This is a long but must read for Windows users (you'll have to click the PDF link for the technical info).
http://www.realtechnews.com/posts/3412
Vicious Rootkit
Recently due to my weird ExamineKeyboard() issue, I was beginning to wonder whether I had a rootkit - seems like there's not many broad-spectrum detectors for them (unlike virus & spyware scanners) but during my research I came across this interesting-looking tool (called ProcessGuard) which seems to do a good job of avoiding them from the outset. I just pass this on in case anyone is curious about how to avoid (I'm tempted to get this PG tool..).
Nice link, thanks mskuma.
BTW, what exactly is a rootkit?
I know (or think) Sony opened the whole can of worms with their attempt to protect their software. But I am not sure what the heck a rootkit is - what makes it so hard to deal with?
Is it like infecting the boot sector back in the days of DOS?
Dare2 cut down to size
Hmm, it's a proggie that hooks API calls in kernel-mode (getting in ring0 with a driver). For example, to hide files it can hook FindFirstFileA, FindNextFileA, etc., and filter the parameters. If it finds the name of the file it hides, it just doesn't call the original function anymore. (I think)
[Edit]
So what keeps us alive and not having a hell of a time fixing our machines is that there is no perfect rootkit, one that hides itself completely. If someone would do that, we would be doomed.
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
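The hooking trick Inf0Byt3 describes (filter the FindFirstFile/FindNextFile results so one name never reaches user mode) is exactly what a cross-view detector such as RootkitRevealer, linked later in the thread, takes advantage of: the hook filters one path to the data, but a raw parse of the directory on disk sees everything. The block below is an added example written for this page, not code from any forum member or from Sysinternals. It implements the cross-view comparison in Python over constructed sample listings; the paths and the file names hidden_example.sys and tmp_install.log are made-up placeholders, and nothing here calls the Windows API.

```python
"""Cross-view detection of a file-hiding rootkit (added example).

A hook on the documented directory-enumeration API filters names before
they reach user mode, but it cannot easily filter every route to the
same data.  A RootkitRevealer-style tool therefore compares two views
of one directory: the high-level listing the (possibly hooked) API
returns, and a low-level listing obtained another way, e.g. by parsing
the on-disk directory structure directly.  Names present in only one
view are discrepancies worth investigating.

Everything below is constructed sample data.  On a real system the two
listings would come from the Win32 enumeration API and a raw NTFS reader.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True, order=True)
class Discrepancy:
    """One name that the two views disagree about."""
    path: str
    kind: str  # "hidden-from-api" (raw view only) or "only-in-api"


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> List[Discrepancy]:
    """Compare the API view with the raw view of the same directory.

    Paths are compared case-insensitively, as Windows file names are.
    """
    api: Set[str] = {p.lower() for p in api_view}
    raw: Set[str] = {p.lower() for p in raw_view}
    hidden = [Discrepancy(p, "hidden-from-api") for p in sorted(raw - api)]
    phantom = [Discrepancy(p, "only-in-api") for p in sorted(api - raw)]
    return hidden + phantom


def confirmed_discrepancies(scans: List[List[Discrepancy]]) -> List[Discrepancy]:
    """Keep only discrepancies that every scan reported.

    A file created or deleted between the two enumerations of a single
    scan shows up as a one-off difference; a hook filters the same name
    every time, so re-scanning and intersecting removes that noise.
    """
    if not scans:
        return []
    common = set(scans[0])
    for scan in scans[1:]:
        common &= set(scan)
    return sorted(common)


# --- constructed sample data (placeholders, not real IoCs) --------------
# What the (hooked) enumeration API returns for one directory.
API_VIEW_SCAN1 = [
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Windows\system32\ntdll.dll",
    r"C:\Windows\system32\drivers\ntfs.sys",
]
# What a raw parse of the same directory shows: "hidden_example.sys" is a
# placeholder for a component the hook filters out; "tmp_install.log" is a
# transient file that was deleted between the raw scan and the API scan.
RAW_VIEW_SCAN1 = API_VIEW_SCAN1 + [
    r"C:\Windows\system32\drivers\hidden_example.sys",
    r"C:\Windows\system32\tmp_install.log",
]
# Second scan a moment later: the transient file is gone from both views,
# the hidden driver is still filtered from the API view.
API_VIEW_SCAN2 = list(API_VIEW_SCAN1)
RAW_VIEW_SCAN2 = API_VIEW_SCAN1 + [r"C:\Windows\system32\drivers\hidden_example.sys"]


def run_sample() -> List[Discrepancy]:
    """Run both scans and return the discrepancies that survive confirmation."""
    scan1 = cross_view_diff(API_VIEW_SCAN1, RAW_VIEW_SCAN1)
    scan2 = cross_view_diff(API_VIEW_SCAN2, RAW_VIEW_SCAN2)
    return confirmed_discrepancies([scan1, scan2])


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d.kind}: {d.path}")
```

The first scan alone reports two names; only the one the hook filters consistently survives the second scan, which is why such tools tell you to re-run before trusting a hit. The reverse direction ("only-in-api") catches the opposite oddity, an entry the API reports that the on-disk structure does not contain.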
Read Mark's Blog (at the end),
http://www.sysinternals.com/Blog/
I think he was one of the first that discovered Rootkits, or at least told the World about them (on Windows, they have been "common" on Unix platforms before).
They also have a tool that discovers Rootkits;
http://www.sysinternals.com/Utilities/R ... ealer.html
More info;
http://en.wikipedia.org/wiki/Rootkit

(\__/)
(='.'=) This is Bunny. Copy and paste Bunny into your
(")_(") signature to help him gain world domination.
Did you read the PDF?

Inf0Byt3 wrote:
So what keeps us alive and not having a hell of a time fixing our machines is that there is no perfect rootkit, one that hides itself completely. If someone would do that, we would be doomed.

From the PDF:
Removing this infection, on the other hand, would turn out to be much more difficult than expected. In August 2006, three months later, this infection is still spreading widely - not only in Italy, but to other countries as well. No security company has released an update for their engine or found a solution which totally removes the infection.

Whoops, it seems we already are doomed. However, I'm sure there has got to be a way to kill it... Nothing is perfect in this world (luckily), so it won't be a problem in the future :roll: . Thanks for the PDF, it's a good read!