[unisog] HACKER_DEFENDER

Nicholas Ianelli ni at cert.org
Fri Feb 25 21:19:12 GMT 2005


Chuck,

Not sure if you saw these two products to assist with detection/mitigation
of W32 rootkits (freeware):

FLISTER is a proof-of-concept code for detecting files hidden by both
usermode and kernelmode Windows rootkits. It exploits the bugs in handling
ZwQueryDirectoryFile() calls with ReturnSingleEntry set to TRUE. Flister
works on Windows 2000, XP and 2003.

http://www.invisiblethings.org/tools.html

SysInternals have released their Rootkit revealer.

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Nick

--On Friday, February 25, 2005 2:03 PM -0500 Chuck Haines 
<chaines at gmail.com> wrote:

> We recently had an outbreak of the hacker_defender rootkit.  Just a
> heads up to let everyone know to look for it.  More information on
> removal and such can be found at
> http://mother.itsp.purdue.edu/~wirges/resources/public/hacker_defender/.
>  We are still in the process of cleaning and dissecting it.  I'll
> report back with any other findings besides those listed in the
> information site.
>
> Chuck Haines
> WPI ECE Systems Administrator
>
> --
> Chuck Haines
> chaines at gmail.com
> http://www.maxslack.com
> -------------------------------------------
> Tau Kappa Epsilon Fraternity
> TKE-ZM Web Coordinator
> ECE Systems Administrator
> -------------------------------------------
> AIM: CyberGrex
> YIM: CyberGrex_27
> ICQ: 3707881
> -------------------------------------------
> GPG Fingerprint: 303A AB50 4EA9 70ED 2E30 2368 C9CD CCB5 4BD7 0989
> GPG Key: http://www.maxslack.com/gpgkey.txt
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog