Hypersight Rootkit Detector


Galdorf
05-04-2009, 09:30 PM
It's still in beta but picks up stuff that is very hard to detect. I have used it a few times and found stuff nothing else would pick up.

http://northsecuritylabs.com/

It's the next gen of rootkit detectors; they seem to be pretty cutting edge on these new rootkits.

Although this is not for the average user: it uses HVT, meaning the CPU must be able to support HVT (Intel or AMD).
It will not run on every PC.

Hardware Virtualization Technology, i.e. Intel VT-x, AMD-V


AMD virtualization (AMD-V)

AMD markets its virtualization extensions to the 64-bit x86 architecture as AMD Virtualization, abbreviated AMD-V. It is still referred to as "Pacifica", the AMD internal project code name.

AMD-V operates on AMD Athlon 64 and Athlon 64 X2 with family "F" or "G" on socket AM2 (not 939), Turion 64 X2, Opteron 2nd generation[1] and 3rd-generation,[2] Phenom, and all newer processors. Sempron processors do not include support for AMD-V.

On May 23, 2006, AMD released the Athlon 64 ("Orleans"), the Athlon 64 X2 ("Windsor") and the Athlon 64 FX ("Windsor") as the first AMD processors to support AMD-V. Prior processors do not have AMD-V.

Intel Virtualization Technology for x86 (Intel VT-x)

Previously codenamed "Vanderpool", VT-x represents Intel's technology for virtualization on the x86 platform. Intel plans to add Extended Page Tables (EPT),[3] a technology for page table virtualization,[4] in the Nehalem architecture.[5]

The following modern Intel processors include support for VT-x:[6]

* Pentium 4 662 and 672
* Pentium Extreme Edition 955 and 965 (not Pentium 4 Extreme Edition with HT)
* Pentium D 920-960 except 945, 935, 925, 915
* some models of the Core processors family
* some models of the Core 2 processors family (list here)
* Xeon 3000, 5000, 7000 series
* some Atom chips
* all Intel Core i7 processors

Neither Intel Celeron, Pentium Dual-Core nor Pentium M processors have VT technology.

more info here: http://en.wikipedia.org/wiki/X86_virtualization
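The CPU requirement described above can be checked before installing anything. The following is an added example, not code from this thread or from North Security Labs: it reads CPUID and decodes the Intel VMX (VT-x) and AMD SVM (AMD-V) feature bits, plus the hypervisor-present bit. It assumes GCC or Clang on x86 (`<cpuid.h>`); the decoder is split from the instruction so it can be tested with constructed register values.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* CPUID facts a hypervisor-based detector needs before it can load. */
typedef struct {
    int intel_vtx;   /* CPUID.1:ECX bit 5 (VMX), GenuineIntel only */
    int amd_v;       /* CPUID.80000001h:ECX bit 2 (SVM), AuthenticAMD only */
    int hv_present;  /* CPUID.1:ECX bit 31: some hypervisor already runs */
} hvt_caps;

/* Pure decoder, separated from the CPUID instruction so it can be
   checked with constructed register values on any machine. */
hvt_caps decode_hvt(const char *vendor, uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    hvt_caps c = {0, 0, 0};
    if (strcmp(vendor, "GenuineIntel") == 0)
        c.intel_vtx = (leaf1_ecx >> 5) & 1;
    else if (strcmp(vendor, "AuthenticAMD") == 0)
        c.amd_v = (ext1_ecx >> 2) & 1;
    c.hv_present = (leaf1_ecx >> 31) & 1;
    return c;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Query the running CPU; CPUID reports what the silicon can do, not whether firmware enabled it. */
int query_hvt(hvt_caps *out)
{
    uint32_t a, b, c, d, leaf1_ecx, ext1_ecx = 0;
    char vendor[13] = {0};
    __cpuid(0, a, b, c, d);                  /* vendor string is EBX,EDX,ECX */
    memcpy(vendor, &b, 4); memcpy(vendor + 4, &d, 4); memcpy(vendor + 8, &c, 4);
    __cpuid(1, a, b, c, d); leaf1_ecx = c;
    __cpuid(0x80000000u, a, b, c, d);        /* make sure the extended leaf exists */
    if (a >= 0x80000001u) { __cpuid(0x80000001u, a, b, c, d); ext1_ecx = c; }
    *out = decode_hvt(vendor, leaf1_ecx, ext1_ecx);
    return 1;
}
#else
int query_hvt(hvt_caps *out) { hvt_caps z = {0, 0, 0}; *out = z; return 0; }
#endif
int main(void)
{
    hvt_caps c;
    if (!query_hvt(&c)) { puts("not an x86 build; CPUID unavailable"); return 1; }
    printf("Intel VT-x: %s  AMD-V: %s  hypervisor already present: %s\n",
           c.intel_vtx ? "yes" : "no", c.amd_v ? "yes" : "no", c.hv_present ? "yes" : "no");
    return 0;
}
```

Enabling VT-x/AMD-V in firmware is a separate setting (confirming it needs a ring-0 MSR read), and if the hypervisor-present bit is already set, a detector that wants to sit beneath the OS kernel can only do so if the existing hypervisor exposes nested virtualization.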

PcTek9
06-20-2012, 03:29 AM
Galdorf,
On November 18th, 2011, North Security Labs released a working version of this product as a 15-day preview to the public.
This is probably the best rootkit scanner in the world; my reasoning is as follows:
(1) Regular scanners compete with malware applications and must rely on signatures.
(2) HIPS-like programs can install between the kernel and the applications and monitor for bad stuff there, but... then what about rootkits that run in kernel mode, instead of just user mode?
(3) Kernel-based auditing techniques work and were the newest technology, and that is what is used in 99% of all rootkit scanners, sorting the "good" from the "tainted", so to speak. But this just puts a kernel-based rootkit on equal footing with a kernel-based scanning technique.
(4) Hypersight. This technology jumps one over on the rootkit. It does this by loading the entire operating system as a virtual machine. So now the first thing to load is Hypersight, and Hypersight monitors the 2nd level, which is your operating system kernel. Your operating system kernel then runs all other applications, including regular rootkit scanners.
**** In other words, this is about the best thing since sliced bread when it comes to advanced rootkits. I've added it to the list. Kudos to you for providing Technibble with some of the most advanced and updated methods that, at the time you found it, were on the red-hot edge of cyber technology - and as far as I know - this still is the most advanced system you can use against rootkits of any kind.

4ycr
06-20-2012, 10:54 AM
I'll need to wait, as it does not support x64 yet.

Xander
06-20-2012, 04:49 PM
Sounds interesting. I see where it'll let you download a trial but I don't see anywhere about pricing/purchasing. Not a confidence booster that they haven't blogged for 7 months.