We are often asked what Anti Rootkit Scanners are available for Windows Vista. There are currently only 7, out of the 20 or so scanners available, that will work with Vista. These scanners will also only work with 32 Bit versions of Vista.
Here is a list of the 7 in alphabetical order. Please click on the scanner name or screenshot to bring you to a more detailed page where you can download the software.
Â
Â
Â
Â
Â
Â
Keep Safe,
Steo – www.antirootkit.com
In early Devember 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a users disk was spotted in the wild. Up until then this was more of a proof of concept (POC).
This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System.
This rootkit is using the MBR flaw. The MBR can be written to from within Windows.
The rootkit installs itself ( 244K ) on the last sectors of the users disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it.
GMER has written an excellent write up on the MBR Rootkit and goes into more depth on the issue.
Indeed GMER’s Anti Rootkit Software can find the rootkit.
 
The rootkit files cannot be removed from within XP, Vista or NT and must be removed without the PC running the rootkit code.
Until the MBR Security flaw within the NT code is fixed then we will all be soon riddled with MBR Rootkits.
Keep Safe,
regards,
Steo – www.antirootkit.com
Â
Another Storm Worm domain as popped up on the radar,
happy2008toyou.com
The whois…
Domain name:Â Â Â Â Â Â Â Â Â Â Â Â HAPPY2008TOYOU.COM
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns.happy2008toyou.com 68.251.106.142
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns10.happy2008toyou.com 89.35.121.187
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns11.happy2008toyou.com 58.9.65.61
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns12.happy2008toyou.com 222.209.139.28
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns13.happy2008toyou.com 82.59.136.43
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns2.happy2008toyou.com 68.36.252.81
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns3.happy2008toyou.com 71.230.66.163
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns4.happy2008toyou.com 68.61.185.117
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns5.happy2008toyou.com 70.232.142.1
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns6.happy2008toyou.com 66.75.86.71
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns7.happy2008toyou.com 85.29.202.180
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns8.happy2008toyou.com 86.139.75.35
Name Server:Â Â Â Â Â Â Â Â Â Â Â Â ns9.happy2008toyou.com 86.130.251.39
Creation Date:Â Â Â Â Â Â Â Â Â Â 2007.12.29
Updated Date:Â Â Â Â Â Â Â Â Â Â Â 2007.12.29
Expiration Date:Â Â Â Â Â Â Â Â 2008.12.29
Status:Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â DELEGATED
Registrant ID:Â Â Â Â Â Â Â Â Â Â X05O1TC-RU
Registrant Name:Â Â Â Â Â Â Â Â Larry Claus
Registrant Organization: Larry Claus
Registrant Street1:     1874 str. office 923
Registrant City:Â Â Â Â Â Â Â Â Los-Angeles
Registrant State:Â Â Â Â Â Â Â CA
Registrant Postal Code:Â 320784
Registrant Country:Â Â Â Â Â US
Administrative Technical Contact
Contact ID:Â Â Â Â Â Â Â Â Â Â Â Â Â X05O1TC-RU
Contact Name:Â Â Â Â Â Â Â Â Â Â Â Larry Claus
Contact Organization:Â Â Â Larry Claus
Contact Street1:        1874 str. office 923
Contact City:Â Â Â Â Â Â Â Â Â Â Â Los-Angeles
Contact State:Â Â Â Â Â Â Â Â Â Â CA
Contact Postal Code:Â Â Â Â 320784
Contact Country:Â Â Â Â Â Â Â Â US
Contact Phone:Â Â Â Â Â Â Â Â Â Â 1 320 5216723
Contact E-mail:Â Â Â Â Â Â Â Â Â larryknower931@yahoo.com
Registrar:Â Â Â Â Â Â Â Â Â Â Â Â Â Â ANO Regional Network Information Center dba RU-CENTER
Last updated on 2008.01.01 03: 36: 27 MSK/MSD
The full list of domains we currently have is:
familypostcards2008.com
freshcards2008.com
happy2008toyou.com
happycards2008.com
happysantacards.com
hellosanta2008.com
hohoho2008.com
newyearcards2008.com
newyearwithlove.com
parentscards.com
postcards-2008.com
Santapcards.com
Santawishes2008.com
The filename downloaded is happy_2008.exe
Most Virus Scanners find it,
Have a happy New Year,
Keep Safe,
regards,
Steo
Whats the first thing people all over the world do when they want to find out about something…they Google it!!! “Googling” something has become a keyword in so many people’s lives these days. Googling has an entry on popular online dictionaries http://dictionary.reference.com/browse/google which means it wont be long before you can actually use the word Googling “legally”.
So when millions of people recently got an email with a link to newyearcards2008.com where they could pick up their New Years E Card Greeting they went to Google and did a search for newyearcards2008.com and they would have seen newyearcards2008.com at the very top,
From Google….
“Happy New Year!
| Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press … newyearcards2008.com/ – 1k – Cached – Similar pages“ |
Most Google users would think it is legitimate such is the trust in Google these days. When clicked on the user would have seen a page delivered via someones PC whether it be in their front room, bedroom, office, factory floor even unsuspecting Internet Cafe’s all over the world.
Snapshot from newyearcards2008.com
These infected PC users do not suspect a thing because their Anti Virus program shows that everything is ok, all is well. Why? The latest Storm Worm is using a rootkit … http://www.antirootkit.com/blog/2007/12/27/happy-new-rootkit/ . Nothing shows because of the stealth capabilities of the rootkit. It hides all traces of itself from normal anti virus and anti spyware scanners. Different scanners are now required for checking for rootkits. Scanners that know exactly how the rootkit operates are required, check out the Antirootkit Software page for list of new scanners.
