what is the best rootkit prevention/protection?

i see this type of malware becoming very popular lately,people should be aware of rootkits infections as they are hard to remove and sometimes very hard to remove that only format is the only way out so again what is the best recomendation to prevent or get protection againts roorkits?thanks

note:i am using prevx for scaning rootkits and in familie pc's defensewall what are you using to prevent this type of infection?

 

.
Panda Cloud AV received very high scores for preventing rootkit infections in a pcmag.com review.

http://www.pcmag.com/article2/0,2817,2355844,00.asp

 

very cool i didnt know about panda detecting rootkits thanks also i was thinking of winpatrol plus as it detects services dll's and other stuff alerts when they want to get into the system,it may be a lite hips but now can be combine with panda cloud if they like each other

 

Prevention for rootkit trojan executable files is the same as for any trojan.

One example:

An early remote code execution exploit from 2006 had two files that were identified as having rootkit behavior:

http://www.hijackthis-forum.de/archiv/14545-help-logfile.html

However, because the initial dropper is an executable, it's prevented from installing by any security setup for such exploits. Here it is from 2006:

http://www.urs2.net/rsj/computing/tests/haxdoor/


----
rich

 

rmus dont forget that rootkits can be introduce not only from trojans but now from rouges and fake antivirus also and some of them are not detected by antivirus company that much,last week i cleaned 2 computers with fake/rouges antivirus and atleast 2 rootkits in each machine

 

Point taken. My example was a remote code execution type.

So, I'll expand my original answer to a Part 2:

Why did the owners of the computers you cleaned install that stuff in the first place?

The answer to that question is the beginning for them to understand effective prevention.

Of course, that means less business for you!

----
rich

 

these friends dont have a clue about security so,i dont know why they did that maybe they are careless

 

Limited User Account

And maybe add with SRP or Applocker or any default-deny policy software.

But still it will fail against social engineering

 

good points

 

IMHO Rootkit prevention is very different from detection of active Rootkits.

For Rootkit prevention you need something that stops or isolates unknown programs on the system, like LUA, HIPS, Sandbox etc.

For the detection of active Rootkits most likely ARKs (nomen est omen...) like RkU, GMER etc. may be helpful.

Plain stupid AVs/Suites are not very helpful against active Rootkit infections, at least not when I tested 20 against a Rootkit like described here:
http://vms.drweb.com/virus/?i=441481

This is only about the detection (no removal tested):
http://img13.imageshack.us/img13/3205/rktdss.png

Many vendors claim that their apps detect Rootkit infections, but most often this is just a marketing bubble.

Cheers

 

Agree exactly.

 

yeah hips will be a good tool for preventing rootkits infection in the first place

 

what is the best rootkit prevention/protection?

well that's easy HIPS Sandbox etc.

 

I read the PDF from the link provided by subset http://vms.drweb.com/virus/?i=441481
99% of which was over my head. Nevertheless it seemed pretty scary to me.

What I took away was that in this case this threat has a non-typical method for injection into a system process and that the driver which performs the installation is saved as binary data instead of an executable image.

If this is the case would a LUA with or without SRP be able to stop this rootkit? How about an anti-executable such as Returnil 2008 (which also monitors for driver installs) or Trust no Exe or Faronics?

Would this rootkit install be detected (when trying to install) only by software that monitors process injection?

Also can privilege escalation be accomplished through process injection? I ask this because I noticed that surun uses process injection to elevate LUA.

I understand that Defensewall, Sandboxie, etc would protect, I just want to understand how this rootkit infects and which types of security would protect. Thanks.

 

As pointed out in other posts, the above will prevent any unauthorized executable that attempts to install by the remote code execution method of delivery:

• Drive-by download - browser exploit
  
  
• Infected PDF file
  
  
• Infected Media files; etc
  
  
• Infected MSOffice documents; etc

However, if the user is tricked into granting permission for an infected file to install, then the above security is disabled for the installation. Such as,

• Infected Codecs
  
  
• Infected software on crack/pirated sites
  
  
• Infected rogue security products
  
  

This is the so-called Social Engineering method of delivery. The surest prevention techniques involve knowing/insuring what you are installing is safe.

The rest of your post deals with detection/monitoring, which someone else can take up.

----
rich

 

well how effective would be Prevx and Defensewall 2.56 in rootkit prevention/protection ? that is if run in conjunction...

 

DWall is great at prevention if used right. I don't know how good Prevx is at prevention but it has proved itself among the best at detection and removal of rootkits.

 

Rich, thanks for your reply. I always learn much from your posts.

What sets this particular rootkit apart from run-of-the-mill executables is that it installs (without better understanding) without being an executable.

If anyone can explain what this PDF http://www.drweb.com/static/BackDoor.Tdss.565_(aka TDL3)_en.pdf is reporting I would be extremely grateful.

 

This is a TDL3 infection monitored with Malware Defender.
http://img716.imageshack.us/img716/6803/mdlog.png

I just set DLL loading to ask, which is allowed by default.
This may also be overlooked by other HIPS, but every should warn about the loading of the kernel driver by the spoolsv.exe.
If this is blocked the installation of this Rootkit fails.

Cheers

 

I think that this article might explain it a little better fo you. Hope this helps. http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html

 

ummm.....not quite for TDL3

 

A well configured sandboxie sandbox

 

subset and dcrowe thanks for your replies.

 

The best rule of thumb is if it can run it can't infect so if someone lets malware run then deal with the consequences! Don't let go past your defenses! Just think that most of us here are very interested in Computer Security right? Just think of all the one's that don't know or use any or let there security run out OMG does this happen? LOL What are we in the stone age?? I guess to many Brown Pops tonight!

TH

 

hey triple good pictures