Microsoft Strider GhostBuster Rootkit Detection Software Download

Thread starter: Pamela Fischer

Pamela Fischer

Do Strider GhostBuster Rootkit downloads actually exist?

I read every line of the Microsoft Windows Defender Research page
http://research.microsoft.com/rootkit - but I still don't see where to
download the actual GhostBuster utility.

Am I missing something?

Is there a Microsoft rootkit decloaking utility on that page?
If so, (I don't see it), can you kindly point us to the download link?

Thank you in advance,
Pamela Fischer
 
I read every line of the Microsoft Windows Defender Research page
http://research.microsoft.com/rootkit - but I still don't see where to
download the actual GhostBuster utility.
======================================================================
I'm still looking for that Microsoft GhostBuster download link.

In the July 24, 2004 Microsoft paper titled "Strider GhostBuster: Why
It's A Bad Idea For Stealth Software To Hide Files" (
http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775 ),
the authors state "We have built a tool called the
Strider GhostBuster that automates most of the ScanDiff steps below ...
running to completion ... in 10 to 15 minutes."

But where can we obtain a download link to Strider Ghostbuster?
======================================================================
Apparently the Strider GhostBuster tool automates the 3 steps below:
======================================================================
Step #1:
We first boot normally into the infected OS and invoke "dir /s /a" to
scan the entire file system. We save the output in a file named
"Infected_Scan.txt" on a disk. The file-hiding software can arbitrarily
interfere with the scanning process and/or arbitrarily modify the output
file. (Note that the user account from which the scan is performed
should be added to the ACLs of the System Volume Information folder and
other folders that by default are not accessible to the user.)

Step #2:
We restart the machine and this time boot into a clean WinPE CD [WPE]
that contains a clean version of WinDiff.exe. We invoke "dir /s /a" again
and save the output in the file "Clean_Scan.txt". The hidden file should
appear in this output because the file-hiding software was not running
during the scan.

Step #3:
Finally, we invoke WinDiff.exe to compare the two files
"Infected_Scan.txt" and "Clean_Scan.txt". Any hidden file should be
revealed in the diff result.
======================================================================
Based on this, Microsoft researchers state in this paper that the
documented ScanDiff process above detects all real-world file-cloaking
RootKits, Trojans, and commercial keyloggers. Specifically, these
ScanDiff steps detect Sony BMG Ineptware, Hacker Defender 1.0, Aphex -
AFX Windows Rootkit 2003, Vanquish, and Msvsres.dll; plus the keyloggers
ActMon and ProBot SE; and the commercial flyware Hide Files 3.3, Hide
Folders XP, Advanced Hide Folders, and File & Folder Protector (flyware
being defined as your boss' fly-on-the-wall ware).
======================================================================
I'm sure there is a download link to Microsoft Strider GhostBuster
utility somewhere out there. But the closest I can get to is this link
provided in the paper above: http://research.microsoft.com/sm/strider
======================================================================
My question is:
Does anyone really know where to get a Strider Ghostbuster utility?

Pamela Fischer
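The three ScanDiff steps quoted above, carried through as an added example. This is not the paper's Strider GhostBuster tool and not code posted in this thread: it parses an `Infected_Scan.txt` and a `Clean_Scan.txt` produced by `dir /s /a` and reports what the in-OS view failed to show. It assumes US-English `dir` output (MM/DD/YYYY HH:MM AM/PM); the two listings embedded at the bottom are constructed, not real scans, and `VOLATILE_PREFIXES` is a hypothetical allowlist for paths that legitimately differ between a normal boot and a WinPE boot.

```python
"""ScanDiff cross-view comparison of two `dir /s /a` listings.

Added example, not the Strider GhostBuster tool from the paper.
Assumes US-English `dir` output; the sample listings below are
constructed, and VOLATILE_PREFIXES is a hypothetical allowlist.
"""
import re
from typing import Dict, List, Tuple

# One entry line of `dir /s /a`, e.g.
#   "08/04/2004  12:00 PM            14,336 msvsres.dll"
#   "11/01/2005  08:00 AM    <DIR>          System32"
DIR_ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<[A-Z]+>|[\d,]+)\s+(.+?)\s*$"
)
# Header line that precedes each directory's entries: " Directory of C:\Windows"
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")

# Paths expected to differ between a live boot and an offline WinPE boot
# (hypothetical allowlist; tune it for the machine being checked).
VOLATILE_PREFIXES = ("c:\\pagefile.sys", "c:\\windows\\temp\\", "c:\\windows\\prefetch\\")


def parse_dir_listing(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each lower-cased full path to (size in bytes or <DIR>, timestamp)."""
    entries: Dict[str, Tuple[str, str]] = {}
    cwd = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            cwd = header.group(1).rstrip("\\")
            continue
        entry = DIR_ENTRY.match(line)
        if not entry or cwd is None:
            continue
        date, clock, size, name = entry.groups()
        if name in (".", ".."):
            continue
        entries[f"{cwd}\\{name}".lower()] = (size.replace(",", ""), f"{date} {clock}")
    return entries


def is_volatile(path: str) -> bool:
    return path.startswith(VOLATILE_PREFIXES)


def scan_diff(infected_text: str, clean_text: str) -> Dict[str, List[str]]:
    """Compare the in-OS view (step 1) with the offline view (step 2).

    hidden    : on disk per the clean view but absent from the in-OS view
    altered   : listed in both, but size/timestamp disagree between the views
                (the paper notes the hiding software can rewrite the output)
    live_only : in the in-OS view only; after the volatile filter, anything
                left here deserves a look too
    """
    infected = parse_dir_listing(infected_text)
    clean = parse_dir_listing(clean_text)
    hidden = sorted(p for p in clean if p not in infected and not is_volatile(p))
    altered = sorted(p for p in clean
                     if p in infected and clean[p] != infected[p] and not is_volatile(p))
    live_only = sorted(p for p in infected if p not in clean and not is_volatile(p))
    return {"hidden": hidden, "altered": altered, "live_only": live_only}


# Constructed sample listings standing in for Infected_Scan.txt / Clean_Scan.txt.
INFECTED_SCAN = r"""
 Directory of C:\

11/01/2005  08:00 AM    <DIR>          Windows
11/03/2005  09:12 AM       536,870,912 pagefile.sys

 Directory of C:\Windows\System32

11/01/2005  08:00 AM    <DIR>          .
11/01/2005  08:00 AM    <DIR>          ..
08/04/2004  12:00 PM            65,536 ntdll.dll
08/04/2004  12:00 PM            14,336 kernel32.dll
               2 File(s)         79,872 bytes

 Directory of C:\Windows\Temp

11/03/2005  09:12 AM             1,024 session.log
"""

CLEAN_SCAN = r"""
 Directory of C:\

11/01/2005  08:00 AM    <DIR>          Windows
11/03/2005  11:40 AM       536,870,912 pagefile.sys

 Directory of C:\Windows\System32

11/01/2005  08:00 AM    <DIR>          .
11/01/2005  08:00 AM    <DIR>          ..
08/04/2004  12:00 PM            66,048 ntdll.dll
08/04/2004  12:00 PM            14,336 kernel32.dll
08/04/2004  12:00 PM            14,336 msvsres.dll
11/02/2005  10:14 AM             8,192 rk_example.sys
               4 File(s)        102,912 bytes
"""

if __name__ == "__main__":
    for kind, paths in scan_diff(INFECTED_SCAN, CLEAN_SCAN).items():
        print(f"{kind}: {paths}")
```

With real scans, read the two text files and pass their contents to `scan_diff`. Expect some noise even on a clean machine (log files, temp files, the pagefile), which is what the allowlist is for; and note that the comparison treats any disagreement between the two views as suspect, not only missing entries, because the in-OS listing is produced under the hiding software's control.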
 
Pamela Fischer said:
I read every line of the Microsoft Windows Defender Research page
http://research.microsoft.com/rootkit - but I still don't see where to
download the actual GhostBuster utility.
======================================================================
My question is:
Does anyone really know where to get a Strider Ghostbuster utility?

Pamela Fischer

It doesn't appear to exist yet. It was mooted back in July. Not heard much
about it since then. Perhaps it was just another one of M$'s bright ideas.
bw..OJ
 
Pamela
This (Strider) is a Microsoft Research project - the programs involved are
almost certainly undergoing patent applications, and as a result cannot be
published yet.
When they are published, they look as if they are to be directed more
towards the Enterprise market than the home user.


--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Pamela said:
Do Strider GhostBuster Rootkit downloads actually exist?


Here is a free program that will find "rootkits"; it is written by the same
person who found the rootkit installed by listening to a Sony music CD a
couple of weeks ago.

http://www.sysinternals.com/utilities/rootkitrevealer.html
 
I saw your other post after posting my reply; it seems that you are already
aware of the RootkitRevealer program. It also seems that you are concerned
about rootkits (as you should be), so here is a link for a security program
that will "prevent" rootkits from installing unless you allow it to.
http://www.diamondcs.com.au/processguard/index.php?page=download
Of course this won't remove any that may already be on your system, just
prevent any future installations.

Mike Heelan of www.spywareinfo.com predicts that programs like Ad-Aware
and Spybot will become useless in the future because of these.
You will have to boot from something like BartPE to scan your system for
parasites, which sounds like a real pain in the keister to me, so a program
that will prevent them from installing sounds like an easier way to go.
 