Root Kit

How can you scan and locate root kits?

Jack_son_ asked:
Thomas Zucker-Scharff (Systems Analyst) commented:
Generally, a rootkit gets onto a machine by visiting a malware-ridden website, clicking a suspect link in an email, or connecting an infected USB device to the computer when the computer has not been protected against USB-vector viruses.

In the first case: (1) don't visit suspect websites; (2) use a link checker in your browser like Web Of Trust (WOT - mywot.com) or linkextender (FF), or just use Chrome (I use Chrome and WOT).

In the second case, NEVER click links in emails.  I generally type the link into my browser to make sure it is going where it says it is going.  Alternately you can use a link checker (f-secure has an online one) to check if there is malware on the site before you visit it.  You just enter the URL and let the tester test it for you.

In the last case, you should be using something like USB-Set or USB firewall to inoculate and protect yourself from this possibility.

About TDSSKiller - it is aimed primarily at TDSS type rootkits.  It will find many others, but not necessarily all.
0
 
Hellmark (Linux Systems Administrator) commented:
Microsoft has Rootkit Revealer, and Avast Antivirus also can detect rootkits. Both are free.
0
 
Neil Russell (Technical Development Lead) commented:
Be aware that there are root kits that VERY FEW AV packages find; they are getting cleverer by the day.
0
 
Thomas Zucker-Scharff (Systems Analyst) commented:
I wrote an article about rootkits and the various software freely available to scan with.  Check it out here.
0
 
younghv commented:
That EE Article by tzucker has helped a lot of our members solve problems.

You should also take a look at:
TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
and
FixTDSS.exe from Symantec:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Malwarebytes and ComboFix are two of the most popular tools, as described here:
Stop-the-Bleeding-First-Aid-for-Malware
0
 
Jack_son_ (Author) commented:
Great articles!  I did use Sophos earlier; it found a few things in the OS files, but I can't tell whether they are legitimate or not.  How can I tell?  I will also try these other scanners; perhaps they are better.
0
 
younghv commented:
My personal favorite for evaluating individual files is here:
http://virusscan.jotti.org/en

Just 'browse' to the file on your system and let Jotti evaluate it.
0
 
Jack_son_ (Author) commented:
TDSSKiller did not find anything; will this find most root kits?  Also, how does someone get one on their laptop?
0
 
Jack_son_ (Author) commented:
Great, thanks.  So which tool do you think would be best to find a root kit that no anti-virus can find?  Are there any higher-strength products that can get me this?
0
 
Thomas Zucker-Scharff (Systems Analyst) commented:
Almost all of the rootkit tools are specifically designed to find rootkits that AV doesn't.  Your average AV solution and most endpoint solutions will not find aggressive rootkits (or if they do, they will not be able to get rid of them).  Rootkit Revealer is fairly strong and likely to find any rootkit.  On the other hand, the F-Secure tool, unless run in deep scan mode as a startup item, will not find much.

I tried to designate which products were more likely to find a rootkit and help you get rid of it in my article.  GMER is fairly powerful, but if this is the first time you are using it you may want to post the GMER log before taking action.
0
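The reason dedicated rootkit scanners such as Rootkit Revealer catch what plain AV misses is the cross-view technique: take the same inventory once through the normal high-level API and once through a lower-level path, and flag anything present in one view but not the other. The script below is an added example, not code from this thread or from any of the tools named in it; it applies the idea to Linux process lists, comparing what /proc reports against what kill(pid, 0) probing says exists (a check in the spirit of tools like unhide). All function names are my own.

```python
import os

def cross_view_diff(api_view, raw_view) -> set:
    """IDs present in the low-level view but absent from the API view: the
    candidates a rootkit may be hiding. The reverse difference is benign."""
    return set(raw_view) - set(api_view)

def proc_view() -> set:
    """High-level view: PIDs and thread IDs under /proc, the source that ps,
    top and most scanners read. Thread IDs are included because kill()
    accepts them too, so leaving them out would raise false alarms."""
    ids = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{entry}/task"))
        except OSError:
            pass  # the process exited between the two listings
    return ids

def probe_view(max_pid: int) -> set:
    """Low-level view: every ID the kernel itself says exists. kill(pid, 0)
    delivers no signal; ESRCH means no such task, EPERM means it exists but
    belongs to another user, so it still counts as present."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found

def hidden_pids() -> set:
    """Take both views back to back and report IDs hidden from /proc."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    before = proc_view()
    raw = probe_view(max_pid)
    # A second /proc read discounts tasks that were created while probing.
    return cross_view_diff(before | proc_view(), raw)

if __name__ == "__main__":
    print("IDs hidden from /proc:", sorted(hidden_pids()) or "none")
```

A non-empty result is a lead to investigate from a known-clean boot medium, not proof by itself; a process that started while the probe ran and ended before the second /proc read can still slip through.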
 
Hellmark (Linux Systems Administrator) commented:
It should also be noted that Avast is based on GMER.
0