Root Kit Question


20 replies to this topic

#1 crashrox


Posted 20 July 2005 - 01:39 PM

I have a basic understanding of root kits. Tell me if I'm wrong.. basically the rootkit wraps around the O/S and can filter certain requests, making some things seem invisible. My question is, if you do a dir in a command prompt, is the request the same as a file search? Or is it more "low level" and will show everything?

#2 crashrox


Posted 20 July 2005 - 01:53 PM

Funny enough I just found some interesting information.

"A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator, is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries." - http://www.windowsec...nvironment.html

#3 Indrid_Cold


Posted 21 July 2005 - 07:03 AM

That was once true for the older rootkits but that will not lay a glove on the latest rootkits.
Hope is not a method.


#4 crashrox


Posted 21 July 2005 - 02:10 PM

So what are the detection methods now?

#5 Swandog46


Posted 21 July 2005 - 02:25 PM

There are antihooking applications that may be employed, but the primary method is to look for anomalous entries in the registry that might belie a rootkit. This is basically what HijackThis does, checking "hotspot" registry locations. Frankly, so many malware infections nowadays (especially on XP) behave in semi-rootkit-like fashion that it is just a normal part of malware analysis....

#6 Paranoid


Posted 22 July 2005 - 04:54 AM

[quote name='Swandog46']
There are antihooking applications that may be employed, but the primary method is to look for anomalous entries in the registry that might belie a rootkit. This is basically what HijackThis does, checking "hotspot" registry locations.
[/quote]


A rootkit would be able to hide "any anomalous entries in the registry". HJT isn't really suitable for rootkit detection.

Basically a rootkit overlays your operating system and controls it, which enables it to lie to almost any other program. As such, rootkit detection is extremely difficult, since you cannot trust anything the operating system tells you.

The best method is to unmount the hard-disk or boot up on a CD then run an analysis.

Leaving that aside, some rootkit detectors try to catch the rootkit in a lie. They run 2 different levels of analysis, one on a 'low level' and one on the normal level. These 2 scans should match. If there is any difference between the 2 scans, there *might* be a rootkit installed.

There are counter measures against such tools, and counter-counter measures, and so on...
Please note that the software I recommend above is entirely based on only my own experience and testing. In no way should my comments, opinions and endorsements be construed as an endorsement by the forum, nor do they reflect the advice or recommendations of the experts or helpers at spywareinfo.


#7 Paranoid


Posted 22 July 2005 - 04:56 AM

[quote name='crashrox']
I have a basic understanding of root kits. Tell me if I'm wrong.. basically the rootkit wraps around the O/S and can filter certain requests, making some things seem invisible. My question is, if you do a dir in a command prompt, is the request the same as a file search? Or is it more "low level" and will show everything?
[/quote]


I doubt a kernel level rootkit could be found out so easily.


#8 crashrox


Posted 22 July 2005 - 08:58 AM

Yeah, I have been reading up about it. Pretty tricky to discover. From what I have been told, finding flaws in the rootkit as you mentioned is one of the most viable options. Programmers are lazy :p

#9 Swandog46


Posted 22 July 2005 - 09:07 AM

Paranoid, this is not entirely true:

[quote name='Paranoid']
A rootkit would be able to hide "any anomalous entries in the registry". HJT isn't really suitable for rootkit detection.
[/quote]


I'll give you an example. The new variants of the Qoologic trojan have some rootkit-like behavior. Files are not viewable in Explorer, or even through the DOS dir command. Sometimes 16-bit utilities like xfind will show them; sometimes not.

However, we can still identify the Qoologic infection by particular telltale entries in the registry, picked up by HijackThis; the ones labeled "KavSvc" or "winsync" (or an older one was "Narrator"). We then need to develop more clever methods of actually locating the Qoologic files that Windows does not see. But the registry entries ARE visible.

#10 Paranoid


Posted 23 July 2005 - 06:09 AM

[quote name='Swandog46' date='Jul 22 2005, 10:07 AM']
Paranoid, this is not entirely true:

[quote]A rootkit would be able to hide "any anomalous entries in the registry". HJT isn't really suitable for rootkit detection.[/quote]

I'll give you an example. The new variants of the Qoologic trojan have some rootkit-like behavior. Files are not viewable in Explorer, or even through the DOS dir command. Sometimes 16-bit utilities like xfind will show them; sometimes not.
[/quote]

Swandog that is a bad example.

