Excellent site for beginners and review:

http://www.webs4u.co.nz/hints/hints.html

ROOTKITS

What are they

- Software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system whilst avoiding detection
- Not malware themselves, but programs that cleverly and deeply hide the presence of malware programs
- An anti-malware scanner may therefore report your PC to be clean
- The hidden files are not seen with the usual Windows programs, e.g. Windows Explorer, Task Manager, the Startup folder
- Received lots of publicity in 2005 when Sony's copy-protection software on some CDs installed a rootkit on Windows computers; Symantec was also involved
- Originated with Unix tools used to hide an intruder's traces, thus allowing the intruder to keep root access

How are they used

- In the past, by hackers to hide Trojans; now to hide spyware or mass-circulation viruses/worms
- May take over your PC in a surreptitious manner
- May work together with worms, sniffers, keyloggers, DoS (Denial of Service) tools and email spam, and may be used to access user names and log-in information for sites that require them

What are the various types

1. Persistent Rootkits: A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
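One defensive check that follows from this description: keep a trusted inventory of the autostart locations and diff each new export against it. The Python below is an added example, not code from these notes or from any tool mentioned on this page. The .reg export and the baseline it uses are constructed, and every entry name and path in them is hypothetical. The diff can only see what the Registry API reports, so a rootkit that hooks Registry enumeration can hide its own entry from the export as well; that limitation is why the scanners discussed further down compare more than one view of the same data.

```python
"""Inventory an autostart key from a .reg export and diff it against a baseline.

Added example, not code from the original notes or from any tool named there.
The .reg text and the baseline below are constructed for illustration; every
entry name and path in them is hypothetical.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what a `reg export` of the Run key looks like once the
# UTF-16LE file has been decoded to text. "SvcHost Helper" is the planted entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"SvcHost Helper"=hex(2):43,00,3a,00,5c,00,73,00,76,00,63,00,2e,00,65,00,78,00,\
  65,00,00,00
'''

# Constructed baseline: the same key as recorded on a known-clean build.
BASELINE = {
    "SecurityHealth": r"C:\Program Files\Windows Defender\MSASCuiL.exe",
    "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr',
}

_KEY_LINE = re.compile(r'^\[(.+)\]$')
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode_data(raw):
    """Decode REG_SZ ("...") and REG_EXPAND_SZ (hex(2):...) data; other types are kept verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the keys in a .reg export."""
    # A trailing backslash continues the value on the next (indented) line.
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.rstrip())
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode_data(m.group(2))
    return keys


def diff_autostart(baseline, current):
    """Report entries added, removed or changed relative to the trusted baseline."""
    return {
        "added": {n: current[n] for n in current.keys() - baseline.keys()},
        "removed": {n: baseline[n] for n in baseline.keys() - current.keys()},
        "changed": {n: (baseline[n], current[n])
                    for n in baseline.keys() & current.keys() if baseline[n] != current[n]},
    }


def audit_run_key(reg_text=SAMPLE_REG, baseline=BASELINE):
    """Parse the export and diff the Run key against the baseline."""
    return diff_autostart(baseline, parse_reg(reg_text).get(RUN_KEY, {}))


if __name__ == "__main__":
    for kind, entries in audit_run_key().items():
        for name, data in entries.items():
            print(f"{kind:8} {name!r}: {data}")
```

Take the baseline on a clean build with `reg export` of the Run key (the file is typically written as UTF-16LE, so decode it before handing the text to `parse_reg`), store it off the machine, and re-run the diff on a schedule or after any suspected compromise. The same parser works for the other autostart keys (RunOnce, the per-user Run key) by changing `RUN_KEY`.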

 

2. Memory-Based Rootkits: Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

3. User-mode Rootkits: There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results containing entries that identify the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration.

4. Kernel-mode Rootkits: Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
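The detection idea the user-mode and kernel-mode descriptions above both lead to is the cross-view comparison: enumerate the same objects through two views that a hook would have to fool independently, and report whatever one view omits. The Python below is an added example, not code from these notes or from RootkitRevealer or any other tool named on this page; every listing in it is constructed sample data, and the paths and PIDs are hypothetical. It also handles the usual false positive of this method, a file created or deleted between the two enumerations, by confirming a discrepancy across two passes before reporting it.

```python
"""Cross-view detection of hidden files and processes.

Added example, not code from the original notes or from any named tool. It
models the check such detectors perform: list the same objects through two or
more independent views and report anything that one view omits. Every listing
below is constructed sample data; the paths and PIDs are hypothetical.
"""
from typing import Callable, Dict, Iterable, List


def cross_view_diff(views: Dict[str, Iterable[str]],
                    normalize: Callable[[str], str] = lambda s: s) -> Dict[str, List[str]]:
    """Return {object: [views that do not report it]} for every object that at
    least one view omits. `normalize` lets callers fold case for Windows paths."""
    seen = {name: {normalize(x) for x in items} for name, items in views.items()}
    universe = set().union(*seen.values())
    report = {}
    for obj in sorted(universe):
        missing = sorted(name for name, items in seen.items() if obj not in items)
        if missing:
            report[obj] = missing
    return report


def confirmed(first: Dict[str, List[str]],
              second: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only discrepancies present in two scans taken a moment apart, so a
    file created or deleted between the enumerations is not reported as hidden."""
    return {obj: first[obj] for obj in first if second.get(obj) == first[obj]}


def windows_path(p: str) -> str:
    """Windows file names are case-insensitive; compare them case-folded."""
    return p.casefold()


# --- Constructed directory listings of one drivers directory ---
# "api" stands for what Explorer or `dir` sees through FindFirstFile/FindNextFile;
# "raw" stands for a listing obtained by parsing the volume directly.
# First pass: tmp1234.tmp was created between the two enumerations (transient);
# hidden.sys is the entry the api view never shows.
API_LISTING = ["ACPI.sys", "ndis.sys", "tcpip.sys"]
RAW_LISTING = ["acpi.sys", "ndis.sys", "tcpip.sys", "tmp1234.tmp", "hidden.sys"]
# Second pass a moment later: the temp file is gone from both views.
API_LISTING_2 = ["ACPI.sys", "ndis.sys", "tcpip.sys"]
RAW_LISTING_2 = ["acpi.sys", "ndis.sys", "tcpip.sys", "hidden.sys"]

# --- Constructed process views ---
# "process_list" mirrors what Task Manager shows by walking the kernel's list of
# active processes; "thread_scan" is a constructed second source built from the
# PIDs that own scheduled threads.
PROCESS_LIST = ["pid:4", "pid:512", "pid:1040"]
THREAD_SCAN = ["pid:4", "pid:512", "pid:1040", "pid:2212"]


def scan_files() -> Dict[str, List[str]]:
    """Two-pass, case-insensitive cross-view of the sample directory listings."""
    pass1 = cross_view_diff({"api": API_LISTING, "raw": RAW_LISTING}, windows_path)
    pass2 = cross_view_diff({"api": API_LISTING_2, "raw": RAW_LISTING_2}, windows_path)
    return confirmed(pass1, pass2)


def scan_processes() -> Dict[str, List[str]]:
    """Cross-view of the sample process listings."""
    return cross_view_diff({"process_list": PROCESS_LIST, "thread_scan": THREAD_SCAN})


if __name__ == "__main__":
    for obj, missing in scan_files().items():
        print(f"file {obj}: not reported by {', '.join(missing)}")
    for obj, missing in scan_processes().items():
        print(f"process {obj}: not reported by {', '.join(missing)}")
```

A discrepancy is a lead, not a verdict: legitimate software (some anti-virus and copy-protection products, as the Sony case on this page shows) also hides objects, so each hit still needs a look at what the hidden file or process is. The value of the method is that a rootkit must hook every view consistently to stay invisible.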

 

 

How do we diagnose the presence of Rootkits

- Not easy!
- Most AV and anti-spyware scanners are worthless against rootkits, although some are now adding this feature
- Need a special detector
- Many are being developed and improved, but they are still difficult to use and non-specific
- Good idea to use several
- This one looks promising: RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
- Other examples: BlackLight from F-Secure (free); RootkitRevealer (free); Rootkit Hook Analyzer (Beta and free); IceSword (free, Chinese, experienced users only)
- Malicious Software Removal Tool from MS: not dedicated to rootkit detection (RKD); distributed via MS and Windows Update services

 

What is the therapy

- Two-pronged, i.e. removal of the rootkit, then the malware
- Extremely difficult to remove even with a positive diagnosis
- Many feel that formatting and re-installing the OS would be the best approach
- Restoring from a backup or clone is possible only if the backup was made prior to the infestation

What prophylaxis should I use

- Same as for avoiding malware infections in general, i.e. use several layers of protection
- Run Windows from an account with less than Administrator privileges (not always practical)
- Use security tools that prevent global hooking, e.g. Process Guard ($29.95), Anti Hook (free); not practical for all users, i.e. mainly for P2P users, crackers and those who download and install programs frequently
- The best advice: an ounce of protection ..!