# ROOTKITS...the new threat !?



## anandk (May 28, 2005)

Did you know that it is possible to hide spyware or a virus in a way that will fool even the traditional antivirus/antispyware products? Some spyware programs are already using so-called rootkits to hide deep on your PC!

F-Secure has developed a new Beta version of their BlackLight Rootkit Eliminator. It is a tool that detects files, folders and processes that are hidden from the user and other programs. BlackLight is also able to remove hidden malware by renaming it.

Rootkits for Windows work in a different way and are typically used to hide malicious software from, for example, an antivirus program. It is used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what is known as a full stealth virus. Rootkits are more common in the spyware field and they are now also becoming more commonly used among virus authors as well.

For more info and a download, visit: www.f-secure.com/blacklight/


----------



## digen (May 28, 2005)

Yeah, the Linux users must be familiar with "rootkits".
It's becoming common in the Windows environment too.

Check Rootkit.com


Sysinternals have a Rootkit Revealer. You may as well check that out.


----------



## netcracker (May 28, 2005)

Is F-Secure BlackLight the only solution?


----------



## swatkat (May 28, 2005)

No... Sysinternals RootkitRevealer is a tool which is freely available.
www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml


----------



## grinning_devil (May 29, 2005)

downloaded ..... 

nice link digen ..  rootkit.com sure has loads of info!!


----------



## pq (May 29, 2005)

Thanks anandk for your info. I'm going to try it.


----------



## anandk (Aug 17, 2005)

ROOTKITS are now an emerging type of "Super Spyware" which affect both Windows and Linux operating systems, hide themselves efficiently, impact the operating system kernel directly, and usually carry a more serious secondary payload.
Use this tool when you have done all other reasonable cleaning, have also checked for viruses, and you are sure your system is still seriously infested with malware even though no tool is showing it.
'ROOTKIT REVEALER' as mentioned above by swatkat is really worth a try. www.sysinternals.com


----------



## QwertyManiac (Aug 17, 2005)

So, why doesn't it appear? What's the problem with the anti's code?


----------



## anomit (Aug 18, 2005)

For geek stuff on RootKit detection

I don't think rootkits can be completely removed from a system. Or am I wrong?


----------



## digen (Aug 18, 2005)

Nice link there anomit. It's a pity that Phrack is no more around.
As far as your question goes, as far as my knowledge goes rootkits operate under the so-called "stealth" mode, hence the majority of them won't be detectable with, say, HijackThis or any port-to-application mapping program like Process Explorer.
The low-level or kernel-level operation of programs makes it a dangerous threat.
Detecting is one thing while removing is another. Completely removing even the slightest traces of a rootkit would involve detailed or simple "forensics" on the compromised machine, depending upon the level of detail the rootkit possesses.

Usually, and especially in a corporate environment, from what I heard the best practice if it's a "server" machine that is compromised is to format it and install a clean copy with all the patches and necessary updates. The gamble of not knowing whether the malicious threat has been removed would be a disaster. Infection of a server machine shouldn't happen in the first place, but that's another story.


----------



## siriusb (Aug 18, 2005)

Here's another one from a friend of mine: research.microsoft.com/rootkit/


----------



## anomit (Aug 19, 2005)

digen said:

> Usually, and especially in a corporate environment, from what I heard the best practice if it's a "server" machine that is compromised is to format it and install a clean copy with all the patches and necessary updates.



I too had learnt that the best way to get rid of rootkits is to make a backup and then do a clean reinstall of the OS. But I was confused at the way some others have posted about rootkit removal software. I thought maybe new techniques have been developed.

And about Phrack, they had given this indication almost a year ago. Just when I had started to learn. 
WHY DOES THIS HAPPEN TO ME???!!!

I have to make do with the archive issues.


----------



## anandk (Nov 13, 2005)

"Recently, Sony was discovered to have been installing software on people's computers without the user knowing it.  When a user inserted a Sony CD into their computer CD-ROM drive, a "root kit" was installed that enabled the music giant to install "copy protection" without the user knowing. Some spyware developers and trojan horse virus makers have already begun to make use of Sony's root kit to hide their presence on the user's machine".

Check out
news.com.com/FAQ+Sonys+rootkit+CDs/2100-1029_3-5946760.html?tag=nefd.top

Incidentally, Webroot Spy Sweeper 4.5 has added the 'rootkit' detection option to its arsenal. It's cool, eh!?
www.webroot.com


----------



## swatkat (Nov 13, 2005)

The latest version of Webroot Spy Sweeper is also able to detect the spyware which "hide" themselves using rootkit technology.


----------



## AcceleratorX (Nov 14, 2005)

Norton AntiVirus, Kaspersky Anti-Virus and NOD32 also detect rootkits.....


----------



## anandk (Nov 15, 2005)

now even Microsoft has decided to "root" out Sony spyware 

..."Sony has come under heavy fire for using so-called "rootkit" 
cloaking techniques, normally associated with hackers..." 

*www.infoworld.com/article/05/11/14...d.com/article/05/11/14/HNmicrosoftsony_1.html


----------



## anandk (Aug 18, 2006)

"Symantec has released details of a new rootkit labeled Rustock.A that uses a cunning combination of techniques to evade detection by current rootkit detectors.  First, Rustock.A has no process. The malicious code runs inside the driver and in kernel threads." Second, "Rustock.A uses NTFS Alternate Data Stream to hide its driver into the \System32:18467" ADS. In addition, this ADS can't be enumerated by ADS-aware tools since it is protected by the rootkit.

The news is not all bad; F-Secure has already updated their BlackLight rootkit detector to pick up Rustock.A. The cat and mouse game continues..."
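As a defender's check related to the ADS hiding technique quoted above (an added example, not code from the thread, Symantec or F-Secure), the following PowerShell lists every non-default alternate data stream attached to the System32 directory and the files in it. The post notes the rootkit blocks ADS enumeration while it is loaded, so this is meant to be run against the disk from a clean boot; `$Root` is an assumption and should point at the mounted volume being examined.

```powershell
# Added example: enumerate NTFS alternate data streams under System32 and flag
# anything that is not the default ':$DATA' stream. Run from a clean boot with
# the suspect disk mounted, since a loaded rootkit can hide its own ADS.
# $Root is an assumption; adjust it to the volume under examination.
$Root = "$env:SystemRoot\System32"

# The directory entry itself is included because the stream named in the post
# (\System32:18467) is attached to the System32 directory, not to a file in it.
$targets = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue)

$findings = foreach ($item in $targets) {
    # '-Stream *' returns every named stream; the unnamed default is ':$DATA'.
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}

if ($findings) {
    # Benign streams such as Zone.Identifier (browser downloads) also appear here;
    # review anything unexpected, especially numeric stream names on system
    # directories like the one quoted in the post.
    $findings | Sort-Object File, Stream | Format-Table -AutoSize
} else {
    "No non-default alternate data streams found under $Root"
}
```

To inspect a flagged stream's contents without executing anything, `Get-Content -LiteralPath $path -Stream $name -Encoding Byte` reads its raw bytes.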


----------



## anandk (Aug 24, 2006)

Here is a nice new anti-rootkit freeware tool from Sophos.
Click www.sophos.com/products/free-tools/sophos-anti-rootkit.html for download and info.


----------



## anandk (Aug 27, 2006)

Also just released: AVG Anti-Rootkit, which can even remove Trojans and rootkits that are hiding inside NTFS Alternate Data Streams.
www.majorgeeks.com/AVG_Anti-Rootkit_d5249.html


----------



## shaunak (Sep 2, 2006)

The Sysinternals link is not working.


----------



## anandk (Sep 3, 2006)

shaunak said:

> The Sysinternals link is not working.

www.sysinternals.com/Utilities/RootkitRevealer.html works.


----------



## swatkat (Oct 9, 2006)

Nice info here:
Rooting Out the Dangers: Rootkit Removal for Beginners.


----------



## anandk (Oct 12, 2006)

Nice link, thanks!

Guys, for more about rootkits, swatrant.blogspot.com/ is worth a visit!


----------

