rootkit

SSH Rootkit is a patch for latest version of SSH 1.2 to enable "rootkit" features like incoming/outgoing password logging, "global password" to allow login into any account using a pre-defined password.

Adds options to SSH configure script to enable rootkit features. Script kiddie dream!

WARNING: If configure fails on your system for some reason, re-run autoheader / autoconf in the ssh dir after patching.

WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!

PLEASE READ THE SECTION ABOUT SETTING FILE MODES FOR THE
USERNAME/PASSWORD LOG FILE!!! IF YOU DONT, SSH ROOTKIT
WILL NOT WORK!!! IF I GET ANY EMAIL ABOUT "SIGNAL 11"
WHEN RUNNING SSH, I WILL IGNORE IT!

WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!

NOTICE: This version includes patches from these people: Zelea, spwn.

NOTICE: Setting file modes on the logfile PLEASE make sure that your selected log file (--enable-ssh-log=whatever) is set to mode 666 (read/write by all) its extremely important to do this, because otherwise ssh will not be able to fopen() the log file, and will die with sig11. No, there is not an easy way to make it open the file while its still root. So, to summarize this:

# chmod 666 /wherever/your/log/file/is/.logfile

If you dont do this, dont come crying to me after the admin finds you.

Whats New in This Release:

· now uses configure options to enable rootkit features
· NEW logging facility, save incoming AND outgoing logins into a file, outgoing logins are saved with [successful] or [failed] message, great incase the user types some -other- password, then you can have access to TWO of his shells general code cleanup build against ssh-1.2.27
· corrected a bug that prevented wtmp/utmp login when RSA authentication and .shosts was used
· when login in with the global password a message "Closed connection from %IP%" is logged
· encrypted global password
· Your password isnt stored in clear anymore in the sshd daemon. Only the MD5 hash of your password is. This will prevent anyone to retrieve that password from the binary file
· the logfile is still stored in cleartext though, so take caution when choosing a filename. Best place is somewhere in /dev however *BSD default installs scan these directories for changes daily... /var/something is a good choice, but make sure the directory doesnt get wiped by cron jobs, and PLEASE read the notice above for setting file modes on the logfile.

Sophos Anti Rootkit description
Sophos Anti-Rootkit eliminates hidden applications and processes Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care.

Sophos Anti-Rootkit will find and remove any rootkit that is hidden on your computer.

The term rootkit is used to define a Trojan (or technology) used to hide the presence of a malicious object (process, file, registry key, network port) from the computer user or administrator.

Here are some key features of "Sophos Anti Rootkit":

· Scans running processes, windows registry and local hard drives for rootkits.
· Identifies known rootkits and selects, by default, files for removal which will remove the rootkit component of the malware without compromising OS integrity.
· Allows users to remove unidentified hidden files, but does not allow removal of essential system files when hidden by an identified rootkit.
· Once the user has run a scan, the screen prompts the user through the necessary steps until every rootkit has been removed.
· Users can switch between the GUI and command-line functionality.
· Both context sensitive and command-line help are available.

DarkSpy Anti-Rookit is a multiway-based detection tool for rootkit detection.

It internally combines many effective detection techniques, including DarkSpys own handlers and also methods used by other famous tools.

Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care.

Sophos Anti-Rootkit will find and remove any rootkit that is hidden on your computer.

The term rootkit is used to define a Trojan (or technology) used to hide the presence of a malicious object (process, file, registry key, network port) from the computer user or administrator.

Here are some key features of "Sophos Anti Rootkit":

· Scans running processes, windows registry and local hard drives for rootkits.
· Identifies known rootkits and selects, by default, files for removal which will remove the rootkit component of the malware without compromising OS integrity.
· Allows users to remove unidentified hidden files, but does not allow removal of essential system files when hidden by an identified rootkit.
· Once the user has run a scan, the screen prompts the user through the necessary steps until every rootkit has been removed.
· Users can switch between the GUI and command-line functionality.
· Both context sensitive and command-line help are available.

RootKit Hook Analyzer description
RootKit Hook Analyzer is a security utility which will check if there are any rootkits installed which hook the kernel RootKit Hook Analyzer is a security utility which will check if there are any rootkits installed on your PC which hook the kernel system services.

Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on.

If any of these system services are intercepted and modified it means that there is a possibility that the safety of your system is at risk and that spyware, viruses or malware are active.