I think we need to differentiate between real root kits and "rootkit-like behaviour" (whatever that is). Don't be fooled, the ability of Qoologic to hide itself from Explorer or Task Manager doesn't make it a rootkit. Lots of malware already do it, without being a rootkit. It's all part of the stealth game.

A rootkit deserving of the name would have control over the Windows API, intercept all calls for registry enumeration, etc.

If it isn't even capable of hiding registry entries from HJT, it isn't even close to being a rootkit.

That said, all rootkits have their own weaknesses, so I wouldn't be surprised if some left telltale signs that could be detected, but as a class, most rootkits would not leave any registry entry for you to pick up.

Edited by Paranoid, 23 July 2005 - 06:15 AM.



#11 Paranoid


Posted 23 July 2005 - 06:38 AM

[quote name='Swandog46']
Paranoid, this is not entirely true:

However, we can still identify the Qoologic infection by particular telltale entries in the registry, picked up by HijackThis; the ones labeled "KavSvc" or "winsync" (or an older one was "Narrator"). We then need to develop more clever methods of actually locating the Qoologic files that Windows does not see. But the registry entries ARE visible.
[/quote]


Another thought struck me, the Qoologic infections you deal with are those configured to serve popups, hijack browsers etc*. As such unlike real rootkits (which remain totally silent), they already announce themselves.

I think they don't really care if you know they are there, so not hiding the registry entries doesn't matter that much. The main aim and purpose of Qoologic in acquiring these "rootkit like" functions is to hide files so as to frustrate people trying to remove it.

Compare it to The Beast, HackerDefender, etc.; they hide 100%, that is what they do.


*They might have limited backdoor functions.


#12 Swandog46


Posted 23 July 2005 - 12:20 PM

Paranoid,

It seems to me that you have defined the debate in the wrong way. You have defined a rootkit basically as an undetectable Windows hook. Of course then a rootkit is undetectable, because you have defined it as such.

What we really mean by a "rootkit" is code that inserts itself into the Windows API so as to be able to intercept input and output API calls. There are two strategies to counter this. The first is the one you mentioned:

[quote name='Paranoid']
Leaving that aside, some rootkit detectors try to catch the rootkit in a lie. They run 2 different levels of analysis, one on a 'low level' and one on the normal level. These 2 scans should match. If there is any difference between the 2 scans, there *might* be a rootkit installed.
[/quote]


This is how RootkitRevealer, DLLCompare, and lots of other similar applications work.

The second is to use an antihooking application like AntiHookExec:
http://www.security....tihookexec.html

basically to "out-rootkit" the rootkit --- to intercept programs that intercept API calls.

A third strategy might be to use a third-party application independent of API calls; perhaps a string-search app like strings.exe from SysInternals, to brute-force strings-search through the registry for the malicious strings used to run the rootkit at boot.

[quote name='Paranoid']
As such unlike real rootkits (which remain totally silent)
[/quote]


Let me ask you this: what would be the point of a rootkit that remained "totally silent"? The point of a rootkit is to gain stealthy root access. But once you do that, then what? If you are a malware author, you don't just write a rootkit because you CAN --- you write one to force arbitrary execution of code, to spread "zombie" machines for spamming, DDoS attacks or similar pursuits, or for hijackings designed to make you money via pay-per-click engines.

If a rootkit has a backdoor function like you acknowledge it would need to have in order to be effective at all, that would effectively "announce" the rootkit as well. You will generally know it is there if it does anything at all --- you then just need to look for it.

#13 Paranoid


Posted 25 July 2005 - 05:17 AM

[quote name='Swandog46']
Paranoid,

It seems to me that you have defined the debate in the wrong way. You have defined a rootkit basically as an undetectable Windows hook. Of course then a rootkit is undetectable, because you have defined it as such.
[/quote]


Er, no. When did I use the words "undetectable hook"? I just pointed out that if you think HJT allows you to detect rootkits by looking at registry strings, you must be dreaming.

Besides, I suppose you think it's much better to define a rootkit as something that can be picked up simply by looking at the registry? That would be very misleading, as you very well know, and false in practically all cases.


