ESET Rootkit Detector beta 1



goretsky

Hello,

 

ESET Rootkit Detector beta 1 is now available for testing.  This is a new program from ESET's researchers for detecting malicious kernel extensions that hook into system functions and modify the kernel's memory space in order to redirect disk and file I/O (i.e., stealth mechanisms typically used by rootkits).  If a rogue kernel extension is found, the user will be prompted to submit it to ESET's researchers for analysis.

 

Changelog

• None (initial release)

 

For more information or to download a copy, see:

 

ESET Beta Tester's Portal: http://www.eset.com/us/beta/rootkit-detector/

ESET Blog Post: http://www.welivesecurity.com/2013/09/23/known-unknowns-detecting-rootkits-under-os-x/

ESET Knowledgebase: http://kb.eset.com/esetkb/index?page=content&id=SOLN3436

Direct download link: http://download.eset.com/special/erd/ESET_Rootkit_Detector.zip

 

Regards,

 

Aryeh Goretsky

 


  • Similar Content

    • By Hamza Jawad
      Microsoft 365 gets next generation Compliance Manager and more
      by Hamza Jawad



      At its Inspire event in July, Microsoft introduced a slew of compliance and security additions to its platforms. Today, at the Ignite 2020 developer conference, the Redmond firm has announced even further compliance features for the Microsoft 365 platform, and beyond.

      The Compliance Manager tool has been overhauled, bringing a larger library of assessments to cater to regulatory concerns, built-in automation for detection of tenant settings, and more. Over 150 out-of-the-box assessments will be made available. Although initially only a part of Microsoft 365, compliance management is now being extended in the form of custom assessments for other services as well.

      Moving on, other new compliance capabilities are being added to the ecosystem as well, including new third-party connectors through Microsoft partners Globanet and TeleMessage. These assist customers in protecting and governing data that is arriving from other Microsoft 365 services. In conjunction with these, new Graph APIs including Microsoft Teams Data Loss Prevention (DLP), Teams Export, and eDiscovery automation have reached general availability as well.

      There are some more security-related features as well, particularly with regards to Microsoft Teams. The service now has Customer Key support - like in Exchange Online, SharePoint Online, and OneDrive - providing an added layer of encryption using customers' own keys. Compliance features for Teams include native integration for Insider risk management, support for live documents and links using advanced eDiscovery, new retention policies for meeting recordings, and Teams-specific actions in compliance manager.

      Finally, Microsoft 365 has integrated Application Guard with Office, allowing Microsoft 365 E5 customers to get hardware-backed security even when editing, printing, and saving changes to Office documents from outside their organizations. Any documents will be opened in a secure, virtual container in a separate copy of the kernel. The Windows platform Antimalware Scan interface (AMSI) can now scan Excel 4.0 macros as well, tackling any evasion tactics that may be employed by malicious actors.

    • By Fezmid
      Building a secure browsing environment with virtualization: How to use VirtualBox
      by Christopher White

      If it seems like security is in the news on a daily basis, that's because it is. It's also true that one of the easiest, and most successful attacks is from phishing, where the attacker sends an email with a malicious link, you click on it, and your computer automatically downloads and executes code that takes over your machine. There are also concerns around "malvertising," or malware that is embedded in advertising on websites, in addition to potentially malicious software you download and install yourself.

      So how do you protect yourself? The first line of defense is to make sure you keep your systems patched - update the operating system whenever new patches are released, keep your browsers and other software up to date, and don't visit unknown sites. Unfortunately, all it takes is one slip to compromise your system, so you might want to employ a better solution: A virtualized, or sandboxed, browser environment. I'll walk you through the entire process. Best of all, the solution is completely free!

      These are the areas I'll cover, and I welcome any comments, questions, and feedback in the comments section below!

      • What is Virtualization?: A discussion of what virtualization is and why it is helpful for secure browsing
      • Installing VirtualBox: Tutorial on how to download and install a free hypervisor on your computer
      • Setting up a Virtual Machine: How to install a VM in VirtualBox, including tuning processors, memory, networks, and the like
      • Installing the Operating System: How to install the operating system on the VM you setup
      • Configuring the VM: What steps should you take in the VM to help make it secure for the rest of your network
      • Utilizing Snapshots: The secret sauce of using a VM for safe browsing

      And if you don't want to read all of this, but just want the meat, there's a tl;dr section at the end of the article!

      What is Virtualization?
      Before digging into the "how to" portion, I'm going to step back and explain what virtualization is and what we hope to achieve with this solution.



      Virtualization, for those who may not be familiar with the term, is a way to abstract the hardware layer so that you can run multiple computers on a single piece of hardware. You install what's called a hypervisor on your physical computer, and then install different virtual machines, each with their own operating system, within that hypervisor. This gives you the capability of allocating resources to each of the different operating systems, giving one of them four CPUs and a couple gigabytes of RAM, while allocating eight CPUs and four gigabytes of RAM to a second system, for example. They have no direct access to your base operating system, nor can they see any of the other virtual systems you're running.

      There are many different hypervisors available. The most common is probably VMware ESXi, but Microsoft has Hyper-V, and there are a bunch of others. Some run as the main operating system on the hardware, while others run on a pre-existing operating system.

      This is safer for browsing the Internet because of the fact that the virtual machine that runs in the hypervisor has no access to your physical machine, and therefore can't directly infect it. Although it potentially could infect other machines on your network, I'll show you how to prevent that from happening as well, by blocking all network access between your LAN and the VM.

      If you want to get more advanced than virtualization, you can look into containers such as Docker and Kubernetes, a topic I dug into last month.

      For this discussion, we're going to assume you're running Windows 10 as your base OS and will show you how to install Oracle's VirtualBox to create a secure browsing environment. The same steps should work for MacOS and Linux as well, but have not been tested.

      Installing VirtualBox
      While installing a hypervisor on bare metal can be difficult, installing one on an already running operating system is just as easy as installing any other program on your computer. Let's walk through the steps.

      Gallery: Installing VirtualBox
      First, go to the VirtualBox website and click the big "Download" button in the middle of the screen. They make it so clear that it's impossible to miss. Note that the top-level domain is .ORG and not .COM.

      Next, you have to select what platform you want to download for. Windows, OS X, and Solaris will automatically download the package you need, but if you're installing on Linux, you'll have to click through and pick which distribution you're using.

      After downloading the package, simply double-click the executable to begin the installation process. The first screen is your typical setup page explaining what you're going to be installing.

      The next page asks what pieces of the application you want to install. Just leave the defaults and install it all since you may need USB support and will definitely need some type of networking. In the future, after you understand what these components do as well as how you intend to use VirtualBox, you may change your mind, but I've always kept the defaults to avoid confusion.

      The next menu contains your typical questions about whether you want icons on the start menu, the desktop, and the Quick Launch bar. I usually uncheck the desktop and leave the other two, but that's a personal preference for you. You definitely want to check to register the file associations though.

      The next window provides you with a warning in big red letters. Don't worry though, it's not as scary as it sounds. Basically in order to provide virtualized networking (i.e.: letting VirtualBox pass network details to your new virtual machines), you have to let it install some networking features, and this installation process will disconnect you from your LAN (and thus the Internet) for a few seconds. If you're in the middle of transferring a file, you'll want to wait before doing the installation, but otherwise just click through.

      The last menu asks you to confirm installation of the USB drivers. Like the previous networking section, this will allow your virtual machines to access USB devices, so click yes.

      Congratulations, you're done and now have a fully functioning hypervisor installed on your computer! So now what? Read on!

      Setting up the Virtual Machine
      You now have a hypervisor installed, but that's just another piece of software that lives on your computer. The next step is to build a new virtual machine.

      Start by deciding what operating system you want to run. A great thing about virtualization is that you can install a new operating system and play around with it to see if you like it, so if you've always wondered what Linux is like, go for it. For this technical deep dive, we'll assume Windows (which requires you to have another license), but I've used Ubuntu as a private browsing machine in the past as well.

      I will assume that you already have a Windows ISO. If you don't, you can always download one from Microsoft, and can even just use it to test virtualization although I don't know if that's technically allowed from the terms of service.

      The first thing you'll do is click the "New" button from the interface to bring up the "Create Virtual Machine" wizard that will step you through the process of making your new system. The screenshots from that process are below, but I'll explain each step and what it means.

      Gallery: Creating a VM in VirtualBox
      After starting the wizard, you're prompted to give your new virtual machine a name and a folder where the files should be stored. You'll also need to tell VirtualBox what operating system you're running as well as the version. I selected Microsoft Windows for the Type and Windows 10 (64-bit) as the Version.

      Next, allocate memory that your new VM will use. For a browsing-only machine, you're probably fine with only 2GB of RAM, but if your computer has a lot of RAM, there's nothing wrong with providing more. On the other hand, you can always change how much memory it has in the future as well. All that's required is to power off the VM, change the setting, and turn the VM back on! That's the power and versatility of virtualization!

      After memory, you have to allocate disk. The first screen asks if you want to use an existing virtual hard disk, create a new one, or don't add one at all. In our case, we'll create a virtual hard disk so we have somewhere to install our operating system. If you wanted, you could run your machine on a read-only ISO image, in which case you wouldn't need to allocate any disk. However that usually limits what you can do and would be a more advanced topic.

      There are a few different types of virtual disks you can create. VMware utilizes VMDK files, but unless you have a specific reason to select something else, stick with the VirtualBox Disk Image (VDI) type.

      On the next page of the wizard, you have to decide whether you want a dynamic or fixed disk. The advantage of a dynamic disk is that you can make it as large as you want, but it will only take up the space the VM itself uses. So if you allocate a 500GB disk, but the VM never uses more than 50GB, your main computer will never lose that space. Note that the disk will never shrink, so if your VM uses 100GB one day, but then never uses that space again, you won't reclaim that extra 50GB. The disadvantage to using dynamically allocated disks is that performance won't be as good when the disk has to dynamically grow. That said, in my experience, I almost always use dynamically allocated disk because the performance hit on today's computers is minimal.

      Finally, you have to confirm the location of the new disk you created and how large it should be. The default file location should be fine, assuming you set up the folder properly in the first step. If you didn't, I suggest starting over since it's hard to change after the fact. Click the Create button, and your VM is done!

      While you have the framework for the VM complete, you still don't have an actual operating system on the VM, so we have a few more steps to do. Click on the Settings icon and let's fine tune some things and "insert" a disk into the CD-ROM drive.

      Gallery: VM Settings
      The second tab in the General section allows you to configure the folder where your snapshots will live (more on that topic later - the default should be fine), but more importantly, allows you to configure both a shared clipboard and some drag'n'drop functionality.

      By default, your VM has no native connectivity to your host OS. It can't see your hard drive, it can't access the memory, and it can't even see your clipboard. While that's good from a security perspective, it's bad from a usability perspective, so VirtualBox gives you the capability to share both the clipboard, as well as drag and drop files between the VM and your host OS. For a truly secure system, you should probably leave both of these disabled, and only turn them on when you actually need the functionality. Also of note, the Drag'n'Drop feature is occasionally buggy, and has required me to reboot my virtual machine from time to time.

      The next section, System, is where you set things like how much memory your VM will have, what the boot order should be (hard drive vs. optical vs. network), how many processors the VM will have, and some other more advanced features. For now, give the VM at least 2GB of RAM (4GB if you can spare it), between two and four processors, and ensure the Execution Cap is 100%. As an aside, if you have an AMD processor, and want to install a Hypervisor (like ESXi or Hyper-V) as a virtual machine, you'd want to check the box next to "Enable Nested VT-x/AMD-V", but otherwise, leave the rest of the defaults alone for now.

      The next section is Display, and will determine the resolution of your screen and how big you can make the window. With today's computers, it's probably best to max out the video memory to 128MB, leave monitors at one, and use VBoxSVGA as the Graphics Controller. You can check the box for 3D Acceleration if you want, but the feature is still experimental and since this is a VM for browsing the web, it probably isn't needed for your use at this time.

      In the Storage section, you'll virtually load your ISO image into the optical drive so that you can boot from it and install the operating system onto your VM. Under the SATA controller, highlight the image of the CD-ROM, then on the right side of the screen, click the CD-ROM icon that has a drop-down button. Doing so will bring up a menu of options, and you will need to select, "Choose a disk File..." Navigate to the location of your ISO file, double click, and the disk is now virtually loaded into the drive.

      Under the Audio section, make sure Enable Audio is checked.

      The Network section is where we give our VM up to four different Network Interface Cards (NICs). By default, you'll have one. Networking is an advanced topic that I'll cover a little bit later, because there's several options you can select, depending on what you want to be able to do.

      The rest of the sections, including Serial Ports, USB, Shared Folders, and User Interface, can all be left at their defaults for now. I'll cover Shared Folders a little later, but the rest are features you probably won't ever use.

      Now that you have the ISO mounted from the storage section, you can click "OK" to exit settings, and then click "Start" on the VirtualBox Manager window.

      Error When Starting Virtual Machine!
      There's a scenario where you do everything right, but still receive an error after clicking the button to Start your virtual machine, and could require you to do some research about your computer.

      Modern motherboards have a flag that allows virtualization to be enabled and disabled. Years ago, there was some proof of concept code that allowed malware to compromise a host with virtualization enabled, so many motherboard manufacturers ship the hardware with the feature disabled. If you try starting the machine and receive an error, that's probably the issue, so do a search for your motherboard and the word "virtualization" to find an article like this one, because it's not always clear what the setting is in the BIOS.

      Installing the Operating System
      Now that you have the hypervisor installed and the VM setup, it's time to install the operating system on the VM! This part is simple and is based on the OS you install. In our case, for Windows, you'll simply follow the prompts on the screen to install Windows, just like you would do on a laptop.

      Once the installation is complete, you might want to go into the VM settings again and remove the optical disk that you added. Otherwise, you're done and have your first virtual machine setup and installed. Congratulations!

      Configuring the Virtual Machine
      Although the OS is installed on the VM, you still have some steps to do in order to make it a more secure browsing environment.

      The first thing you'll want to do is install the VirtualBox Additions. These are handily built into VirtualBox, so in your VM window, select the Devices dropdown and click "Insert Guest Additions CD image..." to put the files into the virtual CD-ROM drive. Then simply go to the CD-ROM drive in Windows, double-click on VBoxWindowsAdditions, and work through the prompts, including a reboot of the VM. These tools give VirtualBox the ability to drag and drop files, share clipboards, and other things that make the experience work better.



      Next, it's recommended that you run Windows Update and patch the system up to the latest revision.

      Once the VM has the VirtualBox Additions installed and is up to the latest patch revision, you should take a snapshot. I'll cover the advantages to snapshots near the end of the article, but in a nutshell, it's a way to make a point-in-time copy of your VM so that if you make a mistake, you can go back in time. Click the "Take" button in the interface, give the snapshot a name, and click the Ok button.



      Now it's time to address what is potentially one of the biggest decisions to make: How will you configure your networking? Click on the Settings button followed by the Network section on the left to bring up the screen with four Network adapters.

      Since we're building a secure browsing environment, you will want to make sure your selected network is NAT, or Network Address Translation. This basically "hides" your VM from both the Internet and your internal LAN so that it can't be easily attacked. If, on the other hand, you wanted a VM that looks more like another node on your internal LAN, then you should select Bridged Adapter. Doing so will obtain an IP address from your DHCP server on your network and allow it to communicate bidirectionally to all of the resources.



      If there are any services running on this VM that you want to be able to access, you need to setup Port Forwarding. Click on the Port Forwarding button under Advanced, type in a name, what local port you want to assign for the forward, and then what the destination of that forwarder is. In the above example, we now have the ability to SSH to 127.0.0.1 on port 2222 and the network traffic will be sent to the virtual machine, even though it's on a NAT. This is advanced functionality that you probably won't need for a secure browser, but it's good to know that it exists.

      If you want more information on VirtualBox networking, Oracle provides very detailed information in its documentation.

      Although doing the above protects the VM from being directly attacked, it won't prevent malware from attacking your LAN if it becomes infected from a website or program. While you could setup firewall rules on the virtual machine, those would be useless if malware disables the firewall, so your best bet is to use Windows Firewall on your main computer to block all traffic to your LAN.



      Doing this is as simple as opening up Windows Defender Firewall and creating a new Outbound rule with the following characteristics:

      • Program: %ProgramFiles%\Oracle\VirtualBox\VirtualBoxVM.exe
      • Action: Block the connection
      • Profile: Domain, Private, and Public
      • Protocols: Any
      • Scope: Remote IP address, all IPs except for your Internet router. In my example, my router is 172.30.128.100, so we block everything else so the VM can get out to the Internet.

      You now have a VM that's running on a NAT network that has no visibility into your private LAN, but can surf any site on the Internet!

      I talked about the concept of a shared clipboard and drag and drop earlier, and those are features you can decide whether you want to implement or not although, like I said, drag and drop seems to be buggy from time to time. Shared clipboards can be helpful if you want to cut and paste text from one machine to another. However there's another sharing option called Shared Folders that you'll almost certainly want to utilize, even if it's just on a temporary basis. It allows you to take a folder on your main PC and make it available to the virtual machine, and is mounted as a drive letter. This lets you easily move files, such as downloaded binaries, from the secure VM onto your host PC.



      Setting up Shared Folders is simple. Under the settings for the VM, click Shared Folders on the left, and then click the plus sign in the upper-right to bring up the "Add Share" dialog box. Select the folder you want to share, give it a name that will be presented to the VM, check the Auto-mount box, then click Ok. Once you're back at the Shared Folders page, you have to click OK once more for it to take effect. This can be done any time, but if the VM is currently running, there will be an extra option to "make permanent" so that the share persists across reboots.

      Snapshots
      A snapshot is, in essence, a point-in-time backup of the entire system, similar to a System Restore in Windows. As noted earlier, this is the secret sauce that makes the VM secure in the long run. More accurately, it means you don't care what happens to the virtual machine because you can always get a clean version back.



      With the VM highlighted, click the "Take" button. In the resulting dialog box, give the snapshot a descriptive name (such as, "Patched on Sept 20, 2020"), and click the OK button. The main interface will now show the snapshot and, underneath it, a line that says "Current State." The snapshot is your safe image, while the current state is what will change.



      From here, you can open any email, visit any website, or install any software, just to see what happens. When you're done and want to, for example, login to your bank, you would simply revert your snapshot back to the previous state by clicking the "X" in the upper right corner of the VM. This brings up a dialog box that has a checkbox to restore to the previous snapshot.

      It's important to note that, just because you have snapshots, doesn't mean you should forgo patching the VM every month. I recommend reverting your snapshot, starting the VM, and performing a Windows Update, as well as updating any browser you're using, roughly once a month. Once you're done patching, create another snapshot and use that as your new base. Keep two or three previous snapshots so that you can revert back if the upgrade breaks your system.

      In addition to patching your VM every month, it's also important to stay up to date on the VirtualBox hypervisor software as well. While you won't have to upgrade monthly, you should try to keep abreast of any security issues and patch when they are discovered. For example, back in 2018, there was a bug that allowed an attacker to run code on your base OS from within a VM, the very thing you're trying to prevent with this setup. Patching hygiene is still important!

      TL;DR
      There's a lot of details in this article, but if you just want the meat of what we covered, here it is:

      • Download and install VirtualBox on your PC
      • Create a new VM in VirtualBox
      • Mount the ISO of the OS you want to install and click Start
      • Install the OS like you normally would
      • Create a snapshot
      • Select a NAT for the VM, and then configure Windows Firewall on your main PC to block traffic to anywhere but the default router
      • (optional) Setup a shared folder between your VM and main PC
      • Take another snapshot, and revert the snapshot each time you're done surfing the web
      • (optional but highly recommended) Patch once a month and take another snapshot

      Conclusion
      I hope you've found this tutorial on how to setup a secure sandbox browsing environment to be helpful. It's a pretty simple way to navigate the web, and is a great option for keeping your banking information secure, as long as you revert the snapshot to a never-been-used state before each session.

      If you have any questions, or have feedback to provide on this technical deep dive, I'd love to hear about it in the comments below. Also, if you want more technical documents like this in the future, let us know so that we can make Neowin as useful as possible for you!
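The same build-out, done from the command line instead of the GUI. This is an added example and is not code from the Neowin article or from Oracle: it drives VBoxManage (VirtualBox 6.1 syntax, where the per-VM process is VirtualBoxVM.exe) and the Windows Firewall cmdlets from an elevated PowerShell prompt on the Windows 10 host the article assumes. The VM name, VM and ISO folders, the shared-folder path, and the 172.30.128.0/24 LAN with the router at .100 are assumed values for the example.

```powershell
# Added example, not code from the Neowin article or from Oracle: the article's GUI steps
# done with VBoxManage (VirtualBox 6.1 syntax) and the Windows Firewall cmdlets.
# Run from an elevated PowerShell prompt on the Windows 10 host. Every value below is an
# assumption made for the example; change it to match your machine.
$ErrorActionPreference = 'Stop'
$VBoxManage = "$env:ProgramFiles\Oracle\VirtualBox\VBoxManage.exe"
$VmExe      = "$env:ProgramFiles\Oracle\VirtualBox\VirtualBoxVM.exe"  # per-VM process the firewall rule targets
$VmName     = 'SecureBrowser'           # assumed VM name
$VmDir      = 'D:\VMs'                  # assumed VM folder
$Iso        = 'D:\ISO\Win10_x64.iso'    # assumed install ISO
$ShareDir   = 'D:\VMShare'              # assumed host folder to expose as the shared folder
$Lan        = '172.30.128'              # the article's LAN (/24)
$Router     = "$Lan.100"                # the article's router

# Thin wrapper so a failed VBoxManage call stops the script instead of being silently ignored.
function Invoke-VBox {
    & $VBoxManage @args
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($args -join ' ') failed with exit code $LASTEXITCODE" }
}

function New-BrowserVm {
    # Create Virtual Machine wizard: name, folder, Type Microsoft Windows, Version Windows 10 (64-bit).
    Invoke-VBox createvm --name $VmName --ostype Windows10_64 --basefolder $VmDir --register

    # System and Display: 4 GB RAM, 2 CPUs, 128 MB VRAM, VBoxSVGA, boot from the DVD first for the install.
    # Shared clipboard and drag'n'drop stay disabled; enable them only for the moment you need them.
    Invoke-VBox modifyvm $VmName --memory 4096 --cpus 2 --vram 128 --graphicscontroller vboxsvga `
        --clipboard-mode disabled --draganddrop disabled --audio dsound --boot1 dvd --boot2 disk

    # Storage: a 60 GB dynamically allocated VDI on a SATA controller, install ISO in the virtual DVD drive.
    $vdi = Join-Path $VmDir "$VmName\$VmName.vdi"
    Invoke-VBox createmedium disk --filename $vdi --size 61440 --format VDI --variant Standard
    Invoke-VBox storagectl $VmName --name SATA --add sata --controller IntelAhci --portcount 2
    Invoke-VBox storageattach $VmName --storagectl SATA --port 0 --device 0 --type hdd --medium $vdi
    Invoke-VBox storageattach $VmName --storagectl SATA --port 1 --device 0 --type dvddrive --medium $Iso

    # Network: NAT on adapter 1, plus the article's optional port forward (host 127.0.0.1:2222 -> guest :22).
    Invoke-VBox modifyvm $VmName --nic1 nat --natpf1 'ssh,tcp,127.0.0.1,2222,,22'

    # Shared folder, auto-mounted as a drive letter once Guest Additions are installed in the guest.
    Invoke-VBox sharedfolder add $VmName --name exchange --hostpath $ShareDir --automount
}

# Host-side containment. NAT only hides the guest from inbound connections; the guest can still
# open connections to the LAN through the host. Block the VM process from every LAN address except
# the router so the guest keeps Internet access but cannot reach other machines if it is compromised.
function Add-LanBlockRule {
    $lanExceptRouter = @("$Lan.0-$Lan.99", "$Lan.101-$Lan.255")   # both sides of $Router
    New-NetFirewallRule -DisplayName "VirtualBox $VmName - block LAN except $Router" `
        -Direction Outbound -Program $VmExe -Action Block `
        -Profile Domain,Private,Public -Protocol Any -RemoteAddress $lanExceptRouter | Out-Null
}

# After the OS install, Guest Additions, Windows Update and a clean shutdown of the guest:
# take the baseline snapshot that every browsing session will be reverted to.
function New-Baseline {
    Invoke-VBox snapshot $VmName take "Patched $(Get-Date -Format 'yyyy-MM-dd')"
}

function Get-VmState {
    $line = Invoke-VBox showvminfo $VmName --machinereadable | Where-Object { $_ -like 'VMState=*' }
    return ($line -split '=')[1].Trim('"')
}

# Before anything sensitive (the article's banking example): discard whatever the last session did
# and boot the clean image. A saved state must be discarded before a snapshot can be restored.
function Start-CleanSession {
    switch (Get-VmState) {
        'saved'   { Invoke-VBox discardstate $VmName }
        'running' { Invoke-VBox controlvm $VmName poweroff; Start-Sleep -Seconds 3 }
        'paused'  { Invoke-VBox controlvm $VmName poweroff; Start-Sleep -Seconds 3 }
    }
    Invoke-VBox snapshot $VmName restorecurrent
    Invoke-VBox startvm $VmName
}

# Order of use: New-BrowserVm; Add-LanBlockRule; install the OS from the ISO; New-Baseline;
# then Start-CleanSession at the start of every session, and New-Baseline again after each monthly patch run.
```

Two things to check before relying on the firewall rule: the `-RemoteAddress` ranges cover only the one /24 the article uses, so a LAN with other subnets (or other RFC 1918 ranges reachable through the router) needs those ranges added as well, and the rule is bound to VirtualBoxVM.exe, which is the VM process name in VirtualBox 6.x; on older releases the process was VirtualBox.exe and the rule would silently match nothing. Snapshot restore refuses to run against a powered-on VM, which is why Start-CleanSession checks the state first.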

    • By Jefferson Mangubat
      Twitter announces new steps to beef up security of high-profile political accounts
      by Jefferson Mangubat

      Twitter is taking extra measures to keep high-profile accounts with political inclinations secure during the upcoming U.S. elections. Beginning today, those accounts will now receive in-app notifications that will prompt owners to adopt Twitter's recommended practices for increased security.

      In a blog post, Twitter said it will require political accounts to use a strong password. For those that use a weak combination, the company will ask them to replace their password the next time they log in to their accounts. This will apply to officials in the U.S. executive branch, members of Congress, U.S. governors, secretaries of state, presidential campaigns with election labels, political journalists and news outlets, candidates, and political parties.

      Twitter's password reset protection will also be turned on by default to prevent unauthorized password changes. Meanwhile, it will also recommend that these accounts enable two-factor authentication.

      The social networking site plans to roll out more proactive internal security safeguards over the next few weeks. These include advanced detection and alert systems to address security incidents, heightened protection for authorized login attempts, and faster account recovery support. With these measures, Twitter seems to be trying to prevent the recent major hack in July from taking place again.

    • By Usama Jawad96
      Google's Advanced Protection Program will now scan risky files on-demand
      by Usama Jawad

      Back in 2017, Google announced its Advanced Protection Program (APP) to secure accounts of high-risk individuals such as journalists, business executives, activists and people involved in electoral processes. While the service is free to use, people who enroll in the program may have to pay a fee to procure a security key.

      In August 2019, Google stated that for APP users, Chrome will automatically scan for risky downloads, trigger alerts if required, and even block files containing malware from downloading. Now, the firm is making further enhancements to this feature.

      In a blog post, Google has highlighted that APP customers are already protected from phishing and Chrome also warns them when downloading risky files. Now, the company is taking this a step further by allowing them to send risky files directly to Google for scanning of potential threats. The tech giant will be using its cloud-hosted Safe Browsing suite of malware detection technology to analyze any files uploaded to its service. Google says:

      With the U.S. presidential elections just around the corner - amidst reports of increased cyberattacks - Google has encouraged members of political campaigns to enroll in APP. You can find out more details about the program here.

    • By Usama Jawad96
      Microsoft announces new Threat Protection APIs, platform now 'integration-ready'
      by Usama Jawad

      Microsoft Threat Protection (MTP) is a platform that provides organizations cross-domain threat detection and response mechanisms within their Microsoft 365 environments. It collects raw data from several endpoints across individual domains, and analyzes it to give a complete view of attack surfaces so that they can be detected, investigated, prevented, and responded to in an efficient manner.

      Microsoft has announced new APIs for MTP, stating that the platform is now "integration-ready".



      The Incidents API reveals comprehensive details about MTP incidents and is an evolution over simple alert mechanisms. It allows security teams to monitor and analyze the full scope of attacks and impacted services, including information about severity and entities responsible for alerts.

      The Cross-product threat hunting API allows security professionals query-based access to raw datastores in MTP so that they can utilize their own expertise and existing knowledge to create custom queries to detect threats.

      Additionally, Microsoft has also announced Splunk Enterprise and Micro Focus ArcSight FlexConnector security information and event management (SIEM) connectors, which are now available in preview mode. The former allows organizations to integrate security incidents with Splunk Enterprise while the latter offers the same integration with ArcSight.

      Lastly, the firm has stated that MTP alerts will be available soon via the Microsoft Graph Security API. Microsoft states that it plans to add an event streaming interface as well, which will stream event data into external sources so security professionals can analyze it with other data sources and develop custom analytics. The future roadmap for the platform also includes exposing more APIs to meet the needs of security professionals.