed tools are free, this tool is priced
starting at $19.95 for a single license. You can view screen shots of
the tool to see what it looks like and download a working demo if
you're interested.
http://list.windowsitpro.com/t?ctl=369E8:7EB890
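Several of the tools above (RKDetector's IAT analyzer, RootKit Hook Analyzer, Rootkit Unhooker) work by checking whether a function's first bytes or its import-table slot have been redirected into code that doesn't belong to the module that should own it. The following C program is an added example, written for this column, of that check over constructed 32-bit x86 data; it is not code from any of the listed tools. The module map (kernel32.dll, ntdll.dll, and a rogue "rk.sys"), the load addresses, and the sample prologues are all made up for illustration, and a real scanner would read them from the loader's module list and from the target's memory rather than from byte arrays.

```c
/* hookcheck.c: illustrative inline-hook and IAT-hook detection.
 * All module addresses and byte patterns below are constructed sample data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const char *name;
    uint32_t    base;   /* load address (32-bit process/kernel model) */
    uint32_t    size;   /* image size */
} module_t;

/* Constructed module map; a real tool obtains this from the loader
 * (e.g. the process module list or the kernel's loaded-module list). */
static const module_t g_modules[] = {
    { "kernel32.dll", 0x7C800000u, 0x000F6000u },
    { "ntdll.dll",    0x7C900000u, 0x000B2000u },
    { "rk.sys",       0xF8A00000u, 0x00010000u }, /* hypothetical rogue driver */
};

static const module_t *module_for(uint32_t va) {
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++)
        if (va >= g_modules[i].base && va - g_modules[i].base < g_modules[i].size)
            return &g_modules[i];
    return NULL;
}

static uint32_t rd32(const uint8_t *p) {      /* little-endian 32-bit read */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the trampolines a hook engine typically writes over a prologue.
 * Returns the transfer target, or 0 if the bytes are not a jump. */
uint32_t trampoline_target(const uint8_t *code, size_t len, uint32_t va) {
    if (len >= 5 && code[0] == 0xE9)                     /* jmp rel32 */
        return va + 5 + rd32(code + 1);
    if (len >= 2 && code[0] == 0xEB)                     /* jmp rel8 */
        return va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)  /* push imm32; ret */
        return rd32(code + 1);
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0)
        return rd32(code + 1);                           /* mov eax,imm32; jmp eax */
    return 0;
}

/* 1 if the prologue at va jumps out of its own module (inline hook), else 0.
 * A jump that stays inside the module (hot-patch stubs, tail calls) is normal. */
int inline_hooked(const uint8_t *code, size_t len, uint32_t va) {
    uint32_t target = trampoline_target(code, len, va);
    if (!target) return 0;
    const module_t *home = module_for(va), *dest = module_for(target);
    return !(home && dest && home == dest);
}

/* 1 if a resolved IAT slot does not land in the module that exports it. */
int iat_hooked(const char *exporting_module, uint32_t iat_value) {
    const module_t *m = module_for(iat_value);
    return !(m && strcmp(m->name, exporting_module) == 0);
}

/* Constructed samples at a made-up kernel32 function address. */
#define K_VA 0x7C801A28u
const uint8_t k_clean[]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };        /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t k_hooked[]   = { 0xE9, 0xD3, 0xF5, 0x1F, 0x7C };        /* jmp 0xF8A01000 (inside rk.sys) */
const uint8_t k_hotpatch[] = { 0xEB, 0xF9 };                          /* jmp -7 (stays inside kernel32) */

int main(void) {
    printf("clean prologue     : %s\n", inline_hooked(k_clean, sizeof k_clean, K_VA) ? "HOOKED" : "ok");
    printf("jmp into rk.sys    : %s\n", inline_hooked(k_hooked, sizeof k_hooked, K_VA) ? "HOOKED" : "ok");
    printf("in-module hot-patch: %s\n", inline_hooked(k_hotpatch, sizeof k_hotpatch, K_VA) ? "HOOKED" : "ok");
    printf("IAT -> ntdll       : %s\n", iat_hooked("ntdll.dll", 0x7C90D76Cu) ? "HOOKED" : "ok");
    printf("IAT -> rk.sys      : %s\n", iat_hooked("ntdll.dll", 0xF8A02000u) ? "HOOKED" : "ok");
    return 0;
}
```

The in-module case matters in practice: Windows XP-era system DLLs begin many functions with a hot-patchable `mov edi,edi` prologue, and legitimate patches can turn that into a short jump to nearby code, so a scanner that flags every jump produces false positives. Conversely, a rootkit can defeat this check by pointing the hook at a stub it has placed inside a legitimate module's slack space, which is one reason the column recommends running more than one tool.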
===
Regional Events Cover 4 Key Interoperability Topics
Are you a Windows fan, a UNIX diehard, a Linux lover, or all
of the above? Check out TechX World, an OS-agnostic event
designed to give you insider tips on coping in a Windows-plus
world.
Designed specifically for IT professionals who work in a
multi-OS environment, TechX World is a four-track, one-day
event featuring technical experts Michael Otey, Gil Kirkpatrick,
Dustin Puryear, and Randy Dyess providing information about OS
interoperability, data interoperability, directory and security
integration, and virtualization.
The regional event series will visit four cities from
October 24 through November 2: Washington D.C., Chicago,
Dallas, and San Francisco. Attendees who register before August
31 will receive early bird pricing and a one-year subscription to
Windows IT Pro. At $129 per person for four tracks and a full day
of learning, it's worth sending the entire team to make sure you
cover all the sessions. For complete agenda and speaker details,
go to
http://list.windowsitpro.com/t?ctl=369D9:7EB890
=== SPONSOR: Symantec ==========================================
Symantec Webcast : Symantec Packager - Tap into the Power
Need to extend your IT administration reach and connect to the devices?
This webcast is designed for IT professionals interested in the
functionality of Symantec Packager. Topics to be covered include
product functionality, the product basics, as well as configuring and
deployment with specific examples for pcAnywhere Host and Remote
installations.
Date: September 7, 2006, 9:00am PDT, 12:00pm EDT
Speaker: Sandra Stamler, Product Marketing Manager
Register now at http://list.windowsitpro.com/t?ctl=369E3:7EB890
=== SECURITY NEWS AND FEATURES =================================
Time to Upgrade SUS to WSUS
Microsoft ceased distributing Software Update Services (SUS) August
24 and will stop delivering updates via SUS December 6. The company
will no longer support SUS after the December date. For administrators
who rely on SUS, it's a great time to upgrade to Windows Server Update
Services (WSUS).
http://list.windowsitpro.com/t?ctl=369C6:7EB890
Big Blue to Pay $1.3 Billion for ISS
IBM announced that it has entered into a deal to buy Internet
Security Systems (ISS) for $1.3 billion in cash. Upon closing of the
acquisition, ISS will become a security business unit at IBM within the
company's Global Services organization.
http://list.windowsitpro.com/t?ctl=369CF:7EB890
Citrix and Microsoft Team Up to Develop New Appliance
The new Citrix WANScaler appliance is aimed squarely at improving
delivery of applications to branch offices and will be based on
Microsoft Windows Server 2003, Internet Security and Acceleration (ISA)
Server to provide added security, and WANScaler technology to improve
network and application performance.
http://list.windowsitpro.com/t?ctl=369D5:7EB890
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=369CE:7EB890
=== SPONSOR: Core Security =====================================
Manage Vulnerabilities. Defend Against Threats.
Your IT and Security budgets are tight. This White Paper shows real-
world case studies demonstrating the ROI potential of automated
penetration testing.
http://list.windowsitpro.com/t?ctl=369E4:7EB890
=== GIVE AND TAKE ==============================================
SECURITY MATTERS BLOG: IE Bug Worse Than Expected
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=369DD:7EB890
Microsoft Security Bulletin MS06-042--Cumulative Security Update for
Internet Explorer has now been re-released to fix an exploitable
vulnerability introduced by the original patch. The vulnerability
involves long URLs in conjunction with HTTP 1.1 and compression. Be
sure to read the updated bulletin and apply the latest version of the
patch.
http://list.windowsitpro.com/t?ctl=369D1:7EB890
FAQ: Block IE 7.0 Installation
by John Savill, http://list.windowsitpro.com/t?ctl=369D8:7EB890
Q: How can I block Microsoft Internet Explorer (IE) 7.0 installation
via the registry?
Find the answer at
http://list.windowsitpro.com/t?ctl=369D2:7EB890
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's
Reader to Reader column. Email your contributions to
r2rwinitsec@windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com
Managing and Reporting Security Events
CrossTec has released version 3.5 of its Activeworx Security Center
event management software. The upgrade contains a new internal
reporting center instead of the Crystal Reports software in previous
versions (Crystal Reports will still be optional). Activeworx 3.5 lets
users control parameters and schedule automated reporting tasks and
comes with more than 200 new PCI, SOX, GLBA, and HIPAA reports.
Integration with the Snort intrusion detection system (IDS) provides
event information. Activeworx 3.5's correlation engine has been
benchmarked at more than 15,000 events per second. Activeworx 3.5's
console is customizable and can be modified to display the entire
network or just portions of it. An Activeworx deployment starts at
$2500. For more information, visit
http://list.windowsitpro.com/t?ctl=369E2:7EB890
WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
whatshot@windowsitpro.com and get a Best Buy gift certificate.
=== RESOURCES AND EVENTS =======================================
Gear up for TechX World Roadshow
Hear first-hand from leading interoperability experts, vendors, and
peers at this exclusive one-day event. You'll learn about managing OS
interoperability, directory migration, data interoperability, and much
more. This event provides in-depth information on how Windows and other
systems cooperate with each other.
http://list.windowsitpro.com/t?ctl=369DA:7EB890
Does your company have $500,000 to spend on one email discovery
request? Join us for this free Web seminar to learn how you can
implement an email archiving solution to optimize email management and
proactively take control of e-discovery--and save the IT search party
for when you really need it! Live Event: Tuesday, September 12
http://list.windowsitpro.com/t?ctl=369C8:7EB890
You know you need to manage your email data; how do you do it? What
steps are you taking? What additional measures should you enact? What
shouldn't you do? Learn the answers to these questions and get control
of your vital messaging data. Download the free eBook today!
http://list.windowsitpro.com/t?ctl=369CB:7EB890
Dramatically simplify Exchange troubleshooting with an in-depth look at
built-in troubleshooting tools and third-party applications. Join us as
we analyze a typical troubleshooting process, address the problems with
using standard tools, and learn how automated troubleshooting can solve
these challenges. Live Event: Thursday, September 14
http://list.windowsitpro.com/t?ctl=369C7:7EB890
Are you protected company-wide against spyware, keyloggers, adware, and
backdoor Trojan horses? Test the state-of-the-art scanning engine that
uses threat signatures from multiple sources to track down the culprits
that antivirus solutions alone can't protect you against. Download your
free 30-day trial of CounterSpy Enterprise today!
http://list.windowsitpro.com/t?ctl=369CA:7EB890
=== FEATURED WHITE PAPER =======================================
Help your small or midsized business protect one of its most valuable
assets--business information. Easily store, manage, protect, and share
information by using hardware designed with the needs of your business
in mind. Manage IT without the large staff and extensive training--
learn how today!
http://list.windowsitpro.com/t?ctl=369CD:7EB890
=== ANNOUNCEMENTS ==============================================
Invitation for VIP Access
For only $29.95 per month, you'll get instant VIP online access to
ALL articles published in Windows IT Pro, SQL Server Magazine, and the
Exchange and Outlook Administrator, Windows Scripting Solutions, and
Windows IT Security newsletters--that's more than 26,000 articles at
your fingertips. Sign up now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2768um
Save $40 off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE up to $40! Along with
your 12 issues, you'll get FREE access to the entire Windows IT Pro
online article archive, which houses more than 9,000 helpful IT
articles. This is a limited-time offer, so order now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2068uw
================================================================
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and the Windows IT Security newsletter
(subscribe at the second URL below).
http://list.windowsitpro.com/t?ctl=369DE:7EB890
https://store.pentontech.com/index.cfm?s=1&promocode=eu255xsb
Subscribe to Security UPDATE at
http://list.windowsitpro.com/t?ctl=369D3:7EB890
Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=369E5:7EB890
About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.
_________________________________
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/