do HIPS protect against rootkit installs?

just wondering if HIPS could prevent a rootkit being installed, possibly by detecting a system change during the installation process?

 

Yes, interesting point - not sure if PrevX qualifies as a HIPS but I'm also wondering if it can potentially prevent a rootkit from installing?

 

A qualified yes, if you are smart enough to respond correctly to the prompt.

A rootkit doesn't have any godlike powers during installation, it's exactly the same as how a virus, adware or any malware installs. If your HIPS happens to be monitoring the areas or changes that the rootkit tries to change, you will be prompted just like any other kind of malware.

So for kernel rootkits, they basically need to install a driver/service.

Essentially if you have anything watching service/driver installs hooking NTloadriver?? (eg Processguard), or changes to c:\windows\system32\drivers (eg Prevx) or registry entries
HKEY_LOCAL_MACHINE\System\*controlset*\Services\* etc (say regdefend) you basically cover some of it.

or you could run without admin rights for the same thing.

I'm still doing research on what user mode rootkits do and where they typically install. Once i figure that out, I will then see if these changes are monitored by HIPS.

 

Samurai does prevent rootkit installation to an extent, it observes any hidden or other drivers being loaded by new programs and warns and blocks it till you do the likewise.

 

thanks for the information, whatdoiknow and Arup, much appreciated.

it's good to know that rootkits are "not stealthy" during installation, so at least they have an achilles heel there.

whatdoiknow - do you have any indication whether Spybot's TeaTimer utility can monitor any of those changes you mentioned would be involved for a kernel rootkit install?

also, are there any indications whether Windows 98 SE is more/less/equally vulnerable to rootkits?

thanks for any thoughts )

 

sorry, didn't mean to post an "eek" at the end of my last post - meant to post a smiley!

 

You are welcome, given the FUD about rootkits, I thought that would be more informative than just saying program x can stop rootkit installations.

Looking at the list of entries monitored by teatimer, my guess is probably not,
I mean the rootkit would install then hide the autostart entries from teatimer.

But what do I know?

kernel rootkits thesedays are all? for win2k/xp/nt and wouldn't work on win98.

Not sure about other rootkits, but probably same thing.

But what do i know?

 

The thing to understand about Windows 9x is that there is no user mode vs kernel mode. In Win9x any app can do pretty much anything it wants - apps can access hardware directly, write to eachother's memory spaces, and just about anything else they want to. It's basically like running everything in kernel mode and throwing away any protected user mode space. This was the reason that, back in the day, you could run games on Win9x but not NT (or 2000, usually). So pretty much any piece of malware could act just like a rootkit on Windows 9x without having to employ any special tricks that rootkits use now. Rootkits are kits that give the attacker root (administrator) access to the machine.. in Win9x that's no achievement, because it's all root (administrator).

Edit: (Administrator is the Windows equivilant to "root" in Linux & Unix, for anyone that missed previous threads.)

 

Thank you notok for clearing that up. I really think people who don't know anything shouldn't answer.

 

many thanks again whatdoiknow for the interesting insights, and thanks to notok for the background on Win98.

fernando villega - i don't think your comment was fair or useful - the information provided by all the previous posters in this thread is clearly useful - just because someone is not an expert in all areas does not mean they cannot provide useful information in some areas. that is what a forum is for - people try and make contributions and others can pick up and provide extra pieces of the jigsaw. nb i happened to read your minimally informative post in another thread - your post was not useful at all - no rationale, explanation or even background information. maybe you are so expert you expect your word to be taken as law? i know which posters in this thread i would seek help from, they would be those who offer information and are modest enough to acknowledge their limitations. safe to say you would not be among them.

 

Yup, I fully agree with those statements. If no one answered our questions, unless they thought they were a qualified expert, then we would probably get very very few answers to our questions at this forum. And often the answers are enough anyway even if they are not as complete as some would like to see. Or you will get a different perspective on something that will give you new insite into the matter. So thanx to all the posters here who try to help us out, it is appreciated.

 

I didn't say only experts should answer. I said if you don't know anything you shoudn't answer. What's the point of pretending to know the answer anyway?

Which post are you talking about? There is one post where I stated I liked something. I didn't say it was better objectively. What is there to explain?

 

i suspect you have no real knowledge pertinent to this thread - but you could prove me wrong by posting some useful information i guess

 

Superfly as guests I don't think we should be rude to registered members.

And your attempt to use reverse psychology to get more information is childish and unnecessary.

But what do I know?

 

reverse psychology? i didn't know i was that sophisticated! (grins) i just wondered if FV could enlighten us mere mortals with some of his rarefied knowledge (winks)

but seriously - i took exception to FV's dismissive remarks about your contributions - i find all his remarks bizarre and incorrect, and clearly i'm not the only one

anyhow, you're obviously more laidback about it than i am so all credit to you. i'm grateful for your excellent help in contributing to this thread, and i'll take your hint to desist (smiles)

 

Going back onto topic in answer to whatdoiknow Prevx1 does have the ability to prevent rootkit installations. As a hips product it will monitor various system calls, system file creation and hook the driver section of the registry to detect the creation of rootkits.

In addition the latest release v1.1.0.32 now has a rootkit scanner, although i have seen some positing on some issues with it.