[ISN] Rootkit Removal Tools

From: InfoSec News (alerts@private)
Date: Wed Aug 30 2006 - 23:04:42 PDT


PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

How to Improve Network Security Without Extra Staff or Busting Your 
Budget
   http://list.windowsitpro.com/t?ctl=369C9:7EB890

Symantec Webcast : Symantec Packager - Tap into the Power 
   http://list.windowsitpro.com/t?ctl=369E3:7EB890

Manage Vulnerabilities. Defend Against Threats.
   http://list.windowsitpro.com/t?ctl=369E4:7EB890


=== CONTENTS ===================================================

IN FOCUS: Rootkit Removal Tools

NEWS AND FEATURES
   - Time to Upgrade SUS to WSUS
   - Big Blue to Pay $1.3 Billion for ISS
   - Citrix and Microsoft Team Up to Develop New Appliance
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: IE Bug Worse Than Expected
   - FAQ: Block IE 7.0 Installation
   - Share Your Security Tips

PRODUCTS
   - Managing and Reporting Security Events
   - Wanted: Your Reviews of Products 

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: AlertLogic ========================================

How to Improve Network Security Without Extra Staff or Busting Your 
Budget
   Who couldn't use some extra protection? Worms and malicious 
intruders can attack your network anytime, so make sure that your 
defenses are at their strongest, especially for your small- and medium-
sized businesses. If IDS/IPS appliances are too costly and difficult to 
maintain, learn how a turn-key solution can provide the protection you 
need at a price you can afford. 
   http://list.windowsitpro.com/t?ctl=369C9:7EB890


=== IN FOCUS: Rootkit Removal Tools =============================
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Rootkits are a growing problem, and as you might expect, the list of 
tools that can help you prevent rootkit infiltration is growing too, as 
is the list of standalone tools that can help with rootkit detection 
and removal. This week, I give you a list of the standalone detection 
and removal tools that I know about. 

The alphabetical list below can be a resource to help you add some 
useful tools to your security toolkit. As with antivirus and 
antispyware tools, using multiple rootkit detection and removal tools 
is a good idea because not every tool can detect and remove every 
rootkit. 

Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight, 
Sophos Anti-Rootkit, and IceSword, all of which are from entities that 
I'm familiar with and trust to some extent or other. 

A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker) 
look interesting, but I have no idea who the authors are, nor do their 
Web sites offer much information to lend insight. So although I 
included them in the list, definitely use your own discretion.

There are undoubtedly other related tools available that I'm not aware 
of; if you know of one, please send me an email with details. If you've 
tried one of the tools below, let me know about your experiences with 
it.

BitDefender RootkitUncover beta, from SoftWin
   This tool is currently available as a free beta and looks promising, 
particularly because it's from SoftWin, makers of BitDefender. 
   http://list.windowsitpro.com/t?ctl=369CC:7EB890

DarkSpy, from DarkSpy Security Group
   This tool is from a group of Chinese security researchers that I'm 
unfamiliar with. The download page for the tool says, "Use at your own 
risk," and you'd be wise to take that advice; however, it might give 
you a little comfort to know that this tool was recently mentioned in 
the SANS Internet Storm Center's Handler's Diary. Click the second URL 
under the Helios entry below to link to that mention. 
   http://list.windowsitpro.com/t?ctl=369DB:7EB890

F-Secure BlackLight
   This is a standalone "trialware" tool, meaning that it periodically 
expires after a certain date--currently October 1. It's also a standard 
component of F-Secure's Internet Security 2006 package.
   http://list.windowsitpro.com/t?ctl=369D6:7EB890

GMER, from an unknown independent Polish developer
   Although no information is readily available about who developed 
this tool, its Web site has several screenshots and some movies (in 
.wmv and .avi format) that show the tool in action. So you can get a 
good idea of what it's like before using it. 
   http://list.windowsitpro.com/t?ctl=369EB:7EB890

Helios, from MIEL e-Security
   This is a new tool, currently in "alpha" development, that looks 
promising. For some good insight into Helios, go to the second URL 
below to read the SANS Handler's Diary entry for July 26, in which you 
can also see some screen shots of the tool in action. 
   http://list.windowsitpro.com/t?ctl=369E9:7EB890
   http://list.windowsitpro.com/t?ctl=369DF:7EB890

IceSword, by Xfocus Team
   IceSword has proven useful to many security administrators. Xfocus 
is a group of Chinese security researchers, and while the site is 
written in Chinese, you can use AltaVista's Babel Fish Translation 
engine (at the second URL below) to view it in English. You can also 
use Babel Fish to translate the Chinese documentation. 
   http://list.windowsitpro.com/t?ctl=369E6:7EB890
   http://list.windowsitpro.com/t?ctl=369EC:7EB890