[quote name='Swandog46']
What we really mean by a "rootkit" is code that inserts itself into the Windows API so as to be able to intercept input and output API calls.
[/quote]


That would be one of the functions of a rootkit yes.


[quote name='Swandog46']
The second is to use an antihooking application like AntiHookExec:
http://www.security....tihookexec.html
[/quote]


Funny you should mention this one.

[quote name='Paranoid']
As such unlike real rootkits (which remain totally silent)
[/quote]


[quote name='Swandog46']
Let me ask you this: what would be the point of a rootkit that remained "totally silent"? The point of a rootkit is to gain stealthy root access. But once you do that, then what? If you are a malware author, you don't just write a rootkit because you CAN --- you write one to force arbitrary execution of code, to spread "zombie" machines for spamming, DDoS attacks or similar pursuits, or for hijackings designed to make you money via pay-per-click engines.
[/quote]


You misunderstand. By "announce itself", I mean announce itself so blatantly that even the rankest newbie knows that he needs to seek help from our forum god Swandog. Spamming you with millions of popups or changing your home page would be pretty obvious. This is the vast majority of malware you handle, which I suspect distorts your judgement of what rootkits can do, and how easy to detect they are.

For these kinds of malware, they expect to be noticed. Then it's a matter of trying to make it appear and remove it.



[quote name='Swandog46']
If a rootkit has a backdoor function like you acknowledge it would need to have in order to be effective at all, that would effectively "announce" the rootkit as well. You will generally know it is there if it does anything at all --- you then just need to look for it.
[/quote]


LOL, you generally know it's there? I submit you have spent too much time in the adware side of malware to actually say this. You can't ever be sure if there is a rootkit even with the most sophisticated tools, and yet you generally know it's there? Okay.

There's a big difference between malware that serves ads and popups (and to a lesser extent sends infected mail, spam) and one that is primarily a backdoor program or keylogger.

Sure, in the latter cases, they will have to do something as well and *might* be noticed, but unless you are some super expert (eg Swandog) no newbie would even notice. And I submit in many cases, even a reasonably skilled user wouldn't notice, depending on how well it hides itself.

A program that spawns numerous popups? Well it better be noticed. :)

That's the essential difference between "adware with rootkit-like functions" and "pure rootkits" (that is to say, those without adware functions). For adware to function, it has to be noticed by the user of the infected machine, so whatever "stealth" is obtained is essentially self-defeating. The purpose of "stealth" is mainly to frustrate people trying to remove it, rather than to conceal its own existence.

These are the breed of "rootkits" you face. That's why, I guess, rootkits in your world are so easy to 'detect'.

On the other hand keyloggers for example, don't ever want to be noticed and they won't be noticed.

Edited by Paranoid, 25 July 2005 - 05:38 AM.



#14 Swandog46


Posted 25 July 2005 - 09:03 AM

[quote name='Paranoid']
Funny you should mention this one.
[/quote]


???

[quote name='Paranoid']
And I submit in many cases, even a reasonably skilled user wouldn't notice, depending on how well it hides itself.
[/quote]


You might be right about this. But let's look at the bigger picture. You are basically giving examples of keyloggers and backdoors as examples of super-stealthy, undetectable rootkits, as compared with the popup-generating rootkit-like functions of malware. This is a fair distinction. But there is no point of writing a keylogger that does not transmit the logged keystrokes back to the author. So it is ultimately impossible to write an effective keylogger (or other type of rootkit) that does not have some kind of contact with the outside world, if not with the machine's user. And hence I reiterate my earlier statement --- in theory, to an aware user, this behavior should be observable, if subtle. A firewall log for example should detect backdoor intrusions or logged-key transmissions. Of course it is possible under certain circumstances to bypass these protections. There is no system that can ever be totally secure. But the flip side of that is: there is no rootkit that can ever be totally undetected.

Bottom line is that some rootkits can be extremely hard to detect; this is why they are getting so much attention lately. And this is scary. But it IS impossible to write a rootkit, or any other malicious hack, that is both totally undetectable AND effective, from the perspective of a rootkit author.

