I don't know what to make of this; perhaps someone who has taken the plunge with it might like to share their experience. I routinely examine various RootKit Detectors locally and such, but this one threw up a RED FLAG when I was about to launch it and came upon this warning!
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fwww.fontaineferrypark.us%2Fimages%2Fscreen.jpg&hash=d400dd6599be28ee4a92ea1d27f66c5eb19905c6)
JOSEPH,
That is a confirmation sign (Disclaimer)
which the program maker has placed in to cover itself in the case of you removing something from your PC.
GR@PH;<'S :breakkie:
Hi GR@PH;<'S
Yes, I understand it is a Disclaimer of sorts along with a very candid Warning! ... but what's most troubling is that nowhere does that kit offer any additional explanation as to just what it means by "potentially harm your computer".
That warning box, to me anyway, clearly expresses an expected danger to occur. And if that is likely, i.e. Process Guard is hooking with its protective measures, then you're to assume that the tool might attempt to remove this safety? And in whatever variation that action might take, what else are we to assume but that it's highly likely to damage components or worse.
I am just trying to find a better read on the risk, if there is one.
Obviously this is the first detector of that nature that explicitly implies using their tool is "potentially" dangerous, which of course negates the entire interest.
Just musing here ...
Maybe you are confused about the application? It is meant to address the Sony rootkit issue, not be a rootkit "revealer" in general.
As for the warning itself, the nature of a rootkit makes it extremely difficult to remove, often leaving a hard drive reformat as the only solution. Some think the only guaranteed way to remove a rootkit is to destroy the system and then rebuild it from scratch.
Since the CD-ROM (or the PC itself) might fail to work properly if the rootkit was removed improperly, I suspect a warning such as you noted is somewhat sensible for those who lack sophisticated computer training.
On another note ... under an aggressive interpretation of the Digital Millennium Copyright Act (DMCA), some speculate that using a removal tool such as this to remove the Sony Rootkit could be considered a crime in itself. A vendor without a specific DMCA exemption might not be covered for distributing the removal tool.
When removing rootkits, keep in mind that their nature is to be hidden and to perform hidden and unknown tasks.
Therefore, any designer of such a scanner cannot do anything other than warn about the risks, when no one knows what will be found, nor removed.
Both F-Secure's BlackLight and Sysinternals' RootkitRevealer have disclaimers. Not when you open the utilities, but they are clearly stated in the readme.
Many security experts say: "If you store or transmit classified data and find an unknown rootkit, wipe out Windows and reinstall"
Die Hard :)
Quote: Both F-Secure's BlackLight and Sysinternals' RootkitRevealer have disclaimers. Not when you open the utilities
Hello DIEHARD: Exactly so, and that is why when this one appeared straight away it suggests alarm, or perhaps take your chances. That is kind of the indication expressed.
And thanks, Win73, for some feedback in that manner. I agree that underlying risks certainly can exist and will on occasion occur, as we have all seen time and again; the WinsockFix tool comes to mind, which we must suggest for some of the more persistent types that attach to the PC's internet connection.
It seemed meant to bring particular attention with "save all your work". At any rate, it might help if, before offering such a tool freely like that, the manner in which it is expected to remove were included, and possibly what would be affected, as a further precaution.
Some of the rootkit programs I examined are particularly "Detect Only", with the exception of the powerful Ice Sword, which is an extremely sharp instrument that both reveals and effects removal, MANUALLY by the user, I might add... but it is also worded in Chinese :? (someone really should do something about an English version lol). You simply will not believe what all it uncovers.
I've yet to come across any known reports that the Lavasoft tool has been thoroughly tested or proven somewhat adequate, but then the warning along with the recent offer perhaps indicates not? Speculating of course, but it does deserve caution, and that is why I felt it important, until there is some better clarification, to pass along this find and gather a few opinions from anyone with recent experience with it.
Thanks
EDIT: I see I was led to misinterpret the purpose of that tool. In the present period we're in, with all the stir over potential rootkits and many forums making it a practice to suggest to users affected by malware/hijacks that they run rootkit detection tools, I took it to be another one in a group of RootKit Detectors per se in general, which of course it clearly states it's not.
Quote: The ARIES Rootkit Remover developed by Lavasoft provides the means to locate and permanently remove the Sony rootkit from the system and disable the rootkit's ability to run once more after reboot. This standalone tool is a reliable, trustworthy, and safe way of removing the rootkit--unlike Sony's own rootkit remover that has been known to cause blue screens.
The Lavasoft ARIES Rootkit Remover removes only the ARIES rootkit; it does not touch the DRM software from Sony. Once the ARIES Rootkit is removed, you can put the CD from which the rootkit was originally installed on your PC into the CD drive, and the ARIES rootkit will not be installed again.
Quote: EDIT: I see I was led to misinterpret the purpose of that tool. In the present period we're in, with all the stir over potential rootkits and many forums making it a practice to suggest to users affected by malware/hijacks that they run rootkit detection tools, I took it to be another one in a group of RootKit Detectors per se in general, which of course it clearly states it's not.
LOL ... the name ARIES Rootkit Remover might have been a giveaway ... Aries.sys being the actual Sony rootkit driver ...
:tease:
According to Mark's blog at Sysinternals, the way the tools are removing the rootkit has a small chance of crashing your computer ... likely the reason for the Lavasoft warning.
Hi JOSEPH,
although I am writing in private here - so nothing of this is an official statement from Lavasoft - I am one of the authors of this tool. Most of it, except the GUI, has been written by me. It was also on me to analyze the Sony Rootkit in-depth. Although some vendors claim it is quite complicated, it is not at all. The biggest problem is how it works and to get it deactivated. Since Lavasoft's tool (the ARIES Rootkit Remover) employs a driver to perform checks and parts of the cleaning, it is only legitimate to prompt the user to agree, since the loading of any kernel modules is a risk by itself. You will surely agree that it is hard to test the tool on all myriads of (possible) configurations (read: combinations of different software).
@winchester73: Indeed, crashing may be a problem, but the tool does not attempt to unload the rootkit for obvious reasons.
I will write a blog entry on this soon. If I do not forget about it, I will also reply here to notify you of this blog-entry.
Cheers,
Oliver
Just a quick note. I can confirm the identity of Oliver. (In case anyone doubts this)
Hello ,Oliver. welcome and thank you for straightening this out. :thumbsup:
It's very valuable to have an explanation directly from the vendors/authors :P
regards
Die Hard :)
OYF1P ... thanks for the explanation. I think Mark was probably talking about Sony's own tool, but I'm not sure ... :P
I believe I know you from other forums, but if LS SteveJ vouches for you, that's good enough for me ... :D
Quote from: OYF1P on January 30, 2006, 08:01:47 PM
I will write a blog entry on this soon. If I do not forget about it, I will also reply here to notify you of this blog-entry.
Cheers, Oliver
Likewise, I welcome & appreciate the direct response, and at that, most timely. Thanks
Hello Oliver, and greetings:
In some haste to make do with catching up to a schedule that seems to never end, the Lavasoft RootKit Remover name attracted my attention while rapidly browsing over some results for RootKit Applications, since they continue to be a focus of some study right now.
It was at the point actually in the reply post where Winchester73 made specific reference to SONY that I re-reviewed and then recognized the oversight. I think if anyone followed my above post this will prove to have been the case.
Still, the interest is a very valid one, and I'd like to pose a question for you: is there any consideration perhaps in the making from your group for a general RootKit Detection/Removal application? Any reply or reference to this is gladly received.
I was taken aback initially at the warning box message, and I think you'll understand the hesitation, with some serious concern, whenever a presentation is so outlined with much caution as made in that fashion, but I also now think I can understand the precaution that it was expected to imply.
Upon another review for any additional helpful descriptions, nothing detailed was found, nor was expected, given that it's now understood the tool is only meant to address a single entity (Sony files); however, as to the removal procedure, whether or not an already existing security program which rests hooks at rootkit levels might be affected, and just what might result from any interaction of the two, was my chief concern.
Thanks again for sharing your own views.
Hi, Oliver, Those of us who frequent MR do indeed know you. Welcome and thank you. We appreciate your stopping by.
Quote: LOL ... the name ARIES Rootkit Remover might have been a giveaway ... Aries.sys being the actual Sony rootkit driver ...
Believe it or not, I had assumed that the Sony issue had long since concluded, and given the long Lavasoft history of Ad-Aware, simply concluded the RootKit Detector or any similar other tool offered would also be for general use.
For that matter, the ARIES identifier to me could just as well have been named VIRGO, AQUARIUS or any other Zodiac sign. VIRGO just happens to be mine LoL
Quote from: winchester73 on January 30, 2006, 09:22:42 PM
OYF1P ... thanks for the explanation. I think Mark was probably talking about Sony's own tool, but I'm not sure ... :P
Yes he was. And that is quite justified by the facts. I will detail it today in a long blog entry.
Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
Likewise, I welcome & appreciate the direct response, and at that, most timely. Thanks
Sorry for the delay. I was moving to Sweden on Tuesday and Wednesday so I had no time until today. Will write the blog entry today and link to it from here.
Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
Still, the interest is a very valid one, and I'd like to pose a question for you: is there any consideration perhaps in the making from your group for a general RootKit Detection/Removal application? Any reply or reference to this is gladly received.
We are looking into it. However, I personally think that there is no safe way to detect a rootkit, since it is the rootkit's sole purpose to hide and provide someone access to the owned box.
Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
I was taken aback initially at the warning box message, and I think you'll understand the hesitation, with some serious concern, whenever a presentation is so outlined with much caution as made in that fashion, but I also now think I can understand the precaution that it was expected to imply.
Well, just the fact that others do not warn you of it does not mean there is less of a risk. The problem simply is that any kernel module (i.e. any kernel mode driver) can cause trouble, because there is a large diversity of software out there and it is impossible to test all combinations.
Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
Upon another review for any additional helpful descriptions, nothing detailed was found, nor was expected, given that it's now understood the tool is only meant to address a single entity (Sony files); however, as to the removal procedure, whether or not an already existing security program which rests hooks at rootkit levels might be affected, and just what might result from any interaction of the two, was my chief concern.
You are right. A description, why this warning is being shown, should have been added to sweep away the doubts of sceptical people ;)
Since I am only a developer I can only give a hint to our webmaster to link to my blog entry once it is written.
Sorry for the late response again.
Ah, Oliver follows in the footsteps of "Urizen" (Nic to you ;) ). Hope the move went well. Thanks for the update. :rose:
Thanks mate ... hope you have a chance to unpack your belongings before too long.
Please say hello to urizen for me.
Here we go: http://www.lavasoft.de/wordpress/?p=57
Nicely done mate ... :thumbsup:
Interesting article you wrote there, Oliver.
Thank you :thumbsup:
Die Hard :)
Quote from: OYF1P on February 03, 2006, 06:11:13 PM
Here we go: http://www.lavasoft.de/wordpress/?p=57
Thanks guy.
Quote: Since this is my first blog entry ever, bear with me
I'm a bit more seasoned than you in that category lol :)
But I can confidently say you did excellent work in that write-up. My compliments. Pls continue.
I hope to attract some further reply from you on developments locally that gave rise to my initial suspicions when I first encountered the Lavasoft (SonyRootKit) Remove Tool. It directly involved the SSDT, and as you so well detailed in that blog report, now I am certainly grateful for the tool's precautionary note.
Quote from: JOSEPH on February 03, 2006, 08:05:21 PM
But I can confidently say you did excellent work in that write-up. My compliments. Pls continue.
Thanks.
Quote from: JOSEPH on February 03, 2006, 08:05:21 PM
I hope to attract some further reply from you on developments locally that gave rise to my initial suspicions when I first encountered the Lavasoft (SonyRootKit) Remove Tool. It directly involved the SSDT, and as you so well detailed in that blog report, now I am certainly grateful for the tool's precautionary note.
What do you mean? Our tool is using the SSDT to see whether these 4 functions are hooked. That is one of the indicators.
I will certainly write something about generic rootkit detection and generic rootkit removal soon, because I am completely unhappy with the claims of some companies and people.
Quote from: JOSEPH on February 03, 2006, 08:05:21 PM
I hope to attract some further reply from you on developments locally that gave rise to my initial suspicions when I first encountered the Lavasoft (SonyRootKit) Remove Tool. It directly involved the SSDT, and as you so well detailed in that blog report, now I am certainly grateful for the tool's precautionary note.
I'd be curious myself to know what local developments you are talking about ...
I thought this turned out to be a case of mistaken identity, that you thought LS' tool was designed to sniff out all rootkits rather than being an application targeted to removing just the Sony item.
Oliver explained the reason for the "warning" ... and now you are "grateful" for it.
What am I missing?
:uhm:
Quote: I'd be curious myself to know what local developments you are talking about ...
Certainly :) Nothing fancy or too difficult here.
Quote: What do you mean? Our tool is using the SSDT to see whether these 4 functions are hooked. That is one of the indicators.
The digital searching technique it uses in and of itself is safe, I now understand, and besides, the user is prompted before allowing the tool to perform a removal; correct me if this is wrong.
You see, with one of the newest security programs I have been examining in my own research into various rootkit issues, it employs a kernel mode driver that extends kernel services through similar means as rootkits themselves (such as hooking the system service tables).
I was mainly concerned that somewhere during the scan itself (and now incorrectly so) it might interfere with this and affect the stability of the operating system.
I should point out that for discussion and purpose I use as reference an Ice Sword reading under the heading of System Services Descriptor Table. It of course displays all kernel system services, a view of the installed system modules and drivers with their base addresses, etc.
You get the nod on that area of addresses, interrupts, and certainly descriptions from that table etc. LoL
I now understand, I think, that Lavasoft's Sony Rootkit Remover employs in the scanning similar actions to the Resplendence RootKit Hook Analyzer, which can show you what kernel hooks are presently active on a system.
Of course your tool takes that another step in the case of aries.sys in making the actual removal possible.
As best as I have been able to piece together, given my out-of-classroom experiences and the short amount of time devoted to this so far, to make the most use of any tool of this nature effectively, and to reasonably understand at least some of the architecture behind them, it helps to be able to correctly interpret the output of those various commands, and the purpose of these interactions, in layman's terms if you will.
You just did that nicely in the recent blog write-up, and I commend you again highly on that detailed report.
I tried to insert this screenshot for a better perspective on what I was referring to in my comments, but it appears the choice to MODIFY posts was not available at the time.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fwww.fontaineferrypark.us%2Fimages%2F999.jpg&hash=ef0e57406d5a38f87886af06ecbdfac388ab3979)
Quote from: JOSEPH on February 04, 2006, 11:38:21 AM
The digital searching technique it uses in and of itself is safe, I now understand, and besides, the user is prompted before allowing the tool to perform a removal; correct me if this is wrong.
Even before scanning, because the scanning involves loading of a kernel mode module which in itself could cause the trouble.
Quote from: JOSEPH on February 04, 2006, 11:38:21 AM
You see, with one of the newest security programs I have been examining in my own research into various rootkit issues, it employs a kernel mode driver that extends kernel services through similar means as rootkits themselves (such as hooking the system service tables).
I was mainly concerned that somewhere during the scan itself (and now incorrectly so) it might interfere with this and affect the stability of the operating system.
It does not extend anything - actually it is not invasive at all, but uses the kernel mode module to get information that you cannot get otherwise.
Quote from: JOSEPH on February 04, 2006, 11:38:21 AM
I now understand, I think, that Lavasoft's Sony Rootkit Remover employs in the scanning similar actions to the Resplendence RootKit Hook Analyzer, which can show you what kernel hooks are presently active on a system.
Of course your tool takes that another step in the case of aries.sys in making the actual removal possible.
Yes, and it only focuses on checking whether aries.sys is loaded and whether the hooks point to it (which is not necessarily the case if someone else hooked the same APIs after it).
Quote (from the blog):
To find what service was requested, the dispatcher takes the number of the service requested as an index into the so-called System Service Dispatch Table (SSDT - or sometimes SST) and looks up the address of the function from this table. The story could end here, but sadly it does not: it is possible to manipulate the entries in this table to divert calls from the actual function address to your own, if you run in kernel mode.
Indeed, it's a given that Sony was certainly not one of the first to take advantage of that services call kernel function, and some might conclude that this recent Sony debacle could lead to more of this type of problem coming to light, but also in that respect perhaps it's a valuable moment for users, developers, and techs alike, in that now many will be more vigilant to the possibility of this type of threat since it's out in the open now.
I would just like to add for the record, OYF1P, that it's commendable of you to have replied with such dispatch the way you did to this concern very early on. Even though this Topic did originate from an oversight on my part, it's refreshing to find developers like yourself vigilant in both your efforts as well as to the attention that others might bring out in regards to it.
Most of my own efforts lately continue to surround ad/spyware research locally and getting something of a handle & certainly a more accurate understanding on the various exploits that allow these intrusions into business/home users' computers, be it via URL redirects or installation of hidden bundled programs and such. Your replies and the commentary in the Blog are most enlightening, chiefly in regards to the Lavasoft Sony RootKit Remover, but also I'm sure helped others following this topic to better understand the underlying nature of not only that single issue (Sony rootkit) but perhaps the behavior of rootkits in general from a "developer's" point of view. And one who has taken the initiative to design a course of correction for not only this one, but hopefully might endeavor to address others in general sometime soon. You certainly have my vote of confidence.
Anyway, I for one welcome that and will certainly look forward to reading more reviews & comments of yours in the future, and also wish you much satisfaction with your efforts in your new position at the LavaLab in Research and Development.
(I think i spelled that right?)
Regards: Joseph
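The check Oliver describes above (is aries.sys loaded, and do the watched SSDT entries point into it, or into some other driver that hooked after it) and the blog's description of the dispatcher indexing the SSDT can be simulated offline. This is an added example, not code from the Lavasoft tool or from anyone on this thread; every module name except aries.sys and ntoskrnl.exe, every address, and every service index below is constructed sample data, and the four service names are merely illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded kernel image: name plus the address range it occupies (constructed)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module list: the kernel image, the Sony driver, and a hypothetical
# second security driver ("othersec.sys") that also hooks the service table.
KERNEL = Module("ntoskrnl.exe", 0x80400000, 0x001F0000)
SUSPECT = Module("aries.sys", 0xF8A20000, 0x00004000)
OTHER = Module("othersec.sys", 0xF8B00000, 0x00008000)
MODULES: List[Module] = [KERNEL, SUSPECT, OTHER]

# Service indices the checker watches (constructed numbers; the names are the
# kind of enumeration/file/registry services a file-hiding driver would hook).
WATCHED: Dict[int, str] = {
    0x0091: "NtQueryDirectoryFile",
    0x00AD: "NtQuerySystemInformation",
    0x0025: "NtCreateFile",
    0x0077: "NtOpenKey",
}

# Constructed SSDT snapshot: service index -> handler address, as a dump would
# show it.  Two entries point into aries.sys, one into othersec.sys (a later hook
# sitting in front of aries'), and the rest still point into the kernel image.
SSDT_SNAPSHOT: Dict[int, int] = {
    0x0091: 0xF8A21230,   # -> aries.sys
    0x00AD: 0xF8A214A0,   # -> aries.sys
    0x0025: 0xF8B02010,   # -> othersec.sys, chained in front of aries.sys
    0x0077: 0x8047A1F0,   # -> ntoskrnl.exe, untouched
    0x0040: 0x80452000,   # unwatched service, untouched
}


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded image whose range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def check_ssdt(ssdt: Dict[int, int], modules: List[Module], watched: Dict[int, str],
               suspect_name: str, kernel_name: str = "ntoskrnl.exe") -> dict:
    """Classify every watched SSDT entry by the image its address falls in."""
    report = {
        "suspect_loaded": any(m.name == suspect_name for m in modules),
        "hooked_by_suspect": [],   # entries pointing into the suspect driver
        "hooked_elsewhere": [],    # (service, module) pairs for other hookers
        "unresolved": [],          # entry missing or outside every known image
        "clean": [],               # entries still pointing into the kernel image
    }
    for index, name in sorted(watched.items()):
        addr = ssdt.get(index)
        m = owner_of(addr, modules) if addr is not None else None
        if m is None:
            report["unresolved"].append(name)
        elif m.name == suspect_name:
            report["hooked_by_suspect"].append(name)
        elif m.name == kernel_name:
            report["clean"].append(name)
        else:
            report["hooked_elsewhere"].append((name, m.name))
    return report


def removal_verdict(report: dict) -> str:
    """Say whether restoring the watched entries is straightforward, per the report."""
    if not report["suspect_loaded"]:
        return "suspect not loaded"
    if report["unresolved"]:
        return "entry outside every known image: do not touch"
    if report["hooked_elsewhere"]:
        return "another driver hooked after the suspect: restoring would break its chain"
    if report["hooked_by_suspect"]:
        return "all hooks point into the suspect: safe to restore"
    return "suspect loaded but no watched entry points into it"


if __name__ == "__main__":
    rep = check_ssdt(SSDT_SNAPSHOT, MODULES, WATCHED, "aries.sys")
    print(rep)
    print(removal_verdict(rep))
```

The chained case is the one the post flags: othersec.sys owns the NtCreateFile entry, so blindly writing the kernel's original address back would cut that driver out of the chain as well.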
Hmmm, kind of wondering if OYF1P might be going to follow up on the TO BE CONTINUED.......... of that first summary that was made.
It should be interesting to see exactly what develops, or rather what new progress we should expect in the anti-malware product camps between now and sometime in spring.
Browsing about in the various rootkit camps lately as I have, I found those ambitions look to be going forward on the current NT systems.
By the same measure perhaps, at least some of the AVs, for example KAV2006, appear to be pressing ahead in anticipation of those types of efforts.
Yes, it is/was indeed my intention to continue the article (probably rather articles). However, the sole lack of time has kept me from doing so. Will try to get it done this week.
I want to write about rootkit detection and so on. A field where great expectations exist - expectations which often are not justified by anything.
Thanks again for the reply. Happy to hear the interest in that is still alive. 8)
As an analyst myself to a degree (volunteer), as well as conducting some personal research, I can relate to those pressing demands in that field. On this end we're probably afforded much more free time for study and discussion, but certainly not taxed with promoting and improving specific popular softs in keeping with standards and industry expectations. LoL
Products like Ad-Aware SE and Windows Defender & the like are designed for detection as well as safe removal AFTER malicious programs/files have penetrated and been identified, yes, but I believe the hope is being raised now that many also would like to hear some comments and feelings on the area of prevention programs or add-ons concerning HIPS.
I've already posted something to this effect in another forum but it bears repeating, so I'll express it again. :)
We seem to be moving into what is really a very exciting time coming up, with all these new approaches and the techniques that are being experimented with. For the security community and end users alike, many new introductions in the form of (active prevention) HIPS programs should help strengthen and expand safety knowledge well beyond what the normal boundaries have been in the past and what we have all been used to.
If you ask me it's a pretty exciting time to be involved at any end of the spectrum.
http://www.wilderssecurity.com/showpost.php?p=685547&postcount=10
Hi again. You can find the continuation of my previous article here: http://www.lavasoft.de/wordpress/?p=64#more-64 ( also http://www.lavasoft.de/blog.shtml )
Comments (also in the blog) are appreciated!
I think that explains fully why there is no generic removal application ... :D
Thanks for the thorough read. :thumbsup:
Very well done OYF1P, my compliments to the chef (err author)
I'd be more than happy to engage some of that with my own comments, but out of courtesy to your schedule I will of course allow for some time first.
Thanks
Just go ahead. It is always nice to exchange knowledge and discuss ideas - the more controversial the better.
And please note: this is my current opinion, built upon my current knowledge. It might be that I get or have ideas in future that could change this. At first sight no one would believe that generic removal of (different) file-infecting viruses is possible - but it is. Yet, this is another problem than with rootkits ...
Really nice to read the reviews and comments on the Lava Blog, OYF1P.
It's really great to read about what's happening there and how things are coming along in this field from other vendors' perspectives.
Hahaha, that's funny. Since I have been considered a rogue former employee now by LS, they have removed all the blog entries that are linked from here. Funny, huh?
Read on (http://blog.assarbad.net/20061027/ls_en-5/)
// Oliver
:sinking:
It is sad that it has come to this, but as a result of the ongoing problems, I have revised the posted instructions to our members. We cannot jeopardize the stability of our members and guests computers.
http://www.landzdown.com/index.php?topic=423.msg3030#msg3030
News from the battle-front: http://blog.assarbad.net/20061101/ls_en-6/
The blog articles have been recovered :tease:
Well done, matey ... :thumbsup:
Wonder if that link should be posted at the LS Forum ... :D
Quote from: winchester73 on November 01, 2006, 02:49:56 PM
Wonder if that link should be posted at the LS Forum ... :D
I wouldn't mind. A-C hates planes and how would she get to Iceland otherwise :muahaha: ...
Quote from: Assarbad on November 01, 2006, 04:04:35 PM
Quote from: winchester73 on November 01, 2006, 02:49:56 PM
Wonder if that link should be posted at the LS Forum ... :D
I wouldn't mind. A-C hates planes and how would she get to Iceland otherwise :muahaha: ...
I would be very careful Oliver - she can walk on water - can't she ...? :hysterical:
Quote from: Totro on November 01, 2006, 11:19:43 PM
I would be very careful Oliver - she can walk on water - can't she ...? :hysterical:
Thanks. Now I am so scared I won't sleep tonight ...
;)
Quote from: Assarbad on November 01, 2006, 01:20:34 AM
News from the battle-front: http://blog.assarbad.net/20061101/ls_en-6/
The blog articles have been recovered :tease:
Wow. The more things change over there, the more they stay the same. (Slight poke at some humour)
Anyway, greets again & hello Oliver :thanks: Rest assured your time and effort spent in replying to us has not been in vain, nor ever would be. I am taken aback a bit if what I ascertain is true, that is, you are a "former"? I think was the term described.
Rogue, on the other hand, couldn't possibly apply where you're concerned IMHO, and I am certain to many others too. I found drawing out your commentary and engaging in tech issues with you INTELLIGENT and rational in discussions, very refreshing given what has been circulating in that camp since its sudden abort, but then that's far history buffs now and better left where it is. (Going in circles) :lol: