About Rootkit

What is rootkit? Is it type of malware or just a technique they use?

Thanks

 

Hi KERANO,

This explanation might help: Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?.

Nick

 

They explane what rootkit technique is and there is no answer on my question

 

A rootkit together with a trojan/backdoor is malware. Normally there is no serious reason to have a rootkit installed one your machine that said: If a rootkit is detected there is almost for sure more than just the rootkit.

Kernel mode rootkits (Device Drivers) which running on ring0 can even do serious damage to your machine, for instance you can do very nasty hardware things with ring 0 power. Turning off a CPU fan for instance. No need to explain what happens if you do that

Beside of this expierenced developers/analysts can easily detect such rootkits with ntoskrnl.dll functions, there existing a few very useful functions such as context swapping which even a rootkit cannot really avoid

Cheers,
Happy Bytes

 

Quoting from the link:

"...on Windows typically the word 'rootkit' is used to discuss a specific sub-set of malware that provides stealth functionality i.e. the ability to hide stuff and nothing more..."

Nick

 

Removed this thread from the TDS forum as it is more appropriate here

ProcesGuard will protect you from all current kernel mode root kits

Here is a quote from the DCS website:
Rootkits are another serious threat, because once they've infected your system they can often be extremely difficult to detect (as they modify the operating system itself in order to hide, effectively becoming a stealth trojan). ProcessGuard allows you to block the installation of rootkit drivers, preventing any infection from occurring. Firewall bypass techniques are also another big security problem where ProcessGuard can lend a hand.

 

Yes, ProcessGuard is indeed a very helpful tool for this, i'm also a proud licensed user of PG

At least from my point of view it's highly recommended.

Cheers,
Happy Bytes

 

As a PG user I sure hope that is true! But is it not technically possible for a kernel level rootkit to be so fast at bootup that it beats PG to the punch, installs itself, gets stealthed and then becomes impossible to deal with?

 

The dropper would have to run during normal session, PG's security would pop up before it could execute and if allowed would also require that a service / driver be installed. If all that occurred and you did reboot then the the race would be on but there would still be no guarantee that PG would load after the rootkit.
Also AV's and AT's may see the rootkit dropper programs though I am not sure how effective they would be.

Pilli

 

Thanks Pilli, that sounds reassuring!

 

Oh yes . Pilli is very correct . And Happy . WELCOME to PG land . lol

 

Thumbs up for PG ... and RegDefend. Proactive tools are the way to go.