RKDetector, by Miguel Tarasco Acuna
   This toolkit comes in two parts: a file system analyzer and an 
Import Address Table (IAT) analyzer. The file system analyzer scans the 
file system and registry, and the IAT analyzer scans memory space for 
alterations that would allow rootkits to hook into the system. Screen 
shots are available to give you a good idea of what the tool looks 
like. 
   http://list.windowsitpro.com/t?ctl=369EA:7EB890

RootKit Hook Analyzer, from Resplendence Software Projects
   Although most rootkit detection tools look at kernel hooks, the file 
system, the registry, user accounts, and so on, this particular tool 
focuses exclusively on kernel hooks. 
   http://list.windowsitpro.com/t?ctl=369E1:7EB890

RootkitRevealer, from Sysinternals
   A tool written by Mark Russinovich and Bryce Cogswell, two very 
well-known Windows experts. 
   http://list.windowsitpro.com/t?ctl=369D4:7EB890

Rootkit Unhooker, from UG North
   Although I have no idea who UG North is, the tool looks promising. 
It checks for unwanted processes and system hooks and can help 
terminate such processes.
   http://list.windowsitpro.com/t?ctl=369E7:7EB890

Sophos Anti-Rootkit
   This standalone tool offers both a GUI and a command line version 
and is similar to the antirootkit technology built into the Sophos 
Anti-Virus for Windows solution.
   http://list.windowsitpro.com/t?ctl=369D0:7EB890

System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska
   These tools specifically look for hidden files and at various system 
components that might be modified by various rootkit techniques. Source 
code is included. Rutkowska is a well-known researcher. 
   http://list.windowsitpro.com/t?ctl=369E0:7EB890

UnHackMe, from Greatis Software
   While all the other listed tools are free, this tool is priced 
starting at $19.95 for a single license. You can view screen shots of 
the tool to see what it looks like and download a working demo if 
you're interested. 
   http://list.windowsitpro.com/t?ctl=369E8:7EB890

===

Regional Events Cover 4 Key Interoperability Topics
   Are you a Windows fan, a UNIX diehard, a Linux lover, or all 
of the above? Check out TechX World, an OS-agnostic event 
designed to give you insider tips on coping in a Windows-plus 
world.
   Designed specifically for IT professionals who work in a 
multi-OS environment, TechX World is a four-track, one-day 
event featuring technical experts Michael Otey, Gil Kirkpatrick, 
Dustin Puryear, and Randy Dyess providing information about OS 
interoperability, data interoperability, directory and security 
integration, and virtualization. 
   The regional event series will visit four cities from 
October 24 through November 2: Washington D.C., Chicago, 
Dallas, and San Francisco. Attendees who register before August 
31 will receive early bird pricing and a one-year subscription to 
Windows IT Pro. At $129 per person for four tracks and a full day 
of learning, it's worth sending the entire team to make sure you 
cover all the sessions. For complete agenda and speaker details, 
go to
   http://list.windowsitpro.com/t?ctl=369D9:7EB890 


=== SPONSOR: Symantec ==========================================

Symantec Webcast : Symantec Packager - Tap into the Power 
Need to extend your IT administration reach and connect to the devices? 
This webcast is designed for IT professionals interested in the 
functionality of Symantec Packager. Topics to be covered include 
product functionality, the product basics, as well as configuring and 
deployment with specific examples for pcAnywhere Host and Remote 
installations. 
   Date: September 7, 2006, 9:00am PDT, 12:00pm EDT
   Speaker: Sandra Stamler, Product Marketing Manager
   Register now at http://list.windowsitpro.com/t?ctl=369E3:7EB890


=== SECURITY NEWS AND FEATURES =================================

Time to Upgrade SUS to WSUS
   Microsoft ceased distributing Software Update Services (SUS) August 
24 and will stop delivering updates via SUS December 6. The company 
will no longer support SUS after the December date. For administrators 
who rely on SUS, it's a great time to upgrade to Windows Server Update 
Services (WSUS). 
   http://list.windowsitpro.com/t?ctl=369C6:7EB890

Big Blue to Pay $1.3 Billion for ISS
   IBM announced that it has entered into a deal to buy Internet 
Security Systems (ISS) for $1.3 billion in cash. Upon closing of the 
acquisition, ISS will become a security business unit at IBM within the 
company's Global Services organization.
   http://list.windowsitpro.com/t?ctl=369CF:7EB890

Citrix and Microsoft Team Up to Develop New Appliance
   The new Citrix WANScaler appliance is aimed squarely at improving 
delivery of applications to branch offices and will be based on 
Microsoft Windows Server 2003, Internet Security and Acceleration (ISA) 
Server to provide added security, and WANScaler technology to improve 
network and application performance. 
   http://list.windowsitpro.com/t?ctl=369D5:7EB890

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=369CE:7EB890


=== SPONSOR: Core Security =====================================

Manage Vulnerabilities. Defend Against Threats.
   Your IT and Security budgets are tight. This White Paper shows real-
world case studies demonstrating the ROI potential of automated 
penetration testing.
   http://list.windowsitpro.com/t?ctl=369E4:7EB890


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: IE Bug Worse Than Expected
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=369DD:7EB890

   Microsoft Security Bulletin MS06-042--Cumulative Security Update for 
Internet Explorer has now been re-released to fix an exploitable 
vulnerability introduced by the original patch. The vulnerability 
involves long URLs in conjunction with HTTP 1.1 and compression. Be 
sure to read the updated bulletin and apply the latest version of the 
patch. 
   http://list.windowsitpro.com/t?ctl=369D1:7EB890

FAQ: Block IE 7.0 Installation
   by John Savill, http://list.windowsitpro.com/t?ctl=369D8:7EB890 

Q: How can I block Microsoft Internet Explorer (IE) 7.0 installation 
via the registry?

