On Wed, 15 Feb 2006, Thane Sherrington (S) wrote:
From the SysInternals page:
Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing
so would require intercepting RootkitRevealer's reads of Registry hive data or
file system data and changing the contents of the data such that the rootkit's
Registry data or files are not present. However, this would require a level of
sophistication not seen in rootkits to date. Changes to the data would require
both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus
the ability to change data structures such that they hide the rootkit, but do
not cause inconsistent or invalid structures or side-effect discrepancies that
would be flagged by RootkitRevealer.
Perhaps there has been an update to this, but reading this, it looks to me
that right now RootKitRevealer is 100%. It doesn't catch rootkits that don't
hide themselves, but those should show up in tools like ProcessExplorer (or
even an AV scan) so I would say that right now RootKits are more of a threat
to the average user than to the person who knows how to find them.
Every time you make something idiot-proof they go and make a better idiot.
The analogy works here as well. Now for home users, yeah, rootkit
revealer is very likely going to get anything you would be exposed to,
because you're just getting hit with the automated tools. Businesses who
store customer data on a machine, and absolutely positively MUST be sure
their machine is clean (Health records, prescription information, SSNs,
etc) can't afford to be the exception to the rule when it comes to
detecting these things.
This is coming down to you believe you can completely clean the machine,
no matter what is on it, faster than doing a data backup, format, data
restore, and that you present more of a value to the customer when you do
that.
I believe that no matter how good I am, I'm gambling that I'm not going to
run into something on the client's PC that will slow down the process, and
cost the customer money it didn't need to. Yes, we try to clean the
machines as much as possible, but the insane assumption that cleaning the
machine is always better than starting fresh with the OS, is just that,
insane.
You also seem to think I'm recommending a reformat every time a machine
comes in with some spyware or a virus or two; I'm not. But in the case
where the user had no virus information, they're being locked out of doing
certain things on the machine, they're crashing constantly and clearing out
their startup, running a quick scan doesn't resolve the majority of the
issue, a backup and format is in order.
Christopher Fisk
--
Loew's Qaddafi's Mann's Grauman's Chinese Theater