what is the best rootkit prevention/protection?

Discussion in 'other anti-malware software' started by jmonge, Jan 25, 2010.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    I see this type of malware becoming very popular lately. People should be aware of rootkit infections as they are hard to remove, and sometimes so hard to remove that a format is the only way out :) So again, what is the best recommendation to prevent or get protection against rootkits? Thanks

    Note: I am using Prevx for scanning for rootkits and DefenseWall on the family PCs :thumb: What are you using to prevent this type of infection?
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Panda Cloud AV received very high scores for preventing rootkit infections in a pcmag.com review.

    http://www.pcmag.com/article2/0,2817,2355844,00.asp
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Very cool, I didn't know about Panda detecting rootkits, thanks ;) Also, I was thinking of WinPatrol Plus, as it detects services, DLLs and other stuff and alerts when they want to get into the system. It may be a lite HIPS, but it can be combined with Panda Cloud if they like each other ;)
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Prevention for rootkit trojan executable files is the same as for any trojan.

    One example:

    An early remote code execution exploit from 2006 had two files that were identified as having rootkit behavior:

    http://www.hijackthis-forum.de/archiv/14545-help-logfile.html

    However, because the initial dropper is an executable, it's prevented from installing by any security setup for such exploits. Here it is from 2006:

    http://www.urs2.net/rsj/computing/tests/haxdoor/


    ----
    rich
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Rmus, don't forget that rootkits can be introduced not only by trojans but now also by rogues and fake antivirus, and some of them are not detected that much by the antivirus companies. Last week I cleaned 2 computers with fake/rogue antivirus and at least 2 rootkits on each machine :D
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Point taken. My example was a remote code execution type.

    So, I'll expand my original answer to a Part 2:

    Why did the owners of the computers you cleaned install that stuff in the first place?

    The answer to that question is the beginning for them to understand effective prevention.

    Of course, that means less business for you!

    ----
    rich
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    These friends don't have a clue about security, so I don't know why they did that :D Maybe they are careless :D
     
  8. Jav

    Jav Guest

    Limited User Account :p

    And maybe add SRP or AppLocker or any default-deny policy software.

    But still it will fail against social engineering :doubt:
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    good points:thumb:
     
  10. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    IMHO Rootkit prevention is very different from detection of active Rootkits.

    For Rootkit prevention you need something that stops or isolates unknown programs on the system, like LUA, HIPS, Sandbox etc.

    For the detection of active Rootkits most likely ARKs (nomen est omen...) like RkU, GMER etc. may be helpful.

    Plain stupid AVs/Suites are not very helpful against active Rootkit infections, at least not when I tested 20 of them against a Rootkit like the one described here:
    http://vms.drweb.com/virus/?i=441481

    This is only about the detection (no removal tested):
    http://img13.imageshack.us/img13/3205/rktdss.png

    Many vendors claim that their apps detect Rootkit infections, but most often this is just a marketing bubble.

    Cheers
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Agree exactly.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Yeah, a HIPS will be a good tool for preventing rootkit infections in the first place ;)
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    what is the best rootkit prevention/protection?

    Well, that's easy: HIPS, Sandbox, etc.
     
  14. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    I read the PDF from the link provided by subset http://vms.drweb.com/virus/?i=441481
    99% of which was over my head. Nevertheless, it seemed pretty scary to me.

    What I took away was that in this case this threat has a non-typical method for injection into a system process and that the driver which performs the installation is saved as binary data instead of an executable image.

    If this is the case, would a LUA with or without SRP be able to stop this rootkit? How about an anti-executable such as Returnil 2008 (which also monitors for driver installs), Trust No Exe or Faronics?

    Would this rootkit install be detected (when trying to install) only by software that monitors process injection?

    Also can privilege escalation be accomplished through process injection? I ask this because I noticed that surun uses process injection to elevate LUA.

    I understand that Defensewall, Sandboxie, etc would protect, I just want to understand how this rootkit infects and which types of security would protect. Thanks.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As pointed out in other posts, the above will prevent any unauthorized executable that attempts to install by the remote code execution method of delivery:

    • Drive-by download - browser exploit

    • Infected PDF file

    • Infected media files, etc.

    • Infected MS Office documents, etc.

    However, if the user is tricked into granting permission for an infected file to install, then the above security is disabled for the installation. Such as:

    • Infected codecs

    • Infected software on crack/pirated sites

    • Infected rogue security products

    This is the so-called Social Engineering method of delivery. The surest prevention techniques involve knowing/ensuring that what you are installing is safe.

    The rest of your post deals with detection/monitoring, which someone else can take up.

    ----
    rich
     
  16. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    Well, how effective would Prevx and DefenseWall 2.56 be in rootkit prevention/protection? That is, if run in conjunction...
     
  17. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    DWall is great at prevention if used right. I don't know how good Prevx is at prevention, but it has proved itself among the best at detection and removal of rootkits.
     
  18. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    Rich, thanks for your reply. I always learn much from your posts.

    What sets this particular rootkit apart from run-of-the-mill executables is that it installs (without better understanding) without being an executable.

    If anyone can explain what this PDF http://www.drweb.com/static/BackDoor.Tdss.565_(aka TDL3)_en.pdf is reporting I would be extremely grateful.
     
  19. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    This is a TDL3 infection monitored with Malware Defender.
    http://img716.imageshack.us/img716/6803/mdlog.png

    I just set DLL loading to ask, which is allowed by default.
    This may also be overlooked by other HIPS, but every one of them should warn about the loading of the kernel driver by spoolsv.exe.
    If this is blocked, the installation of this Rootkit fails.

    Cheers
     
  20. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC

    I think that this article might explain it a little better for you. Hope this helps. http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html
     
  21. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    ummm.....not quite for TDL3:doubt:
     
  22. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    A well-configured Sandboxie sandbox.
     
  23. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
    subset and dcrowe thanks for your replies.
     
  24. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    The best rule of thumb is: if it can't run, it can't infect. So if someone lets malware run, then deal with the consequences! :doubt: Don't let it get past your defenses! Just think that most of us here are very interested in computer security, right? Just think of all the ones that don't know or use any, or let their security run out. OMG, does this happen? LOL o_O What are we in, the stone age?? :D I guess too many Brown Pops tonight! ;)

    TH
     

    Last edited: Jan 26, 2010
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    hey triple good pictures:D
     