#15 Paranoid


Posted 26 July 2005 - 01:14 PM

[quote name='Swandog46']
[quote]Funny you should mention this one.[/quote]

???
[/quote]

:evilgrin:


[quote name='Swandog46']
[quote]And I submit in many cases, even a reasonably skilled user wouldn't notice, depending on how well it hides itself.[/quote]

You might be right about this. But let's look at the bigger picture. You are basically giving examples of keyloggers and backdoors as examples of super-stealthy, undetectable rootkits, as compared with the popup-generating rootkit-like functions of malware.
[/quote]


Actually, if you re-read what I wrote, I only added this speculation as an addendum, on why stealth probably wasn't that important compared to traditional rootkits which don't have adware functions. Why they might not bother to hide themselves completely.

I was just postulating a theory why adware with rootkit-like functions might be less concerned about 100% hiding itself (the leaving-reg-key example). This was a speculation about motivation, not technicals.

We can discuss for days on whether some subtle behaviour might or might not be caught by a skilled user, but that's not really as fundamental as the purpose of adware versus keyloggers.

I hope this clarifies it up for you. It wasn't even a big point.

[quote name='Swandog46']
This is a fair distinction. But there is no point of writing a keylogger that does not transmit the logged keystrokes back to the author. So it is ultimately impossible to write an effective keylogger (or other type of rootkit) that does not have some kind of contact with the outside world, if not with the machine's user. And hence I reiterate my earlier statement --- in theory, to an aware user, this behavior should be observable, if subtle. A firewall log for example should detect backdoor intrusions or logged-key transmissions. Of course it is possible under certain circumstances to bypass these protections.
[/quote]


I submit it would be trivial to beat the outbound protection of almost all firewalls. Heck, even the routine adware encountered beats software firewalls trivially, and there are dozens of other methods. You don't really think a kernel rootkit would have any problems, do you?

Again, this is beside the point, since this discussion, fascinating as it has been, isn't the main thrust of my argument.

I'm not sure if you are trying to argue that any malware will in the end have some 'real world effect' and hence it will be detected. E.g. whether it is an attacked machine complaining to your ISP, or the user realising that his bank account has been cleaned up. But that obviously has nothing to do with the debate about whether rootkits are easy to detect or not.

In any case, you seem to be shifting goal posts here. I didn't say rootkits were undetectable, just that they were not as easy as running a HJT log.

My speculations on the differences between traditional rootkits and adware were to try to explain why the latter might not require full-blown 100% stealth. And even then, HJT is getting less and less effective as a detection tool :)

But I can't resist adding a few more thoughts.

Adware-based programs' main aim is to resist removal. Traditional rootkits' main aim is to avoid detection. That is a very fundamental difference.

I suppose traditional rootkits could be made to be as hard to remove as possible even when found, but I doubt there is much incentive for that, because the typical reaction of an experienced sysadmin on finding a rooted system is to save the data files, then reformat. This is so even if the rootkit is very well known and can be removed 100%.

The assumption is that there might be a million other traps already put in by the attacker. An adware-type program, in comparison, seldom leads to a reformat.



[quote name='Swandog46']
There is no system that can ever be totally secure. But the flip side of that is: there is no rootkit that can ever be totally undetected.
[/quote]


That's of course a truism. I thank you for explaining that to me. But I never claimed rootkits are 100% undetectable. I do claim that you almost always need to have some clever way of looking at the file system and registry though before "anomalous entries in the registry" appear.

You don't seem to agree on this point. Hence your attempt to use Qoologic.

[quote name='Swandog46']
Bottom line is that some rootkits can be extremely hard to detect; this is why they are getting so much attention lately. And this is scary. But it IS impossible to write a rootkit, or any other malicious hack, that is both totally undetectable AND effective, from the perspective of a rootkit author.
[/quote]


Obviously the more actions you do, the more you have to cover up and the more likely you make a mistake.

The point as you know is if you can control the OS, you can make it lie. That makes it possible to in theory have any action undetectable. You know this too.

But this has nothing to do with my point about the nature of adware which NEEDS to be noticed, and other forms of malware which work fine without being noticed.

The latter has incentive to hide itself completely, the former has no (or little) incentive, since everyone knows it's there.

Let's be clear again, this is what I was objecting to.

[quote name='Swandog46']
There are antihooking applications that may be employed, but the primary method is to look for anomalous entries in the registry that might belie a rootkit. This is basically what HijackThis does, checking "hotspot" registry locations.
[/quote]


The first part is okay, but the second part is extremely misleading, except for maybe adware type malware where hiding itself completely is not the point.

