Sunday Feature: Windows Security Checklist - Part 31: Rootkit Revelations
CastleCops

by Larry Stevenson, aka Prince_Serendip, CastleCops Staff Writer
November 13, 2005

No single application or technique can protect you 100%, but you can still get pretty close. Windows users who follow these guidelines may bring their chances of a malware infection almost to zero. Now we begin our next installment of the Windows Security Checklist - Part 31: Rootkit Revelations.

It is not as complicated as it may first appear, although there is a lot of information to absorb. The Security Experts, 1st Responders, Special Response Team members, Hosts and Moderator consultants at CastleCops can help you if you have questions about any of these techniques or featured applications.

Rootkit Revelations

Rootkits are not malware in themselves but programs that provide the means to hide other programs, including malware. They do this with stealth techniques that modify the Windows operating platform so that normal methods cannot detect what is hidden: Windows programs, most scanners and even HijackThis will see nothing.

Rootkits install themselves in the Root Drive of computers. The Root is a foundation for all operating system functions. It's the great connector between all programs and applications. On Windows platforms the Root is the "\" that follows "C:", thus "C:\". The "\" is the Root Drive. Rootkits are themselves a form of operating system, independent of Windows and other popular platforms, and hiding from them as well.

In the past, rootkits were used mostly by hackers hiding trojans and keyloggers on their victims' machines. More recently they are being used to spread viruses, spyware and worms. They are even being used by large corporations to enforce Digital Rights Management. In both cases, users are unwittingly installing these nefarious programs on their computers, and in greater numbers than ever before.

Detecting the presence of Rootkits and their payloads is a difficult task, even for the experts. Most anti-spyware and antivirus scanners are unable to find them, although a few have taken steps towards improving that. Both Symantec and Microsoft have removal tools for the Digital Rights Management Rootkit distributed by Sony Corporation on their music CDs.

"We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component," wrote Jason Garms, a spokesperson from Microsoft.

You can download the Malicious Software Removal tool at Microsoft's Update site or from Automatic Updates for Windows XP.

Symantec has a removal tool for this same Sony DRM Rootkit: SecurityRisk.First4DRM.

Just as these tools each target one specific Rootkit, you need special Rootkit detectors and removers for the rest. The easiest way to detect a Rootkit is to compare the file system of an infected machine with a saved copy of its clean file list, but in the real world that baseline rarely exists. Detecting Rootkits from within an infected system is difficult, but by employing different techniques and applications it can be done. You are strongly urged to obtain the guidance of a security expert before attempting to remove any Rootkit.

The first step is to discover the presence of a Rootkit with a Rootkit Detector (RKD). More than a dozen of these are available. Most are for Windows 2000 and later, but TrojanHunter will detect and remove Rootkits on all Windows platforms, including Windows 98.

Download and install the 30-day trial (Direct Download of TrojanHunter). TrojanHunter runs on Windows 95, 98, ME, NT, 2000 and XP.

With the trial version of TrojanHunter you need to update the rule files manually before you can start scanning (see Manually Updating TrojanHunter Rule Files).

Open the TrojanHunter scanner, click the Trojan icon on the left side, then search for "rootkit" to see the list of rootkits it detects and removes.

The following Rootkit Detectors are freeware, requiring Administrator rights to run:

F-Secure Blacklight (Beta): For Windows 2000 and up. F-Secure provides little information on how this program works. It detects hidden processes, files and folders but not hidden registry keys. F-Secure has promised to keep it freeware until January 2006, and it is updated monthly. The Blacklight engine has also been added to the F-Secure Internet Security 2006 suite. Blacklight is easy to use, requires no installation and scans quickly.

Sysinternals Rootkit Revealer runs on Windows NT 4 and up. It compares the user-mode view of the system with the kernel-mode view and reports any differences it finds in the Windows Registry and file system; a rootkit that hides an item from user-mode programs shows up as such a discrepancy. It requires no installation: double-click the .exe file and select File/Scan to begin a scan.
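The set comparison behind both detection approaches above (a saved clean file inventory diffed against a fresh one, and Rootkit Revealer's user-mode versus kernel-mode view), as an added Python example that is not code from the article or from Sysinternals; `inventory()` is a plain directory walk standing in for either view, and the sample paths and digests in `API_VIEW` and `RAW_VIEW` are constructed.

```python
import hashlib
import os


def inventory(root):
    """Walk `root` and map each file path to its SHA-256 digest.

    Run on a known-clean machine to save the baseline, then again later to
    get the current view; compare_views() reports what changed between them.
    """
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    listing[path] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                listing[path] = "<unreadable>"  # still worth reporting
    return listing


def compare_views(reference, observed):
    """Set-compare two path -> digest maps.

    Baseline check: reference is the clean inventory, observed the fresh one.
    Cross-view check: reference is the high-level (API) listing, observed the
    low-level (raw disk) listing; "only_in_observed" is then what the API
    layer no longer shows, the classic rootkit symptom.
    """
    ref_paths, obs_paths = set(reference), set(observed)
    return {
        "only_in_observed": sorted(obs_paths - ref_paths),
        "only_in_reference": sorted(ref_paths - obs_paths),
        "changed": sorted(p for p in ref_paths & obs_paths
                          if reference[p] != observed[p]),
    }


# Constructed sample views; paths and digests are placeholders, not real data.
API_VIEW = {r"C:\Windows\system32\kernel32.dll": "aa11",
            r"C:\Windows\system32\drivers\disk.sys": "bb22"}
RAW_VIEW = {r"C:\Windows\system32\kernel32.dll": "aa11",
            r"C:\Windows\system32\drivers\disk.sys": "cc33",    # contents differ
            r"C:\Windows\system32\drivers\hidden.sys": "dd44"}  # absent from API view


def cross_view_demo():
    """Run the cross-view comparison over the constructed sample views."""
    return compare_views(API_VIEW, RAW_VIEW)
```

On a real machine the same `compare_views()` call takes two `inventory()` results, one saved while the system was known clean.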

The program includes an option to scan NTFS alternate data streams for hidden code. This option is off by default since it can produce a lot of false positives. Experienced users may wish to experiment with it.

RootkitRevealer does not remove rootkits. Its authors suggest that users search Google for how to remove any detected malware, or re-format the drive and do a fresh install of Windows. We would suggest that you come to CastleCops instead. We can help you.

The usual practice is to first detect and identify the Rootkit, then attempt removal, but with some Rootkits removal can leave Windows unusable. With those you can only be certain by doing a full re-format followed by a fresh install. Where the Rootkit can be safely removed, you then need to clean up all the malware the Rootkit had been hiding.

The CastleCops Malware Removal and Prevention procedure is ideal for this task. It is a new system devised by the CastleCops team of professionals to enable users to partially or fully clean their systems without the direct aid of an expert. If you still need help, there are further steps they can guide you through to get you cleaned up.

Best regards and always take care of your security.

Posted on Monday, 14 November 2005 @ 00:45:20 UTC by Robin (11103 reads)
Re: Windows Security Checklist - Part 31: Rootkit Revelations
by negster22 on Monday, 14 November 2005 @ 01:57:18 UTC (http://www.secure-computer-solutions.com)
Nice article!

It seems as if it might be helpful, for diagnostic purposes, to do a series of baseline scans with the rootkit detection programs now available and save those logs. Then one could compare any future scan results to those obtained in the baseline logs, to see if any differences were evident. Just a thought, since RK detection programs detect more than just 'harmful' files.

Just thought I'd mention (for those that always have an internet connection) that it is best to disable internet connections through Control Panel->Network Connections, or disconnect the cable, before scanning so security programs cannot auto-update during a scan. By the same token, it is best to leave your PC completely alone during the scan since system changes can produce entries in the scan results.




Re: Windows Security Checklist - Part 31: Rootkit Revelations
by wng_z3r0 on Monday, 14 November 2005 @ 02:10:19 UTC (http://spyware-free.us)
Hmm... looks like it didn't go through the first time...
> Rootkits install themselves in the Root Drive of computers. The Root is a foundation for all operating system functions. It's the great connector between all programs and applications. On Windows platforms the Root is the "\" that follows "C:", thus "C:\". The "\" is the Root Drive. Rootkits are themselves a form of operating system, independent of Windows and other popular platforms, also hiding from them.

The term rootkit derived from *nix days when you could get 'root' permissions, which is the master account of those systems. If you got control of the root account, you controlled the computer. Also, rootkits are not an operating system. They are programs, and because they are programs, they are most decidedly operating system specific. I think you should add something as to HOW rootkits work. It doesn't have to be technical or anything, but it would do something to take the mystical quality out of rootkits. They are not some mysterious code that can randomly hide things. Some basic explanation of the Windows API and how rootkits can affect that would do wonders. (Yes, I know there are many other types of rootkits out there, but that is one of the most prevalent types out there for Windows computers today.)
wng



Re: Windows Security Checklist - Part 31: Rootkit Revelations
by getsteppin on Monday, 14 November 2005 @ 07:24:49 UTC
GET Benign (.b9) and Mailwasher Pro from www.firetrust.com. I've been running both for almost 3 years and HAVE NEVER BEEN INFECTED BY ANY EMAIL....matter of fact I've not had this PC go wacky with the NIVIDA D (?) virus in '03-04.
> I WATCHED MAIL WASHER PRO CATCH THEM AND SHOW THEM AS A VIRUS.........WITH NO UPDATES OR SUBSCRIPTION. AND REPORTS THEM TO 2 DIFFERENT GLOBAL SPAM DATA BASES.
> .b9 has cleaned, screened and cavity searched EVERY piece of email which has come through this PC, it is coupled to MAILWASHER PRO and the 2 of them have never had to be upgraded to encoding the known and hated 'subscriptions'.
> ALL my mail including SPAM is readable on the MailWasher server/stash of programming all unknown and known is therefore dumped REPORTED TO global anti spam data bases instead of just deleting.... AND IS THEREFORE MADE benign.
I would call that about as close to ZERO as you or I could get.
> Thanks for listening and check out the guys at Firetrust and tell 'Hamish', getsteppin sent you. IF you are READY to feel more comfortable with email, check em' out.
> By the way SBC and its sbcglobal.net PRO, hi-DSL uses ZAPro...version whatever the version #, is used ...and ONLY FOR OUT BOUND EMAIL. I have a router for the inbound..........IT'S CALLED THE LAYER EFFECT!
> And the layer effect is IN these days, because it works so well.
> getsteppin
