Microsoft Strider GhostBuster Rootkit Detection Software Download

Discussion in 'Computer Support' started by Pamela Fischer, Nov 21, 2005.

  1. Do Strider GhostBuster Rootkit downloads actually exist?

    I read every line of the Microsoft Windows Defender Research page
    http://research.microsoft.com/rootkit - but I still don't see where to
    download the actual GhostBuster utility.

    Am I missing something?

    Is there a Microsoft rootkit decloaking utility on that page?
    If so, (I don't see it), can you kindly point us to the download link?

    Thank you in advance,
    Pamela Fischer
    Pamela Fischer, Nov 21, 2005
    #1

  2. > I read every line of the Microsoft Windows Defender Research page
    > http://research.microsoft.com/rootkit - but I still don't see where to
    > download the actual GhostBuster utility.

    ======================================================================
    I'm still looking for that Microsoft GhostBuster download link.

    In the July 24, 2004 Microsoft paper titled "Strider GhostBuster: Why
    It's A Bad Idea For Stealth Software To Hide Files" (
    http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775 ), the authors state "We have built a tool called the
    Strider GhostBuster that automates most of the ScanDiff steps below ...
    running to completion ... in 10 to 15 minutes."

    But where can we obtain a download link to Strider Ghostbuster?
    ======================================================================
    Apparently the Strider GhostBuster tool automates the 3 steps below:
    ======================================================================
    Step #1:
    We first boot normally into the infected OS and invoke "dir /s /a" to
    scan the entire file system. We save the output in a file named
    "Infected_Scan.txt" on a disk. The file-hiding software can arbitrarily
    interfere with the scanning process and/or arbitrarily modify the output
    file. (Note that the user account from which the scan is performed
    should be added to the ACLs of the System Volume Information folder and
    other folders that by default are not accessible to the user.)

    Step #2:
    We restart the machine and this time boot into a clean WinPE CD [WPE]
    that contains a clean version of WinDiff.exe. We invoke "dir /s /a" again
    and save the output in the file "Clean_Scan.txt". The hidden file should
    appear in this output because the file-hiding software was not running
    during the scan.

    Step #3:
    Finally, we invoke WinDiff.exe to compare the two files
    "Infected_Scan.txt" and "Clean_Scan.txt". Any hidden file should be
    revealed in the diff result.
    ======================================================================
    Based on this, Microsoft researchers state in this paper that the
    documented ScanDiff process above detects all real-world file-cloaking
    RootKits, Trojans, and commercial keyloggers. Specifically, these
    ScanDiff steps detect Sony BMG Ineptware, Hacker Defender 1.0, Aphex -
    AFX Windows Rootkit 2003, Vanquish, and Msvsres.dll; plus the keyloggers
    ActMon and ProBot SE; and the commercial flyware Hide Files 3.3, Hide
    Folders XP, Advanced Hide Folders, and File & Folder Protector (flyware
    being defined as your boss' fly-on-the-wall ware).
    ======================================================================
    I'm sure there is a download link to Microsoft Strider GhostBuster
    utility somewhere out there. But the closest I can get to is this link
    provided in the paper above: http://research.microsoft.com/sm/strider
    ======================================================================
    My question is:
    Does anyone really know where to get a Strider Ghostbuster utility?

    Pamela Fischer
    Pamela Fischer, Nov 21, 2005
    #2
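The ScanDiff comparison from steps 1 to 3 above, as an added example that is not Microsoft's GhostBuster code: it parses two "dir /s /a" listings (one taken inside the running OS, one taken from the clean boot CD) and reports any file that is visible only from the clean boot, plus any file whose size differs between the two views. The listings, paths and file names below are constructed for illustration.

```python
"""Cross-view ScanDiff: diff an in-OS 'dir /s /a' listing against a clean-boot one."""
import re

# A file entry in "dir /s /a" output: date, time, size, name. Directories show <DIR>
# instead of a size, so they do not match and are skipped.
_ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?:AM|PM)\s+([\d,]+)\s+(.+)$")
_DIRLINE = re.compile(r"^\s*Directory of (.+)$")


def parse_dir_listing(text):
    """Return {full_path: size_in_bytes} for every file in a 'dir /s /a' listing."""
    files, cwd = {}, None
    for line in text.splitlines():
        m = _DIRLINE.match(line)
        if m:
            cwd = m.group(1).strip().rstrip("\\")
            continue
        m = _ENTRY.match(line.strip())
        if m and cwd is not None:
            files[cwd + "\\" + m.group(2).strip()] = int(m.group(1).replace(",", ""))
    return files


def scan_diff(infected_listing, clean_listing):
    """Files present only in the clean-boot view are hidden from the running OS.
    A size mismatch means the in-OS view of that file was tampered with as well."""
    inf, cln = parse_dir_listing(infected_listing), parse_dir_listing(clean_listing)
    hidden = sorted(p for p in cln if p not in inf)
    mismatched = sorted(p for p in cln if p in inf and cln[p] != inf[p])
    return hidden, mismatched


# Constructed sample listings (Infected_Scan.txt and Clean_Scan.txt from the steps above).
INFECTED_SCAN = r"""
 Directory of C:\Windows\System32

11/21/2005  09:00 AM            49,152 kernel32.dll
11/21/2005  09:00 AM    <DIR>          drivers
11/21/2005  09:10 AM             1,024 notes.txt
               2 File(s)         50,176 bytes
"""
CLEAN_SCAN = r"""
 Directory of C:\Windows\System32

11/21/2005  09:00 AM            49,152 kernel32.dll
11/21/2005  09:00 AM    <DIR>          drivers
11/21/2005  09:10 AM             4,096 notes.txt
11/21/2005  09:05 AM            12,288 cloaked.sys
               3 File(s)         65,536 bytes
"""

if __name__ == "__main__":
    hidden, mismatched = scan_diff(INFECTED_SCAN, CLEAN_SCAN)
    print("hidden from the running OS:", hidden)
    print("size differs between views:", mismatched)
```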

  3. Pamela Fischer

    Noel Paton Guest

    Pamela
    This (Strider) is a Microsoft Research project - the programs involved are
    almost certainly undergoing patent applications, and as a result cannot be
    published yet.
    When they are published, they look as if they are to be directed more
    towards the Enterprise market than the home user.


    --
    Noel Paton (MS-MVP 2002-2006, Windows)

    Nil Carborundum Illegitemi
    http://www.crashfixpc.com/millsrpch.htm

    http://tinyurl.com/6oztj

    Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
    "Pamela Fischer" <> wrote in message
    news:Xns9714F32A2D15sonyrootkit@207.115.63.158...
    > Do Strider GhostBuster Rootkit downloads actually exist?
    >
    > I read every line of the Microsoft Windows Defender Research page
    > http://research.microsoft.com/rootkit - but I still don't see where to
    > download the actual GhostBuster utility.
    >
    > Am I missing something?
    >
    > Is there a Microsoft rootkit decloaking utility on that page?
    > If so, (I don't see it), can you kindly point us to the download link?
    >
    > Thank you in advance,
    > Pamela Fischer
    Noel Paton, Nov 21, 2005
    #3
  4. Pamela Fischer

    MAP Guest

    Pamela Fischer wrote:
    > Do Strider GhostBuster Rootkit downloads actually exist?
    >
    > I read every line of the Microsoft Windows Defender Research page
    > http://research.microsoft.com/rootkit - but I still don't see where to
    > download the actual GhostBuster utility.
    >
    > Am I missing something?
    >
    > Is there a Microsoft rootkit decloaking utility on that page?
    > If so, (I don't see it), can you kindly point us to the download link?
    >
    > Thank you in advance,
    > Pamela Fischer


    Here is a free program that will find "Rootkits" it is written by the same
    person that found the rootkit installation installed by listening to a Sony
    music CD a couple of weeks ago.

    http://www.sysinternals.com/utilities/rootkitrevealer.html

    --
    Mike Pawlak
    MAP, Nov 21, 2005
    #4
  5. Pamela Fischer

    MAP Guest

    I saw your other post after posting my reply; it seems that you are already
    aware of the rootkit revealer program. It also seems that you are concerned
    about rootkits (as you should be), so here is a link for a security program that
    will "prevent" rootkits from installing unless you allow it to.
    http://www.diamondcs.com.au/processguard/index.php?page=download
    Of course this won't remove any that may already be on your system, just
    prevent any future installations.

    Mike Heelan of www.spywareinfo.com predicts that programs like Ad-Aware
    and Spybot will become useless in the future because of these.
    You will have to boot from something like Bart'sPE to scan your system for
    parasites, sounds like a real pain in the keister to me so a program that
    will prevent them from installing sounds like an easier way to go.

    --
    Mike Pawlak
    MAP, Nov 21, 2005
    #5