CastleCops, Internet Crime Fighters
This might be a dumb question... but...
Forum: Rootkit Revelations
ErikAlbert (Captain; Joined: Jan 20, 2005; Posts: 424)
Posted: Wed Oct 11, 2006 9:25 am

Coder68 wrote:
    Please reread. I never said I wanted to list klif or the Zone Alarm file.

Then forgive me for assuming you were thinking straight.

Quote:
    What I did say is I want to list the files and info on known rootkits.

Bad idea. The antiviruses are already doing it. And they are doing it way better than you could.

Quote:
    If we had an up to date list, the newbies could download and look to see if any of their files are in the database. This would stop a lot of the common questions from occurring over and over again. "Do I have a rootkit" and then their log has Hacker Defender on it.

LOL. Think about it: if a newbie finds out he has a rootkit, what is he going to do about it? Start removing it himself? *snicker*

Oh sure, one of the staff members here has posted on his blog how to remove Hacker Defender, wow, it's so easy, just unhook everything and you can see the file. Delete it and it's gone! LOL, if you believe that you must be on crack. In a real situation it's not going to be that easy (think modified Hacker Defender variants), and even if you managed to pierce the rootkit protection, there's going to be a lot of other crud in there that will require an expert to determine what to do. Heck, some experts would just tell you to reformat once you have a rootkit.

Yes, he's going to post here asking for help anyway.... So what is gained by him knowing he already has a rootkit? The helper still has to go through it.

Let me spell it out for you: you are right, what we need to do is to prevent common questions from being asked again and again.

The gain comes from preventing people posting their logs when they *don't* have a rootkit. And we can easily determine who doesn't have a rootkit (at least relative to a rootkit scanner's results), just by filtering out people who think they have a rootkit because they see a legitimate SSDT hook.

The gain does not come from letting a user determine he has Hacker Defender! "Do I have Hacker Defender or <insert rootkit name>?" is not a common question!

A common question is "I found X, Y, Z entries when using <insert rootkit scanner>, do I have a rootkit?" (where X, Y, Z are innocent entries).

If they have a real rootkit they are going to need help anyway. E.g. a newbie sees that he has Hacker Defender; want to bet he will post here?

Look at how the Sysinternals RootkitRevealer forum is doing it. They don't post baddies, they post harmless entries! Why? Cos 90% of people asking are having FPs, and the really bad stuff needs to be looked at by experts anyway.

The whitelist focuses the attention of experts on logs that have a high possibility of having something, rather than wasting time wading through perfectly innocent logs.

I don't know why you can't see something so obvious, particularly since your case is an exact example of someone who is asking the same obvious question again and again, and where a whitelist would help and a blacklist wouldn't.

Quote:
    You are correct in thinking that someone might think they are safe if something is not in the list. We would have to strongly urge people to seek out all unknown files.

Seek out all unknown files? You mean ask at this forum? Well lol, I'm sure that will help reduce unnecessary questions about whether klif.sys is good or not. :)

Quote:
    But again, if they look at the list and see that they do have a rootkit, instead of asking if they do, they could start off by asking "How do I fix this?"

Sigh. As I already said, someone who is hit by a rootkit, particularly a newbie, is going to seek help anyway. Knowing he is hit by X isn't going to help much.

Assume that we successfully whitelist most good entries, so say most people who find unknown entries really have a nasty.

Assuming that there really is a rootkit, the difference between someone asking "I found this unknown entry, it might be a rootkit, what do I do?" and "I found this entry and it is Hacker Defender, what do I do?" is very small, and the helper will still need to do most of the work.

And the blacklist cannot handle the dozens of questions about perfectly clean logs....


Also you seem to think that your list of rootkits is going to help someone remove stuff. The problem is your list of rootkits seems to be drawn from antivirus pages, but would it surprise you to know that these antiviruses can automatically clean these rootkits already (the availability of full-blown rootkit scanning technology notwithstanding)?

If so, why should the user be messing with generic manual rootkit scanners?

Chances are if someone has a rootkit that shows up on generic rootkit scanners, it will be something unknown, customized or whatever. Your list is pretty much worthless.

A whitelist would be way more useful because, to my knowledge, no such list exists: until recently few people were using generic rootkit scanners (where the ability to rule out good entries is paramount), so few people bothered to keep track of good drivers that hook the SSDT.


Quote:
    Nothing we do will ever be 100%.

Yeah, yours will be like 1%. And the irony is it won't even help *you*, cos your original question was about a totally okay entry!

Quote:
    I just want to get a good database of information to be used as a starting point. If Holy Father releases a new rootkit today with a file called google.com, no, it will not be in the database. But eventually it will, and hopefully sooner than later.

My friend, I highly recommend you download Hacker Defender and take a look. It doesn't take Holy Father or even a 'coder' to change the name of the file to google.com.

Anyway I give up, do whatever you want. If you want to waste your time, I'm not going to stop you.

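The whitelist-versus-blacklist argument in the post above, as runnable triage logic. This is an added example, not code from the post or from CastleCops; the scanner log format, the whitelist entry for klif.sys, and the placeholder rootkit driver name are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample scanner output, one hooked SSDT service per line; the
# layout is invented for this example (real scanners print their own).
SAMPLE_LOG = """\
ZwCreateFile hooked by C:\\WINDOWS\\system32\\drivers\\klif.sys
ZwOpenProcess hooked by C:\\WINDOWS\\system32\\drivers\\klif.sys
ZwQueryDirectoryFile hooked by C:\\WINDOWS\\system32\\google.com
ZwEnumerateKey hooked by C:\\WINDOWS\\system32\\drivers\\known_rootkit.sys
"""
LINE_RE = re.compile(r"^(?P<service>\w+) hooked by (?P<module>.+)$")

# Drivers known to hook the SSDT legitimately, keyed by lowercase basename.
# klif.sys is the example from the thread; a real list would also carry the
# expected path and file hash, since a basename alone is trivially forged.
WHITELIST = {"klif.sys": "Kaspersky kernel filter driver (assumed)"}
# Known rootkit driver names, the approach the post argues against;
# "known_rootkit.sys" is a constructed placeholder, not a real driver name.
BLACKLIST = {"known_rootkit.sys": "known rootkit driver (placeholder)"}


@dataclass(frozen=True)
class Finding:
    service: str
    module: str
    verdict: str  # whitelist: known-good/unknown; blacklist: known-bad/not listed


def parse_hooks(log):
    """Return (service, module path) pairs; lines that do not match are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [(m["service"], m["module"]) for m in matches if m]


def basename(path):
    """Lowercase file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log, mode):
    """Whitelist mode: anything not known-good is unknown and goes to an expert.
    Blacklist mode: only names already on the list are flagged."""
    findings = []
    for service, module in parse_hooks(log):
        name = basename(module)
        if mode == "whitelist":
            verdict = "known-good" if name in WHITELIST else "unknown"
        else:
            verdict = "known-bad" if name in BLACKLIST else "not listed"
        findings.append(Finding(service, module, verdict))
    return findings


def needs_expert(findings):
    """Entries a helper still has to examine by hand under the chosen mode."""
    return [f for f in findings if f.verdict in ("unknown", "known-bad")]
```

In whitelist mode the renamed google.com entry comes back as unknown and reaches a helper, while the two klif.sys hooks are filtered out; in blacklist mode the same entry passes as "not listed" and only the driver whose name happens to be on the list is caught.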