Find the answer at
   http://list.windowsitpro.com/t?ctl=369D2:7EB890

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's 
Reader to Reader column. Email your contributions to 
r2rwinitsec@private. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Managing and Reporting Security Events
   CrossTec has released version 3.5 of its Activeworx Security Center 
event management software. The upgrade contains a new internal 
reporting center instead of the Crystal Reports software in previous 
versions (Crystal Reports will still be optional). Activeworx 3.5 lets 
users control parameters and schedule automated reporting tasks and 
comes with more than 200 new PCI, SOX, GLBA, and HIPAA reports. 
Integration with the Snort intrusion detection system (IDS) provides 
event information. Activeworx 3.5's correlation engine has been 
benchmarked at more than 15,000 events per second. Activeworx 3.5's 
console is customizable and can be modified to display the entire 
network or just portions of it. An Activeworx deployment starts at 
$2500. For more information, visit
   http://list.windowsitpro.com/t?ctl=369E2:7EB890

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.


=== RESOURCES AND EVENTS =======================================

Gear up for TechX World Roadshow  
   Hear first-hand from leading interoperability experts, vendors, and 
peers at this exclusive one-day event. You'll learn about managing OS 
interoperability, directory migration, data interoperability, and much 
more. This event provides in-depth information on how Windows and other 
systems cooperate with each other. 
   http://list.windowsitpro.com/t?ctl=369DA:7EB890

Does your company have $500,000 to spend on one email discovery 
request? Join us for this free Web seminar to learn how you can 
implement an email archiving solution to optimize email management and 
proactively take control of e-discovery--and save the IT search party 
for when you really need it! Live Event: Tuesday, September 12 
   http://list.windowsitpro.com/t?ctl=369C8:7EB890

You know you need to manage your email data; how do you do it? What 
steps are you taking? What additional measures should you enact? What 
shouldn't you do? Learn the answers to these questions and get control 
of your vital messaging data. Download the free eBook today! 
   http://list.windowsitpro.com/t?ctl=369CB:7EB890

Dramatically simplify Exchange troubleshooting with an in-depth look at 
built-in troubleshooting tools and third-party applications. Join us as 
we analyze a typical troubleshooting process, address the problems with 
using standard tools, and learn how automated troubleshooting can solve 
these challenges. Live Event: Thursday, September 14 
   http://list.windowsitpro.com/t?ctl=369C7:7EB890

Are you protected company-wide against spyware, keyloggers, adware, and 
backdoor Trojan horses? Test the state-of-the-art scanning engine that 
uses threat signatures from multiple sources to track down the culprits 
that antivirus solutions alone can't protect you against. Download your 
free 30-day trial of CounterSpy Enterprise today! 
   http://list.windowsitpro.com/t?ctl=369CA:7EB890


=== FEATURED WHITE PAPER =======================================

Help your small or midsized business protect one of its most valuable 
assets--business information. Easily store, manage, protect, and share 
information by using hardware designed with the needs of your business 
in mind. Manage IT without the large staff and extensive training--
learn how today! 
   http://list.windowsitpro.com/t?ctl=369CD:7EB890


=== ANNOUNCEMENTS ==============================================

Invitation for VIP Access  
   For only $29.95 per month, you'll get instant VIP online access to 
ALL articles published in Windows IT Pro, SQL Server Magazine, and the 
Exchange and Outlook Administrator, Windows Scripting Solutions, and 
Windows IT Security newsletters--that's more than 26,000 articles at 
your fingertips. Sign up now: 
   https://store.pentontech.com/index.cfm?s=1&promocode=eu2768um

Save $40 off Windows IT Pro  
   Subscribe to Windows IT Pro today and SAVE up to $40! Along with 
your 12 issues, you'll get FREE access to the entire Windows IT Pro 
online article archive, which houses more than 9,000 helpful IT 
articles. This is a limited-time offer, so order now:  
   https://store.pentontech.com/index.cfm?s=1&promocode=eu2068uw


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and the Windows IT Security newsletter 
(subscribe at the second URL below).
   http://list.windowsitpro.com/t?ctl=369DE:7EB890
   https://store.pentontech.com/index.cfm?s=1&promocode=eu255xsb

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=369D3:7EB890

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=369E5:7EB890
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/
