#1
Lecturer
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
TW,
A rootkit is a type of virus/malware that uses "cloaking" techniques to hide itself from the OS and end user. If you've read what I've mentioned, the Windows API makes it really easy to create one. And, yes, I have seen them. Rootkits are the reason why I scan machines with a bootable CD that has the latest virus definitions and tools I can use to determine what loads when a machine boots up. The only effective way to get rid of a rootkit is to scan the machine with a known good alternate OS, not the OS itself. When you have a rootkit, the only way to be sure is to use an alternate OS. Anti-rootkit technology is nothing more than AV technology that scans for the API hooks that rootkits use to cloak themselves. It's effective a good portion of the time, but I've seen rootkits get past the Sysinternals tool (Rootkit Revealer). UNIX, Linux, and Windows have this issue, as does any other OS that runs on a Von Neumann architecture where the OS and program data are loaded into the same memory banks and intermingle. The best way to rid yourself of a rootkit is the same on UNIX, Linux, Windows, or any other OS. Boot into an alternate OS and scan that way, because you cannot be sure that the OS that has been compromised has any integrity.
#2
Read? I only know how to write.
Join Date: Jan 2001
Posts: 11,933
Never looked at Sysinternals Rootkit Revealer because I never saw any reason to need it.
#3
Lecturer
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
This is what I have seen
tw,
I've seen rootkits that have patched Windows DLL files and caused functions which other programs depend upon to be disabled. If a rootkit is going to infect your system, it's going to patch the Win32 APIs for IP activity, unexplained processes, CPU time, and registry entries, and patch other functions as needed. This is what rootkits do via APIs on Windows, and via APIs or trojaned copies of ls, ps, and other file utilities on Linux or UNIX variants. Your average user will not be running Wireshark on another PC and scanning their network to see the unexplained IP traffic. If they did, chances are that they are smart enough to not get rooted. I caught one because it didn't patch functions well enough and I was able to use Rootkit Revealer to figure out its existence due to that.
#4
Read? I only know how to write.
Join Date: Jan 2001
Posts: 11,933
Is there somewhere to look at a currently stored DNS table? Is that where a rootkit would corrupt DNS? (Had not thought about that type of corruption.) Popups are supposed to be blocked on my machine. However, zedo.com does get their advertisement popup when I access one web site. I have their IP address blocked in the firewall. However, it has always bothered me that their popup gets through.