How does one get rootkits?

now im scared of these things. I have heard about them. But how do you get them and can you get rid of them?

 

You get a rootkit the same way as any other malware. Most of the usual methods apply, drive-by sites, infected downloads, installed by another trojan, e-mail attachment, etc. Most rootkits use some form of an installer.

That depends on whether you can find it. The author of Hacker Defender had an antidetection service that could defeat most any detection method at will. http://hxdef.org/antidetection.php It was primarily done to try to force security vendors to develop real protection. According to him, they haven't done so yet. While he no longer offers this service, it's entirely possible that someone else has something similar, so there are no guarantees that all rootkits can be detected. While the vendors of rootkit tools like to claim that their products are effective, nothing detects them all. Just like anti-spyware apps, none of them can get the whole job done. I'm not convinced that using all of them will find everything. Other than accessing the hard drive from another OS and checking every file (lots of files), it's impossible to be completely sure. That said, the rootkit tools that are available do detect a lot of them. They can be very hard to remove. The only real solution is prevention, not letting one install. Unless you're using some form of process firewalling (HIPS), the problem there is knowing when you've contacted one. Just because an AV or spyware scanner says a file is clean doesn't mean it is. Just means they don't detect anything. Short of completely locking down a newly formatted system and installing or allowing nothing new, the best you can do is to only install trusted apps from their original sources, then scan everything that comes in with every available tool, local and online. I'd rely on a good HIPS with rules as tight as I could make them, and either deny any process I didn't recognize or investigate each new one completely until you are sure about what it is and what it does. Oftentimes exploits are used to get a rootkit onto a system. Keep up to date. If you use HIPS, limit what each app is allowed to do to only what it absolutely needs. Set it to either block or prompt you when any app tries to do anything outside its normal operation. Yes, this is the paranoid approach, inconvenient but effective.
There is another way to avoid rootkits, but you won't like it. Don't use an NT based version of windows. The DOS based versions don't allow files and processes to be hidden like they are in XP.
Rick

 

To answer the question that is the topic of this thread -- you get a rootkit because your security protection failed. A rootkit is simply a trojan that succeeding in getting itself established on your computer. Rootkits install as a exe, driver, dll - the same as any trojan, and can be prevented in the same way.

If your AV/AT/HIPS/etc blocks the executable from getting into your computer's living room, you prevent the rootkit from installing. No trojans, no rootkits.

As to how to get rid of them -- BOClean stops them & kills them on your computer's front porch. Other programs can do that job, too. I'm sure folks will come along to suggest more options.

 

Rick:

You said something very interesting here:

"I'd rely on a good HIPS with rules as tight as I could make them, and either deny any process I didn't recognize or investigate each new one completely until you are sure about what it is and what it does. Oftentimes exploits are used to get a rootkit onto a system. Keep up to date. If you use HIPS, limit what each app is allowed to do to only what it absolutely needs. Set it to either block or prompt you when any app tries to do anything outside its normal operation. Yes, this is the paranoid approach, inconvenient but effective"

My question is what is an HIPS? I think my ZA pro program control is one but is that right? Sorry to be so pesky.

Escalader (Craig)

 

so HIPS can protect me?

 

Use common sense mate, then you won't get anything not just rootkits.

Common sense means here:

1. Updated XP.

2. Surf under a limited account.

3. Sensible protective measures: router, software firewall with inbound & outbound, AV, etc.

4. E-mail spam blocker and never open anything suspicious even from acquitances (remember that social engineering is a technique used by malware)

5. Avoid the Internet's "dark alley" (no need to get into further detail, we all know).

 

HIPS is short for Host Intrusion Protection System. I haven't looked at ZA in years so I can't say if the pro version has a HIPS component. I like System Safety Monitor.
I'm referring to the "classical HIPS" here, not the sandbox programs, which operate differently. HIPS can protect you. Whether it actually will depends on you and how you answer an alert for a new process or activity. When properly set up, only processes you allow will run. A rootkit won't slip past a HIPS program. But, if you allow an installer for a rootkit to run, possibly thinking it's something else, then it may not defend you. There's several good threads here on HIPS in general and more that are brand specific.
A lot of security apps will recognize the installers of the known rootkits, "known" being the operative word here. Bellgamin mentioned BoClean, which is highly recommended. How well it does against newly released malware depends on the item being detected. If it's a new variant of something previously released, it has a good chance. If it's brand new, it might not. BoClean does better than most of them, but no software detects or identifies everything.
Which approach is better depends on the user. If you're one who likes to get into the "nuts and bolts" of your system, HIPS is a good choice. If you want the software to do the work for you, classic HIPS wouldn't be a good choice. The difference between using an app like BoClean and classic HIPS is that HIPS doesn't try to identify the item. Malware installers/processes are treated the same as system processes and legit software. Think of classic HIPS as an enforcer on your system that enforces rules you make. If your rules are good, the protection is good. You have to decide what can run, which requires that you either know what the processes are or are willing to take time to find out. Classic HIPS is not suitable for casual users, but is ideal for those who know their systems in depth.
Rick

 

ZAP is a sort of Behavioural blocker I think and is really nice.

 

Regarding rootkits and any other malware, I don't depend on detection anymore, I just rollback with a frozen snapshot and everything is gone. Not only complete but also very fast, faster than any scanner or group of scanners ever will be.

 

Beside the measure of doing frequently an image of my partition, i am scanning (in this case wrong word) my system frequently with IceSword which should detect 99,9% of Rootkits. Also the internal com detecion feature of Jetico v2 prevents and helps a lot.

 

Just ignorant, but what is a "drive by site?"

Thanks,
Jerry

 

jerry i think i can field this one, its where there is a box that comes up and says clikc yes and if you click no it says you must click yes. if you click yes you get infected. its takes advantage of the netsend messenger function. so i downloaded xp-antispy to disable the netsend service since as a home user i dont need it. its called the messening service used by admins.
sometimes only option is yes and in that case have to stop via task manager.

so if home user disable it somehow. spysweeper can disable it as well but migth as well use xp-antispy.

hope this helps jerry

 

Not ignorant at all Jerry and I'll stand corrected if wrong but I feel certain Rick's use of the phrase "drive-by sites" refers to a site where-by you receive a possible drive-by download of an item you probably did not want.

Bubba

 

So you basically vacuum the whole carpet after messing it all up, hey?

 

Thanks for the replies. I understand better now.
Jerry

 

It sounds that way, but it isn't.
I also installed Faronics Anti-Executable with level "High" in my frozen snapshot. So in theory there is no mess if AE does its job.
The frozen snapshot is just an extra safety, if AE fails or my router fails or my firewall fails. Right now, I just can't choose between AE and Prevx1.
Of course I have to test all this, but I haven't freetime enough to do it.

At this moment, I'm working on "nLite" to create an "Updated WinXPproSP2 Installation CD", because I'm planning to reinstall my computer, not because I'm in trouble, but because I would like to move the folder "Documents and Settings" completely from my system partition [C:] to my data partition [D:]. The pre-tests were very promising to continue this separation.
This separation is priority #1, simply because you have to install Windows first and then your security.
Not many members seem to be interested in this separation and my security setup, so I have to do it myself.

I'm just trying new things. It's all in my head, but I need more time to execute/test it.