Sunday, July 13, 2008

RootKit Hook Analyzer 3.00

RootKit Hook Analyzer

Check for active kernel rootkits on your system

New: version 3.00 allows you to test system hook quality

This is a fairly well known anti-rootkit (but not a very good one); version 3.00 adds a check for "hook quality":

"Hook Quality Test

If any hooks have been found on your computer system and you find they are not malware but part of a legitimate product, RootKit Hook Analyzer allows you to test if the hooks have been properly implemented and do proper parameter checking.

On a clean Windows installation, as soon as any application calls a system service from user mode, its parameters will be checked for validity by the function which executes in kernel mode. This means that if the application passes bogus parameters, it receives an error code and does not cause the computer to crash. However, if the system service is hooked and the hooked function does not do proper parameter checking, it can crash the system. One of the main causes of computer crashes (blue screens and resets) these days is that legitimate programs (very often security products) which do system call hooking do not properly validate their parameters.

With this test, you can check if the software you have installed does not suffer from this problem. If your computer resets during this test it means the software you have installed is at fault. This does not mean it is exposing rootkits or malware to your system, but it means that it is compromising your system's stability and probably causing your computer to reset or blue screen during normal computer operation as well. If this test fails you should contact the author/vendor of the product which is failing and notify him of the issue so he can hopefully set things straight and release an update."

TrueCrypt 6.0a Released

July 8, 2008

Resolved incompatibilities / bug fixes:

  • On systems where certain inappropriately designed chipset drivers were installed, it was impossible to encrypt the system partition/drive. This will no longer occur.
    (Windows Vista/XP/2008/2003)

  • Other minor bug fixes. (Windows, Mac OS X, and Linux)

Get it at http://www.truecrypt.org/

Sunday, July 6, 2008

kX-Ray - new antirootkit in development

Another new anti-rootkit in development

"It's a ring-0 rootkit detection tool with functions such as a disassembler, module and thread information on a per-process basis as well as a complete NTFS Alternate Data Streams (ADS) scanner. Hidden process detection, hidden module detection and kernel mode hook scanning are implemented in a way that's generic and hard to beat. This is the ultimate tool when you think you may have issues with rootkits and hidden process trojans/keyloggers/spyware."

Still in beta; the development forum is here.

Truecrypt 6.0 released

The well-known, full-featured open-source encryption product TrueCrypt has been updated to 6.0.

TrueCrypt's major feature has been "plausible deniability" for encrypted containers. The problem with encryption alone is that while attackers cannot break the encryption, they can prove that it exists and force you to reveal the password or face jail time or worse. With plausible deniability, they can't even prove the encrypted volume exists, so it is hard for them to force you to produce a password (after all, there might be no encrypted volume at all!).

Version 5.0 added the highly requested ability to encrypt the whole system partition (including the operating system); however, this could not be done while maintaining "plausible deniability".

Version 6.0 now adds this, allowing you to run a completely hidden operating system.

"6.0

July 4, 2008

New features:

  • Parallelized encryption/decryption on multi-core processors (or multi-processor systems). Increase in encryption/decryption speed is directly proportional to the number of cores and/or processors.

    For example, if your computer has a quad-core processor, encryption and decryption will be four times faster than on a single-core processor with equivalent specifications (likewise, it will be twice as fast on dual-core processors, etc.)

    [View benchmark results]

  • Ability to create and run an encrypted hidden operating system whose existence is impossible to prove (provided that certain guidelines are followed). For more information, see the section Hidden Operating System. (Windows Vista/XP/2008/2003)

    For security reasons, when a hidden operating system is running, TrueCrypt ensures that all local unencrypted filesystems and non-hidden TrueCrypt volumes are read-only. (Data is allowed to be written to filesystems within hidden TrueCrypt volumes.)

    Note: We recommend that hidden volumes are mounted only when a hidden operating system is running. For more information, see the subsection Security Precautions Pertaining to Hidden Volumes.

  • On Windows Vista and Windows 2008, it is now possible to encrypt an entire system drive even if it contains extended/logical partitions. (Note that this is not supported on Windows XP.)

  • New volume format that increases reliability, performance and expandability:

    • Each volume created by this or later versions of TrueCrypt will contain an embedded backup header (located at the end of the volume). Note that it is impossible to mount a volume when its header is damaged (the header contains an encrypted master key). Therefore, embedded backup headers significantly reduce this risk. For more information, see the subsection Tools > Restore Volume Header.

      Note: If the user fails to supply the correct password (and/or keyfiles) twice in a row when trying to mount a volume, TrueCrypt will automatically try to mount the volume using the embedded backup header (in addition to trying to mount it using the primary header) each subsequent time that the user attempts to mount the volume (until he or she clicks Cancel). If TrueCrypt fails to decrypt the primary header and then decrypts the embedded backup header successfully (with the same password and/or keyfiles), the volume is mounted and the user is warned that the volume header is damaged (and informed as to how to repair it).

    • The size of the volume header area has been increased to 128 KB. This will allow implementation of new features and improvements in future versions and ensures that performance will not be impaired when a TrueCrypt volume is stored on a file system or device that uses a sector size greater than 512 bytes (the start of the data area will always be aligned with the start of a host-filesystem/physical sector).

    For more information about the new volume format, see the section TrueCrypt Volume Format Specification.

    Note: Volumes created by previous versions of TrueCrypt can be mounted using this version of TrueCrypt.

  • Parallelized header key derivation on multi-core processors (one algorithm per core/thread). As a result, mounting is several times faster on multi-core processors. (Windows)

  • Ability to create hidden volumes under Mac OS X and Linux.

  • On Linux, TrueCrypt now uses native kernel cryptographic services (by default) for volumes encrypted in XTS mode. This increases read/write speed in most cases. However, the FUSE driver must still be used when the volume is encrypted in a deprecated mode of operation (LRW or CBC), or when mounting an outer volume with hidden-volume protection, or when using an old version of the Linux kernel that does not support XTS mode. (Linux)


Improvements:

  • Up to 20% faster resuming from hibernation when the system partition/drive is encrypted. (Windows Vista/XP/2008/2003)

  • Many other improvements. (Windows, Mac OS X, and Linux)


Removed features:

  • Encrypted system partitions/drives can no longer be permanently decrypted using the TrueCrypt Boot Loader (however, it is still possible using the TrueCrypt Rescue Disk). (Windows Vista/XP/2008/2003)

    Note: This was done in order to reduce the memory requirements for the TrueCrypt Boot Loader, which was necessary to enable the implementation of support for hidden operating systems.


Bug fixes:

  • When Windows XP was installed on a FAT16 or FAT32 partition (as opposed to an NTFS partition) and the user attempted to encrypt the system partition (or system drive), the system encryption pretest failed. This will no longer occur.

  • Many other minor bug fixes and security improvements (preventing e.g. denial-of-service attacks). (Windows, Mac OS X, and Linux)"
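The embedded backup header and the two-failure fallback described in the release notes above, modelled as an added Python example (not TrueCrypt's code, and not its real on-disk format): a volume carries a 128 KB header at the start and a second copy at the end; the mount routine consults the backup header only after two consecutive failures and warns when it is the primary that is broken. Header key derivation (PBKDF2), the XOR masking of the master key and the HMAC check are simplified stand-ins for the real header cipher.

```python
import hashlib
import hmac
import os

# Constructed model: the header area size comes from the release notes; the
# layout and "encryption" below are stand-ins, not the TrueCrypt format.
HEADER_SIZE = 128 * 1024
SALT_SIZE, TAG_SIZE, KEY_SIZE = 64, 32, 32


def derive_header_key(password: bytes, salt: bytes) -> bytes:
    # Stand-in header key derivation (assumption: PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2000, dklen=KEY_SIZE)


def _mask(header_key: bytes, data: bytes) -> bytes:
    # XOR with a key-derived stream stands in for the real header cipher.
    stream = hashlib.sha256(header_key + b"mask").digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def build_header(password: bytes, master_key: bytes) -> bytes:
    """Return HEADER_SIZE bytes: salt || tag || masked master key || padding."""
    salt = os.urandom(SALT_SIZE)
    header_key = derive_header_key(password, salt)
    enc_master = _mask(header_key, master_key)
    tag = hmac.new(header_key, enc_master, hashlib.sha256).digest()
    body = salt + tag + enc_master
    return body + bytes(HEADER_SIZE - len(body))


def open_header(password: bytes, header: bytes):
    """Return the master key if the password opens this header, else None."""
    salt = header[:SALT_SIZE]
    tag = header[SALT_SIZE:SALT_SIZE + TAG_SIZE]
    enc_master = header[SALT_SIZE + TAG_SIZE:SALT_SIZE + TAG_SIZE + KEY_SIZE]
    header_key = derive_header_key(password, salt)
    expected = hmac.new(header_key, enc_master, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password and damaged header look the same
    return _mask(header_key, enc_master)


def create_volume(password: bytes, data_size: int) -> bytearray:
    """Layout: [primary header][data area][embedded backup header]."""
    master_key = os.urandom(KEY_SIZE)
    volume = bytearray(build_header(password, master_key))
    volume += os.urandom(data_size)  # random filler stands in for ciphertext
    volume += build_header(password, master_key)  # same key, fresh salt
    return volume


class Mounter:
    """Mount logic with the two-failure backup fallback from the notes."""

    def __init__(self, volume: bytearray):
        self.volume = volume
        self.failures = 0  # consecutive failed attempts on this volume

    def cancel(self):
        self.failures = 0  # Cancel ends the "also try backup header" mode

    def mount(self, password: bytes):
        """Return (master_key, warning); raise ValueError on failure."""
        key = open_header(password, bytes(self.volume[:HEADER_SIZE]))
        if key is not None:
            self.failures = 0
            return key, None
        if self.failures >= 2:  # only after two failures in a row
            key = open_header(password, bytes(self.volume[-HEADER_SIZE:]))
            if key is not None:
                self.failures = 0
                return key, "primary header damaged; restore it from backup"
        self.failures += 1
        raise ValueError("wrong password or damaged header")
```

Note that with a zeroed primary header the correct password is rejected twice before the backup header is tried, which is exactly the user experience the release notes describe.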

KAV Rescue Disk

http://fileforum.betanews.com/detail/Kaspersky_Rescue_Disk/1213647614/1

"Kaspersky Rescue Disk is a safe way to remove viruses from a computer without the risk of getting infected. Boot from the Kaspersky Rescue Disk to scan and remove threats from an infected computer without the risk of infecting other files or computers.

Burn this ISO image to a CD, insert it into the infected system's CD-ROM drive, enter the PC's BIOS, set it to boot from the CD and reboot the computer."

Sandboxie updates to 3.28

[App Update] Sandboxie 3.28

These are the changes to Sandboxie since version 3.26.

* New translations:
  o Translation to Finnish, contributed by pokpok
  o Translation to German, contributed by Brummelchen
  o Translation to Portuguese (Brasil), contributed by anonymous
  o Translation to Turkish, contributed by Volkan Gezer

* Resolution for long-time problems and annoyances:
  o SBIE1116 errors on Windows XP which prevented Sandboxie from starting.
  o Sandboxed Outlook using incorrect account password.
  o Sandboxed programs and Sandboxie Control immediately recognize new drive letters that appear (for example as a result of mounting a USB drive).

* Firefox 3:
  o Added default exclusion for the Firefox database of phishing sites, urlclassifier*.sqlite files, to improve start-up time of sandboxed Firefox, and reduce the time needed to recreate this database when the sandbox is deleted.

* Usability improvements in Sandboxie Control:
  o Real paths are displayed instead of the %placeholder% notation.
  o Hiding SBIE messages through Sandboxie Control hides the message only for the detail specified in the message.
  o Desktop icons do not flicker when Sandboxie Control window is visible.
  o For Windows Vista, added more requests for UAC elevation where necessary.

* Further improvements to the following issues:
  o Improved support for network shares exposed by Windows computers (including Quick and Immediate Recovery, and Direct and Full Access)
  o There remain some difficulties in accessing network shares exposed by some NAS devices
  o Full support for programs installing and using WinSxS assemblies on both Windows XP and Windows Vista

* Collection of smaller changes:
  o Default Copy Limit Kb increased to 48MB from 32MB.
  o Fewer temporary files are kept in the sandbox.
  o Fixed PATH environment variable in sandboxed programs.

* Partially resolved conflict with Rising Antivirus 2008

Homepage

Rootrepeal - new antirootkit

There's a new anti-rootkit released called RootRepeal.

Given that most other anti-rootkit projects have stopped development (Rootkit Unhooker, for example) or slowed down (IceSword), with GMER the exception that is still going strong, RootRepeal is a welcome addition.

"RootRepeal is currently in public beta. Whereas every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, it cannot be guaranteed. "

Of course, one should always be suspicious of such offerings from unknown sources (a "free" anti-rootkit might turn out to be a rootkit itself), but this one looks fairly reliable, with past development work by "Ad" noted at the Sysinternals forum (possibly the second best forum on rootkits/anti-rootkits open to the public).

SafeSpace discontinued

An announcement about the freeware sandbox Safespace

"To all SafeSpace users.

As you may be aware, Artificial Dynamics is a subsidiary company of the AppSense Group Inc.
Artificial Dynamics consisted of a small team of developers who created the virtualization engine which made SafeSpace possible.
In April, the technologies used in SafeSpace were re-acquired by AppSense Ltd and Artificial Dynamics has since been disbanded. As a result, we have only been able to offer limited support to end users.

Version 2.0.41.0 was our last official release. Limited support will still be available via the Artificial Dynamics support forums, and SafeSpace will continue to be hosted on Download.com – free for personal use.

Our patented virtualization technology is now being utilized within AppSense user environment management solutions to enable dynamic personalization of physical and virtual corporate desktops.
If you’d like to know more about these solutions please visit http://www.appsense.com.

I would like to sincerely thank everyone who took the time to try SafeSpace. Your feedback helped us develop a great security product which is today being used by several thousand home users.

I will continue to visit these forums regularly and help out with any SafeSpace related topics that occur.

Best regards,

Kris.

Artificial Dynamics."

What a pity; SafeSpace was one of the most promising up-and-coming sandboxes. Though not quite as popular as Sandboxie, for various reasons (it had a nice interface but required more resources, and in particular its dependency on the .NET Framework turned off some users), it was still a very promising product with good anti-keylogging features.

Virus.gr releases June 08 antivirus tests

Virus.gr has released its antivirus test results for June 08.

Some notes about the methodology:

1. All settings are set to maximum rather than default. Most users do not do this, because it results in excessive false positives (particularly for AntiVir). Nevertheless, this is common enough for such tests; av-comparatives, for example, does the same.

2. More serious is this part:

"The 246705 virus samples were chosen using VS2000 according to Kaspersky, F-Prot, Nod32, Dr.Web, BitDefender and McAfee antivirus programs. Each virus sample was unique by virus name, meaning that AT LEAST 1 antivirus program detected it as a new virus."

Getting a good test bed that includes real threats (which excludes rubbish files, corrupted files, etc.) is always the biggest challenge for a good test, and pretty much every tester has a test bed that is not as good as they would wish. However, relying on antiviruses to determine whether something is a threat obviously biases the test.

Kaspersky etc. obviously have a *big* advantage in this test. After all, part of the "questions" in the test are drawn from what Kaspersky knows. Kaspersky also has the biggest database (though it is unknown how much of it is really malicious).

See other criticism of the methodology.

Still, for what it's worth, see the results below.


Results below courtesy of Virus.gr

Rank

1. G DATA 2008 version 18.2.7310.844 - 99.05%

2. F-Secure 2008 version 8.00.103 - 98.75%

3. TrustPort version 2.8.0.1835 - 98.06%

4. Kaspersky version 8.0.0.357 - 97.95%

5. eScan version 9.0.742.1 - 97.44%

6. The Shield 2008 - 97.43%

7. AntiVir version 8.1.00.331 Premium - 97.13%

8. Ashampoo version 1.61 - 97.09%

9. Ikarus version 1.0.82 - 96.05%

10. AntiVir version 8.1.00.295 Classic - 95.54%

11. AVG version 8.0.100 Free - 94.85%

12. BitDefender 2008 version 11.0.16 - 94.70%

13. Avast version 4.8.1201 Professional - 93.78%

14. Nod32 version 3.0.650.0 - 93.36%

15. F-Prot version 6.0.9.1 - 91.87%

16. BitDefender version 10 Free - 91.32%

17. ArcaVir 2008 - 88.65%

18. Norman version 5.92.08 - 87.72%

19. Vba32 version 3.12.6.6 - 87.21%

20. McAfee Enterpise version 8.5.0i - 86.57%

21. McAfee version 12.0.177 - 86.39%

22. Rising AV version 20.46.52 - 85.87%

23. Norton 2008 - 83.34%

24. Dr. Web version 4.44.5 - 82.87%

25. Antiy Ghostbusters version 5.2.3 - 80.23%

26. VirusBuster version 5.002.62 - 77.19%

27. Outpost version 6.0.2294.253.0490 - 75.35%

28. V3 Internet Security version 2008.05.31.00 - 75.23%

29. ViRobot Expert version 5.5 - 74.50%

30. Virus Chaser version 5.0a - 73.65%

31. A-squared Anti-Malware version 3.5 - 71.66%

32. PC Tools version 4.0.0.26 - 69.82%

33. Trend Micro Antivirus+Antispyware 2008 version 16.10.1079 - 67.28%

34. Iolo version 4.325 - 63.98%

34. Panda 2008 version 3.01.00 - 61.41%

36. Sophos Sweep version 7.3.2 - 54.71%

37. ClamWin version 0.93 - 54.68%

38. CA Anti-Virus version 9.00.170 - 51.08%

39. Quick Heal version 9.50 - 47.97%

40. Comodo version 2.0.17.58 - 43.15%

41. Trojan Hunter version 5.0.962 - 31.39%

42. Solo version 7.0 - 21.10%

43. Protector Plus version 8.0.C03 - 20.14%

44. PCClear version 1.0.8.0 - 19.63%

45. AntiTrojan Shield version 2.1.0.14 - 14.74%

46. Trojan Remover version 6.6.9 - 13.49%

47. VirIT version 6.2.94 - 8.63%

48. True Sword version 4.2 - 3.42%

49. Abacre version 1.4 - 0.00%


The results look somewhat reasonable in that the top 3 are multi-engine products, hence expected to do best. eScan uses Kaspersky's engine, so you expect similar results, etc. No idea what "The Shield" is, but it is probably a Kaspersky clone too. See the remarks above about Kaspersky having a big advantage.

AntiVir Premium does better than AntiVir free, which makes sense given the free version's lack of antispyware signatures. Also notice that the top 3 free antiviruses, AntiVir, AVG and avast! (avast! Professional is exactly the same as avast! Free in terms of detection rates), are pretty much neck and neck.

Saturday, July 5, 2008

Freeware Rising Antivirus released


Images courtesy of http://www.wilderssecurity.com/showpost.php?p=1270399&postcount=21


I know a lot of people are suspicious about products from China, but it can't be denied that there are many excellent security products from China these days, such as HIPS like ProSecurity, EqSecure and PowerShadow (similar to Returnil).

But what about antiviruses? Everyone is familiar with the big 3 free antiviruses: AVG, AntiVir and avast! They are free products that provide real-time protection, though they lack many features of their fully featured big brothers. In particular AntiVir, which has the best reputation and best test scores, lacks features such as a web shield (HTTP scanner) and antispyware protection.

But what if I told you there was a free product that had exactly the same features as the paid version? Crazy? That would be Rising Antivirus.

Well, that's not a big deal if the full paid version had very few features to begin with, but let's take a look at this set of features:

"Active Defense Technology

Rising’s Active Defense Technology is designed to prevent the execution of malicious programs. It provides more open rules for advanced user customization, which enables the user to define unique defense rules depending upon the special circumstances of his/her own system, thus maximizing the system’s protection.

Patented Scanning Technology for Unknown Viruses
Rising's scanning technology for unknown viruses is protected by patents in the United States of America and Europe. This technology protects your personal computer before new virus definitions are available. Unknown Virus Scan&Clean(Patent No.:ZL 01 1 17726.8)

Patented Fully Automatic SmartUpdate
Rising's Automatic SmartUpdate Technology enables Rising software to automatically detect the latest version and update itself. RISING Virus Lab provides updates at least three times per day with instant updates. Fully Automatic SmartUpdate(Patent No.:ZL 01 1 42155.X)

Smart Virtual Machine with Behaviour & Packing Pattern Recognition
RISING Antivirus comes with an integrated smart virtual machine, which is used for virus scanning and malware recognition. RISING's proprietary smart virtual machine technology provides additional safety for your computer without slowing down your system. Suspected code and programs can be run in this virtual machine for RISING Antivirus to check for potential malicious behaviour. RISING's Behaviour & Packing Pattern Recognition allows it to test such potential malware thoroughly without influencing the performance of your PC and protects your system against new viruses and unknown viruses.

Application Protection
Application Protection can protect specified applications from attack by malicious programs. A user can apply rules to game software, instant messenger, etc. to customize protection. Rising Anti-Virus 2008 provides users with eight rules: Anti-DLL Injection, Anti-CodeInjection, Anti-Memory Modification, Anti-Memory Read, Prevent Suspension, Prevent Termination, Anti-Simulated Sending, and Anti-Simulated Key.

Self-Protection
Previous versions have not offered complete protection to Rising products themselves, resulting in damage to Rising products by specific viruses such as Orange August. The spread of such viruses has prevented users from running Rising products or to browse the Rising website. We now employ Active Defense Technology to address this omission.

Application Access Control
Application Access Control monitors suspicious programs to limit their access to computer resources.

Program Startup Control
Program Startup Control allows users to monitor the startup process of programs, thus being able to intercept and prevent the execution of unknown malicious programs as well as detecting any modification of applications.

Malicious Behavior Detection
Malicious Behavior Detection monitors programs running in the system to detect and report the behavior patterns of malicious code, optionally allowing the user to authorize or reject suspicious activity.

Hidden Process Detection
Hidden Process Detection can detect processes that cannot be seen in the Windows Task Manager that may contain malicious code, including rootkits.

Computer Security Check
The Computer Security Check function informs the user of the current security level and guides him/her in strengthening it to prevent intrusions.

Security Tool Integration Platform
The Security Tool Integration platform provides the following tools: Other Embedded Scan, Registration Wizard, Latest Installation Creation Tool, Application Protection Wizard, Vulnerability Check, and View Quarantine."

Granted, though most of this sounds impressive, these are just very detailed explanations of technical features most antiviruses have (and it doesn't offer the web shield that the free versions of avast! and AVG do). But what is most exciting to me is that it has a full-fledged HIPS (see the headings "Application Protection", "Application Access Control", "Program Startup Control" and "Malicious Behavior Detection").


Images courtesy of http://www.wilderssecurity.com/showpost.php?p=1270399&postcount=21

Being feature-rich is good, but this is after all an antivirus, so how is its detection rate? It is somewhat interesting to note that, despite the internet age, antiviruses are stronger in the regions where their main user base is (if their users are mostly in China, they will tend to be alerted to malware that is "popular" in China), so given that most readers of this blog are not from China, there might be concerns about how good the detection rate is.

First, the good news: it is Checkmark certified by West Coast Labs.

The bad news is that it is not rated regularly by av-comparatives because it does not meet the minimum standard (though the last test to determine this was in Jan 2007, where it scored 71%; it might have improved since then).

It has been tested twice so far by VB100% and failed twice (needs free registration).

The latest virus.gr test, June 2008 (note that the testing methodology of this test has been disputed because the test-bed quality is uncertain; in particular, "samples were chosen by using those products: Kaspersky, F-Prot, Nod32, Dr.Web, BitDefender and McAfee;" which of course gives these products a big advantage, see also), gives it 85.87%, AVG 94.85%, Antivir 94.85%, and Avast! 93.78%.

OITC stats based on scanning using VirusTotal (note this testing methodology is not the best) currently show Rising with 17%, compared to AVG 37%, Antivir 68% and AVAST 27%.

Other tests here and here tell the same story.

The basic story one gets is that Rising is still not very strong on the detection front. It should be noted that these tests rely on on-demand scans and do not exercise the HIPS features of Rising AV, which should improve results quite a bit (though they also rely on user knowledge, of course).

So should one use this to replace one's antivirus, given the relatively poor performance in tests? Currently it is unclear, but one interesting approach is to turn off the real-time antivirus and use only the HIPS features!