Rootkit scanners not keeping up with new rootkits

Galdorf (Well-Known Member, Ontario, Canada)
Wow, every rootkit scanner that is free no longer picks up many of the rootkits out there. Many times I have used GMER, RootRepeal etc. only to get a "no rootkit found" result.
There is even a new atapi.sys rootkit that none of these pick up.
I have to resort to UnHackMe; it seems to find all of them. Also, boot disk AVs will pick them up as well, but scanning in the infected OS does not seem to work anymore.
 
Are you sure they're new rootkits? UnHackMe picks up a lot of false positives.
 
Yes, I have made copies of the files and checked them. They are packed and the hashes don't match the originals on the OS disk; not only that, but it's not signed either, and those files are signed by MS.
I sent them to VirusTotal and it showed as a rootkit. Also, my AV picked it up, but running a rootkit scan on the infected OS shows nothing.

After cleaning the machine and replacing atapi.sys you could surf to all websites.
If you know what you're doing with UnHackMe it does not give false positives: it asks you to check if the file is valid and if it is signed, thus a file 42397245642.exe is not a system file but a trojan. Also, when you install new drivers or software it asks you to verify once to rule it out on the next reboot.
 

I don't mean to be funny Galdorf, but you've made a few posts with doom and gloom about rootkits and I'm not sure they've come true so far. You claimed there was a completely undetectable TDL4 rootkit and that turned out to be a TDL3 variant and not undetectable. You may remember that thread where we had people from the Sysinternals forum come over and ridicule our ignorance on the subject. Since then I've read other threads from you about how X has been undetectable or missed by all scanners and so forth.

If you can actually provide samples of these finds then other people can check them out to see what is actually undetectable and what is just not being detected by you using certain software - there might well be a difference.
 

I'm not saying it is totally undetectable, I'm saying it is undetectable from the infected OS. Scanning it externally, or from a boot CD, it shows up as a rootkit; thus all the free rootkit scanners are useless unless they update them. GMER has not been updated for quite some time.
 
Can you supply any of them? Plenty of people would be interested in getting some experience with them.
 
NTFS has not been updated for some time, but it still works if we keep the bad guys out.

GMER is a community project, UnHackMe is a commercial product - sometimes the line between the white hats and the black hats becomes blurred if profit becomes an objective.

IIRC Galdorf dismissed HijackThis as rubbish because it identified "too many false positives". Now in all the years I've used HJT it's never identified anything bad because it's an analysis tool not a diagnostic tool, it has no database back-end so was never designed to identify good from bad. As such it's still a powerful tool that still serves me well.

Don't get me wrong Galdorf, you've made some valuable and useful posts here, but all-too-often you make bold proclamations that there's yet another undetected rootkit that only UnhackMe has uncovered, yet when challenged you never provide any intelligent evidence to support your claims. These new rootkits never get discussed amongst the more forensic forums either, are they so dark and dangerous that no-one but the foolish dare go near them? Maybe UnHackMe is your product or something you're affiliated to, in which case good luck to you if you're making money from it one way or another, but I've yet to be convinced that it is little more than commercial scareware.

As our politicians have discovered: the politics of fear are more powerful than the actual risks we "could" face.
 

I don't make money from UnHackMe and I'm not affiliated either, just stating a fact that free rootkit scanners need to be updated.
BTW, UnHackMe is a Russian product; I live in Canada. I just want there to be a free alternative for people to scan for rootkits that is reliable.
Instead I just resort to scanning from a boot CD/flash drive, and for tougher ones I use UnHackMe because of the pre-OS scan; it finds the stuff.
I used to use GMER a lot because it was fast and did not require installation, but now it is missing too many rootkits and needs to be updated. Having to scan from a boot CD/flash drive takes much longer than using GMER, then finding the files and removing and replacing them (e.g. atapi.sys); more work for me.
 

I bought UnHackMe on your recommendation some time ago. I agree with your comments on its effectiveness.

I've been trying their Warrior product, but find it confusing. Have you tried it?
 

No, I have not tried it yet, but might look into it later.
Have you checked YouTube? There are some tutorials there.
 