ROOTKITS...the new threat !?

Status
Not open for further replies.

anandk

Distinguished Member
Did you know that it is possible to hide spyware or a virus in a way that will fool even the traditional antivirus/antispyware products? Some spyware programs are already using so-called rootkits to hide deep on your PC!

F-Secure has developed a new Beta version of their BlackLight Rootkit Eliminator. It is a tool that detects files, folders and processes that are hidden from the user and other programs. BlackLight is also able to remove hidden malware by renaming them. :)

Rootkits for Windows work in a different way and are typically used to hide malicious software from, for example, an antivirus program. It is used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what is known as a full stealth virus. Rootkits are more common in the spyware field and they are now also becoming more commonly used among virus authors as well.

For more info and a download visit: *www.f-secure.com/blacklight/
 

digen

Youngling
Yeah, the Linux users must be familiar with "rootkits".
It's becoming common in the Windows environment too.

Check Rootkit.com


Sysinternals have a Rootkit Revealer. You may as well check that out.
 

swatkat

Technomancer
No...SysInternals RootkitRevealer is a tool which is freely available.
*www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
 

anandk

Distinguished Member
ROOTKITS are now an emerging type of "Super Spyware" :twisted: which affect both Windows and Linux operating systems, hide themselves efficiently, impact the operating system kernel directly, and usually carry a more serious secondary payload.

Use this tool when you have done all other reasonable cleaning, have also checked for viruses, and you are sure your system is still seriously infested with malware even though no tool is showing it. 'ROOTKIT REVEALER' as mentioned above by swatkat is really worth a try. www.sysinternals.com
 

anomit

In the zone
For geek stuff on RootKit detection

I don't think rootkits can be completely removed from a system. Or am I wrong?
 

digen

Youngling
Nice link there, anomit. It's a pity that Phrack is no more around.
As far as your question goes, as far as my knowledge goes rootkits operate under the so-called "stealth" mode, hence the majority of them won't be detectable with, say, HijackThis or any port-to-application mapping program like Process Explorer.
The low-level or kernel-level operation of programs makes it a dangerous threat.
Detecting is one thing while removing is another. Completely removing even the slightest traces of a rootkit would involve detailed or simple "forensics" on the compromised machine depending upon the level of detail the rootkit possesses.

Usually, & especially in a corporate environment, from what I heard the best practice if it's a "server" machine that is compromised is to format it & install a clean copy with all the patches & necessary updates. The gamble of knowing that the malicious threat has been removed would be a disaster. Infection of a server machine shouldn't happen in the first place but that's another story.
 

anomit

In the zone
digen said:
Usually, & especially in a corporate environment, from what I heard the best practice if it's a "server" machine that is compromised is to format it & install a clean copy with all the patches & necessary updates.

I too had learnt that the best way to get rid of rootkits is to make a backup and then make a clean reinstall of the OS. But I was confused at the way some others have posted about rootkit removal software. I thought maybe new techniques have been developed.

And about Phrack, they had given this indication almost a year ago. Just when I had started to learn.
WHY DOES THIS HAPPEN TO ME???!!!

I have to make do with the archive issues.
 

anandk

Distinguished Member
"Recently, Sony was discovered to have been installing software on people's computers without the user knowing it. When a user inserted a Sony CD into their computer CD-ROM drive, a "root kit" was installed that enabled the music giant to install "copy protection" without the user knowing. Some spyware developers and trojan horse virus makers have already begun to make use of Sony's root kit to hide their presence on the user's machine".

check out
*news.com.com/FAQ+Sonys+rootkit+CDs/2100-1029_3-5946760.html?tag=nefd.top

:arrow: Incidentally, Webroot Spy Sweeper 4.5 has added the 'rootkit' detection option to its arsenal. It's cool, eh!?
www.webroot.com
 

swatkat

Technomancer
The latest version of WebRoot SpySweeper is also able to detect the spyware which "hide" themselves using Rootkit technology.
 

anandk

Distinguished Member
Now even Microsoft has decided to "root" out Sony spyware

..."Sony has come under heavy fire for using so-called "rootkit"
cloaking techniques, normally associated with hackers..."

*www.infoworld.com/article/05/11/14...d.com/article/05/11/14/HNmicrosoftsony_1.html
 

anandk

Distinguished Member
"Symantec has released details of a new rootkit labeled Rustock.A that uses a cunning combination of techniques to evade detection by current rootkit detectors. First, Rustock.A has no process. The malicious code runs inside the driver and in kernel threads." Second, "Rustock.A uses NTFS Alternate Data Stream to hide its driver into the \System32:18467" ADS. In addition, this ADS can't be enumerated by ADS-aware tools since it is protected by the rootkit.

The news is not all bad; F-Secure has already updated their BlackLight rootkit detector to pick up Rustock.A. The cat and mouse game continues..."
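A defender-side check for the hiding trick described above, added here as an example that is not part of the thread or of any tool it mentions: it walks a directory tree with PowerShell and reports every named NTFS alternate data stream on files and on the directories themselves (assumes PowerShell 3.0 or later, an NTFS volume, and that Get-Item -Stream can enumerate streams on directories as well as files, which is an assumption about the provider).

```powershell
# Added example, not from the thread or from any product it names.
# Lists named NTFS alternate data streams (ADS) under a directory,
# including streams attached to the directories themselves.
# Assumes PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.

function Get-NamedStreams {
    param(
        # Directory to scan; System32 is where the post places Rustock.A's ADS.
        [string]$Path = "$env:SystemRoot\System32"
    )

    # Scan the root itself plus everything below it; -Force includes
    # hidden and system items, which is exactly where malware likes to sit.
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # Every file has an unnamed ':$DATA' stream; only named streams matter here.
        # Assumption: the provider enumerates streams on directories as well as files.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

# Usage: report named streams under System32. A Zone.Identifier stream on a
# downloaded file is common and benign; anything else deserves a closer look.
Get-NamedStreams | Format-Table -AutoSize
```

Because an active kernel rootkit can filter the enumeration, as the post notes for Rustock.A, a clean result from the running system proves little; run the same scan from a clean boot environment against the offline volume and compare the two listings.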
 

anandk

Distinguished Member
Here is a nice new anti-rootkit freeware tool from SOPHOS
click *www.sophos.com/products/free-tools/sophos-anti-rootkit.html for download and info.
 

anandk

Distinguished Member
Also just released: AVG Anti-Rootkit - can even remove Trojans and Rootkits that are hiding inside NTFS Alternate Data Streams
*www.majorgeeks.com/AVG_Anti-Rootkit_d5249.html
 