Microsoft’s GhostBuster

Posted on February 15, 2005
Filed Under /dev/null/

This sounds pretty damned clever: a simple way to detect rootkits and stealthware, called GhostBuster:

File hiding is an advanced stealth technique that is becoming popular among system monitoring software such as RootKits, Trojans, and keyloggers. It presents a major challenge to system administrators and the anti-malware industry because detection and removal are virtually impossible if the target files are not even visible. In this paper, we present the Strider GhostBuster that exploits the fundamental weakness of the file-hiding behavior and turns the problem into its own solution.

Download the Word doc from their site for complete details. For a summary, here is Bruce Schneier:

Here’s how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

At the moment it is only a research project.
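The detection logic in Schneier's summary is a cross-view diff: the same disk is inventoried once from inside the running OS and once from clean boot media, and anything the outside view sees that the inside view does not has been hidden from the OS. The script below is an added example that illustrates that diff; it is not Microsoft's GhostBuster code. The rootkit is simulated by a constructed filter that hides any file whose name starts with "_hide_", the file names and the "ghostbuster_inside.log" result file are invented for the demo, and the same `cross_view_diff` would work unchanged on a dictionary of autostart registry keys instead of file hashes.

```python
"""Cross-view diff in the spirit of Strider GhostBuster (added example).

Two inventories of one disk are compared: the "inside" view, taken from the
(possibly rootkitted) OS, and the "outside" view, taken after booting clean
media. A file-hiding rootkit can only filter what the running OS reports, so
it shows up as a path present outside but missing inside. The rootkit here
is a constructed name filter, not a real one.
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict, Iterable, Set


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str,
              hidden_by_os: Callable[[str], bool] = lambda p: False) -> Dict[str, str]:
    """Inventory `root` as {relative path: sha256}.

    `hidden_by_os` simulates the rootkit filtering directory listings for the
    inside scan (constructed for this demo); the outside scan passes nothing
    and therefore sees every file.
    """
    view: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if not hidden_by_os(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if hidden_by_os(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            view[rel] = hash_file(full)
    return view


def cross_view_diff(inside: Dict[str, str], outside: Dict[str, str],
                    ignore: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Compare the two inventories.

    Paths in `ignore` are excluded: the inside scan writes its own results to
    the hard drive, so that file legitimately exists only in the outside view
    and would otherwise be reported as hidden.
    """
    skip = set(ignore)
    inside_paths = set(inside) - skip
    outside_paths = set(outside) - skip
    return {
        # on disk but invisible to the running OS: the rootkit signature
        "hidden": outside_paths - inside_paths,
        # seen inside, gone outside: cache noise or files deleted between scans
        "vanished": inside_paths - outside_paths,
        # visible in both views but with different contents
        "modified": {p for p in inside_paths & outside_paths
                     if inside[p] != outside[p]},
    }


def demo(ignore_log: bool = True) -> Dict[str, Set[str]]:
    """Build a constructed disk image in a temp dir and run both scans."""
    files = {  # constructed sample tree; the _hide_ names stand in for a rootkit's files
        "Windows/System32/kernel32.dll": b"legit library",
        "Windows/System32/_hide_svc.exe": b"rootkit payload",
        "Windows/System32/drivers/_hide_drv.sys": b"rootkit driver",
        "Users/bob/notes.txt": b"hello",
    }
    log_name = "ghostbuster_inside.log"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Constructed rootkit behaviour: hide every entry whose name starts with "_hide_"
        rootkit = lambda p: os.path.basename(p).startswith("_hide_")
        inside = scan_tree(root, hidden_by_os=rootkit)
        # the inside scan persists its results before the reboot
        with open(os.path.join(root, log_name), "wb") as f:
            f.write(b"inside scan output")
        outside = scan_tree(root)
        return cross_view_diff(inside, outside,
                               ignore={log_name} if ignore_log else ())


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, sorted(paths))
```

Two things the diff does not tell you: which rootkit is involved (it never needs to know, which is the point of the approach), and whether a "vanished" or "modified" entry is malicious or just the OS touching files between the two scans, so those two lists need a human to triage them while "hidden" is the high-confidence result.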