Why does a search of newyearcards2008.com show the main infection site up first on a Google search? It’s all about how many pages on the internet link to newyearcards2008.com. Even by me putting newyearcards2008.com in this blog will help the name climb the Google ladder so that it shows at the very top and stays top for as long as it can, fooling people into thing it is legitimate ( I mention newyearcards2008.com a lot here so that this blog entry will raise higher than newyearcards2008.com and people will read this warning before getting their New Year’s “Surprise” E-Card).
The people who registered newyearcards2008.com, they went about getting the domain name mentioned on a lot of internet pages around the world, mostly on blog pages belonging to Google. Most of the Blogspot pages have been disabled by Google but many Blogspot and Blogger owners who are using their own domain name have links to newyearcards2008.com
 in thier “hacked” blogs.
Â
Â
If you suspect a site as being unusual with unusual activity then you can report it to Google and help them mark it as suspect. You can report to Google, suspect sites, via http://www.google.com/safebrowsing/report_badware/
A recent Trend Micro Blog entry highlights Blogger pages being used to harbor links to newyearcards2008.com… http://blog.trendmicro.com/hundreds-of-blogger-pages-harboring-new-years-storm-links/trackback/
So far as of 29th Dec GMT newyearcards2008.com is showing tops, lets see when it is highlighted as a suspect site by Google on a web search.
Also keep an eye out for newyearwithlove.com
(Asked whois.nic.ru:43 about newyearwithlove.com)
 Domain name:            NEWYEARWITHLOVE.COM
 Name Server:            ns.newyearwithlove.com 24.161.84.89
 Name Server:            ns10.newyearwithlove.com 69.179.23.34
 Name Server:            ns11.newyearwithlove.com 70.241.145.212
 Name Server:            ns12.newyearwithlove.com 69.137.25.197
 Name Server:            ns13.newyearwithlove.com 82.67.135.130
 Name Server:            ns2.newyearwithlove.com 71.201.48.186
 Name Server:            ns3.newyearwithlove.com 68.114.62.80
 Name Server:            ns4.newyearwithlove.com 76.226.178.239
 Name Server:            ns5.newyearwithlove.com 70.128.122.94
 Name Server:            ns6.newyearwithlove.com 76.201.158.149
 Name Server:            ns7.newyearwithlove.com 75.49.2.123
 Name Server:            ns8.newyearwithlove.com 67.8.191.249
 Name Server:            ns9.newyearwithlove.com 71.12.83.79
 Creation Date:          2007.12.26
 Updated Date:           2007.12.26
 Expiration Date:        2008.12.26
 Status:                 DELEGATED
 Registrant ID:          XHAEJUS-RU
 Registrant Name:        Bill Gudzon
 Registrant Organization: Bill Gudzon
 Registrant Street1:     1920 str. office 345
 Registrant City:        Los-Angeles
 Registrant State:       CA
 Registrant Postal Code: 32089
 Registrant Country:     US
 Administrative Technical Contact
 Contact ID:             XHAEJUS-RU
 Contact Name:           Bill Gudzon
 Contact Organization:   Bill Gudzon
 Contact Street1:        1920 str. office 345
 Contact City:           Los-Angeles
 Contact State:          CA
 Contact Postal Code:    32089
 Contact Country:        US
 Contact Phone:          1 320 5427834
 Contact E-mail:         bgudzon1956@hotmail.com
 Registrar:              ANO Regional Network Information Center dba RU-CENTER
 Last updated on 2007.12.29 05: 07: 05 MSK/MSD
Keep Safe,
Steo – www.antirootkit.com
Â
Microsoft have just gained one of the best anti rootkit teams on the planet. EP_X0FF and the development team of Rootkit Unhooker have joined Microsoft. They are currently making plans to ship off to Wittenberg in Germany ( where Martin Luther is buried ) where the Rootkit Unhooker team will finish off work on their, up to now,secret project called Secured Eye (SEye),“…in a two words this is project mix of software/hardware related to distributed calculations and virtualization technologies based on Vanderpool / Pacifica extensions. Not a Blue Pill. To be more correct some parts of SEye can be used as a pill for any kind of Blue Pill variations 
”
Microsoft now owns Rootkit Unhooker and SEye….”As you can guess all our source code and concept were sold to MS. This was happened in the beginning of November and includes all variants of our test programs, RkU, including last 4.1 version and SEye which is ready on 3/4.”
It is a great thing that EP_X0FF and the team are off to Microsoft. Just like Mark Russinovitch before them, their vision and knowledge alongside money and resources from Microsoft will bode well for us all in the future.
Best of Luck to you all and keep in touch.
You can read EP_X0FF’s blog here…http://www.rootkit.com/blog.php?user=EP_X0FF
Keep Safe
Steo
Â
The Authentium Virus Blog posting shows how anti malware programs need to be extremely user friendly for the average user out there. We feel that this is especially true when it comes to Anti Rootkit programs.
There should be a straight forward, non threatening way for users who do not have much computer experience to remove rootkits.
From the Authentium Virus Blog…
“On average we have removed 2 pieces of malware from the machine per day and I suspect that there are at least two different potentially unwanted applications and at least one piece of malware left on the machine. This malware removed includes 2 bots, 1 rootkit, 1 executable that controlled the rootkit and 1 dropper. I suspect that there are still a mass mailer and/or network worm left to be removed. Compliments of a good defense in depth strategy this seems to be contained by the security suite. But it still does not leave the machine in a usable state.”
Keep Safe,
regards
Steo