Rootkits

Numerous download sources for rootkit detection, removal, and prevention tools

http://www.antirootkit.com/software/index.htm
http://packetstormsecurity.nl/UNIX/penetration/rootkits/

Invaluable knowledge and resources about rootkits and rootkit tools, including source code

http://www.rootkit.com/index.php

Rootkit Hunter

http://sourceforge.net/projects/rkhunter/

Rootkit Hunter is a scanning tool that gives you about 99.9%* assurance that you are clean of nasty tools. It scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.

RkProfiler LX

http://www.trapkit.de/research/rkprofiler/rkplx/rkplx.html

RkProfiler LX is divided into two parts: a data collection component called "Rootkit Profiler Module" (rkpmod) and a data interpretation component called "Rootkit Profiler Console" (rkpconsole).
rkpmod is a kernel module that gets loaded on the system that should be checked for the presence of a kernel rootkit. There are other ways to perform data collection, but currently only this approach is publicly available.
rkpconsole is a userland program that can be used to analyse the collected information.

Features:

Detection: RkProfiler LX checks the whole kernel code as well as different kernel data sections and CPU registers for possible modifications and hidden components:

  • Generic kernel code modification
  • Syscall table address modification
  • Syscall address modification
  • Syscall code modification
  • Interrupt handler address modification
  • Interrupt handler code modification
  • Page fault handler modification
  • Kernel symbol modification
  • SYSENTER register modification
  • Virtual file system function pointer modification
  • Hidden processes and threads
  • Hidden kernel modules

Zeppoo

http://www.zeppoo.net/

Zeppoo allows you to detect rootkits on the i386 architecture under Linux by using /dev/kmem and /dev/mem. It can also detect hidden tasks, modules, syscalls, some corrupted symbols, and hidden connections.

Truman

http://www.secureworks.com/research/tools/truman.html

Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, so it is not stymied by malware that can detect VMware and other VMs. The major stumbling block to not using VMs is the difficulty involved in repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware.

Uninformed Technical Research

http://uninformed.org/

Uninformed is a technical outlet for research in areas pertaining to security technologies, reverse engineering, and low-level programming. The goal, as the name implies, is to act as a medium for informing the uninformed. The research presented here is simply an example of the evolutionary thought that affects all academic and professional disciplines.

Offensive Computing

http://www.offensivecomputing.net/

Offensive Computing, LLC was formed by Valsmith and Danny Quist as a resource for the computer security community. The primary emphasis here is on malware collections and analysis for the purpose of improving people's ability to defend their networks. The web site also provides links to live malware.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License