Rootkits danger and prevention
Rootkits are not new but they have emerged as new dangerous attacks recently, particularly against computers running one of the Microsoft Windows operating systems with new technology.It is now regularly in various infections.
what are rootkits?
A rootkit is a collection of programs that enable administrator-level access to a computer or computer network.
They will simply alter the table SSDT hook to redirect system calls to either the Windows API, but to their own API to distort the result.So when you want to list the running processes .. Windows will always look at the table SSDT but the address of the API was modified by the rootkit and points now to their code, the rootkit no longer refer to the process list .
A kernel mode rootkit is always composed of at least one driver. System in general, the driver is loaded via a service.The file driver is of course hidden in the disc and the service is not present in service.msc or via the registry regedit: HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services.Blue Pill is the codename for a controversial rootkit based on x86 virtualization technology that targets Microsoft's Windows Vista operating system.Blue Pill would be able to trap a running instance of the operating system into a virtual machine, and would then act as a hypervisor, with complete control of the computer
Here are some examples of current rootkits:
How Rootkits works
The operation of rootkits
There are several different types of rootkits.They are user-mode, kernel-mode, and firmware rootkits.The kernel-mode rootkits that operate at the kernel level.For all software and hardware resources on the computer code has unrestricted access.Crashes in kernel mode is not recoverable.
In User mode access is restricted for code on the computer to software and hardware resources.Due to the restricted access,crashes are recoverable.A firmware rootkit uses device or platform firmware to create a persistent malware image. The rootkit can successfully hide in firmware, because firmware is not often inspected for code integrity.
The Windows API: These are functions used in programming, there are several categories.
Some categories can interact with the operating system to gain access to file systems, processes, the Windows registry, network etc. .. Specifically in our case when a program wants list of processes files, instead of writing a piece of code Microsoft has provided developers the APIs to do so.
System Calls Syscall: When a program makes a call to a PLC via a CALL
Table SSDT :System Service Descriptor Table is the table that contains the address of the API.
When a system call is made .. Windows looks in the table SDDT address of the API to manage the system call to the API in order to execute.
Here is what happens when a program (Antivirus, Task Manager) wishes to obtain the list of running processes, the program makes a call system, Windows looks in the table SSDT address this API then execute.You then get the process list.Similarly for the list of files in a directory etc. ..
Re: Rootkits danger and prevention
Rootkits are not new but they have emerged as new dangerous attacks recently, particularly against computers running one of the Microsoft Windows operating systems with new technology.It is now regularly in various infections such as: Win32.Packed.Tibs / Win32.Email-Worm.Zhelatin
The dangers of rookits
On a machine:
Than scanned with anti-rootkit software gmer it shows some result by detecting rootkits
Items infected from rootkits.
As i observed carefully i found that the file C: \ Windows \ System32 \ koos.exe is not present.
IceSword shows the process koos established a connection on the address 126.96.36.199 with linelisting TCP.The process netstat-ano causing the connection to port but in task manager no process any such process were visible.
This rootkit is therefore provides an opportunity for hackers to connect to the computer on which the rootkit is present.
So that rootkits are a really dangerous since they are able to hide in the system of the user but also operates other programs, including antivirus and online self establishment.The rootkit once installed it is the master of the system and can do what it was programmed :
Here is a video about gmr that rootkit can hide: http://www.youtube.com/watch?v=qRv2JBT5278
Prevention and removal of rootkits
Prevention and removal of rootkits
The virus does not allow you to delete them with any way as ability to detect the dropper.That is the file that installs the rootkit in the system since it is not hidden.
Here is how the whole antivirus detect an infection:
An IDS (Intrusion Detection System) is a program that scans your system to detect any changes or suspicious activity, it is able to detect the injection of the dropper rootkit on the system.also improving the security of your PC with the IDS / HIPS.Manly do not to surf sites which are not recommended, avoid downloading cracks on sites and networks P2P as you sooner or later lead to infection.
how to remove and there rootkits?
Clearly it is depends on your antivirus software and it updated definition and technology.Unupdated antivirus nothing can do against rootkits, although it is important to know that some antivirus are not capable to search rootkit. Once the rootkit becomes visible antivirus detect it.Scan a system for a rootkit virus is useless if the rootkit is hidden.
F-Secure BlackLight Rootkit Elimination Technology detects objects that are hidden from users and security tools and offers the user an option to remove them. The main purpose is to fight rootkits and all kinds of malware that use rootkits. The F-Secure BlackLight Rootkit Elimination Technology works by examining the system at a deep level.
Anti-Rootkit / Rootkit Scanner these are the programs that are designed to detect the presence of rootkits.Like antivirus software some are more successful than others.Mostly antirootkits securities are generally in beta version in which some features are not present like module detection or suppression not quite worked.The best anti-rootkit is: Gmer
Even the antirootkit program is installed it is never 100% sure that the system is healthy, especially if the rootkit technologies is unknown to antirootkit.
Boot CDLive / slave HDD
The rootkit is a program it loads the operating system if you boot healthy operating system. You can boot with external hard drive So you can see all files, the files including rootkit.You can then scan the hard disk with one or more viruses.also bootable antivirus cd also works with latest updates only .
More help see this
|Tags: antirootkit, antivirus, blacklight, blue pill, downloads, f secure, icesword, kaspersky, portable, rootkits, trojan, worm|
|Thread Tools||Search this Thread|
|Similar Threads for: "Rootkits danger and prevention"|
|Thread||Thread Starter||Forum||Replies||Last Post|
|How to get rid of 270 rootkits||Loyalpalm||Technology & Internet||5||23-11-2010 06:28 AM|
|Danger Den DD for GTX470||Fragant||Hardware Peripherals||7||25-07-2010 05:33 AM|
|Joe Danger Video Game||GaMeR-BoY||Reviews||1||23-06-2010 12:26 PM|
|Danger of using cracks website||Balamohan||Networking & Security||3||10-12-2009 01:43 AM|
|Dolphins are in danger in Cornwall||Logan.M||Off Topic Chat||3||12-06-2008 02:28 PM|