Is there a standard for Trojan/Rootkit to phone home ?

Discussion in 'privacy general' started by eyes-open, Oct 25, 2005.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    eyes-open

    The video does explain it in very easy to understand terms. The author shows the difference between usermode and kernel mode kits, which in turn shows how those two modes interact with Windows. He also goes into BIOS rootkits (video cards etc.) briefly.

    After you watch the video, come back and let us know what you think.

    controler
     
  2. u_b_pwn3d

    u_b_pwn3d Guest

    You know what would be funny......if you got a rootkit from downloading and watching that video about how to stop rootkits. :D
     
  3. butt if

    butt if Guest

    yea but Microsoft would never do that would they?

    Can the next generation Vista stop rootkits?
     
  4. u_b_pwn3d

    u_b_pwn3d Guest

    I was just joking around.....I don't think M$ would ever purposefully infect anyone with a rootkit....but then again who knows if they haven't already....after all they did have some secret meetings with US Homeland security not too long ago.

    Maybe M$ is now just a front operation for the men in black. Or better still maybe M$ is now run by the MIB, who is run by the shadow government, run by aliens from outer space...... who are really on a mission to take over the world....make slaves of everyone..... and mate with earth women. :D :D :D
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi eyes-open,

    One thing to keep in mind is that, even if you are able to somehow identify the remote address, it will very likely be a proxy in a chain of proxies used to hide the cracker. If you suspect a rootkit infection, your time would be better spent pulling out the HD, slaving it to a clean machine, and doing some forensics on it. If you find a rootkit and its accessories, salvage what's important to you from the HD, and then format it.

    Nick
     
  6. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    @ controler > Excellent video - first thing it does is crucial, gets the terminology right. Just this one act makes rootkits more definable and therefore easier to deal with as a technology.

    It certainly doesn't present any magic bullets - but that's ok too. Yet again it presents the responses that many of us are already familiar with. Layered/in-depth protection, secure passwords, patched systems etc - the basics. You don't have to be a whizzkid - just diligent.

    The sections on proprietary Rootkit detectors and also going the way of making your own comparative file lists using, for example a portable OS such as a LiveCD is also very accessible. It doesn't go into great depth - just enough to add to the overview that helps demystify the whole subject.

    Here is the link again - for those that want to get the video:-
    http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

    @ nick s

    Hi nick, I totally agree, the reason I was interested in accessing the port information wasn't to track a cracker. It was more about trying to identify patterns of illegitimate port activity that may or may not have been able to confirm the presence of malicious software stealthed by a rootkit. Specifically I wondered if you can't detect a positive infection, if you waited and watched long enough, would the absence of a call that wasn't explainable, be sufficient to re-assure. That's why I wondered if there was a standard that would indicate the length of such a time scale. I see now how netstat can be compromised and that at least from within the OS this activity would remain invisible (assuming it could retain stability).

    The irony being that I have discovered that the Rootkit .ini file may indeed reference a pattern of behaviour - unfortunately the same file initiates hiding the very activity that would identify the pattern (at least from the compromised OS). It's actually very tidy.

    Well, for me this has been a really useful thread. Many thanks everyone for all your help :cool:
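The "comparative file lists" approach eyes-open mentions (one listing taken from inside the running install, one taken of the same drive from a LiveCD or a clean host with the drive slaved, as nick s suggests) comes down to a cross-view diff: anything the rootkit hides from the live OS is present in the offline listing but missing from the live one. The script below is an added example written for this thread, not code from any poster or from the Microsoft video. The `path|size|sha256` row format, the listing-script names and every path and hash value in the two sample listings are constructed for illustration.

```python
"""Cross-view comparison of two file listings of the same Windows volume.

View A ("live") is produced by a listing script run inside the possibly
rootkitted OS; view B ("offline") is produced by the same script run from a
LiveCD or from a clean machine with the drive slaved. A user/kernel-mode
rootkit can filter what the live OS sees, but it cannot filter what a clean
OS reads from the raw disk, so the two views should normally be identical.

Added example; the row format 'path|size|sha256' is a hypothetical convention
and all sample rows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Entry:
    path: str     # normalised: lower-cased, backslash separators
    size: int
    sha256: str   # lower-cased hex digest


def parse_listing(lines: Iterable[str]) -> Dict[str, Entry]:
    """Parse 'path|size|sha256' rows into a dict keyed by normalised path.
    Blank lines and '#' comments are skipped; a malformed row is an error
    rather than silently dropped, since a dropped row would look like a
    hidden file in the diff."""
    entries: Dict[str, Entry] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 3:
            raise ValueError(f"malformed listing row: {line!r}")
        path, size, digest = parts
        key = path.strip().lower().replace("/", "\\")
        entries[key] = Entry(key, int(size), digest.strip().lower())
    return entries


@dataclass
class CrossViewReport:
    hidden: List[str]    # offline only: the live OS could not see the file
    phantom: List[str]   # live only: e.g. created after the offline snapshot
    altered: List[str]   # same path, different size/hash: reads may be hooked


def cross_view_diff(live: Dict[str, Entry], offline: Dict[str, Entry]) -> CrossViewReport:
    """Diff the two views in both directions plus a content check on the
    paths both views agree exist."""
    live_paths, offline_paths = set(live), set(offline)
    hidden = sorted(offline_paths - live_paths)
    phantom = sorted(live_paths - offline_paths)
    altered = sorted(
        p for p in live_paths & offline_paths
        if live[p].size != offline[p].size or live[p].sha256 != offline[p].sha256
    )
    return CrossViewReport(hidden, phantom, altered)


# Constructed sample listings (paths and digests are made up for the example).
LIVE_LISTING = r"""
# view A: taken from inside the running OS
C:\Windows\System32\example.dll|40960|1111aaaa
C:\Windows\System32\drivers\legit.sys|8192|2222bbbb
C:\Users\Alice\notes.txt|120|3333cccc
C:\Temp\new_after_snapshot.log|16|4444dddd
"""

OFFLINE_LISTING = r"""
# view B: same drive, read from a LiveCD
C:\Windows\System32\example.dll|40960|9999ffff
C:\Windows\System32\drivers\legit.sys|8192|2222bbbb
C:\Windows\System32\drivers\hidden_example.sys|12288|5555eeee
C:\Windows\System32\hidden_example.ini|300|6666abcd
C:\Users\Alice\notes.txt|120|3333cccc
"""


def run_example() -> CrossViewReport:
    """Diff the two constructed listings and return the report."""
    return cross_view_diff(
        parse_listing(LIVE_LISTING.splitlines()),
        parse_listing(OFFLINE_LISTING.splitlines()),
    )


if __name__ == "__main__":
    report = run_example()
    for label, paths in (("hidden from live OS", report.hidden),
                         ("only in live OS", report.phantom),
                         ("content differs", report.altered)):
        print(f"{label}:")
        for p in paths:
            print(f"  {p}")
```

Two practical points on using it: both listings must be taken close together in time and with the same normalisation, or the `phantom` and `altered` buckets fill with noise (temp files, logs, the pagefile); and the live listing is only meaningful if it was generated on the suspect OS, because that is the view the rootkit is filtering. The `hidden` bucket is the one that matters for the question in this thread, and it is produced without trusting anything the compromised OS reports, including its netstat.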
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Unfortunately, the external .ini file, which could be seen in Safe Mode, is probably a thing of the past. Although, ATM, you have to pay for that feature. The latest free version of Hacker Defender runs in Safe Mode and hides its external .ini there as well.

    Regarding identifiable-patterns-of-behavior, I would assume that the cracker knows that the trick to not getting caught is not to have any.

    Nick
     