Sunday, July 13, 2008

RootKit Hook Analyzer 3.00

RootKit Hook Analyzer

Check for active kernel rootkits on your system

New: version 3.00 allows you to test system hook quality



This is a fairly well-known anti-rootkit (though not a very good one); version 3.00 adds a check for "hook quality".

"Hook Quality Test

If any hooks have been found on your computer system and you find they are not malware but part of a legitimate product, RootKit Hook Analyzer allows you to test if the hooks have been properly implemented and do proper parameter checking.

On a clean Windows installation, as soon as any application calls a system service from user mode, its parameters will be checked for validity by the function which executes in kernel mode. This means that if the application passes bogus parameters, it receives an error code and does not cause the computer to crash. However, if the system service is hooked and the hooked function does not do proper parameter checking, it can crash the system. One of the main causes of computer crashes (blue screens and resets) these days is that legitimate programs (very often security products) which do system call hooking do not properly validate their parameters.

With this test, you can check whether the software you have installed suffers from this problem. If your computer resets during this test it means the software you have installed is at fault. This does not mean it is exposing rootkits or malware to your system, but it means that it is compromising your system's stability and probably causing your computer to reset or blue screen during normal computer operation as well. If this test fails you should contact the author/vendor of the product which is failing and notify them of the issue so they can hopefully set things straight and release an update."
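The hook-quality idea in the quoted text, as an added example that is not part of the product or of this page: a hook on a system service that trusts the user-mode pointer it is handed, beside one that probes and copies the parameter before looking at it. The NT types, the status values, the ProbeForRead stand-in and the simulated address space are constructed here so the code runs on its own; a real driver would include ntddk.h and wrap ProbeForRead in __try/__except.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the NT types and status codes; a real hook would
   include ntddk.h and call ProbeForRead inside __try/__except instead. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002)
#define STATUS_ACCESS_VIOLATION      ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_PARAMETER     ((NTSTATUS)0xC000000D)
/* Simulated 32-bit address space: addresses below MM_USER_PROBE_ADDRESS are user
   mode and index user_mem (only its first SIM_USER_SIZE bytes are "mapped");
   anything at or above it is kernel space. */
#define MM_USER_PROBE_ADDRESS 0x7FFF0000u
#define SIM_USER_SIZE         4096u
static uint8_t user_mem[SIM_USER_SIZE];
typedef struct { uint32_t Length; uint32_t RootDirectory; uint32_t ObjectName; } OBJECT_ATTRIBUTES;

/* The checks ProbeForRead performs: alignment, and [addr, addr+len) entirely
   inside user space without wrapping.  Returns a status instead of raising. */
static NTSTATUS probe_for_read(uint32_t addr, uint32_t len, uint32_t align) {
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr >= MM_USER_PROBE_ADDRESS || len > MM_USER_PROBE_ADDRESS - addr)
        return STATUS_ACCESS_VIOLATION;
    if (len > SIM_USER_SIZE - addr) return STATUS_ACCESS_VIOLATION;  /* unmapped in the simulation */
    return STATUS_SUCCESS;
}
/* Test fixture: put an OBJECT_ATTRIBUTES with the given Length at a user address. */
static uint32_t place_user_object(uint32_t addr, uint32_t length) {
    OBJECT_ATTRIBUTES oa = { length, 0, 0 };
    memcpy(user_mem + addr, &oa, sizeof oa);
    return addr;
}

/* The kind of hook the test catches: it trusts the user pointer, so a bogus
   address handed in from user mode faults in kernel mode and bugchecks the box. */
static NTSTATUS unchecked_hook_NtOpenFile(uint32_t object_attributes) {
    const OBJECT_ATTRIBUTES *oa = (const OBJECT_ATTRIBUTES *)(user_mem + object_attributes);
    return oa->Length == sizeof *oa ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Hardened hook: probe first, then copy the structure into kernel-owned memory
   before validating it, so user mode cannot change it underneath the check. */
static NTSTATUS checked_hook_NtOpenFile(uint32_t object_attributes) {
    OBJECT_ATTRIBUTES oa;
    NTSTATUS st = probe_for_read(object_attributes, sizeof oa, 4);
    if (st != STATUS_SUCCESS) return st;          /* the caller gets an error code, not a crash */
    memcpy(&oa, user_mem + object_attributes, sizeof oa);
    return oa.Length == sizeof oa ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;  /* then call the original */
}
```

The unchecked hook is only ever called with a valid address here; handed a kernel address it would read out of bounds, which is exactly the crash the test above provokes.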

TrueCrypt 6.0a Released

July 8, 2008

Resolved incompatibilities / bug fixes:

  • On systems where certain inappropriately designed chipset drivers were installed, it was impossible to encrypt the system partition/drive. This will no longer occur.
    (Windows Vista/XP/2008/2003)

  • Other minor bug fixes. (Windows, Mac OS X, and Linux)

Get it at http://www.truecrypt.org/

Sunday, July 6, 2008

kX-Ray - new antirootkit in development

Another new anti-rootkit in development

"It's a ring-0 rootkit detection tool with functions such as a disassembler, module and thread information on a per-process basis as well as a complete NTFS Alternate Data Streams (ADS) scanner. Hidden process detection, hidden module detection and kernel mode hook scanning are implemented in a way that's generic and hard to beat. This is the ultimate tool when you think you may have issues with rootkits and hidden process trojans/keyloggers/spyware."

Still in beta; the development forum is here.

Truecrypt 6.0 released

The well-known, full-featured open-source encryption product TrueCrypt has been updated to 6.0.

TrueCrypt's major feature has been "plausible deniability" for encrypted containers. The problem with encryption alone is that while attackers cannot break the encryption, they can prove that it exists and force you to reveal the password or face jail time or worse. With plausible deniability they cannot even prove that an encrypted volume exists, so it is hard for them to force you to produce a password (after all, there might be no encrypted volume at all!).

Version 5.0 added the much-requested ability to encrypt the whole system partition (including the operating system); however, this could not be done while maintaining plausible deniability.

Version 6.0 now provides this, allowing you to run a hidden operating system whose existence cannot be proven.



"6.0

July 4, 2008

New features:

  • Parallelized encryption/decryption on multi-core processors (or multi-processor systems). Increase in encryption/decryption speed is directly proportional to the number of cores and/or processors.

    For example, if your computer has a quad-core processor, encryption and decryption will be four times faster than on a single-core processor with equivalent specifications (likewise, it will be twice as fast on dual-core processors, etc.)

    [View benchmark results]

  • Ability to create and run an encrypted hidden operating system whose existence is impossible to prove (provided that certain guidelines are followed). For more information, see the section Hidden Operating System. (Windows Vista/XP/2008/2003)

    For security reasons, when a hidden operating system is running, TrueCrypt ensures that all local unencrypted filesystems and non-hidden TrueCrypt volumes are read-only. (Data is allowed to be written to filesystems within hidden TrueCrypt volumes.)

    Note: We recommend that hidden volumes are mounted only when a hidden operating system is running. For more information, see the subsection Security Precautions Pertaining to Hidden Volumes.

  • On Windows Vista and Windows 2008, it is now possible to encrypt an entire system drive even if it contains extended/logical partitions. (Note that this is not supported on Windows XP.)

  • New volume format that increases reliability, performance and expandability:

    • Each volume created by this or later versions of TrueCrypt will contain an embedded backup header (located at the end of the volume). Note that it is impossible to mount a volume when its header is damaged (the header contains an encrypted master key). Therefore, embedded backup headers significantly reduce this risk. For more information, see the subsection Tools > Restore Volume Header.

      Note: If the user fails to supply the correct password (and/or keyfiles) twice in a row when trying to mount a volume, TrueCrypt will automatically try to mount the volume using the embedded backup header (in addition to trying to mount it using the primary header) each subsequent time that the user attempts to mount the volume (until he or she clicks Cancel). If TrueCrypt fails to decrypt the primary header and then decrypts the embedded backup header successfully (with the same password and/or keyfiles), the volume is mounted and the user is warned that the volume header is damaged (and informed as to how to repair it).

    • The size of the volume header area has been increased to 128 KB. This will allow implementation of new features and improvements in future versions and ensures that performance will not be impaired when a TrueCrypt volume is stored on a file system or device that uses a sector size greater than 512 bytes (the start of the data area will always be aligned with the start of a host-filesystem/physical sector).

    For more information about the new volume format, see the section TrueCrypt Volume Format Specification.

    Note: Volumes created by previous versions of TrueCrypt can be mounted using this version of TrueCrypt.

  • Parallelized header key derivation on multi-core processors (one algorithm per core/thread). As a result, mounting is several times faster on multi-core processors. (Windows)

  • Ability to create hidden volumes under Mac OS X and Linux.

  • On Linux, TrueCrypt now uses native kernel cryptographic services (by default) for volumes encrypted in XTS mode. This increases read/write speed in most cases. However, the FUSE driver must still be used when the volume is encrypted in a deprecated mode of operation (LRW or CBC), or when mounting an outer volume with hidden-volume protection, or when using an old version of the Linux kernel that does not support XTS mode. (Linux)


Improvements:

  • Up to 20% faster resuming from hibernation when the system partition/drive is encrypted. (Windows Vista/XP/2008/2003)

  • Many other improvements. (Windows, Mac OS X, and Linux)


Removed features:

  • Encrypted system partitions/drives can no longer be permanently decrypted using the TrueCrypt Boot Loader (however, it is still possible using the TrueCrypt Rescue Disk). (Windows Vista/XP/2008/2003)

    Note: This was done in order to reduce the memory requirements for the TrueCrypt Boot Loader, which was necessary to enable the implementation of support for hidden operating systems.


Bug fixes:

  • When Windows XP was installed on a FAT16 or FAT32 partition (as opposed to an NTFS partition) and the user attempted to encrypt the system partition (or system drive), the system encryption pretest failed. This will no longer occur.

  • Many other minor bug fixes and security improvements (preventing e.g. denial-of-service attacks). (Windows, Mac OS X, and Linux)"
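The backup-header retry behaviour described in the notes above, as an added example that is not TrueCrypt's own code: a constructed volume with a 128 KB header area at the start and the backup header at the end, a toy pass/fail stand-in for header decryption, and the mount loop that starts trying the backup header from the third consecutive failed attempt. That the backup header occupies the last 128 KB of the volume is an assumption here.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
/* 6.0 layout from the notes: a 128 KB header area at the start of the volume and an
   embedded backup header at the end (assumed here to occupy the last 128 KB). */
#define HEADER_AREA_SIZE (128u * 1024u)

/* Constructed stand-in for "decrypt the header and find the magic": a header opens
   if its first 4 bytes hold the FNV-1a hash of the password.  Real TrueCrypt derives
   the header key with PBKDF2 and decrypts with XTS; this only models pass/fail. */
static uint32_t password_tag(const char *pw) {
    uint32_t h = 2166136261u;
    for (; *pw; pw++) { h ^= (uint8_t)*pw; h *= 16777619u; }
    return h;
}
static bool header_opens(const uint8_t *hdr, const char *pw) { uint32_t tag; memcpy(&tag, hdr, sizeof tag); return tag == password_tag(pw); }

typedef struct {
    uint8_t *data; size_t size;
    unsigned failures;    /* consecutive failed attempts; clicking Cancel resets it */
    bool header_damaged;  /* set when the volume opened only via the backup header */
} tc_volume;

/* One mount attempt as the notes describe: the primary header is always tried; from
   the third consecutive attempt on the backup is tried too, and a volume that opens
   only through the backup is mounted with the damage warning flagged. */
static bool tc_mount(tc_volume *v, const char *pw) {
    if (header_opens(v->data, pw)) { v->failures = 0; return true; }
    if (v->failures >= 2 && header_opens(v->data + v->size - HEADER_AREA_SIZE, pw)) {
        v->header_damaged = true; v->failures = 0; return true;
    }
    v->failures++;
    return false;
}

/* Scenario: a constructed 512 KB volume keyed to "correct horse", primary header
   optionally zeroed, mounted with pw up to five times.  Returns the attempt that
   succeeded (negative if it went through the backup header), or 0 if none did. */
static int attempts_until_mount(bool corrupt_primary, const char *pw) {
    static uint8_t buf[4 * HEADER_AREA_SIZE];
    uint32_t tag = password_tag("correct horse"), zero = 0;
    memset(buf, 0, sizeof buf);
    memcpy(buf, corrupt_primary ? &zero : &tag, sizeof tag);
    memcpy(buf + sizeof buf - HEADER_AREA_SIZE, &tag, sizeof tag);
    tc_volume v = { buf, sizeof buf, 0, false };
    for (int i = 1; i <= 5; i++)
        if (tc_mount(&v, pw)) return v.header_damaged ? -i : i;
    return 0;
}
```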

KAV Rescue Disk

http://fileforum.betanews.com/detail/Kaspersky_Rescue_Disk/1213647614/1

"Kaspersky Rescue Disk is a safe way to remove viruses from a computer without the risk of getting infected. Boot from the Kaspersky Rescue Disk to scan and remove threats from an infected computer without the risk of infecting other files or computers.

Burn this ISO image to a CD, insert it into the infected system's CD-ROM drive, enter the PC's BIOS, set it to boot from the CD and reboot the computer."

Sandboxie updates to 3.28

[App Update] Sandboxie 3.28

These are the changes to Sandboxie since version 3.26.

* New translations:
  o Translation to Finnish, contributed by pokpok
  o Translation to German, contributed by Brummelchen
  o Translation to Portuguese (Brasil), contributed by anonymous
  o Translation to Turkish, contributed by Volkan Gezer

* Resolution for long-time problems and annoyances:
  o SBIE1116 errors on Windows XP which prevented Sandboxie from starting.
  o Sandboxed Outlook using incorrect account password.
  o Sandboxed programs and Sandboxie Control immediately recognize new drive letters that appear (for example as a result of mounting a USB drive).

* Firefox 3:
  o Added default exclusion for the Firefox database of phishing sites, urlclassifier*.sqlite files, to improve start-up time of sandboxed Firefox, and reduce the time needed to recreate this database when the sandbox is deleted.

* Usability improvements in Sandboxie Control:
  o Real paths are displayed instead of the %placeholder% notation.
  o Hiding SBIE messages through Sandboxie Control hides the message only for the detail specified in the message.
  o Desktop icons do not flicker when Sandboxie Control window is visible.
  o For Windows Vista, added more requests for UAC elevation where necessary.

* Further improvements to the following issues:
  o Improved support for network shares exposed by Windows computers (including Quick and Immediate Recovery, and Direct and Full Access)
  o There remain some difficulties in accessing network shares exposed by some NAS devices
  o Full support for programs installing and using WinSxS assemblies on both Windows XP and Windows Vista

* Collection of smaller changes:
  o Default Copy Limit Kb increased to 48MB from 32MB.
  o Fewer temporary files are kept in the sandbox.
  o Fixed PATH environment variable in sandboxed programs.

* Partially resolved conflict with Rising Antivirus 2008

Homepage

Rootrepeal - new antirootkit

There's a new anti-rootkit released called RootRepeal.

Given that most of the other anti-rootkit projects have stopped development (Rootkit Unhooker, for example) or slowed down (IceSword), with GMER the exception that is still going strong, RootRepeal is a welcome addition.

"RootRepeal is currently in public beta. Whereas every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, it cannot be guaranteed. "

Of course, one should always be suspicious of such offerings from unknown sources (a "free" anti-rootkit might turn out to be a rootkit itself), but this one looks fairly reliable: its author, "Ad", has a track record of past development noted at the Sysinternals forum (possibly the second-best public forum on rootkits and anti-rootkits).