At 04:53 PM 14/02/2006, Christopher Fisk wrote:
> On Tue, 14 Feb 2006, Thane Sherrington (S) wrote:
> > What about the ones not published?
> Well, according to Sysinternals, it would take technology not yet
> seen in a rootkit to get around Rootkit Revealer. It would have to
> be specifically written to intercept RR calls to directly look at
> the registry and hard drive files. So right now, it seems like a
> pretty good tool.
I'm not saying it's not a good tool, I'm saying (and they admit)
that it's certainly not 100%.
From the Sysinternals page:
Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from
RootkitRevealer. Doing so would require intercepting
RootkitRevealer's reads of Registry hive data or file system data and
changing the contents of the data such that the rootkit's Registry
data or files are not present. However, this would require a level of
sophistication not seen in rootkits to date. Changes to the data
would require both an intimate knowledge of the NTFS, FAT and
Registry hive formats, plus the ability to change data structures
such that they hide the rootkit, but do not cause inconsistent or
invalid structures or side-effect discrepancies that would be flagged
by RootkitRevealer.
Perhaps there has been an update to this, but reading this, it looks
to me that right now RootkitRevealer is 100%. It doesn't catch
rootkits that don't hide themselves, but those should show up in
tools like Process Explorer (or even an AV scan), so I would say that
right now rootkits are more of a threat to the average user than to
the person who knows how to find them.
T
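The FAQ excerpt quoted in the message above describes a cross-view check: compare what the OS API reports with an independent parse of the raw hive or volume data, and treat anything that appears only in the raw view as hidden. The following is an added example written for this thread, not RootkitRevealer's code or anything published by Sysinternals. The directory-block format, the hook functions and the file names are all invented for the demonstration, and Python is used only because it shows the comparison logic compactly. It also walks through the two raw-interception cases the FAQ mentions: a rootkit that patches raw reads carelessly and leaves an inconsistent structure that the parser flags, and one that rewrites the structure consistently and so evades the comparison entirely.

```python
"""Cross-view rootkit detection on a constructed, simplified directory format.

Added illustration for the thread; not RootkitRevealer's code.  The on-disk
format, the 'OS API', the rootkit hooks and the file names are all invented.
"""
import struct

# Constructed directory-block format (hypothetical, not NTFS or FAT):
#   u16 entry_count | u16 payload_len | entries...
#   entry: u8 name_len | name bytes | u32 file_size
HDR = struct.Struct("<HH")

# Constructed sample volume content; rk.sys stands in for a rootkit driver.
ENTRIES = [("ntoskrnl.exe", 2_000_000), ("rk.sys", 4096), ("readme.txt", 12)]


def build_block(entries):
    """Serialize [(name, size), ...] into one directory block."""
    payload = b"".join(
        struct.pack("<B", len(n)) + n.encode() + struct.pack("<I", s)
        for n, s in entries
    )
    return HDR.pack(len(entries), len(payload)) + payload


def parse_block(raw):
    """Scanner-side parser of the raw format, with consistency checks.

    Raises ValueError when the header and body disagree, which is the
    'inconsistent or invalid structures' case from the FAQ."""
    count, payload_len = HDR.unpack_from(raw, 0)
    body = raw[HDR.size:]
    if len(body) != payload_len:
        raise ValueError("payload length mismatch")
    names, pos = [], 0
    while pos < len(body):
        name_len = body[pos]
        pos += 1
        names.append(body[pos:pos + name_len].decode())
        pos += name_len + 4          # skip name and the u32 file_size
    if len(names) != count:
        raise ValueError(f"header says {count} entries, found {len(names)}")
    return names


def api_listing(raw, api_hook=None):
    """What the OS directory-enumeration API returns.  A rootkit hooking
    the API sees the true list and filters it (api_hook)."""
    names = parse_block(raw)
    return api_hook(names) if api_hook else names


def raw_listing(raw, raw_hook=None):
    """What a scanner sees reading the volume directly and parsing the
    structure itself.  raw_hook models a rootkit that also intercepts
    raw reads and rewrites the bytes before the scanner parses them."""
    return parse_block(raw_hook(raw) if raw_hook else raw)


def cross_view_scan(raw, api_hook=None, raw_hook=None):
    """Diff the two views.  Returns ("clean", []), ("hidden", [names])
    or ("corrupt", [reason]) when the raw structure fails validation."""
    try:
        api_view = set(api_listing(raw, api_hook))
        raw_view = set(raw_listing(raw, raw_hook))
    except ValueError as err:
        return "corrupt", [str(err)]
    hidden = sorted(raw_view - api_view)
    return ("hidden", hidden) if hidden else ("clean", [])


# ---- rootkit behaviours (all invented for the demo) -------------------
DISK = build_block(ENTRIES)


def hide_rk_api(names):
    """Classic API-hooking rootkit: drop rk.sys from the enumeration."""
    return [n for n in names if n != "rk.sys"]


def naive_raw_patch(raw):
    """Removes rk.sys from the raw bytes but leaves the original header's
    entry_count/payload_len untouched, so the structure is inconsistent."""
    body = build_block([e for e in ENTRIES if e[0] != "rk.sys"])[HDR.size:]
    return raw[:HDR.size] + body


def careful_raw_patch(raw):
    """Rewrites the whole block consistently: the 'sophistication not seen
    in rootkits to date' case, which the cross-view diff cannot catch."""
    return build_block([e for e in ENTRIES if e[0] != "rk.sys"])


def run_scenarios():
    return {
        "no rootkit": cross_view_scan(DISK),
        "api hook": cross_view_scan(DISK, api_hook=hide_rk_api),
        "api + naive raw hook": cross_view_scan(DISK, hide_rk_api, naive_raw_patch),
        "api + careful raw hook": cross_view_scan(DISK, hide_rk_api, careful_raw_patch),
    }


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:24s} -> {verdict}")
```

The last scenario is the one the FAQ calls theoretical: once a rootkit can rewrite the raw structures consistently, the API view and the raw view agree and the diff reports "clean", so the scanner's only remaining leverage is the side-effect discrepancies the FAQ alludes to, which this simplified format does not model.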