Sunday, November 20, 2005

Rootkits

Published: October 6, 2005
By Mike Danseglio and Tony Bailey




A rootkit is a special type of malware (malicious software). Rootkits are special because you don't know what they're doing. Rootkits are nearly undetectable and they're almost impossible to remove. Although detection tools are proliferating, malware developers are constantly finding new ways to cover their tracks.

A rootkit's purpose is to hide itself and other software from view. This is done to prevent a user from identifying and potentially removing an attacker's software. A rootkit can hide almost any software, including file servers, keyloggers, botnets, and remailers. Many rootkits can even hide large collections of files and thus enable an attacker to store many files on your computer invisibly.

Rootkits do not infect computers by themselves like viruses or worms do. Instead, an attacker identifies an existing vulnerability in a target system. Vulnerabilities may include an open network port, an unpatched system, or a system with a weak administrator password. After gaining access to a vulnerable system, the attacker can install a rootkit manually. This type of stealthy directed attack does not usually trigger automated network security controls such as intrusion detection systems.

Identifying rootkits can be difficult. There are several software packages that detect rootkits. These software packages fall into two categories: signature-based and behavior-based detectors. Signature-based detectors, such as most virus scanners, look for specific binary files that are known to be rootkits. Behavior-based detectors attempt to identify rootkits by looking for hidden elements, which is the primary behavior of rootkits. One popular behavior-based rootkit detector is Rootkit Revealer.
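The "looking for hidden elements" that the column attributes to behavior-based detectors is a cross-view comparison: the same information is gathered through a high-level path and a low-level path, and anything present in the low-level view but missing from the high-level one is reported. The following is an added example, not code from the column, from Rootkit Revealer or from the blog's author, and it applies the idea to Linux process IDs rather than to the Windows file system and registry that the column has in mind. The two views it assumes are the numeric entries of /proc (what an ordinary tool sees) and a direct kill(pid, 0) probe of every PID (what the kernel admits exists); the 65536 scan ceiling and the thread handling are choices of this example.

```python
"""Cross-view detection of hidden processes on Linux (added example).

Behaviour-based detectors do not match known-bad files; they obtain the
same list two different ways and report the discrepancies.  Here:
  * the API view is the set of numeric directory names in /proc
  * the probe view is every PID that kill(pid, 0) reports as existing
A process hidden from /proc by a rootkit shows up only in the probe view.
The second /proc snapshot and the thread check remove the two common
false positives: processes that start during the scan, and thread IDs,
which kill() accepts but /proc does not list.
"""
import os


def cross_view_diff(api_view, probe_view):
    """Identifiers present in the low-level probe view but absent from the
    high-level API view.  This set difference is the core of any
    cross-view detector; the functions below supply the two views."""
    return set(probe_view) - set(api_view)


def proc_api_view():
    """High-level view: PIDs as listed by reading the /proc directory."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(max_pid):
    """Low-level view: ask the kernel about each PID up to max_pid.
    kill(pid, 0) delivers no signal; it only reports whether the PID
    exists.  ProcessLookupError means no such process; PermissionError
    means it exists but belongs to another user, which still counts."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def pid_max(cap=65536):
    """Kernel PID ceiling, capped (assumed value) so the scan stays quick.
    Raise the cap on systems whose pid_max is larger and time allows."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return min(int(f.read().strip()), cap)
    except OSError:
        return cap


def thread_group_of(pid):
    """Tgid recorded in /proc/<pid>/status, or None if it cannot be read.
    /proc lists only thread-group leaders, but kill() also accepts thread
    IDs, so a multithreaded process would otherwise look like a crowd of
    hidden PIDs."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden_pids():
    """Snapshot /proc before and after probing so that processes which
    start or exit mid-scan are not reported, then drop threads whose
    owning process is visible.  Whatever remains is a genuine discrepancy
    worth investigating."""
    before = proc_api_view()
    probed = probe_view(pid_max())
    after = proc_api_view()
    visible = before | after
    hidden = set()
    for pid in cross_view_diff(visible, probed):
        tgid = thread_group_of(pid)
        if tgid is not None and tgid != pid and tgid in visible:
            continue  # a thread of a visible process, not a hidden one
        hidden.add(pid)
    return hidden


def self_check():
    """Sanity check of the two views on this very process: it must be
    listed in /proc and be its own thread-group leader."""
    me = os.getpid()
    return (me in proc_api_view(), thread_group_of(me) == me)


if __name__ == "__main__":
    hidden = find_hidden_pids()
    if hidden:
        print("PIDs visible to kill() but absent from /proc:", sorted(hidden))
    else:
        print("No discrepancy between /proc and direct PID probing.")
```

A hit from this check is a lead, not a verdict: /proc mounted with hidepid deliberately filters the listing, and a PID that appears and vanishes within the scan can still slip through the double snapshot, so confirm a discrepancy before acting on it. The same principle carries over to the file system and registry views that Rootkit Revealer compares on Windows.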

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

Preventing rootkits from getting onto your system is the best strategy you can use. This is done with the same defense-in-depth strategy that you should use to prevent all malware from attacking your computer. Elements of defense-in-depth include virus scanners, regular software updates, a firewall on the host and the network, and a strong password strategy.

For more information on rootkits, see the excellent webcast Rootkits in Windows.

In addition, the Microsoft Solutions for Security and Compliance (MSSC) team has produced the Antivirus Defense-in-Depth Guide, which provides an easy-to-understand overview of different types of malware, including information about the risks they pose. The guide also discusses malware characteristics, means of replication, and payloads.

You can also find other MSSC guidance on the TechNet Web site.


I figured I'd throw this out there for anyone who has malware problems. There are hidden things in your OS and you need to watch them as carefully as possible. I've been trying to figure out how this spycrap is getting on my computer and I think I've found out how it's getting through my defenses. This is actually the first time I've heard about rootkits, so I'm learning about them.

I ran this program called Rootkit Revealer and it picked up a few renegade directories that I had no clue were even there. Right now, I'm trying to figure out what C:\Program Files\Sienkind is since that is a dir that showed up on my scan. If any other techies know anything about this dir, please let me know. I Googled it and came up with nothing, so I'm kind of stuck at the moment.

I then downloaded WinPatrol and found a few iffy programs running, so I decided I'd remove them. So far the pop-ups have diminished to nothing, so I think I'm making progress in my conquest of taking my computer back from the crapware that has invaded my PC.

Sorry about the "geeky" post. I'm a geek and I like trying to figure this stuff out. I made a post about this since I know a lot of people have problems with spyware, adware, etc., and maybe someone could benefit from this.

Other than that, nothing new is going on here. Everyone who has seen me wearing Hollister clothes has given me compliments on my new look. You can actually see that I have an ass now. I guess I like the new look, but change is never easy :p.

Ohh, and in case you haven't noticed, I added a bunch of new links on the right-hand side. If you're bored and want to read something new, go ahead and check them out. The dictionary is kinda fun to read every once in a while too (Yes, I've been that bored).