Kernel hooks are out of fashion these days and not officially documented and considered deprecated by Microsoft. The pioneering heroes of the old days who discovered how to actually implement them have all adopted the new fashion of advising against using kernel hooks as a programming practice.

Often kernel hooks are unnecessary because there are documented ways which allow a programmer to achieve his goal. However in a lot of system tools such as monitoring and antivirus software, kernel hooks are the only available technique to get the difficult job done and thus an unavoidable necessary evil.

Important is that if your kernel system services are hooked that you can find out which is the responsible software that makes use of these techniques. Inspired by all the discussions going on about the Sony CD protection rootkit, we have developed the RootKit Hook Analyzer.

RootKit Hook Analyzer is a security tool which will check if there are any rootkits installed on your computer which hook the kernel system services. Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on.
If any of these system services are intercepted and modified it means that there is a possibility that the safety of your system is at risk and that spyware, a virus or other malware is active on your system. Kernel hooks are not necessarily bad, for system monitoring software and security tools often they are a necessary evil. However it is desired if kernel rootkit hooks are installed on your system that you can find out where they come from. This program will display all kernel services and the responsible modules for handling them, along with company and product information. If no hooks are active on your system it means that all system services are handled by NTOSKRNL.EXE, the principal base component of most Windows operating systems which is developed by Microsoft. All you have to do to find out what kernel hooks are installed on your system is press the Analyze button at the bottom of the screen. RootKit Hook Analyzer also allows you to view installed system modules and drivers with their base addresses as well as file and product information as well as the responsible companies.

New is support for Windows x64 editions. Windows x64 is protected with a feature called Patchguard which is supposed to block any type of hooking activity in the Windows kernel. Hackers have been able to circumvent this protection and Windows x64 kernel hooks may now be found in both malware as well as legitimate products.
The software is distributed as a free download. For more information visit http://www.resplendence.com/hookanalyzer

The ARIES Rootkit Remover was desgined to locate and permanently remove the Sony rootkit from the system and disable the rootkits ability to run once more after reboot.

This standalone tool is a reliable, trustworthy, and safe way of removing the rootkit--unlike Sonys own rootkit remover that has been known to cause blue screens.

This primarily protects consumers and ensures privacy. The tool is developed by Lavasoft in line with our common goals to steer computing environment towards better standards.

McAfee Rootkit Detective description
McAfee Rootkit Detective will proactively detect and clean rootkits that are running on the system McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

Here are some key features of "McAfee Rootkit Detective":

· Designed to proactively detect the system objects like processes, files and registry that are hidden to the user
· Provides information about all running processes in the system
· Provides information about various system hooks like SSDT(System Service Descriptor Table) hooks, user/kernel IAT/EAT(Import/Export Address Table) hooks
· Allows the user to clean/remove the malicious objects from the system by renaming/deleting the hidden files/registry
· Allows the user to terminate the malicious processes
· Users can submit samples using the submission feature present in the tool
· Users can also collect the samples manually after renaming them and Avert Labs for further analysis


Requirements:

· Windows XP Home Edition with SP2
· Windows XP Professional Edition with SP2
· Windows 2000 with SP4
· Windows 2000 Server
· Windows 2003 Server SP1


BETA KNOWN ISSUES
· McAfee Rootkit Detective will detect registry entries pertaining to McAfee Entercept Products if installed on your system.
· McAfee Rootkit Detective will detect mfehidk.sys file pertaining to McAfee Antispyware Enterprise (Standalone) as a hooked service.
· McAfee Rootkit Detective will detect IAT/EAT hooks in Windows 2000 SP4 system pointing to shim.dll.
· McAfee Rootkit Detective will detect vsdatant.sys from Zone Alarm as hooked service for rootkit like behavior.
· McAfee Rootkit Detective will detect Goback2k.sys as hooked service on system having Go Back software installed system for rootkit like behavior.
· McAfee Rootkit Detective will detect fsndis5.sys as hooked service from F-Secure if F-Secure Internet Security Suite 2006 is installed on the system
· McAfee Rootkit Detective will detect klif.sys as hooked service from Kaspersky if Kaspersky Internet Security 2006 is installed on the system.
· McAfee Rootkit Detective will detect FireTDS.sys as hooked service from McAfee if McAfee Desktop Firewall is installed on the system.
· McAfee Rootkit Detective will detect Hidsys.sys as hooked service from McAfee if McAfee Host Intrusion Prevention is installed on the system.
· McAfee Rootkit Detective will detect Service Name ZwCreateThread when VSE product is installed on the system.
· McAfee Rootkit Detective will not run on Windows 2000 platforms when Kaspersky Internet Security 2006 is installed.
· McAfee Rootkit Detective will detect many IAT/EAT hooks and SSDT hooks of legitimate applications.