You decided then to attach yourself to my secondary post where I speculated about the difference between adware and traditional rootkits....

Edited by Paranoid, 26 July 2005 - 01:34 PM.



#16 Swandog46


Posted 26 July 2005 - 02:24 PM

I see. Thank you for clarifying what the "main thrust of your argument" was, because amidst your condescending and patronizing tone I had not been able to determine what in fact you were saying.

I don't think we are disagreeing with one another, so I am not sure why we are arguing. You agree that it is impossible and pointless from the perspective of a malware author for a rootkit ever to be 100% undetectable and silent to the outside world. I agree that there is a distinction between the stealthier behavior of a traditional rootkit as compared with the lesser degree of secrecy demanded by adware. We can dispute minor points over how easy it would be for a firewall to pick up outbound backdoor traffic, or about filesystem comparison methods, but we both agree that there do exist potential avenues of detection.

This is true:

[quote name='Paranoid']
I do claim that you almost always need to have some clever way of looking at the file system and registry though before "anomalous entries in the registry" appear.
[/quote]


However, the key word is "almost". In simpler cases, the sort that appear more commonly today and in variations more bordering on malware (like Qoologic), some signs can appear. In a true kernel-level rootkit such signs might not appear. In that case, of course, "clever ways of looking at the registry" would need to be employed.

This is NOT true:

[quote name='Paranoid']
That makes it possible to in theory have any action undetectable. You know this too.
[/quote]


It is NOT possible even in theory to have an action totally undetectable. The OS is NOT the lowest level of processing, and so even assuming the rootkit were to control the entire OS, a method of detection that extended beyond the tools of the OS should not be affected. (for example, the use of the Recovery Console in Windows XP)

Your argument seems to be this:

[quote name='Paranoid']
I didn't say rootkits were undetectable, just that they were not as easy as running a HJT log.
[/quote]


which is of course true. Perhaps I should have struck "the primary method" from my original statement, and replaced it with "one method". Checking for anomalous registry entries is the first line of attack when confronting a malware infection with rootkit-like behavior, but you are right that filesystem methods would be a better approach for a more traditional kernel-level rootkit (although even some traditional rootkits, like hackerdefender, do sometimes leave visible registry trails).

Primarily what I object to is your rhetorical use of fear tactics --- as though you are trying to scare the users who read the SWI boards. The common rootkit-like infections we see here every day are not undetectable, and I do not want to scare people into believing otherwise. Why would you do that?

#17 Paranoid


Posted 27 July 2005 - 06:28 AM

[quote name='Swandog46']
I see. Thank you for clarifying what the "main thrust of your argument" was, because amidst your condescending and patronizing tone I had not been able to determine what in fact you were saying.
[/quote]


Well, I'm as condescending and patronizing as I need to be. Especially when dealing with people who do the same.

[quote name='Swandog46']
I don't think we are disagreeing with one another, so I am not sure why we are arguing.
[/quote]


Let's cut to the chase, the only reason why you feel the need to argue is because of this:

[quote name='Swandog46']
Perhaps I should have struck "the primary method" from my original statement, and replaced it with "one method". Checking for anomalous registry entries is the first line of attack when confronting a malware infection with rootkit-like behavior, but you are right that filesystem methods would be a better approach for a more traditional kernel-level rootkit (although even some traditional rootkits, like hackerdefender, do sometimes leave visible registry trails).
[/quote]


I pointed that out, and you just felt the need to confuse the issue by dragging in other points (which I made the mistake of speculating on), maybe because you thought you somehow 'lost face'.

And all this talk about rootkits being 100% undetectable, that was brought up by you. I just maintain that some are almost impossible to detect.

[quote name='Swandog46']
Primarily what I object to is your rhetorical use of fear tactics --- as though you are trying to scare the users who read the SWI boards. The common rootkit-like infections we see here every day are not undetectable, and I do not want to scare people into believing otherwise. Why would you do that?
[/quote]


I do agree that the common rootkit-like infections you see *here* are not undetectable (for reasons already mentioned in prior posts). I even agree that there is no such thing as an undetectable malware, but did I insist otherwise?

If you read the post that began this thread, it was a theoretical question on what rootkits can do, and my correction of your post was entirely accurate and fair and hardly scare-mongering; sorry if you felt insulted.

