How smart are rootkits/trojans?

Hi,

Several weeks ago I was using Process Explorer ( http://www.sysinternals.com/Utilities/ProcessExplorer.html ), and started questioning its accuracy.

Given that a rootkit, trojan, etc. can delink itself from the active process list, would Process Explorer or another similar tool still be able to detect its presence?

Your thoughts?

Thanks.

 

Rootkit detection

What is the best software for rootkit detection? Also, how do you get infected with a rootkit?, is it in the same way you get infected with viruses/trojans? I use nod32, does this detect rootkits?

Thanks

 

NOD32 doesn't detect rootkits

You could get infected by many methods. Hard to say.
Casual web browsing sometimes does it or installing
already infected software etc

Best rootkit detection?
For the layman perhaps Sysinternals Rootkit Reveller though there
are more advanced tools like Ice Sword. Some Rootkits are very
difficult to track

========

Process Explorer could easily miss a well hidden rootkit
Check their Rootkit Reveller

 

Cheers for reply.

 

I just found this on Process Explorer's description page:

Suggers, you can download Rootkit Revealer here: http://www.sysinternals.com/Utilities/RootkitRevealer.html

Ok here's the next question...

Would a kernel-mode rootkit be able to outsmart a software firewall?

 

Re: Rootkit detection

Rootkits use the same infection vectors as any other malware (exploiting either OS, applications or users). Safe hex goes a long way toward preventing these.
I've been trying out NOD and am impressed with it's detection of standard threats and small footprint but when it comes to the really devious exploits such as rootkits, I wouldn't be caught dead without my BOClean.

 

From what I understand about rootkits, once you get one - it's game over. Once you get infected with a rootkit just about anything could be done by the perpetrator. That why as R. Morris said, prevention is the real key.

If I found I was infected with a rootkit, I would reformat, even with all the anti-rootkits tools available. Of course that would only be after much testing to ensure that I really had a rootkit and not just some FPs like Rootkit Revealer has been known to throw up from time to time.

 

Re: Rootkit detection

I think I remember reading somewhere else on here that BOClean is good at detecting rootkits. How does it do this? If BOClean only scans memory, then won't the rootkit have to actually start before BOClean detects it? By then is it not too late?

 

A rootkit, or any malware for that matter, is only capable of doing bad things when it's active in some way/s. Just sitting on your hard drive it's not doing anything at all, so you could have dozens/hundreds in there all sitting pretty, and harmless.

Only when something is loaded/active/running etc can it do any work/damage. So BOClean doesnt waste time on inaction, and only needs to jump in to kill whatever, when it's in memory, which it does very quickly and effectively.

Of course not getting nasty in your PC in the first place, that could do harm etc, is the best option of all. That's why locking down your PC and Browser is so important, before you even think of adding any other Apps, apart from a good and properly configured FW naturally.

BitDefender have also launched an anti rootkit product. Bitdefender AntiRootkit RootKit Uncover http://news.bitdefender.com/NW253-en--BitDefender-Releases-Antirootkit-Beta.html BitDefenders next AV v10 - Pro - Standard - Internet Security will have the BD RKU technology built into it. A few other vendors are also waking up to the possible real threats faced by some comsumers, and releasing or incorporating AntiRootkit products.


StevieO

 

I want to ask how effective is Sandboxing and Virtualization against root kits?

 

Re: Rootkit detection

BOClean will nail a rootkit when it *begins* to execute, preventing it from having the chance to complete installation, same as it does for any malware. It will also detect a rootkit or other malware that's already running on a system, so the user is protected both ways.

In our lab, we work with rootkits every day. Haven't needed to reinstall an OS after cleaning up after one with BOClean yet.....

 

Re: Rootkit detection

Thanks Nancy, you've just persuaded me to buy a second BOClean license for my laptop too.

 

Re: Rootkit detection

A running rootkit .exe may not show up in the process list of Process Explorer, but if you highlight the "system process" (not really a process), you can see the loaded drivers in the lower pane, and if you look at the .dll's loaded by explorer.exe you can often spot loaded .dll's. This may not be 100%, but Process Explorer definitely gives you some advantages over the standard task manager, even beyond all the other great features

 

http://news.zdnet.com/2100-1009_22-6095762.html

 

Process Explorer is a valuable asset in my inventory but i also believe PROCESS VIEWER AN INVALUABLE TOOL that also keeps a running tally on EXACTLY what processes ran last in exact order from last boot. This helps to identify where and more important, WHEN a process file was running and before or after other normal files in that list.

Give it a try, it's an old faithful thats been around.

You will want to access the top menu of the program and under TOOLS select PROCESS MONITOR and there you are.

Hats off to all these Third Party developers for their efforts in helping to track down intruders and the research that offers an end user or professional accurate confidence on just what WAS/IS running and WHERE/WHEN.

Excellent assistance.

Of course if you're interest is a concern over possible rootkit intrusion there are several pretty decent interragators like ICE SWORD and the like that delves deeper into their hidden wares on an active running system

 

Well, to answer the question, I believe they can be very smart, at the moment I have the feeling that I´m infected (might be because I´m paranoid) but something just doesn´t feel right.

The problem is that none of my security tools can find anything strange on my system. So if I´m infected this is one smart son of a b*tch. This also tells me that I must have made a mistake (with not being careful enough) and my setup is (or was) not strong enough, apparently.

 

What makes you think you're infected? I'm just curious what you mean by "something just doesn't feel right".

In any event, I have a feeling--just a feeling, mind you, since I am neither an expert nor a nefarious piece of human excrement who creates such things--that people have too much faith and confidence in the ability of mainstream (and even sidestream) security software to detect the best rootkits.

 

Well, I do not want to go into details, you never know if those bastards are also reading these forums, and they could perhaps use this info to perfect their rootkit. Yes, I know what y´all thinking, "this guy has lost it".

But anyway, my system is not really unstable, programs are not crashing and stuff, however there is a certain kind of behavior that´s kind of strange, of course it might also be a conflict on my system. But I´m going to reinstall my system and the plan is to install only apps that I really need and trust. And I also hope that my security setup will be strong enough to stop those zero day malware attacks in the future.

 

Someone mentioned here a while back you are allowed to install BoClean on up to 5 personal home computers and I remember Kevin mentioning you could install it for sure on two.

controler

 

Hi Folks

I found this a while ago which some might find interesting concerning rootkits and their detction.

Some of it too complicated for a newb such as myself


http://www.vigilantminds.com/files/inside_windows_rootkits.pdf

 

pffew , you're really paranoïd, don't you !!



Why don't you post a Hijackthis log somewhere, to get an opinion about it?


nicM

 

Hijack this log can detect rootkits? I really doubt.
BTW, I agree he seesn paranoid, sorry to say. Rootkits are still not so common.

 

The Sony rootkit and the Symantec protected recycle bin were very common.

Rootkits are much more common then they were a year ago. It was not more then a year ago I was posting about rootkits only to have the experts post they were science fiction and not to worry.

Now look!!!!!!!!!!!!!!

 

As you probably know, HJT can't show rootkits, but the spyware helper taking care of the HJT log should suspect its presence if there is one , him (depends of the kind of malware found in the log), and then help to remove it.

That's why I advised Rasheed187 to ask for help on a HJT analysis forum.


nicM