The Cellar  

Old 02-05-2009, 09:10 AM   #1
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
This is what I have seen

tw,

I've seen rootkits that have patched Windows DLL files and caused functions which other programs depend upon to be disabled.

If a rootkit is going to infect your system, it's going to patch the Win32 APIs for IP Activity, Unexplained Processes, CPU Time, and Registry Entries, and patch other functions as needed. This is what rootkits do via APIs on Windows, and via APIs or trojaned copies of ls, ps, and other file utilities on Linux or UNIX variants.

Your average user will not be running Wireshark on another PC and scanning their network to see the unexplained IP traffic. If they did, chances are that they are smart enough to not get rooted.

I caught one because it didn't patch functions well enough and I was able to use Rootkit Revealer to figure out its existence due to that.

Quote:
Originally Posted by tw
Other than appropriate software, any symptoms to detect or suspect that rootkit? For example, IP activity? Unexplained processes? Excessive CPU time? Unexplained disk activity? Disabled functions? Registry entries?

Never looked at Sysinternals Rootkit Revealer because I never saw any reason to need it.
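A simplified version of the cross-view comparison that let Rootkit Revealer expose the rootkit mbpark describes, as an added example (not code from the thread or from Sysinternals): a hook in the process-enumeration path, or a trojaned ps, can only lie in the view that passes through it, so the check compares that view with an independent raw read of /proc. The Linux /proc listing and the `ps -e -o pid=` call are assumptions for a Linux host; on Windows the same idea compares the Win32 enumeration API against lower-level reads, and the sample data is constructed.

```python
# Added example: cross-view process enumeration check (Rootkit Revealer style,
# simplified). PIDs visible in the raw /proc view but absent from the tool view
# are suspects. Sample inputs at the bottom are constructed for illustration.
import os
import subprocess


def parse_ps_pids(ps_output: str) -> set[int]:
    """PIDs from `ps -e -o pid=` output (the high-level view a trojaned ps could filter)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def parse_proc_pids(entries) -> set[int]:
    """PIDs from a raw /proc listing; non-numeric entries (self, cpuinfo, ...) are ignored."""
    return {int(name) for name in entries if name.isdigit()}


def cross_view_diff(high_view: set[int], low_view: set[int]) -> dict:
    """Compare the two views; 'hidden_from_high' is the set worth investigating."""
    return {
        "hidden_from_high": sorted(low_view - high_view),
        "only_in_high": sorted(high_view - low_view),
    }


def live_check():
    """Run the comparison on a Linux host; returns None where /proc is absent.

    Processes start and exit between snapshots, so a PID only counts as part of
    the raw view when it appears in /proc listings taken both before and after
    ps ran. ps's own PID may show up in 'only_in_high'; that is expected noise.
    """
    if not os.path.isdir("/proc"):
        return None
    before = parse_proc_pids(os.listdir("/proc"))
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True)
    after = parse_proc_pids(os.listdir("/proc"))
    stable_low_view = before & after
    return cross_view_diff(parse_ps_pids(ps.stdout), stable_low_view)


# Constructed sample: the raw listing shows PID 1337, the ps view does not.
SAMPLE_PROC_LISTING = ["1", "2", "1337", "4242", "self", "cpuinfo", "meminfo"]
SAMPLE_PS_OUTPUT = "    1\n    2\n 4242\n"

if __name__ == "__main__":
    print(cross_view_diff(parse_ps_pids(SAMPLE_PS_OUTPUT), parse_proc_pids(SAMPLE_PROC_LISTING)))
    print(live_check())
```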
Old 02-05-2009, 01:33 PM   #2
tw
Read? I only know how to write.
 
Join Date: Jan 2001
Posts: 11,933
Quote:
Originally Posted by mbpark
Your average user will not be running Wireshark on another PC and scanning their network to see the unexplained IP traffic. If they did, chances are that they are smart enough to not get rooted.
I routinely see unsolicited probing lately of port 445 - a file download port and what is used by Microsoft Download Service. Don't recall seeing these many months ago. These unsolicited probes are now numerous - more numerous than the constant message from China that attempts to pop up and says, "Your computer is corrupted. Click on this to download a cleaner." I once would see (and block) that one maybe every 40 minutes.

Is there somewhere to look at a currently stored DNS table? Is that where a rootkit would corrupt DNS? (Had not thought about that type of corruption).

Popups are supposed to be blocked on my machine. However, zedo.com does get their advertisement to pop up when I access one web site. I have their IP address blocked in the firewall. However, it has always bothered me that their popup gets through.
All times are GMT -5.