Rootkits danger and prevention

[Humberto]

Rootkits are not new but they have emerged as new dangerous attacks recently, particularly against computers running one of the Microsoft Windows operating systems with new technology.It is now regularly in various infections.

what are rootkits?

A rootkit is a collection of programs that enable administrator-level access to a computer or computer network.
They will simply alter the table SSDT hook to redirect system calls to either the Windows API, but to their own API to distort the result.So when you want to list the running processes .. Windows will always look at the table SSDT but the address of the API was modified by the rootkit and points now to their code, the rootkit no longer refer to the process list .


A kernel mode rootkit is always composed of at least one driver. System in general, the driver is loaded via a service.The file driver is of course hidden in the disc and the service is not present in service.msc or via the registry regedit: HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services.Blue Pill is the codename for a controversial rootkit based on x86 virtualization technology that targets Microsoft's Windows Vista operating system.Blue Pill would be able to trap a running instance of the operating system into a virtual machine, and would then act as a hypervisor, with complete control of the computer

Here are some examples of current rootkits:

• User Rootkit - A variant of Zlob / Trojan.DNS which is a fairly common rootkit redirects when doing searches on Google
• Kernelmode Rootkit - Haxdoor / Goldun
• Kernelmode Rootkit - Email-Worm.Win32.Zhelatin.a / Rootkit.Agent.dh / Trojan.Peacomm hidden with driver: C: \ Windows \ System32 \ wincom32.sys
• Kernel-mode Rootkit - Rootkit.Win32.Agent.ea

[Humberto]

The operation of rootkits

There are several different types of rootkits.They are user-mode, kernel-mode, and firmware rootkits.The kernel-mode rootkits that operate at the kernel level.For all software and hardware resources on the computer code has unrestricted access.Crashes in kernel mode is not recoverable.

In User mode access is restricted for code on the computer to software and hardware resources.Due to the restricted access,crashes are recoverable.A firmware rootkit uses device or platform firmware to create a persistent malware image. The rootkit can successfully hide in firmware, because firmware is not often inspected for code integrity.

The Windows API: These are functions used in programming, there are several categories.
Some categories can interact with the operating system to gain access to file systems, processes, the Windows registry, network etc. .. Specifically in our case when a program wants list of processes files, instead of writing a piece of code Microsoft has provided developers the APIs to do so.

System Calls Syscall: When a program makes a call to a PLC via a CALL

Table SSDT :System Service Descriptor Table is the table that contains the address of the API.
When a system call is made .. Windows looks in the table SDDT address of the API to manage the system call to the API in order to execute.

Here is what happens when a program (Antivirus, Task Manager) wishes to obtain the list of running processes, the program makes a call system, Windows looks in the table SSDT address this API then execute.You then get the process list.Similarly for the list of files in a directory etc. ..

[Humberto]

Rootkits are not new but they have emerged as new dangerous attacks recently, particularly against computers running one of the Microsoft Windows operating systems with new technology.It is now regularly in various infections such as: Win32.Packed.Tibs / Win32.Email-Worm.Zhelatin

The dangers of rookits

On a machine:

• Kaspersky does not detect any malicious code in the system32 folder of Windows.
• I have really not found any thing special on the HijackThis report.
• Task manager or Process Explorer does not shows any malicious process running.

Than scanned with anti-rootkit software gmer it shows some result by detecting rootkits

Items infected from rootkits.

• Modules loaded at the kernel level (kernel) Windows
• A process (Process) and a library (library): C: \ Windows \ System32 \ koos.exe
• A service pe386

As i observed carefully i found that the file C: \ Windows \ System32 \ koos.exe is not present.

• The report does not mention HijackThis service pe386
• Process Explorer does not process koos.exe

The Processes tab of gmer shows that the process koos is running which displayed in red because it is hidden.

IceSword shows the process koos established a connection on the address 68.115.160.110 with linelisting TCP.The process netstat-ano causing the connection to port but in task manager no process any such process were visible.

This rootkit is therefore provides an opportunity for hackers to connect to the computer on which the rootkit is present.

So that rootkits are a really dangerous since they are able to hide in the system of the user but also operates other programs, including antivirus and online self establishment.The rootkit once installed it is the master of the system and can do what it was programmed :

• Open access to pirates (port)
• Turn the computer machine to send spam, and this without the knowledge of the firewall
• Disable / remove antivirus / firewall
• Download & install other malware
• Save keyboard keystrokes to recover your passwords / credit card number

As long as the rootkit is active the files will not be visible and not detected by antivirus software but once this system off the files become visible and the virus can do its work.

Here is a video about gmr that rootkit can hide: http://www.youtube.com/watch?v=qRv2JBT5278

[Humberto]

Prevention and removal of rootkits

Prevention

The virus does not allow you to delete them with any way as ability to detect the dropper.That is the file that installs the rootkit in the system since it is not hidden.

Here is how the whole antivirus detect an infection:

• Either by detection signature, That is a sequence of bytes in the file infectious to suggest that the file belongs to a particular infection. Hence the race to add signature in the database and antivirus updates the virus definitions of your antivirus.
• Either by the generic detection, code specific to a family of Vundo malware, Bagle, etc Zlob.
• If the malware is unknown, the virus can say whether or not the original file is malware, through heuristic detection. By scanning the file, the virus can be determined by the file structure if it can be infectious or not. This detection can generate false positives.

An IDS (Intrusion Detection System) is a program that scans your system to detect any changes or suspicious activity, it is able to detect the injection of the dropper rootkit on the system.also improving the security of your PC with the IDS / HIPS.Manly do not to surf sites which are not recommended, avoid downloading cracks on sites and networks P2P as you sooner or later lead to infection.

how to remove and there rootkits?
Clearly it is depends on your antivirus software and it updated definition and technology.Unupdated antivirus nothing can do against rootkits, although it is important to know that some antivirus are not capable to search rootkit. Once the rootkit becomes visible antivirus detect it.Scan a system for a rootkit virus is useless if the rootkit is hidden.

F-Secure BlackLight Rootkit Elimination Technology detects objects that are hidden from users and security tools and offers the user an option to remove them. The main purpose is to fight rootkits and all kinds of malware that use rootkits. The F-Secure BlackLight Rootkit Elimination Technology works by examining the system at a deep level.

Antirootkits

Anti-Rootkit / Rootkit Scanner these are the programs that are designed to detect the presence of rootkits.Like antivirus software some are more successful than others.Mostly antirootkits securities are generally in beta version in which some features are not present like module detection or suppression not quite worked.The best anti-rootkit is: Gmer

Even the antirootkit program is installed it is never 100% sure that the system is healthy, especially if the rootkit technologies is unknown to antirootkit.


Boot CDLive / slave HDD

The rootkit is a program it loads the operating system if you boot healthy operating system. You can boot with external hard drive So you can see all files, the files including rootkit.You can then scan the hard disk with one or more viruses.also bootable antivirus cd also works with latest updates only .
More help see this

• Guide to Kaspersky Rescue Disk
• How to remove rootkits and other spyware without booting hard disk ?