tw,
I've seen rootkits that have patched Windows DLL files and caused functions which other programs depend upon to be disabled.
If a rootkit is going to infect your system, it's going to patch the Win32 APIs for IP Activity, Unexplained Processes, CPU Time, and Registry Entries, and patch other functions as needed. This is what rootkits do via APIs on Windows, and via APIs or trojaned copies of ls, ps, and other file utilities on Linux or UNIX variants.
Your average user will not be running Wireshark on another PC and scanning their network to see the unexplained IP traffic. If they did, chances are that they are smart enough to not get rooted.
I caught one because it didn't patch functions well enough and I was able to use Rootkit Revealer to figure out its existence due to that.
Quote:
Originally Posted by tw
Other than appropriate software, any symptoms to detect or suspect that rootkit? For example, IP activity? Unexplained processes? Excessive CPU time? Unexplained disk activity? Disabled functions? Registry entries?
Never looked at Systeminternals Rootkit Revealer because I never saw any reason to need it.
|