Microsoft plans to integrate rootkit detection technology from its Strider Ghostbuster research project into future versions of the Windows AntiSpyware application, Ziff Davis Internet News has learned.

Strider Ghostbuster, a prototype tool developed by Microsoft Corp.'s Cybersecurity and Systems Management Research Group, provides a straightforward way to detect Windows rootkits by comparing scan results between a clean system and one that may potentially be compromised. Details of Microsoft's plans remain scarce, but sources say the company has grown increasingly worried about the threat from stealth rootkits.
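As an added illustration of the cross-view comparison the article describes (this is example code, not Microsoft's Strider Ghostbuster; the two inventories, the volatile-object allow-list and the hidden entries are constructed for the example, and the "trusted view" is assumed to come from a scan that bypasses the running system's APIs, such as an offline disk and memory scan), here is a minimal diff that flags objects one view reports and the other does not:

```python
"""Cross-view diff, the detection idea behind tools like Strider Ghostbuster.

Added example, not Microsoft's code. Two inventories of the same machine
are compared: an "API view" gathered from inside the running system through
the normal OS calls a rootkit can hook, and a "trusted view" gathered in a
way that bypasses them (assumed here to be an offline scan of the disk and a
memory image). Anything the trusted view sees but the API view does not is
a hiding candidate. Both inventories below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Entry:
    kind: str        # "file", "process" or "regkey"
    name: str        # path, image name or registry key
    size: int = 0    # bytes for files, 0 for the other kinds


@dataclass
class DiffReport:
    hidden: List[Entry] = field(default_factory=list)                    # trusted view only
    ghost: List[Entry] = field(default_factory=list)                     # API view only
    mismatched: List[Tuple[Entry, Entry]] = field(default_factory=list)  # same name, different size


# Objects that legitimately change between two scans of one box. A real
# detector carries a similar allow-list to keep noise down; these prefixes
# are constructed for the example.
VOLATILE_PREFIXES = ("file:C:\\pagefile.sys", "file:C:\\Windows\\Temp\\")


def _key(e: Entry) -> str:
    return f"{e.kind}:{e.name}".lower()   # Windows names are case-insensitive


def _is_volatile(e: Entry) -> bool:
    return _key(e).startswith(tuple(p.lower() for p in VOLATILE_PREFIXES))


def cross_view_diff(api_view: Iterable[Entry], trusted_view: Iterable[Entry]) -> DiffReport:
    """Report every discrepancy between the two views, ignoring volatile objects."""
    api = {_key(e): e for e in api_view}
    trusted = {_key(e): e for e in trusted_view}
    report = DiffReport()
    for k, e in trusted.items():
        if _is_volatile(e):
            continue
        if k not in api:
            report.hidden.append(e)                 # the classic rootkit signature
        elif e.size != api[k].size:
            report.mismatched.append((api[k], e))   # the API misreports the object
    for k, e in api.items():
        if k not in trusted and not _is_volatile(e):
            report.ghost.append(e)                  # usually scan-time churn, still worth a look
    return report


def hidden_names(report: DiffReport) -> List[str]:
    """Sorted names of the objects only the trusted view could see."""
    return sorted(e.name for e in report.hidden)


RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample: what the box reports about itself through its APIs ...
API_VIEW = [
    Entry("file", "C:\\Windows\\explorer.exe", 1032192),
    Entry("file", "C:\\Windows\\notepad.exe", 69120),
    Entry("file", "C:\\pagefile.sys", 1073741824),
    Entry("file", "C:\\Windows\\Temp\\scan.tmp", 512),
    Entry("process", "explorer.exe"),
    Entry("process", "svchost.exe"),
    Entry("process", "scanner.exe"),
    Entry("regkey", RUN_KEY + "\\ctfmon"),
]

# ... and what the independent scan sees (hypothetical hidden objects).
TRUSTED_VIEW = [
    Entry("file", "C:\\Windows\\explorer.exe", 1032192),
    Entry("file", "C:\\Windows\\notepad.exe", 70144),                    # size differs from API view
    Entry("file", "C:\\Windows\\System32\\drivers\\hidden.sys", 24576),  # absent from API view
    Entry("file", "C:\\pagefile.sys", 1073742000),                       # volatile, ignored
    Entry("process", "explorer.exe"),
    Entry("process", "svchost.exe"),
    Entry("process", "hidden_svc.exe"),                                  # absent from API view
    Entry("regkey", RUN_KEY + "\\ctfmon"),
    Entry("regkey", RUN_KEY + "\\hidden_loader"),                        # absent from API view
]


def demo() -> DiffReport:
    return cross_view_diff(API_VIEW, TRUSTED_VIEW)


if __name__ == "__main__":
    r = demo()
    for e in r.hidden:
        print(f"HIDDEN    {e.kind:8} {e.name}")
    for a, t in r.mismatched:
        print(f"MISMATCH  {a.kind:8} {a.name} api={a.size} trusted={t.size}")
    for e in r.ghost:
        print(f"GHOST     {e.kind:8} {e.name}")
```

The design point is that the detector never has to know how a particular rootkit hides: any object that exists on disk, in memory or in the registry but is filtered out of the API answer shows up as a `hidden` entry, while a `mismatched` entry catches an API that returns the object but with altered attributes. The allow-list matters in practice, since page files and temp directories differ between any two scans and would otherwise drown the real findings.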

View: More Information about Microsoft Research's Strider Ghostbuster
News source: eWeek



Previously, when game hero Carl "CJ" Johnson successfully wined and dined one of several girlfriends a certain number of times, she would ask him into her house for "coffee." After entering, the game shows an external shot of the house with muffled sounds of a couple emitting moans in flagrante delicto. PC versions of San Andreas with the "Hot Coffee" mod installed show what goes on inside the house, treating players to a sexually graphic minigame of CJ fornicating with his girlfriend.

According to its creators, the Hot Coffee mod merely unlocks hidden, preexisting code inside San Andreas. The game's publisher, Rockstar Games, appeared to vehemently--but carefully--deny that charge in a statement earlier this week. "So far we have learned that the 'Hot Coffee' modification is the work of a determined group of hackers who have gone to significant trouble to alter scenes in the official version of the game," the company said. "In violation of the software user agreement, hackers created the 'Hot Coffee' modification by disassembling and then combining, recompiling and altering the game's source code."

Rockstar's statement also claimed that the mod was the product of complex technical tampering. "Since the 'Hot Coffee' scenes cannot be created without intentional and significant technical modifications and reverse-engineering of the game's source code, we are currently investigating ways that we can increase the security protection of the source code and prevent the game from being altered by the 'Hot Coffee' modification," read the statement.

However, Rockstar Games' argument has been undermined by an increasing number of reports that claimed the sex minigame is in the PlayStation 2 version of San Andreas. Since the PS2 version comes on an unmoddable DVD, it cannot have any content added to it, although cheat codes--created either by the publisher or third parties--can unlock preexisting code on the disc. While devices such as GameShark and Action Replay Max can tweak preexisting variables in system memory with cheats, they cannot inject new models, animations, and/or code into a game.

To prove or disprove rumors that the PS2 San Andreas contains a sexually graphic minigame, GameSpot decided to test the cheat codes circulating around the Web on a sealed, first-edition copy of San Andreas. After acquiring the "Uncensored Hot Coffee" codes from the respected tech-blog Kotaku, we entered them into an easily obtainable Action Replay Max cheat device. After entering the "Enable all Girlfriends" cheat, we began the game and then gave CJ maximum sex appeal, via a cheat from GameFAQs that requires no external code.

After saving, our test editor had Carl visit the house of his nearest girlfriend, Denise in Los Santos. Carl then took Denise on a series of dates to the nearest bar. After a few complications--including being busted for two-timing by another of CJ's girlfriends--we completed a fourth date with Denise, after which she invited us into her house for "coffee."

The next screen proved that the PlayStation 2 edition of the game does indeed include a sexually graphic minigame, which plays almost exactly the same as the Hot Coffee mod. It begins inside a bedroom with Denise, wearing only a pink thong and a cutoff T-shirt bearing the Rockstar logo, performing simulated fellatio on CJ, who is fully clothed in jeans and a "wife beater"-style tank top.

After a few seconds, the minigame proceeds to semi-explicit simulated copulation. Although players can change the camera angle with the circle button, as well as cycle through three sexual positions with the square button, no genitalia are ever seen. To win, players must maintain a steady rhythm with the left analog stick to build up an "excitement meter" on the right of the screen. Fill the meter and Denise becomes very excited, telling CJ he is "the man" before the game congratulates you with the words "Nice guys finish last!" Let the meter drop to empty and the game admonishes you with "Failure to satisfy a woman is a CRIME!"

Given that the minigame is about as raunchy as an episode of Sex and the City, cannot be accessed without entering a long string of cheat codes, and takes several hours of effort to access, charges that San Andreas is "pornographic" may seem extreme to some. However, its existence does appear to contradict Rockstar Games' carefully worded statement blaming hacker mischief for the existence of the Hot Coffee mod.




There are 27 additional comments
(2 replies) Quote this comment Reply to this comment #1 Posted by joekr on 19 Jul 2005 - 20:40
Would someone be kind enough to explain what a rootkit is?
Quote this comment #1.1 Posted by deadmonkey on 19 Jul 2005 - 20:50
http://en.wikipedia.org/wiki/Rootkit

Quote this comment #1.2 Posted by dotRoot on 20 Jul 2005 - 13:28
The article is a little misleading, at least for the history. A rootkit wasn't specifically used to hide a cracker and thereby be "root" in the system.

A rootkit would take over the actual Root account. The Root account in *nix is the SuperAdmin account. What makes a rootkit different from a trojan is that usually it was run by the cracker from a lesser privileged account. It had nothing to do with being "rooted" in the system as in being hidden from the admin, because the cracker would be the admin. Of course some rootkits would hide certain things, however that wasn't the main function.
Quote this comment Reply to this comment #2 Posted by Co_Co on 19 Jul 2005 - 21:25
sounds promising
Quote this comment Reply to this comment #3 Posted by slimy on 19 Jul 2005 - 22:25
good news
Quote this comment Reply to this comment #4 Posted by ev0| on 19 Jul 2005 - 22:48
finally, because nothing else (as an all in one antispyware app) detects rootkits

to be honest, MS Antispyware should be running as a system service.
(5 replies) Quote this comment Reply to this comment #5 Posted by Gowcra on 19 Jul 2005 - 23:40
Isn't MS AntiSpy a resource hog? BTW my specs are top notch, it's just what I've heard.
Quote this comment #5.1 Posted by ev0| on 19 Jul 2005 - 23:50
I guess, if you're one of these people with gigabytes of memory who want to run the least amount of things so they can leave all their memory free doing nothing at all (wasting it).
Quote this comment #5.2 Posted by rm20010 on 20 Jul 2005 - 01:45
Well, as long as it doesn't steal CPU cycles used for my foreground applications, I don't care how much memory it uses. I usually have 800 MB of memory unused.
Quote this comment #5.3 Posted by ev0| on 20 Jul 2005 - 02:11
That's what I'm getting at. If the app is using 0% CPU, who cares how many processes it spawns? More processes are better since dual-core and dual-CPU machines can run 'em at the same time (yes, I know processes are not the same as threads, but each process is at least one thread, so there).
Quote this comment #5.4 Posted by TheSarge on 20 Jul 2005 - 05:38
Keep in mind that some people are doing more with their machines than logging into Neowin and trolling.
Some people need their machines to do their jobs well, and they'd like it if their computers were fast: they don't need things that slow their machines down unnecessarily.
Dual-core (or HT) CPUs do not necessarily process two separate processes at the same time. The two threads it's processing may actually come from the same process: that's why it's called a thread, not a process.
Quote this comment #5.5 Posted by ichi on 20 Jul 2005 - 12:51
It shouldn't really matter if anti-rootkit programs are such a resource hog, as they shouldn't be run locally. First thing a "decent" rootkit would do (or the guy installing the rootkit) is to kill or cripple any rootkit detector running on that box.
Quote this comment Reply to this comment #6 Posted by lozbrown on 19 Jul 2005 - 23:56
All anti-spyware uses resources if it's guarding the system. Despite what MS haters will say, it's actually pretty good, but then I suppose it wasn't developed by MS.
Quote this comment Reply to this comment #7 Posted by EduardValencia on 20 Jul 2005 - 00:26
wowowowowow this is awesome!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Quote this comment Reply to this comment #8 Posted by Gowcra on 20 Jul 2005 - 00:43
Not really, just wondering. I MIGHT give this a try when I'm sober! :ROFL:
Quote this comment Reply to this comment #9 Posted by ev0| on 20 Jul 2005 - 01:34
There's just something about the antispyware logo that makes me want to bite it, or grab it, shoot a goddamn arrow into it or something.
(2 replies) Quote this comment Reply to this comment #10 Posted by thunderrooster on 20 Jul 2005 - 01:43
Your antivirus should detect them. PestPatrol, CounterSpy and Spy Sweeper detect them too, if I am not mistaken. There are also free programs that will detect them too.
Quote this comment #10.1 Posted by Structured on 20 Jul 2005 - 02:34
Read up on exactly what rootkits are. Sysinternals' RootkitRevealer has been the only program I've seen to search for them.
Quote this comment #10.2 Posted by thunderrooster on 20 Jul 2005 - 05:42
If you look on http://www.sysinternals.com/utilities/rootkitrevealer.html it says it finds all the rootkits listed on rootkit.com. PestPatrol has a lot of hits on rootkits, http://search.ca.com/search/ca?col=&qp=&qs=&qc=&pw=730&ws=0&qm=0&st=1&nh=10&lk=1&rf=0&rq=0&qt=rootkit&image1.x=0&image1.y=0 , even the AFX rootkit, and so does McAfee; do a search on McAfee here http://us.mcafee.com/virusInfo/default.asp?id=glossary for rootkit. I might be wrong, but it looks like McAfee and PestPatrol find at least some rootkits. From what I have read in several forums, most AVs will detect some and the antispyware programs will too. But like always, no one product will find every single thing.
Quote this comment Reply to this comment #11 Posted by Structured on 20 Jul 2005 - 02:32
Microsoft innovating? wtf??

(heh)
Quote this comment Reply to this comment #12 Posted by soothsayer on 20 Jul 2005 - 03:04
I'm assuming that this will become increasingly important when Longhorn arrives, and administrator privileges aren't doled out to anyone who makes a local account on the computer.
(4 replies) Quote this comment Reply to this comment #13 Posted by jimbo11883 on 20 Jul 2005 - 03:14
MSAS is written in VB6 so that's one reason it uses so much memory... If MS was to re-write AS in C++ it would use much less memory, and could be integrated as a driver...
Quote this comment #13.1 Posted by Post-It Note on 20 Jul 2005 - 04:32
I find that hard to believe. Sure, the GUI probably could be written in VB6, but the core components that search for the spyware and the live detection must be written in a language lower than VB6, like C++.
Quote this comment #13.2 Posted by jbenhm on 20 Jul 2005 - 07:27
As far as I know VB6 can't create DLL files, though I could be way off base on that one.
Quote this comment #13.3 Posted by Jeremy1 on 20 Jul 2005 - 07:27
QUOTE
MSAS is written in VB6

Lies, lies, lies. I don't have anything against VB6, it's got its place. But an AntiSpyware application is not one of them, and MSAS is not written in VB6.
Quote this comment #13.4 Posted by chanvw on 21 Jul 2005 - 04:24
QUOTE
As far as I know VB6 can't create DLL files, though I could be way off base on that one.

VB6 can create DLL files, but I doubt that it was used to make MS Antispyware - I'm pretty sure Microsoft's developers are capable of using more powerful/efficient tools to do this.
Quote this comment Reply to this comment #14 Posted by tiwaris on 20 Jul 2005 - 09:03
It's a wise step by Microsoft.