David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Fri Feb 09, 2007 12:02 pm Post subject: Confounded by Rootkits
Hi, I'm new to the forum and I was wondering if I could get a little bit of clarity about rootkits. The other day, I was scanning my computer with my antispyware/malware tools, and even though my computer wasn't showing any symptoms of being infected by a rootkit, I thought about using a rootkit scanner. Well, I downloaded and installed the Rootkit Hook Analyzer program (with the ugly "bat" icon) and quite a few hooked items (in red) showed up in my scan. Well, I couldn't make heads or tails of what the meaning was of these hooked items, therefore, I registered at the Antirootkit.com Forum:
http://www.antirootkit.com/forums/index.php
to try and get some help; however, you have to wait and get approval from the administrator to join the forum, and I never received an e-mail from them. But meanwhile, I had read how hackers can change and hide rootkits from scans, and several days later I scanned my computer again with the Rootkit Hook Analyzer program.... however, this time, only one item showed up as being hooked. Well, that kind of concerned me; however, I also scanned my computer with the F-Secure Blacklight program, and it reported that "No hidden items were found."
But anyway, if I'm not showing any symptoms of being infected and if the rootkit scans that I've performed didn't really show any infection, is it safe to say that I'm not infected by a rootkit.... or can one ever really know? Also, I read in a couple of places on the internet that the only 100% surefire way of getting rid of a rootkit is to erase your hard drive and reformat. .... Now am I just being very cautious, or am I actually being overly cautious?
P.S. I also wanted to mention that unfortunately, I really don't have the time or the inclination to read the ton of material that it seems like a person has to read in order to be able to understand rootkits. And even if a person did read all the material, I read that there wasn't really a 100% foolproof method of detecting and getting rid of rootkits....
Rooting Out the Dangers: Rootkit Removal for Beginners
Quote:
Removing rootkits can be very complicated, even for advanced users. Several versions exist and many have specific removal procedures. That is why we advise you to come to the Rootkit Revelations forum here, at CastleCops, if you suspect a rootkit has taken over your system or you would just like to see the latest news related to rootkits.
Below we have included a set of anti-rootkit tools. These tools are not fail-safe: a clean scan log with these tools doesn't guarantee your system is clean of rootkits, and if an item is detected it's not necessarily a rootkit. Thus, you can easily render your system useless if you fix a wrong item. That's why we ask you to come to the Rootkit Revelations Forum and ask for expert help.
Keep in mind that it is normal for a Firewall, some Anti-virus and Anti-malware software (i.e. ProcessGuard, Ewido), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS in order to protect your system, and you shouldn't be alarmed if you see any hidden entries created by the software programs described above.
PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Fri Feb 09, 2007 5:45 pm Post subject:
There are many things that can create false positives in rootkit analysis. Some of the most frequent are the ones listed above. Others will identify items in browser caches and other temporary files; or files temporarily protected by Windows while they are running, possibly invisibly in the background. It takes a lot of experience and training to learn what is a FP and what is not, as well as to identify and tell which programs create legitimate rootkit hooks required by the nature of the way they have to work (firewalls, for example).
_________________
Don't read? Can't learn!
David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Sun Feb 18, 2007 11:25 pm Post subject:
PCBruiser wrote:
It takes a lot of experience and training to learn what is a FP and what is not, as well as to identify and tell which programs create legitimate rootkit hooks required by the nature of the way they have to work (firewalls, for example).
PCBruiser, from your signature, I know that you are an advocate of reading and learning, but I just have a basic question or two for you. It's been a while since I posted in this thread, and from the time that has passed, would you say that if a person had some sort of rootkit infection, they would have noticed by now? Or can a rootkit infection be totally stealthy while the hacker or infector is doing what they want to do with the victim's computer?
PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Mon Feb 19, 2007 11:09 pm Post subject:
Good questions, and I'm sorry for the delay in responding - we were under attack and offline for a while. I guess we are doing something right.
Anyway, your questions. It really all depends on what the rootkit is intended to do. A rootkit is like other malware: some intentionally create problems on the subject system, some intentionally do not, and are more or less invisible to the owner. Examples of the latter would be systems that are zombied by the malware, and then used for DDoS attacks or spamming by the infection.
What makes malware a rootkit is the method it uses to infect the subject system, not what it does thereafter. Rootkits are usually harder to fix because the way they infect buries them deep into the operating system, although better tools to disinfect rootkits are becoming available every day, or so it seems.
So, the answer is it may create problems and be noticed, or equally well, it may not.
_________________
Don't read? Can't learn!
David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Thu Mar 01, 2007 6:41 am Post subject:
PCBruiser wrote:
Good questions, and I'm sorry for the delay in responding - we were under attack and offline for a while. I guess we are doing something right.
