Rootkit defense?

Discussion in 'other security issues & news' started by TouchuvGrey, Nov 1, 2005.

Thread Status:
Not open for further replies.
  1. TouchuvGrey

    TouchuvGrey Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    441
    Location:
    Gold Coast Queensland Australia
    I'm probably opening a can of worms here. I thought I was pretty secure with the various security measures I take and the software I have installed. Now I'm hearing about rootkits. Any opinions on what (if any) programs are best for keeping them out of my computer, or alternatively for finding and removing them if it's too late to keep one out?




    Mike
     
  2. mr.n00d135

    mr.n00d135 Guest

    I would say to keep from being infected, try keeping Windows up to date, latest patches etc... be extra careful what things you download and install, same goes for email. You could also surf in a limited user account.

    For actual programs to help prevent rootkits, you could try things like AntiHook and SSM, both freebies. Also for scanning your computer for possible rootkit infections you could try RootkitRevealer, Unhackme and Blacklight beta. You can run the three of them, one at a time, to look for any rootkits that may be on your system.

    I think rootkits still tend to be at least somewhat fairly uncommon. I'm surprised more people aren't getting infected with them far more often though, but that doesn't seem to be the case as of yet. That will probably change though, so do what you can now to protect yourself.
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,631
    Location:
    Milan and Seoul
    You could also try ShadowUser, Deepfreeze, Clean Slate or Drive Vaccine.
    With a simple reboot you wipe out any nasties that might have landed on your computer (I personally use ShadowUser and a classic layered defense).

    @mr.n00d135, quote: "I'm surprised more people aren't getting infected with them far more often though, but that doesn't seem to be the case as of yet."

    How do you know? Rootkits by definition can completely disappear and go undetected. RootkitRevealer, AntiHook and BlackLight beta can detect some, but you'll never know for sure.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,301
    Hi,
    Just format every 6 months... And keep your data linuxed.
    Now seriously, guns don't kill people. People kill people. Nothing will protect you from an infection if you let it happen. All your security programs can pop up alerts, but you can decide to ignore them and let things happen. Blacklisted things could be stopped, but what about new versions? They would just be ordinary unknown files / drivers trying to execute. And if you let them, then all your security can be flushed down the toilet.
    The question is this: how often do you KNOW you are handling a file that could possibly contain malware? How often do you risk it, with downloads of this and that from here and there? How often do you execute unknown files before consulting with people at different security forums?
    Mrk
     
  5. TouchuvGrey

    TouchuvGrey Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    441
    Location:
    Gold Coast Queensland Australia
    I should have looked at the documentation of what I already have. DUHHHHH. I already have Process Guard from DCS, and looking at it I see that it says it prevents rootkits from installing.



    Mike
     
  6. Process Guard is good but it may not be the panacea that you think it is against all rootkits. You still need common sense and careful actions to avoid rootkits.

    Also some folks say that Process Guard can be surpassed by some rootkit techniques anyway now, but I'm not sure what techniques or rootkits they're talking about.
     
  7. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    As far as I know, rootkits require Administrator level privileges in order to install the kernel mode driver code which is capable of patching the filesystem and system call table so that they can hide themselves from other apps and utilities. Therefore, one thing you can do is to configure your system and learn how to run your system with limited user accounts for 98% of your computing needs. Only run as an Administrator when you have to. Of course, many legitimate apps require Administrator level access in order to install properly and so you have to be extremely careful of trojan code. As others have stated, just be very careful of what you install and what you allow to execute while running as Admin. Of course, even pros like Mark Russinovich can unwittingly pick up a rootkit even while being vigilant and installing software only from "trusted" sources (link details his experience with a Sony music CD with DRM that installed itself using rootkit techniques).
     
  8. tlu

    tlu Guest

    Exactly. Most valuable hints regarding this issue can be found on http://blogs.msdn.com/Aaron%5FMargosis/ . Highly recommended!
     
  9. TouchuvGrey

    TouchuvGrey Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    441
    Location:
    Gold Coast Queensland Australia
    Some of my friends think I'm a bit paranoid when it comes to online security matters; I try to have at least 2 complementary programs for each type of attack that might be mounted. I know from experience of my own and others that trusting ANY one security application to do the job completely is not a good idea. I'm running PG and another anti-rootkit program I've seen spoken well of in this forum.


    Mike
     

  10. I don't think it would be a good idea to run Process Guard along with AntiHook. They are both similar in the protection they offer, and it could cause problems running both simultaneously. More is NOT always better. Same goes for using two software firewalls and two AVs resident (realtime). I would choose one or the other, PG or AH. :)
     
  11. Suspicious

    Suspicious Guest

    "How can I possibly know if I've been r00ted" is fast becoming a modern epistemological difficulty. I don't think there is a software solution to this kind of problem. There's a handful of scanners made by (mostly) well-meaning folks that may or may not detect some ordinary rootkits, but there is no way you can ever be absolutely sure that your box hasn't been 0wned. I don't think anyone should get almighty hung up about this. Two sensible precautions: 1) Surf with a sandbox, e.g. http://www.sandboxie.com/ (but any will do). This will reduce the risk of a website stealth install. Much more important: 2) Don't DL and install every gewgaw you find on the net: this is route #1 into your computer. Apart from that just get on with life! Let's hope that rootkit authors manage to get a life as well one day.
     
  12. ms rootkit

    ms rootkit Guest

    RootkitRevealer, Unhackme and Blacklight beta, ShadowUser - Deepfreeze - Clean Slate - Drive Vaccine.

    Are any of these free? Any links to the ones that are?
     
  13. theanswer

    theanswer Guest

    RootkitRevealer is a free rootkit detector. It doesn't remove rootkits, but is nevertheless quite helpful. A must have IMO. http://www.sysinternals.com/Utilities/RootkitRevealer.html

    UnHackme is a very good rootkit detector/remover. It has a free trial version; it's shareware. http://greatis.com/unhackme/

    Blacklight Beta is another good temporarily free rootkit detector/remover. http://www.f-secure.com/blacklight/

    Other programs you mentioned are all payware as far as I know, but could have free trials available, try to google them for more info. They are good programs to auto revert your hard drive to a safe time before any possible malware infections.
     
  14. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    I don't entirely disagree with you; however I suspect that one day in the near future we will have some pretty reliable scanning utilities that can be run straight from a bootable CD-ROM. Additionally, I think operating systems will begin to make use of mechanisms that increasingly restrict the ability of 3rd party drivers to effectively insert themselves into trusted portions of the filesystem and the API stack (as Mark Russinovich noted the system call hooking used in the Sony DRM instance is apparently not permitted under Win64).

    The other point I would make is that for a rootkit to really have a purpose, it sort of has to have a clandestine networking component to it. That is, if a hacker can't access the "rooted" machine or the "rooted" machine can't report back via some sort of network communications or the "rooted" machine can't begin auto-generating worm or spam traffic, then the rootkit is sort of just deadweight on the box without much of a purpose (not that I want any code on my box wasting CPU cycles). Given this "requirement", I would also point out that network sniffing/IDS/IDP utilities may grow to become sufficiently accurate to nevertheless pick up the malicious traffic being issued since the rootkit can't really hide the packets on the wire. Yes, it can perhaps bury malicious packets in with legitimate traffic on well-known and oft-used protocols and ports; yet, nevertheless, they cannot be completely concealed and some footprint will be left.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,301
    Hi,
    You do have reliable engines that scan from CD.
    You can combine Bart PE boot disk with Ultimate Boot CD plugins pack, and you will have Ad-Aware, Spybot, Antivir, ETR, CWS, HijackThis and several other utilities mounted on the disk!
    Now, if I'm not mistaken, if you boot from the disk, you will skip the local kernel, and therefore anything hidden will now be exposed as any other file and folder. Therefore, all it takes is to try to combine Bart disk with maybe some anti-rootkit? Am I offline here?
    Mrk
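The idea behind RootkitRevealer (post 13) and the boot-from-CD suggestion just above is the same cross-view check: a rootkit that hooks the file APIs can filter what the running system reports, but not what a clean boot or a raw scan sees. The script below is an added example, not code from the thread or from any of the tools named: it takes two "path TAB size" listings, one through the live API and one offline, and flags what the live view does not show. Listing format, file names and sizes are constructed for the example.

```python
from typing import Dict, List


def parse_listing(text: str) -> Dict[str, int]:
    """Parse "<path>TAB<size>" lines into {normalised_path: size}.
    Windows paths are case-insensitive and accept either separator, so
    normalise first or a harmless case difference looks like a hidden file."""
    entries: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size = line.rsplit("\t", 1)
        entries[path.replace("/", "\\").lower().rstrip("\\")] = int(size)
    return entries


def cross_view_diff(live: Dict[str, int], offline: Dict[str, int]) -> Dict[str, List]:
    """Classify discrepancies between the live-API view and the offline view.
    hidden        : offline only -> filtered out of the live view (the signal)
    size_mismatch : in both but sizes differ -> live view may misreport content
    live_only     : live only -> usually written between snapshots; not proof"""
    return {
        "hidden": sorted(p for p in offline if p not in live),
        "size_mismatch": sorted((p, live[p], offline[p]) for p in live
                                if p in offline and live[p] != offline[p]),
        "live_only": sorted(p for p in live if p not in offline),
    }


# Constructed sample snapshots (hypothetical paths and sizes, not real IoCs).
LIVE_VIEW = """\
C:\\Windows\\System32\\kernel32.dll\t989184
C:\\Windows\\System32\\drivers\\ntfs.sys\t574976
C:\\Windows\\Temp\\session.tmp\t12
"""
OFFLINE_VIEW = """\
# taken after booting from a clean CD, so no hooked API sits in the path
c:/windows/system32/kernel32.dll\t989184
c:/windows/system32/drivers/ntfs.sys\t590848
c:/windows/system32/drivers/example_hidden.sys\t10240
c:/windows/system32/example_hidden/config.dat\t512
"""


def run_check() -> Dict[str, List]:
    """Diff the constructed snapshots; a non-empty 'hidden' list is the alarm."""
    return cross_view_diff(parse_listing(LIVE_VIEW), parse_listing(OFFLINE_VIEW))
```

Anything in `hidden` is worth pulling off the offline copy for inspection; `live_only` entries are usually just temp files written between the two snapshots.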
     