ROOTKIT Question

Discussion in 'other security issues & news' started by nightbass, Feb 27, 2011.

Thread Status:
Not open for further replies.
  1. nightbass

    nightbass Registered Member

    Joined:
    Feb 27, 2011
    Posts:
    1
    Hi Guys,

    Rootkits hide themselves from attention of our programs and it is bad but can't we use it to our advantage?
    My idea is if I use free disk space wipe utility which would be not aware of any hidden data (and rootkits), would it not wipe all that trash out of a disk? (all those that are not resident in MBR)

    Appreciate all opinions!
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hello nightbass :)

    have a look at this article for more thorough understanding on rookits. Some interesting reading follows at the bottom in references.
     
  3. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Just use HMP or AVG 2011 to detect and dump them, then forget Rootkits.

    John
     
  4. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Not going to work with all rootkits. Sorry. A rootkit, by definition, has complete access to the OS kernel, which means it can simply disable any AV software. The only way to "treat" a rootkit infection is a wipe and reinstall of the OS.
     
  5. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    When things become nasty, you need to use Anti-Rootkit Tools:
    GMER, TDSSKiller (Kaspersky), TDSS Cleaner (Norman), UnHackMe, Teazer Rootkit Razor etc.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Mr.PC et al

    Hi, that should be Tizer Rootkit Razor ;)
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is there any legitimate reason for Unlinking EPROCESS or is it a rootkit only type of hiding technique?
    Are there any popular softwares that use this outside of malware?
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    The rootkit is in control and loaded is not going to make cleaning easy.
    Rootkits have protection mechanisms as well as habitating hard to access locations.
    Free space on the disk is used by Rootkits to hide data it collects and maybe other modules it may need.
    If a rootkit is active, trying to wipe free space with something like Heidi eraser, it will take action by creating system instability or crash the program doing the wiping, but will not remove the threat.
     
  9. katio

    katio Guest

    But how does it get into the kernel?
    If you install the AV after the rootkit you got a problem. However if you run the rootkit installer/dropper after the AV and the AV knows the rootkit it can protect you.

    There are ways around that (e.g. privilege escalation shellcode disables AV, downloads dropper which installs rootkit which patches and enables AV again). But that's for Stuxnet 2.0 or Mission Impossible 4 and not your email torjan and browser drive by. A more realistic scenario is a "0day rootkit" which isn't detected yet or one that uses encryption and permutation to evade detection. That's were other layers of security come into play: anti-executables, HIPS and sandboxes.
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    If the rootkit is in the AV database, sure. That might work. But how can you be sure that all rootkits are in all databases of AV vendors? You can't. It's trivial to tweak a rootkit to pass AV scans.

    It's not really all that Mission Impossible. Have you scanned the leaked HBGary e-mails? Those guys were working on a number of rootkits (one they called "12 Monkeys"). These rootkits resided only in memory and were not detectable on the drive at all, making them impossible to find and remove without sophisticated memory analysis. Hoglund, who was involved with HBGary, wrote the first ever known Windows NT rootkit, so his credentials are among the best in this area. Here is his description of it:

    And this is why blacklisting techniques (like AV scanning) is always going to be doomed to failure and always be behind in the "arms race." A better way is to whitelist, sandbox, and have a savvy user behind the keyboard.
     
  11. katio

    katio Guest

    Then it's not a rootkit but memory only malware just like the dll from memory technique and meterpreter recently discussed on the forum. They are scary as info-stealers but by design non-persistent threats.

    Agreed, and it's basically what I already said above. But let me note when it comes to statistics getting hit by a yet undetected malware isn't all that likely - for the average non-target desktop user. I'd welcome a shift to more proactive and whitelisting based security for everyone but the reactive blacklisting security that is the standard now is still holding up pretty well.
    Now about the user...
     
  12. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Hello nightbass,

    An ounce of prevention is worth a pound of cure.
     
Loading...
Thread Status:
Not open for further replies.