Author: cantthinkofanickname    Posted: Sat Mar 13, 2010 9:56 pm    Post subject: Detecting Malware
Is it true that to reliably detect any malware, especially rootkits, one needs to boot into safe mode and then run Norton or McAfee (or whatever) on the C: drive? Or, conversely, if that comes up clean there is no malware installed?

Author: RoboGeek    Location: LeRoy, IL    Posted: Sun Mar 14, 2010 2:39 am
Not true.

Many rootkits can hide in safe mode as well.

User-mode rootkits run when Windows runs normally, but not in safe mode. Kernel-mode rootkits will run in either - that includes DKOM rootkits. If the OS is compromised you CANNOT trust the results of a scanner - you have to manually hunt and kill.

And most of the new malware knows when you're trying to kill it, so it plays dead for a few days or reboots. That's why you do not want to run any tools on it until you fingerprint the infection and know exactly what you have. Then you can start killing it. After that's done, run the scanners for cleanup.

I get a ton of work into my shop from other shops that basically run ComboFix and Malwarebytes, get a clean scan, and give it back to the customer. A week later it's in my shop...

I haven't seen anything in a year or so without a rootkit attached, including the virus wifey got last night from Facebook with the catchme rootkit. Koobface is rampant there too.
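
The post above makes the point that safe mode only drops user-mode components, while kernel-mode drivers registered for safe boot keep loading. The following script is an added example (not part of the thread, and not a tool the poster uses) that shows, from the defender's side, what Windows is configured to load in Safe Mode (Minimal) and which of those entries correspond to an installed kernel driver, with its binary path and Authenticode signer. It assumes Windows 7 or later, an elevated PowerShell session, and the standard SafeBoot and Services registry paths; it is read-only and changes nothing.

```powershell
# Added example, not from the original thread. Read-only inventory of what Windows
# is configured to load in Safe Mode (Minimal). Assumes Windows 7 or later, an
# elevated PowerShell session, and the standard SafeBoot / Services registry paths.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

# Installed kernel-mode drivers, keyed by service name, for quick lookup.
$drivers = @{}
Get-CimInstance Win32_SystemDriver | ForEach-Object { $drivers[$_.Name] = $_ }

$report = foreach ($entry in Get-ChildItem -Path $safeBoot) {
    $name = $entry.PSChildName
    # The key's default value says whether the entry is a Driver, a Service,
    # or a device setup class (GUID-named keys cover every driver of that class).
    $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'
    $drv  = $drivers[$name]

    if ($null -eq $drv) {
        # Class GUID, or a name with no installed driver: report it as-is.
        [pscustomobject]@{ Entry = $name; Kind = $kind; State = '-'; Path = '-'; Signer = '-' }
        continue
    }

    # Check the on-disk image behind the driver so an unsigned or oddly
    # placed binary that survives safe mode stands out in the listing.
    $signer = 'unknown'
    if ($drv.PathName) {
        $sig = Get-AuthenticodeSignature -FilePath $drv.PathName -ErrorAction SilentlyContinue
        if ($sig) { $signer = "$($sig.Status) / $($sig.SignerCertificate.Subject)" }
    }

    [pscustomobject]@{
        Entry  = $name
        Kind   = $kind
        State  = $drv.State
        Path   = $drv.PathName
        Signer = $signer
    }
}

$report | Sort-Object Kind, Entry | Format-Table -AutoSize
```

The listing is the running kernel's own account of itself, which is exactly the limitation the post describes: a kernel-mode rootkit that is already loaded can filter what these registry and WMI calls return. Treat the output as a starting inventory, and compare it against the same SafeBoot and Services keys read from an offline boot (a rescue disc or WinPE mounting the system hive) to look for entries that appear in one view but not the other.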

Author: cantthinkofanickname    Posted: Mon Mar 15, 2010 10:13 am
OK, thanks for that. I'm in the UK but that's not going to make any difference I suppose (or are rootkits regional)? I suppose that someone brings a PC into your shop because some obvious symptoms persist. What should I be looking for if it is hidden and is keylogging me (I'm getting paranoid now, but that may be a good thing if it's the rational form)?

I run W7 and McAfee and use a limited account for day-to-day work.

Perhaps there's a site I can go to, to learn more?

