Beta version of avast! antirootkit tool (standalone)

[Vlk]

Hi guys,

as promised, here's the beta of the new avast! antirootkit tool. It was designed with simplicity in mind.

In most cases, it shouldn't find (report) anything.
It is very important to run the program with no other applications running though - otherwise, strange things may happen.


Known problems:
- the hidden services scan is not yet ideal (will be changed)
- on 64-bit systems, we have seen some strange false positives (a huge number of regkeys suddenly reported as hidden)

There'll probably be more bugs, but these are the two major outstanding issues.


Here's the download link: http://files.avast.com/files/beta/aswar.exe


Enjoy!
Vlk

[Tech]

Testing now...
Is it better to run it at Safe Mode?

[Vlk]

Testing now...
Is it better to run it at Safe Mode?

No.

The point is, the rootkit needs to be active for the program to work. Some rootkits don't load in SafeMode.

[RejZoR]

Code:

avast! Antirootkit, version 0.9.2
Scan started: 7. marec 2008 21:53:19

Registry item [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] s1=771343423  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] s2=285507792  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] h0=1  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] p0="C:\Program Files\Alcohol Soft\Alcohol 52\"  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] h0=0  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] ujdew=(binary value)  **HIDDEN**

Scan finished: 7. marec 2008 21:56:44
Hidden files found: 0
Hidden registry items found: 7
Hidden processes found: 0
Hidden boot sectors found: 0


----------

It found this stuff on my PC. From what i know these are hidden entries from Alcohol 52% (and probably also 120%) virtual drive.
It also appears it can identify hidden but not dangerous entries (which user cannot delete, just check them).

[Vlk]

This is OK, that's as expected... (but it said "unharmful hidden items found", right?)

[essexboy]

Going to use it now on a possible bagle/beagle infection I will post the link later

[RejZoR]

Yep, unharmful items found. Wouldn't it be better if these are shown only if users wants to (may be enabled in Scan Options menu).
This way regular users won't be scared if not necessary (they usually jump oh my god something was detected and start burning their PC and stuff). Just a hint.

[joaopr]

Yep, unharmful items found. Wouldn't it be better if these are shown only if users wants to (may be enabled in Scan Options menu).
This way regular users won't be scared if not necessary (they usually jump oh my god something was detected and start burning their PC and stuff). Just a hint.

Testing now too.
Thanks RejZoR !!!

[bob3160]

Nothing to report which is good news.

I guess the update check hasn't been activated yet

[Vlk]

I guess the update check hasn't been activated yet

Correct. But this can be activated / implemented even without changing the program...

Thanks
Vlk

[sanctuary24]

a quick question, is this rootkit technology going to be the same as the rootkit module in Avast 4.8 and will it be an always active module like standard shield (ie background running)?

[Vlk]

a quick question, is this rootkit technology going to be the same as the rootkit module in Avast 4.8 and will it be an always active module like standard shield

There's nothing like "always active antirootkit" (in the classical sense of word). If the rootkit is not yet active, it's not really a "rootkit" (i.e. can be detected using normal methods, e.g. by the Standard Shield).

So, to answer the question, this is the same technology that will be used in avast 4.8.

[sanctuary24]

so does that mean that while its inactive it will be picked up by other modules but if it is running the antirootkit module will catch it, sorry if this is wrongly interpreted as I'm not to understanding on these functions

[joaopr]

Tested.
100% working.
Thanks.

[Vlk]

so does that mean that while its inactive it will be picked up by other modules but if it is running the antirootkit module will catch it, sorry if this is wrongly interpreted as I'm not to understanding on these functions

Yes. A rootkit is tough to detect only if it is active. Before it activates, it can be detected as any other piece of malware (e.g. by a simple signature etc.). But once it activates, it masks itself - sometimes so well that it's virtually impossible to detect in all cases.

It's a cat'n'mouse game, really.