Discussion in 'malware problems & news' started by KERANO, Mar 22, 2005.
What is a rootkit? Is it a type of malware or just a technique they use?
This explanation might help: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?.
They explain what the rootkit technique is, and there is no answer to my question.
A rootkit together with a trojan/backdoor is malware. Normally there is no serious reason to have a rootkit installed on your machine. That said: if a rootkit is detected, there is almost for sure more than just the rootkit.
Kernel mode rootkits (device drivers), which run in ring 0, can even do serious damage to your machine; for instance, you can do very nasty hardware things with ring 0 power, such as turning off a CPU fan. No need to explain what happens if you do that.
Besides this, experienced developers/analysts can easily detect such rootkits with ntoskrnl.dll functions; there exist a few very useful functions, such as context swapping, which even a rootkit cannot really avoid.
Quoting from the link:
"...on Windows typically the word 'rootkit' is used to discuss a specific sub-set of malware that provides stealth functionality i.e. the ability to hide stuff and nothing more..."
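The two posts above make the same point from opposite sides: a rootkit's job is to hide things from the normal enumeration APIs, and an analyst detects it by going around those APIs with a primitive the rootkit did not hook and comparing the two results. The block below is an added example of that cross-view comparison; it is not code from this thread, from Wilders, or from any product named here. The process table, the `_rk_` name prefix that the simulated hook filters on, and the PID range are all constructed for the example, and the "unhooked primitive" is just a direct table lookup standing in for reading kernel structures or probing PIDs directly.

```c
/* Cross-view rootkit detection, illustrated on a constructed process table.
 * Added example, not code from the thread or from any product named in it.
 * The "rootkit" here is a filter on the enumeration API that hides every
 * process whose name begins with HIDE_PREFIX (a hypothetical marker chosen
 * for this example). The detector never trusts that API: it rebuilds the
 * process list by probing every possible PID through a second, unhooked
 * primitive and reports whatever the high-level view left out. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_PID 64
#define HIDE_PREFIX "_rk_"

struct proc { int pid; const char *name; };

/* Constructed sample "system state": the ground truth the kernel knows. */
static const struct proc g_procs[] = {
    {  4, "System" },
    { 12, "services.exe" },
    { 27, "explorer.exe" },
    { 33, "_rk_backdoor.exe" },   /* the rootkit's payload, hidden */
    { 41, "notepad.exe" },
    { 58, "_rk_keylog.exe" },     /* also hidden */
};
#define NPROCS (sizeof g_procs / sizeof g_procs[0])

/* Low-level primitive: "does a process with this PID exist?"
 * Stands in for something the rootkit did not hook (opening a PID
 * directly, walking kernel structures, etc.). */
static const struct proc *lookup_pid(int pid) {
    for (size_t i = 0; i < NPROCS; i++)
        if (g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* The hooked high-level enumeration the rootkit controls: returns every
 * process except those carrying the hide marker. Returns count written. */
static size_t hooked_enum(int *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < NPROCS && n < cap; i++) {
        if (strncmp(g_procs[i].name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;              /* stealth: drop it from the listing */
        out[n++] = g_procs[i].pid;
    }
    return n;
}

/* Trusted low-level view: brute-force every PID through the unhooked primitive. */
static size_t raw_enum(int *out, size_t cap) {
    size_t n = 0;
    for (int pid = 0; pid <= MAX_PID && n < cap; pid++)
        if (lookup_pid(pid)) out[n++] = pid;
    return n;
}

static bool contains(const int *a, size_t n, int v) {
    for (size_t i = 0; i < n; i++) if (a[i] == v) return true;
    return false;
}

/* Cross-view diff: anything in the raw view but absent from the API view
 * is being hidden. Writes hidden PIDs to `hidden`, returns how many. */
size_t find_hidden_pids(int *hidden, size_t cap) {
    int api[MAX_PID + 1], raw[MAX_PID + 1];
    size_t napi = hooked_enum(api, MAX_PID + 1);
    size_t nraw = raw_enum(raw, MAX_PID + 1);
    size_t nh = 0;
    for (size_t i = 0; i < nraw && nh < cap; i++)
        if (!contains(api, napi, raw[i])) hidden[nh++] = raw[i];
    return nh;
}

/* Convenience accessor: i-th hidden PID, or -1 if there is none. */
int nth_hidden_pid(size_t i) {
    int hidden[MAX_PID + 1];
    size_t n = find_hidden_pids(hidden, MAX_PID + 1);
    return i < n ? hidden[i] : -1;
}

int main(void) {
    int hidden[MAX_PID + 1];
    size_t n = find_hidden_pids(hidden, MAX_PID + 1);
    printf("%zu process(es) hidden from the API view:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  pid %d  %s\n", hidden[i], lookup_pid(hidden[i])->name);
    return n ? 1 : 0;
}
```

The check is only as good as the low-level primitive: if the rootkit also hooks the path `lookup_pid` stands in for, both views agree and nothing is reported. That is exactly why the earlier post stresses kernel functions a rootkit "cannot really avoid" as the trusted side of the comparison.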
Removed this thread from the TDS forum as it is more appropriate here
ProcessGuard will protect you from all current kernel mode rootkits.
Here is a quote from the DCS website:
Rootkits are another serious threat, because once they've infected your system they can often be extremely difficult to detect (as they modify the operating system itself in order to hide, effectively becoming a stealth trojan). ProcessGuard allows you to block the installation of rootkit drivers, preventing any infection from occurring. Firewall bypass techniques are also another big security problem where ProcessGuard can lend a hand.
Yes, ProcessGuard is indeed a very helpful tool for this; I'm also a proud licensed user of PG.
At least from my point of view it's highly recommended.
As a PG user I sure hope that is true! But is it not technically possible for a kernel level rootkit to be so fast at bootup that it beats PG to the punch, installs itself, gets stealthed and then becomes impossible to deal with?
The dropper would have to run during a normal session. PG's security would pop up before it could execute and, if allowed, would also require that a service/driver be installed. If all that occurred and you did reboot, then the race would be on, but there would still be no guarantee that PG would load after the rootkit.
Also, AVs and ATs may see the rootkit dropper programs, though I am not sure how effective they would be.
Thanks Pilli, that sounds reassuring!
Oh yes. Pilli is very correct. And Happy, WELCOME to PG land. lol
Thumbs up for PG ... and RegDefend. Proactive tools are the way to go.