The first beta version of the AVG Anti-Rootkit, an advanced utility designed to detect and remove hidden objects known as Rootkits, from your system, is now available for beta testing.

AVG Anti-Rootkit can even remove Trojans and Rootkits that are hiding inside NTFS Alternate Data Streams.

Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care.

Sophos Anti-Rootkit will find and remove any rootkit that is hidden on your computer.

The term rootkit is used to define a Trojan (or technology) used to hide the presence of a malicious object (process, file, registry key, network port) from the computer user or administrator.

Here are some key features of "Sophos Anti Rootkit":

· Scans running processes, windows registry and local hard drives for rootkits.
· Identifies known rootkits and selects, by default, files for removal which will remove the rootkit component of the malware without compromising OS integrity.
· Allows users to remove unidentified hidden files, but does not allow removal of essential system files when hidden by an identified rootkit.
· Once the user has run a scan, the screen prompts the user through the necessary steps until every rootkit has been removed.
· Users can switch between the GUI and command-line functionality.
· Both context sensitive and command-line help are available.

Panda Anti Rootkit description
Panda Anti-Rootkit is a program that uses latest generation technology to detect and remove rootkits Panda Anti-Rootkit was designed to be a small application that will use the latest generation technology to detect and remove rootkits on your system. Rootkits are programs designed to hide processes, files or Windows Registry entries.

This type of software is used by hackers to hide their tracks or to insert threats surreptitiously on compromised computers. There are types of malware that use rootkits to hide their presence on the system.

Rootkits use sophisticated techniques to avoid being detected by antivirus solutions. To combat this new threat Panda Software has developed Panda Anti-Rootkit.

OS X Rootkit Hunter is based on Michael Boelen`s "rootkit hunter" but little modified for easier/better usability on Mac OS X.

OS X Rootkit Hunter is scanning tool to detect nasty tools on your Mac. This tool scans for rootkits, backdoors and local exploits by running tests like:

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

*not yet tested on intel MACs.

Panda Anti-Rootkit was designed to be a small application that will use the latest generation technology to detect and remove rootkits on your system. Rootkits are programs designed to hide processes, files or Windows Registry entries.

This type of software is used by hackers to hide their tracks or to insert threats surreptitiously on compromised computers. There are types of malware that use rootkits to hide their presence on the system.

Rootkits use sophisticated techniques to avoid being detected by antivirus solutions. To combat this new threat Panda Software has developed Panda Anti-Rootkit.

Panda Anti-Rootkit was designed to be a small application that will use the latest generation technology to detect and remove rootkits on your system. Rootkits are programs designed to hide processes, files or Windows Registry entries.

This type of software is used by hackers to hide their tracks or to insert threats surreptitiously on compromised computers. There are types of malware that use rootkits to hide their presence on the system.

Rootkits use sophisticated techniques to avoid being detected by antivirus solutions. To combat this new threat Panda Software has developed Panda Anti-Rootkit.

McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.

McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

Here are some key features of "McAfee Rootkit Detective":

· Designed to proactively detect the system objects like processes, files and registry that are hidden to the user
· Provides information about all running processes in the system
· Provides information about various system hooks like SSDT(System Service Descriptor Table) hooks, user/kernel IAT/EAT(Import/Export Address Table) hooks
· Allows the user to clean/remove the malicious objects from the system by renaming/deleting the hidden files/registry
· Allows the user to terminate the malicious processes
· Users can submit samples using the submission feature present in the tool
· Users can also collect the samples manually after renaming them and Avert Labs for further analysis

Rootkit scanner is scanning tool to ensure you for about 99.9% youre clean of nasty tools. Rootkit Hunter scans for rootkits, backdoors and local exploits by running tests like:

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

Rootkit Hunter is released as GPL licensed project and free for everyone to use.

No, not really 99.9%.. Its just another security layer.