Security UPDATE--Rootkit Removal Tools--August 30, 2006

More than a dozen tools are available to help you detect and remove rootkits from your systems.

ITPro Today

August 29, 2006


PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

How to Improve Network Security Without Extra Staff or Busting Your Budget

http://www.windowsitpro.com/go/whitepapers/alertlogic/networksecurity/?code=SECTop0830

Symantec Webcast : Symantec Packager - Tap into the Power http://www.veritas.com/offer?a_id=25462

Manage Vulnerabilities. Defend Against Threats.

http://findtechinfo.com/penton/nl/178

===========================================

How to Improve Network Security Without Extra Staff or Busting Your Budget

Who couldn't use some extra protection? Worms and malicious intruders can attack your network anytime, so make sure that your defenses are at their strongest, especially for your small- and medium-sized businesses. If IDS/IPS appliances are too costly and difficult to maintain, learn how a turn-key solution can provide the protection you need at a price you can afford.

http://www.windowsitpro.com/go/whitepapers/alertlogic/networksecurity/?code=SECTop0830

=== IN FOCUS: Rootkit Removal Tools

===========================================

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Rootkits are a growing problem, and as you might expect, the list of tools that can help you prevent rootkit infiltration is also growing. The list of standalone tools that can help with rootkit detection and removal is also expanding. This week, I give you a list of the standalone detection and removal tools that I know about. The alphabetical list below can be a resource to help you add some useful tools to your security toolkit. As with antivirus and antispyware tools, using multiple rootkit detection and removal tools is a good idea because not every tool can detect and remove every rootkit.

Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight, Sophos Anti-Rootkit, and IceSword, all of which are from entities that I'm familiar with and trust to some extent or other. A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker) look interesting, but I have no idea who the authors are, nor do their Web sites offer much information to lend insight. So although I included them in the list, definitely use your own discretion.

There are undoubtedly other related tools available that I'm not aware of; if you know of one, please send me an email with details. If you've tried one of the tools below, let me know about your experiences with it.

BitDefender RootkitUncover beta, from SoftWin
This tool is currently available as a free beta and looks promising, particularly because it's from SoftWin, makers of BitDefender.
http://download.bitdefender.com/windows/desktop/internet_security/beta/

DarkSpy, from DarkSpy Security Group
This tool is from a group of Chinese security researchers that I'm unfamiliar with. The download page for the tool says, "Use at your own risk," and you'd be wise to take that advice; however, it might give you a little comfort to know that this tool was recently mentioned in the SANS Internet Storm Center's Handler's Diary. Click the second URL under the Helios entry below to link to that mention.
http://www.fyyre.net/~cardmagic/index_en.html

F-Secure BlackLight
This is a standalone "trialware" tool, meaning that it expires on a set date (currently October 1), after which a newer build must be downloaded. It's also a standard component of F-Secure's Internet Security 2006 package.
http://www.f-secure.com/blacklight/blacklight.html

GMER, from an unknown independent Polish developer
Although no information is readily available about who developed this tool, its Web site has several screenshots and some movies (in .wmv and .avi format) that show the tool in action, so you can get a good idea of what it's like before using it.
http://www.gmer.net

Helios, from MIEL e-Security
This is a new tool, currently in "alpha" development, that looks promising. For some good insight into Helios, go to the second URL below to read the SANS Handler's Diary entry for July 26, in which you can also see some screenshots of the tool in action.
http://helios.miel-labs.com
http://isc.sans.org/diary.php?storyid=1487

IceSword, by Xfocus Team
IceSword has proven useful to many security administrators. Xfocus is a group of Chinese security researchers, and while the site is written in Chinese, you can use AltaVista's Babel Fish Translation engine (at the second URL below) to view it in English. You can also use Babel Fish to translate the Chinese documentation.
http://www.xfocus.net/tools/200509
http://babelfish.altavista.com/babelfish/tr?trurl=http://www.xfocus.net/tools/200509/&lp=zt_en

RKDetector, by Miguel Tarasco Acuna
This toolkit comes in two parts: a file system analyzer and an Import Address Table (IAT) analyzer. The file system analyzer scans the file system and registry, and the IAT analyzer scans memory space for alterations that would allow rootkits to hook into the system. Screenshots are available to give you a good idea of what the tool looks like.
http://www.rkdetector.com

RootKit Hook Analyzer, from Resplendence Software Projects
Although most rootkit detection tools look at kernel hooks, the file system, the registry, user accounts, and so on, this particular tool focuses exclusively on kernel hooks.
http://www.resplendence.com/hookanalyzer

RootkitRevealer, from Sysinternals
A tool written by Mark Russinovich and Bryce Cogswell, two very well known Windows experts.
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Rootkit Unhooker, from UG North
Although I have no idea who UG North is, the tool looks promising. It checks for unwanted processes and system hooks and can help terminate such processes.
http://www.rkunhooker.narod.ru

Sophos Anti-Rootkit
This standalone tool offers both a GUI and a command-line version and is similar to the antirootkit technology built into the Sophos Anti-Virus for Windows solution.
http://sophos.com/products/free-tools/sophos-anti-rootkit.html

System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska
These tools specifically look for hidden files and at various system components that might be modified by various rootkit techniques. Source code is included. Rutkowska is a well-known researcher.
http://www.invisiblethings.org/tools.html

UnHackMe, from Greatis Software
While all the other listed tools are free, this tool is priced starting at $19.95 for a single license. You can view screenshots of the tool to see what it looks like and download a working demo if you're interested.
http://greatis.com/unhackme

=== Regional Events Cover 4 Key Interoperability Topics

Are you a Windows fan, a UNIX diehard, a Linux lover, or all of the above? Check out TechX World, an OS-agnostic event designed to give you insider tips on coping in a Windows-plus world. Designed specifically for IT professionals who work in a multi-OS environment, TechX World is a four-track, one-day event featuring technical experts Michael Otey, Gil Kirkpatrick, Dustin Puryear, and Randy Dyess providing information about OS interoperability, data interoperability, directory and security integration, and virtualization. The regional event series will visit four cities from October 24 through November 2: Washington D.C., Chicago, Dallas, and San Francisco. Attendees who register before August 31 will receive early bird pricing and a one-year subscription to Windows IT Pro. At $129 per person for four tracks and a full day of learning, it's worth sending the entire team to make sure you cover all the sessions. For complete agenda and speaker details, go to http://list.windowsitpro.com/t?ctl=36435:2C9A6

=== SPONSOR: Symantec

================================

Symantec Webcast : Symantec Packager - Tap into the Power

Need to extend your IT administration reach and connect to the devices? This webcast is designed for IT professionals interested in the functionality of Symantec Packager. Topics to be covered include product functionality, the product basics, as well as configuring and deployment with specific examples for pcAnywhere Host and Remote installations.

Date: September 7, 2006, 9:00am PDT, 12:00pm EDT
Speaker: Sandra Stamler, Product Marketing Manager

Register now at http://www.veritas.com/offer?a_id=25462

=== SECURITY NEWS AND FEATURES

=======================

Time to Upgrade SUS to WSUS
Microsoft ceased distributing Software Update Services (SUS) August 24 and will stop delivering updates via SUS December 6. The company will no longer support SUS after the December date. For administrators who rely on SUS, it's a great time to upgrade to Windows Server Update Services (WSUS).
http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/93276/WindowsSecurity_93276.html

Big Blue to Pay $1.3 Billion for ISS
IBM announced that it has entered into a deal to buy Internet Security Systems (ISS) for $1.3 billion in cash. Upon closing of the acquisition, ISS will become a security business unit at IBM within the company's Global Services organization.
http://www.windowsitpro.com/Article/ArticleID/93291/93291.html

Citrix and Microsoft Team Up to Develop New Appliance
The new Citrix WANScaler appliance is aimed squarely at improving delivery of applications to branch offices and will be based on Microsoft Windows Server 2003, Internet Security and Acceleration (ISA) Server to provide added security, and WANScaler technology to improve network and application performance.
http://www.windowsitpro.com/Article/ArticleID/93293

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: Core Security

===========================

Manage Vulnerabilities. Defend Against Threats.

Your IT and Security budgets are tight. This White Paper shows real-world case studies demonstrating the ROI potential of automated penetration testing.

http://findtechinfo.com/penton/nl/178

=== GIVE AND TAKE

====================================


by Renee Munshi, [email protected]

Managing and Reporting Security Events
CrossTec has released version 3.5 of its Activeworx Security Center event management software. The upgrade contains a new internal reporting center instead of the Crystal Reports software in previous versions (Crystal Reports will still be optional). Activeworx 3.5 lets users control parameters and schedule automated reporting tasks and comes with more than 200 new PCI, SOX, GLBA, and HIPAA reports. Integration with the Snort intrusion detection system (IDS) provides event information. Activeworx 3.5's correlation engine has been benchmarked at more than 15,000 events per second. Activeworx 3.5's console is customizable and can be modified to display the entire network or just portions of it. An Activeworx deployment starts at $2500. For more information, visit http://www.crossteccorp.com/activeworx/

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS

=============================


Help your small or midsized business protect one of its most valuable assets--business information. Easily store, manage, protect, and share information by using hardware designed with the needs of your business in mind. Manage IT without the large staff and extensive training--learn how today!

http://www.windowsitpro.com/go/whitepapers/emc/smbs/?code=0830featwp

=== ANNOUNCEMENTS

====================================

Invitation for VIP Access
For only $29.95 per month, you'll get instant VIP online access to ALL articles published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. Sign up now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2768um

Save $40 off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE up to $40! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2068uw

===========================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

http://www.windowsitpro.com/windowssecurity

https://store.pentontech.com/index.cfm?s=1&promocode=eu255xsb

Subscribe to Security UPDATE at

http://www.windowsitpro.com/Email/Index.cfm?action=archive

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
