Rootkits danger and prevention
Rootkits are not new, but they have recently emerged as dangerous new attacks, particularly against computers running one of the Microsoft Windows operating systems, using new technology. They are now regularly found in various infections.
What are rootkits?
A rootkit is a collection of programs that enable administrator-level access to a computer or computer network.
They simply alter the SSDT table (hook) to redirect system calls, no longer to the Windows API but to their own API, in order to distort the result. So when you want to list the running processes, Windows always looks at the SSDT table, but the address of the API was modified by the rootkit and now points to its code, so the rootkit's process no longer appears in the process list.
A kernel-mode rootkit is always composed of at least one driver (.sys). In general, the driver is loaded via a service. The driver file is of course hidden on the disk, and the service is not present in services.msc or in the registry (regedit): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. Blue Pill is the codename for a controversial rootkit based on x86 virtualization technology that targets Microsoft's Windows Vista operating system. Blue Pill would be able to trap a running instance of the operating system into a virtual machine, and would then act as a hypervisor, with complete control of the computer.
Here are some examples of current rootkits:
- User-mode rootkit: a variant of Zlob / Trojan.DNS, a fairly common rootkit that redirects searches on Google
- Kernel-mode rootkit: Haxdoor / Goldun
- Kernel-mode rootkit: Email-Worm.Win32.Zhelatin.a / Rootkit.Agent.dh / Trojan.Peacomm, hidden with the driver C:\Windows\System32\wincom32.sys
- Kernel-mode rootkit: Rootkit.Win32.Agent.ea
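The SSDT hooking described above is what anti-rootkit tools check for: a native API entry whose handler address lies outside the kernel image is flagged as hooked. The following is an added example (not code from the original post or from any of the tools named), working on a constructed SSDT dump and a constructed module list in a simple text format assumed here:

```python
"""Flag SSDT entries whose handler lies outside the kernel image (ntoskrnl).

The dump formats below are constructed for this example:
  modules: '<name> <base_hex> <size_hex>'
  ssdt:    '<ZwName> <handler_hex>'
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    end: int  # exclusive

    def contains(self, address: int) -> bool:
        return self.base <= address < self.end


def parse_modules(text: str) -> list[ModuleRange]:
    modules = []
    for line in text.strip().splitlines():
        name, base, size = line.split()
        start = int(base, 16)
        modules.append(ModuleRange(name, start, start + int(size, 16)))
    return modules


def parse_ssdt(text: str) -> dict[str, int]:
    return {name: int(handler, 16)
            for name, handler in (line.split() for line in text.strip().splitlines())}


def find_hooked_entries(ssdt: dict[str, int], modules: list[ModuleRange],
                        kernel: str = "ntoskrnl.exe") -> dict[str, str]:
    """Return {ZwName: owning module or 'unknown'} for every entry not inside the kernel."""
    suspicious = {}
    for name, handler in ssdt.items():
        owner = next((m.name for m in modules if m.contains(handler)), "unknown")
        if owner != kernel:
            suspicious[name] = owner
    return suspicious


# Constructed sample: the kernel, a legitimate driver, and a rootkit driver
SAMPLE_MODULES = "ntoskrnl.exe 80400000 00200000\nwin32k.sys bf800000 00180000\nwincom32.sys f8a10000 00004000"
SAMPLE_SSDT = ("ZwAcceptConnectPort 80480a10\nZwQuerySystemInformation f8a11230\n"
               "ZwEnumerateKey 8048f0c0\nZwEnumerateValueKey f8a11400\nZwCreateFile 9a000000")

if __name__ == "__main__":
    for api, owner in find_hooked_entries(parse_ssdt(SAMPLE_SSDT), parse_modules(SAMPLE_MODULES)).items():
        print(f"{api}: handler in {owner}")
```

On a real system the two dumps would come from a tool such as GMER's SSDT and Modules views; the page itself does not state how to collect them, so the formats here are an assumption.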
Re: Rootkits danger and prevention
Rootkits are not new, but they have recently emerged as dangerous new attacks, particularly against computers running one of the Microsoft Windows operating systems, using new technology. They are now regularly found in various infections such as Win32.Packed.Tibs / Win32.Email-Worm.Zhelatin.
The dangers of rootkits
On a machine:
- Kaspersky does not detect any malicious code in the Windows system32 folder.
- I have really not found anything special in the HijackThis report.
- Task Manager and Process Explorer do not show any malicious process running.
Then, scanning with the anti-rootkit software GMER shows some results, detecting rootkits.
Items infected by rootkits:
- Modules loaded at the kernel level of Windows
- A process and a library: C:\Windows\System32\koos.exe
- A service: pe386
As I observed carefully, I found that the file C:\Windows\System32\koos.exe is not present.
- The HijackThis report does not mention the service pe386
- Process Explorer does not show the process koos.exe
The Processes tab of GMER shows that the process koos is running; it is displayed in red because it is hidden.
IceSword shows that the process koos established a TCP connection to the address 68.115.160.110. netstat -ano also shows the connection on that port, but in Task Manager no such process was visible.
This rootkit therefore provides an opportunity for hackers to connect to the computer on which the rootkit is present.
So rootkits are really dangerous, since they are able to hide in the user's system but also to operate other programs, including the antivirus, and to establish themselves online. Once installed, the rootkit is the master of the system and can do whatever it was programmed to:
- Open access (ports) to pirates
- Turn the machine into a spam sender, without the knowledge of the firewall
- Disable / remove antivirus / firewall
- Download & install other malware
- Log keystrokes to recover your passwords / credit card numbers
As long as the rootkit is active, the files are not visible and not detected by antivirus software, but once this system is off the files become visible and the antivirus can do its work.
Here is a video about GMER showing what a rootkit can hide: http://www.youtube.com/watch?v=qRv2JBT5278
Prevention and removal of rootkits
Prevention
Antivirus cannot delete them in any way; the only possibility is to detect the dropper, that is the file that installs the rootkit in the system, since it is not hidden.
Here is how antivirus software detects an infection:
- Either by signature detection, that is a sequence of bytes in the infectious file suggesting that the file belongs to a particular infection. Hence the race to add signatures to the database, and the antivirus updates of your virus definitions.
- Or by generic detection: code specific to a malware family such as Vundo, Bagle, Zlob, etc.
- If the malware is unknown, the antivirus can say whether or not the file is malware through heuristic detection. By scanning the file, the antivirus can determine from the file structure whether it can be infectious or not. This detection can generate false positives.
An IDS (Intrusion Detection System) is a program that scans your system to detect any changes or suspicious activity; it is able to detect the injection of the rootkit dropper into the system, also improving the security of your PC with IDS / HIPS. Mainly, do not surf sites which are not recommended, and avoid downloading cracks on sites and P2P networks, as sooner or later that leads to infection.
How to remove rootkits?
Clearly it depends on your antivirus software, its updated definitions and its technology. An un-updated antivirus can do nothing against rootkits, although it is important to know that some antivirus are not capable of searching for rootkits. Once the rootkit becomes visible, the antivirus detects it. Scanning a system for a rootkit is useless if the rootkit is hidden.
F-Secure BlackLight Rootkit Elimination Technology detects objects that are hidden from users and security tools and offers the user an option to remove them. The main purpose is to fight rootkits and all kinds of malware that use rootkits. The F-Secure BlackLight Rootkit Elimination Technology works by examining the system at a deep level.
Anti-rootkits
Anti-Rootkit / Rootkit Scanner: these are programs designed to detect the presence of rootkits. Like antivirus software, some are more successful than others. Most anti-rootkits are generally in beta version, in which some features are not present, like module detection, or removal does not quite work. The best anti-rootkit is GMER.
Even when an anti-rootkit program is installed, it is never 100% sure that the system is healthy, especially if the rootkit's technology is unknown to the anti-rootkit.
Boot Live CD / slave HDD
The rootkit is a program that loads with the operating system; if you boot a healthy operating system (for example from an external hard drive), you can see all files, including the rootkit's files. You can then scan the hard disk with one or more antivirus products. A bootable antivirus CD also works, but only with the latest updates.
For more help, see this.
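The koos.exe observation in the post above (a connection visible to netstat -ano and IceSword, but no owning process in Task Manager) is a cross-view check that can be automated: every PID that owns a socket must also appear in the process list. The following is an added example (not the post's own code); the netstat -ano and tasklist /fo csv outputs are constructed here, reusing the process name and address the post reports:

```python
"""Cross-view check: PIDs owning sockets (netstat -ano) but missing from the
process list (tasklist /fo csv).  A rootkit hiding a process from the
process-enumeration API usually still leaves its sockets visible to netstat.
Both sample outputs below are constructed for this example.
"""
import csv
from io import StringIO


def parse_netstat(text: str) -> list[dict]:
    """Parse 'netstat -ano' lines; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and title lines
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": parts[3] if len(parts) == 5 else "", "pid": int(parts[-1])})
    return rows


def parse_tasklist_csv(text: str) -> dict[int, str]:
    """Parse 'tasklist /fo csv' output into {PID: image name}."""
    reader = csv.DictReader(StringIO(text.strip()))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def find_hidden_socket_owners(netstat_text: str, tasklist_text: str) -> dict[int, list[str]]:
    """Return {PID: [connection descriptions]} for PIDs absent from the process list."""
    visible = parse_tasklist_csv(tasklist_text)
    hidden: dict[int, list[str]] = {}
    for c in parse_netstat(netstat_text):
        if c["pid"] not in visible:
            desc = f"{c['proto']} {c['local']} -> {c['foreign']} {c['state']}".strip()
            hidden.setdefault(c["pid"], []).append(desc)
    return hidden


# Constructed sample output; PID 1432 owns the connection but is not listed by tasklist
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.5:1054       68.115.160.110:80      ESTABLISHED     1432
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_TASKLIST = """"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,812 K"
"explorer.exe","1288","Console","0","18,204 K"
"""

if __name__ == "__main__":
    for pid, conns in find_hidden_socket_owners(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"PID {pid} owns sockets but is not in the process list: {conns}")
```

A hit only says the two views disagree; as the post notes, the confirmation came from a tool that reads the kernel directly (GMER, IceSword), not from the API-based list.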