Anyway, your questions. It really all depends on what the rootkit is intended to do. A rootkit is like other malware: some intentionally create problems on the subject system, some intentionally do not, and are more or less invisible to the owner. Examples of the latter would be systems that are zombied by the malware, and then used for DDoS attacks or spamming by the infection.
Hey, I'm glad to see that you guys are back online. Also, PCBruiser, what do you mean by "systems that are zombied by the malware"? My initial conclusion would be that you meant that the zombied system would be disabled or in a deathlike state for the owner; however, you had used the example of a system zombied by malware as one that has been infected, but where the infection is "more or less invisible to the owner."
Ikeb
Special Response Team
Forums Admin
Joined: Apr 20, 2003 Posts: 16536
Posted: Thu Mar 01, 2007 3:16 pm Post subject:
In this context zombie means:
Quote:
n. - automaton, zombi, zombie -- (someone who acts or responds in a mechanical or apathetic way; "only an automaton wouldn't have noticed")
The whole idea is that the malware perp wants to subvert the computer for nefarious purposes. They want to keep that use hidden so that the owner doesn't notice and take corrective action. So using a rootkit to hide the actual trojan is a great solution from the perp's perspective. The term "zombie" has been used to describe the subverted state of such a compromised computer.
David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Mon Mar 12, 2007 5:05 am Post subject:
Thanks for the reply, Ikeb, and sorry for taking so long to get back to this thread. However, what can I do to test my computer to see whether or not something is deeply hidden in my computer? Also, since I last posted here, I was doing some web searching and ever since I clicked on this one site, my PC has been responding slightly slower. Actually, I have more of a concern about the recent "delaying" of my computer than I do about a rootkit infection. Although I still would like to know what to do to check for any type of deeply embedded rootkit infection.
wawadave
Special Response Team
Joined: Nov 22, 2002 Posts: 21503 Location: Installing Vista http://tinyurl.com/2l9qyd
David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Tue Apr 10, 2007 3:47 am Post subject: My Specs
wawadave wrote:
I would run through this to start with.
Malware Removal and Prevention
then see what the others recommend here also.
What are your system specs, and what AV, antimalware, anti-trojan apps are you using?
Sorry about taking so long to reply. I have still yet to run through the Malware Removal and Prevention; however, as far as my specs and things go:
I use the Windows XP OS.
Presently, I'm using a 90 day trial version of Windows Live OneCare which includes my Firewall, my Antivirus, and one of my Antispywares.
And my remaining AntiSpyware programs are:
SUPERAntiSpyware Free Edition
Ad-Aware SE Personal
SpywareBlaster
30 day free trial of Trend Micro Anti-Spyware
Also, I use:
CCleaner
Plus, I'll get back to this thread after I've run through the Malware Removal and Prevention.
P.S. By the way, does anyone know what this is:
http://img254.imageshack.us/img254/2203/dllerrorjy3.jpg
If your browser has "zoom" control, you will have to zoom in on this image. I couldn't get it any larger.
David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Tue Apr 10, 2007 4:17 am Post subject: Re: My Specs
By the way, this DLL error message first showed up about a week ago after Windows downloaded automatic updates.
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394
Posted: Tue Apr 10, 2007 4:54 am Post subject:
That message relates to a conflict arising from the "animated cursor handling" patch that was released out of sequence on April 3rd. Some Realtek HD Audio Control Panel users are reporting that user32.dll memory error. It's possible other applications may trigger it, as well. If you are experiencing this problem, Microsoft recommends that you install this Hotfix to correct it.
http://www.microsoft.com/downloads/details.aspx?familyid=74AD4188-3131-429C-8FCB-F7B3B0FD3D86&displaylang=en
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Wed Apr 11, 2007 12:57 am Post subject:
Thanks much, Negster22. That Hotfix did the job. Also, does anyone know anything about Windows Live OneCare? The reason why I ask is because I believe that Windows Live OneCare has caused my system to drag slightly because it appears that it is a resource hog. By the way, I finally ran through the Malware Removal and Prevention and everything checked out okay.
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394
David37
Trooper
Joined: Feb 09, 2007 Posts: 23
Posted: Wed Apr 11, 2007 3:24 am Post subject:
Thanks again, Negster22. Also, in the users' comments, I noticed that one person did say that, "You may find that the speed of opening files or web pages is decreased after installing the software." I have found that to be the case with my computer.
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394
Posted: Wed Apr 11, 2007 4:29 am Post subject:
Yes, I saw that too, but other users - especially those that are running Vista - liked how it integrated very easily with that OS. Since you're running XP, that isn't an important consideration for you.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008