
Vicious Rootkit

Posted: Thu Aug 24, 2006 11:01 pm
by Straker
This is a long but must-read for Windows users (you'll have to click the PDF link for the technical info).

http://www.realtechnews.com/posts/3412

Posted: Sun Aug 27, 2006 12:43 pm
by mskuma
Recently, due to my weird ExamineKeyboard() issue, I was beginning to wonder whether I had a rootkit. It seems there aren't many broad-spectrum detectors for them (unlike virus & spyware scanners), but during my research I came across this interesting-looking tool (called ProcessGuard) which seems to do a good job of avoiding them from the outset. I just pass this on in case anyone is curious about how to avoid them (I'm tempted to get this PG tool...).

Posted: Mon Aug 28, 2006 2:00 pm
by Dare
Nice link, thanks mskuma.

BTW, what exactly is a rootkit?

I know (or think) Sony opened the whole can of worms with their attempt to protect their software. But I am not sure what the heck a rootkit is - what makes it so hard to deal with?

Is it like infecting the boot sector back in the days of DOS?

Posted: Mon Aug 28, 2006 3:26 pm
by Inf0Byt3
Hmm, it's a proggie that hooks API calls in kernel mode (getting into ring0 with a driver). For example, to hide files it can hook FindFirstFileA, FindNextFileA, etc., and filter the parameters. If it finds the name of the file it hides, it just doesn't call the original function anymore. (I think)

[Edit]

So what keeps us alive and not having a hell of a time fixing our machines is that there is no perfect rootkit, one that hides itself completely. If someone were to do that, we would be doomed.

Posted: Mon Aug 28, 2006 3:27 pm
by Dare
Thanks Inf0Byt3. :)

Posted: Mon Aug 28, 2006 3:56 pm
by techjunkie
Read Mark's Blog (at the end),

http://www.sysinternals.com/Blog/

I think he was one of the first that discovered Rootkits, or at least told the World about them (on Windows, they have been "common" on Unix platforms before).

They also have a tool that discovers Rootkits:
http://www.sysinternals.com/Utilities/R ... ealer.html

More info:
http://en.wikipedia.org/wiki/Rootkit
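The RootkitRevealer link above works by "cross-view" comparison: the file list returned by the hookable Win32 enumeration API (the FindFirstFile/FindNextFile calls Inf0Byt3 describes) is compared against a second list obtained another way, such as parsing the raw NTFS structures. Anything the raw view shows but the API view omits is a candidate for a filtering hook. The script below is an added example of that comparison logic, not code from the thread or from Sysinternals; both listings are constructed sample data rather than real disk reads, and the name "$sys$sample.sys" is made up (Sony's XCP rootkit hid names starting with "$sys$").

```python
"""Cross-view hidden-file detection: compare an API-level directory listing
with a low-level one and report persistent discrepancies. Sample data only."""
from dataclasses import dataclass
from typing import Iterable


def _normalize(name: str) -> str:
    # Windows file names are case-insensitive, so compare case-folded.
    return name.casefold()


@dataclass(frozen=True)
class Discrepancy:
    kind: str  # "hidden_from_api" or "missing_on_disk"
    name: str


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> list[Discrepancy]:
    """One pass: entries only the raw view has (hidden) and entries only the API has."""
    api = {_normalize(n): n for n in api_view}
    raw = {_normalize(n): n for n in raw_view}
    hidden = [Discrepancy("hidden_from_api", raw[k]) for k in sorted(raw.keys() - api.keys())]
    phantom = [Discrepancy("missing_on_disk", api[k]) for k in sorted(api.keys() - raw.keys())]
    return hidden + phantom


def persistent_discrepancies(scans: list[tuple[list[str], list[str]]]) -> list[Discrepancy]:
    """Keep only discrepancies present in every scan pass. A file created or deleted
    while a pass runs shows up in one view but not the other once; a hook that
    filters names does so every time, so repeating the scan removes that noise."""
    common = None
    for api_view, raw_view in scans:
        found = set(cross_view_diff(api_view, raw_view))
        common = found if common is None else common & found
    return sorted(common or (), key=lambda d: (d.kind, d.name))


# Constructed sample: (api_view, raw_view) per pass. Pass 1 also sees a temp log
# that was deleted between the API enumeration and the raw read.
SCAN_PASSES = [
    (["boot.ini", "ntldr", "tmp1234.log"], ["boot.ini", "NTLDR", "$sys$sample.sys"]),
    (["boot.ini", "ntldr"], ["boot.ini", "NTLDR", "$sys$sample.sys"]),
]

if __name__ == "__main__":
    for d in persistent_discrepancies(SCAN_PASSES):
        print(f"{d.kind}: {d.name}")
```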

Posted: Mon Aug 28, 2006 4:33 pm
by Straker
Inf0Byt3 wrote:
So what keeps us alive and not having a hell of a time fixing our machines is that there is no perfect rootkit, one that hides itself completely. If someone were to do that, we would be doomed.

Did you read the PDF?

"Removing this infection, on the other hand, would turn out to be much more difficult than expected. In August 2006, three months later, this infection is still spreading widely - not only in Italy, but to other countries as well. No security company has released an update for their engine or found a solution which totally removes the infection."

Posted: Mon Aug 28, 2006 5:11 pm
by Inf0Byt3
Whoops, it seems we already are doomed. However, I'm sure there has got to be a way to kill it... Nothing is perfect in this world (luckily), so it won't be a problem in the future :roll:. Thanks for the PDF, it's a good read!