Is it scare tactics to point out that rootkits can hide registry entries? Is it scare tactics to point out that traditional rootkits are almost impossible to detect unless you know what you are dealing with? And I suppose it is scare tactics to maintain so just because you can handle Qoologic?

Give me a break.


#18 Alpha_Blue


Posted 18 September 2005 - 07:55 PM

Is a rootkit a trojan, or a RAT? How exactly does it get onto the comp, and which programs block it, anti-virus programs, or firewalls, or what?
I am not quite sure how to prevent a rootkit from getting on my computer... I haven't heard of anti-rootkit programs... other than RootkitRevealer, which shows you them when they have already gained access... my question is HOW do they get on your comp and WHAT programs keep them from getting on?

#19 Paranoid


Posted 19 September 2005 - 02:46 AM

[quote name='Anti_Spyware' date='Sep 18 2005, 08:55 PM']
Is a rootkit a trojan, or a RAT? How exactly does it get onto the comp,
[/quote]

Let me try to clear this up.

The classical definition of malware breaks them down into trojans, viruses and worms. This is a classification based on how they spread and/or how they get on your computer.

A worm - loosely speaking, a worm spreads automatically without user intervention, through network shares, by emailing themselves as attachments, and nowadays through IM, P2P etc.

A trojan cannot spread by itself. The user normally is tricked into running them, because he thinks it's some other program. Eg, you download this crack for a hot game, and it is actually something else.

A virus spreads by infecting other files. And when someone runs one of those infected files, he is infected too.

All types of malware will fall into one of these 3 categories, if not all of them. Admittedly, the definition kind of breaks down when we consider drive-by downloads.

Rootkits are not defined by how they spread, but rather what functions they do.
Similarly, you have keyloggers, RAT (Remote access trojans), Adware, Spyware, browser hijackers , backdoors.

Traditionally though and most often, rootkits are spread as trojans. They could also be spread by worms in theory.


[quote]
and which programs block it, anti-virus programs, or firewalls, or what?
[/quote]


One definition of a rootkit is this: "A root kit is a set of tools used by an intruder *after cracking* a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes".

Most (all?) modern rootkits also have features for keylogging, screen capture and remote access control, so they could also be considered RATs and keyloggers, but strictly speaking this is not part of the primary aim of a rootkit, which is to maintain control by hiding the other components used by a hacker from being detected.

I would add that the way it does this is by replacing parts of your operating system, so that it effectively lies to you, all for the purpose of hiding. This can be as simple as dropping compromised copies of system files to replace the legitimate ones, or as complicated as kernel hooking.

This makes it very difficult to detect after it is installed, because the Operating system itself lies to you.

[quote]
I am not quite sure how to prevent a rootkit from getting on my computer...
[/quote]

Notice the definition talks about maintaining access "after cracking". A rootkit doesn't have any special powers to get on your computer; it has to spread using the usual methods (worm, virus, trojan, physical access).

From the point of view of any scanner, detecting any rootkit sample before it is installed is no more difficult than any other malware, if signatures exist. After they are installed is a different ball game.

Most Antiviruses have the most common rootkit samples out there in their signatures, but if you are truly worried, going for a dedicated antitrojan like Ewido Security Suite or Boclean is one way.

Then there are other preventative software like ProcessGuard that warn you if anything is touching your kernel, a common tactic of rootkits. But these warnings are generic in nature; they alert on any such event, including lots of legitimate ones.

I can also point you to various generic rootkit detectors like rootkitdetector, IceSword, UnHackMe, etc. which try to detect rootkits after they are installed, but these are very difficult to interpret and use and are not 100% foolproof anyway.

Your best bet is to focus on preventing the stuff from getting on , in the first place. This means the usual precautions of getting your system fully patched, good browser settings and exercise caution in installing software (VERY IMPORTANT).


#20 Nick


Posted 19 November 2005 - 05:23 AM

Lots of info on rootkits posted at spyware Warrior here

After the Sony XCP rootkit, expect more rootkit problems to appear in the future.

#21 chrono_trigger666


Posted 22 November 2005 - 05:01 AM

Hello!!!

I'm a newbie here. Can you tell me the difference between a usermode rootkit and a kernel mode rootkit? Can you give me examples for both? Can you also give me examples of malware using such rootkit technology?



