Topic: Microsoft warns of impossible to detect malware.


Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Microsoft warns of impossible to detect malware.
« on: February 19, 2005, 05:45:12 am »
Link to full story

Quote
RSA: Microsoft on 'rootkits': Be afraid, be very afraid

Rootkits are a new generation of powerful system-monitoring programs

News Story by Paul Roberts

FEBRUARY 17, 2005 (IDG NEWS SERVICE) - Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.


Quote
The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said. In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said.


Quote
The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.

Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin of Symantec Corp.'s @stake division, who attended the presentation at the RSA conference.

The operating system's powerful application programming interfaces make it easy to mask behaviors on the system. Microsoft's Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: Microsoft warns of impossible to detect malware.
« Reply #1 on: February 19, 2005, 09:11:17 am »
Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.

The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.

MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Ravok

  • Guest
Re: Microsoft warns of impossible to detect malware.
« Reply #2 on: February 19, 2005, 09:17:58 am »
So what are we going to have to do? Wait for this Microsoft tool?

Offline Pestalence_XC

  • "The Terminator"
  • Commander
  • *
  • Posts: 2636
  • Gender: Male
  • "The Terminator" Pestalence_XC, Xenocorp
Re: Microsoft warns of impossible to detect malware.
« Reply #3 on: February 19, 2005, 03:52:26 pm »
Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.

The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.

OK.. doing a bit of research.. first read the doc I have posted at the bottom of this post.. notice that the program running the scan that they refer to has WinDiff listed in the title bar...

This program is built into Windows XP already.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tools/tools/windiff.asp

All one has to do is follow the instructions listed above..

Is this the new Strider Ghostbuster that Microsoft is talking about.. I don't know.. all I know is that the Strider Ghostbuster program at Research.Microsoft.Com has the text document posted below.. the images at the bottom of the document have the program showing WinDiff as the program name..

Using Search All of Microsoft at the Windows site for WinDiff, it lists it as a system tool; clicking the WinDiff link took me to a page with the instructions on how to use it correctly, which is the link above...

After executing it on my system, I realized that it is already built into Win XP Pro, and possibly Win XP Home if running the full 266 MB install of Win XP SP2 (which basically turns Home Edition into Pro edition without changing the OS name).

Anyhow, I hope that this helps.

"You still don't get it, do you?......That's what he does. That's all he does! You can't stop him! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead!"

Member :
Xenocorp / Dynaverse.net Moderator & Beta Test Team
SFC 4 Project QA Coordinator
Taldren Beta Test Team
14 Degrees East Beta Test Team
Activision Visioneers SFC 3 Beta Test Team
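The detection idea the article attributes to Strider GhostBuster, and that the post above is approximating with WinDiff, is a cross-view diff: take one listing of the disk from inside the running (possibly lied-to) system and one from outside it (a clean boot, or the "clean" snapshot the article mentions), then compare them. A kernel rootkit that hooks file enumeration can only filter the inside view, so anything present outside but missing inside is a candidate hidden object. The script below is an added example written for this thread; it is not Microsoft's code, not WinDiff, and not the GhostBuster tool. Every path, size and the volatile-path allowlist are constructed sample data, and the inside/outside listings stand in for whatever real enumeration (for example `dir /s` output) a practitioner would feed it.

```python
"""Cross-view diff, the detection idea behind Strider GhostBuster.

Added example for this thread, not Microsoft's code or the WinDiff tool.
A kernel rootkit that hooks the live system's file-enumeration APIs can
hide its files from any scanner running *inside* that system.  A listing
of the same disk taken from *outside* (clean boot media, or an offline
"clean" snapshot) is not filtered by the hook.  Entries present outside
but absent inside are candidate hidden objects; the examiner then diffs
the two views much as WinDiff diffs two files.
All paths and sizes below are constructed sample data.
"""
from __future__ import annotations

# Paths that legitimately differ between two snapshots.  Constructed
# allowlist; a real one is tuned to the system being examined so that
# benign churn does not drown real findings.
VOLATILE_PREFIXES = (
    "c:\\pagefile.sys",
    "c:\\windows\\temp\\",
)


def is_volatile(path: str) -> bool:
    """True for entries expected to change between the two views."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in VOLATILE_PREFIXES)


def cross_view_diff(inside, outside) -> dict:
    """Compare the inside (possibly lied-to) view with the outside view.

    Both arguments are lists of (size, path) tuples.  Returns three sorted
    lists of lower-cased paths (Windows paths compare case-insensitively):
      hidden     - present outside, missing inside: hidden-file signature
      ghost      - present inside, missing outside: removed between views
      mismatched - in both views with different sizes: the inside view
                   reports different content than is actually on disk
    """
    inside_map = {path.lower(): size for size, path in inside}
    outside_map = {path.lower(): size for size, path in outside}

    hidden = [p for p in outside_map
              if p not in inside_map and not is_volatile(p)]
    ghost = [p for p in inside_map
             if p not in outside_map and not is_volatile(p)]
    mismatched = [p for p, size in inside_map.items()
                  if p in outside_map and outside_map[p] != size
                  and not is_volatile(p)]
    return {
        "hidden": sorted(hidden),
        "ghost": sorted(ghost),
        "mismatched": sorted(mismatched),
    }


# Constructed: what a directory walk reports while the suspect system runs.
INSIDE_VIEW = [
    (1024000, "C:\\Windows\\system32\\kernel32.dll"),
    (300000, "C:\\Windows\\system32\\drivers\\tcpip.sys"),
    (2048, "C:\\Windows\\system32\\drivers\\etc\\hosts"),
    (536870912, "C:\\pagefile.sys"),
    (4096, "C:\\Windows\\Temp\\tmp1A2B.tmp"),
]

# Constructed: the same disk enumerated after booting clean media.  Two
# example files appear that the inside view never reported, and one
# driver's on-disk size differs from what the inside view claimed.
OUTSIDE_VIEW = [
    (1024000, "C:\\Windows\\system32\\kernel32.dll"),
    (312000, "C:\\Windows\\system32\\drivers\\tcpip.sys"),
    (2048, "C:\\Windows\\system32\\drivers\\etc\\hosts"),
    (536870912, "C:\\pagefile.sys"),
    (8192, "C:\\Windows\\system32\\drivers\\example_hidden.sys"),
    (4096, "C:\\Windows\\system32\\example_hidden.dll"),
]


def run_example() -> dict:
    """Diff the two constructed views and return the findings."""
    return cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW)


if __name__ == "__main__":
    for kind, paths in run_example().items():
        print(f"{kind}:")
        for p in paths:
            print("   ", p)
```

On the constructed data the temp file that vanished between snapshots is suppressed by the allowlist, the two example files surface as hidden, and the driver whose size differs between views is flagged as mismatched. The caveat the WinDiff approach shares with this script is that the outside view has to come from a trusted environment: diffing two listings both taken from the compromised running system proves nothing, because the hook filters both.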