About Rootkit

Discussion in 'malware problems & news' started by KERANO, Mar 22, 2005.

Thread Status:
Not open for further replies.
  1. KERANO

    KERANO Guest

    What is rootkit? Is it type of malware or just a technique they use?

    Thanks
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
  3. KERANO

    KERANO Guest

    They explain what the rootkit technique is, and there is no answer to my question :(
     
  4. Happy Bytes

    Happy Bytes Guest

    A rootkit together with a trojan/backdoor is malware. Normally there is no serious reason to have a rootkit installed on your machine. That said: if a rootkit is detected, there is almost for sure more than just the rootkit.

    Kernel mode rootkits (device drivers), which run on ring 0, can even do serious damage to your machine; for instance, you can do very nasty hardware things with ring 0 power. Turning off a CPU fan, for instance. No need to explain what happens if you do that ;)

    Besides this, experienced developers/analysts can easily detect such rootkits with ntoskrnl.dll functions; there exist a few very useful functions, such as context swapping, which even a rootkit cannot really avoid :D

    Cheers,
    Happy Bytes
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Quoting from the link:

    "...on Windows typically the word 'rootkit' is used to discuss a specific sub-set of malware that provides stealth functionality i.e. the ability to hide stuff and nothing more..."

    Nick
     
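The "hide stuff" definition quoted above and Happy Bytes' point that the kernel still answers some questions a rootkit cannot intercept are the basis of cross-view detection: ask for the process list through the interface a rootkit hooks, ask again through one it usually does not, and diff the answers. The script below is an added example and not code from this thread or from any of the products named in it; it shows the technique on Linux /proc in Python rather than on the Windows kernel the thread is about, because the idea is identical and it can be run directly. It assumes a normal /proc mount and enough privilege to probe other users' PIDs (see the note after the code); all function names are mine.

```python
"""Cross-view detection of hidden processes, shown on Linux /proc.

The kernel is asked "which processes exist?" in two ways: through readdir on
/proc, the interface a rootkit typically hooks because that is what `ps` and
`ls /proc` use, and per PID through kill(pid, 0), which the kernel answers for
each PID individually. A PID the second view reports and the first does not is
something being hidden from user-mode tools.
"""
import os


def procfs_view():
    """PIDs as user-mode tools see them: the numeric directory entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(max_pid):
    """PIDs that exist according to kill(pid, 0), probed one by one.

    ESRCH means no such process. EPERM means the process exists but belongs
    to another user, so it still counts as alive.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def thread_group_of(pid):
    """Tgid from /proc/<pid>/status, or None if that entry cannot be read.

    Linux kill() also accepts thread IDs, and threads are not listed by
    readdir on /proc, so without this check every multithreaded process
    would look like a cluster of hidden PIDs.
    """
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(max_pid=None):
    """PIDs that kill() confirms but readdir(/proc) does not list.

    Candidates are re-checked in a second pass so that a process which exited
    between the two enumerations is not reported as hidden.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    candidates = probe_view(max_pid) - procfs_view()
    confirmed = set()
    for pid in sorted(candidates):
        tgid = thread_group_of(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread of some process, not a hidden process
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # exited between the two enumerations
        except PermissionError:
            pass
        if pid not in procfs_view():
            confirmed.add(pid)
    return confirmed


def self_check():
    """The running process must appear in both views and must not be reported
    as hidden; returns the three results as a tuple for a quick sanity test."""
    me = os.getpid()
    return (me in procfs_view(), me in probe_view(me), me not in hidden_pids(max_pid=me))


if __name__ == "__main__":
    hidden = hidden_pids()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

Two caveats a practitioner should keep in mind. A /proc mounted with hidepid=1 or 2 also removes other users' processes from readdir while kill() still answers EPERM for them, so run this as root or expect those as false positives. And a kernel-mode rootkit that hooks the kill() path as well as readdir defeats this particular pair of views; that is why serious tools pull a third view straight from kernel structures the scheduler must keep accurate, which is the "context swapping" angle in post 4.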
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Removed this thread from the TDS forum as it is more appropriate here :)

    ProcessGuard will protect you from all current kernel mode rootkits ;)

    Here is a quote from the DCS website:
    Rootkits are another serious threat, because once they've infected your system they can often be extremely difficult to detect (as they modify the operating system itself in order to hide, effectively becoming a stealth trojan). ProcessGuard allows you to block the installation of rootkit drivers, preventing any infection from occurring. Firewall bypass techniques are also another big security problem where ProcessGuard can lend a hand.
     
  7. Happy Bytes

    Happy Bytes Guest

    Yes, ProcessGuard is indeed a very helpful tool for this, i'm also a proud licensed user of PG :D

    At least from my point of view it's highly recommended.

    Cheers,
    Happy Bytes
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    As a PG user I sure hope that is true! But is it not technically possible for a kernel level rootkit to be so fast at bootup that it beats PG to the punch, installs itself, gets stealthed and then becomes impossible to deal with?
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The dropper would have to run during a normal session; PG's security would pop up before it could execute, and if allowed it would also require that a service / driver be installed. If all that occurred and you did reboot, then the race would be on :) but there would still be no guarantee that PG would load after the rootkit.
    Also AVs and ATs may see the rootkit dropper programs, though I am not sure how effective they would be.

    Pilli :)
     
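The boot-time race Pilli describes is decided by fixed rules, not by speed: Windows loads boot-start drivers (Start=0) in the boot loader, system-start drivers (Start=1) in the I/O manager, and auto-start drivers (Start=2) from the Service Control Manager, and within each phase it orders drivers by their Group's position in Services\ServiceGroupOrder\List and then by Tag through Control\GroupOrderList. The script below is an added example, not code from this thread or from ProcessGuard, that models those documented rules over a constructed registry snapshot so you can see which driver would come first. The group list is abbreviated, the driver names "hostguard", "shadowrk" and "laterk" are hypothetical stand-ins for a protective driver and two rootkit drivers, untagged drivers in a group are assumed to load in name order, and service dependencies are not modelled.

```python
"""Who wins the boot-time race: a model of Windows driver load ordering.

Boot-start drivers (Start=0) are loaded by the boot loader, system-start
drivers (Start=1) by the I/O manager during kernel initialisation, and
auto-start drivers (Start=2) later by the Service Control Manager. Within each
phase the load-order group (the Group value under each Services key) is ranked
by HKLM\\SYSTEM\\CurrentControlSet\\Services\\ServiceGroupOrder\\List, and
within a group drivers with a Tag load in the order their tag appears in
Control\\GroupOrderList, untagged ones afterwards. Service dependencies
(DependOnService / DependOnGroup) are not modelled here.
"""
START_BOOT, START_SYSTEM, START_AUTO, START_MANUAL, START_DISABLED = 0, 1, 2, 3, 4

# ServiceGroupOrder\List, abbreviated for the example (the real list has many
# more FSFilter groups); only the relative order matters to the model.
GROUP_ORDER = [
    "System Reserved", "Boot Bus Extender", "System Bus Extender",
    "SCSI miniport", "Port", "Primary Disk", "SCSI Class",
    "FSFilter Infrastructure", "FSFilter Anti-Virus",
    "FSFilter Activity Monitor", "FSFilter Top", "Filter",
    "Boot File System", "Base", "File System", "Network", "Extended Base",
]

# GroupOrderList decoded: tag values in load order per group (constructed).
GROUP_ORDER_LIST = {
    "Boot Bus Extender": [1, 2, 3, 4, 5, 6, 7, 8],
    "SCSI Class": [1, 2, 3],
}

# Constructed sample of Services\<name> keys. "hostguard" stands in for a
# protective driver, "shadowrk" and "laterk" for rootkit drivers; all three
# names are hypothetical.
SERVICES = {
    "acpi":      {"Start": START_BOOT,   "Group": "Boot Bus Extender", "Tag": 2},
    "pci":       {"Start": START_BOOT,   "Group": "Boot Bus Extender", "Tag": 3},
    "shadowrk":  {"Start": START_BOOT,   "Group": "Boot Bus Extender", "Tag": 8},
    "disk":      {"Start": START_BOOT,   "Group": "SCSI Class",        "Tag": 1},
    "hostguard": {"Start": START_BOOT,   "Group": "FSFilter Activity Monitor", "Tag": 1},
    "ntfs":      {"Start": START_BOOT,   "Group": "Boot File System"},
    "laterk":    {"Start": START_AUTO},
    "mouclass":  {"Start": START_MANUAL, "Group": "Pointer Class"},
}


def load_key(name, svc, group_order=GROUP_ORDER, group_order_list=GROUP_ORDER_LIST):
    """Sort key giving one driver's position in the boot sequence, or None if
    the driver is not started at boot at all (manual or disabled)."""
    start = svc["Start"]
    if start not in (START_BOOT, START_SYSTEM, START_AUTO):
        return None
    group = svc.get("Group")
    if group is None:
        group_rank = len(group_order) + 1   # no group: after every group
    elif group in group_order:
        group_rank = group_order.index(group)
    else:
        group_rank = len(group_order)       # group not in the list: after listed ones
    tags = group_order_list.get(group, [])
    tag = svc.get("Tag")
    tag_rank = tags.index(tag) if tag in tags else len(tags)
    # Assumption of the model: untagged drivers within a group load in registry
    # enumeration order, taken here as case-insensitive name order.
    return (start, group_rank, tag_rank, name.lower())


def boot_load_order(services=SERVICES, group_order=GROUP_ORDER, group_order_list=GROUP_ORDER_LIST):
    """Driver names in the order the model says they are loaded at boot."""
    keyed = []
    for name, svc in services.items():
        key = load_key(name, svc, group_order, group_order_list)
        if key is not None:
            keyed.append((key, name))
    return [name for _, name in sorted(keyed)]


def loads_before(a, b, services=SERVICES, **kw):
    """True if driver a is loaded before driver b; both must load at boot."""
    order = boot_load_order(services, **kw)
    return order.index(a) < order.index(b)


if __name__ == "__main__":
    for position, name in enumerate(boot_load_order(), 1):
        print(f"{position:2d}. {name}")
```

The point the model makes is the one TopperID was worried about: a rootkit driver registered as Boot-start in an early group such as Boot Bus Extender is loaded by the boot loader before any file-system filter, however early that filter sits in its own group, so once the dropper has been allowed to create the service key the race is already lost. The practical check is therefore to review the Services keys for unexpected Start=0 drivers in early groups, which is exactly the registry write a tool like ProcessGuard tries to stop before the reboot.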
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanks Pilli, that sounds reassuring! :-*
     
  11. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Oh yes. Pilli is very correct. And Happy, WELCOME to PG land. lol
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thumbs up for PG ... and RegDefend. Proactive tools are the way to go.
     