Re: New rootkit detection technology
Posted on March 10, 2005, 6:28 pm
Ian JP Kenefick wrote:
Typical AV industry: call something by a buzzword that gives no clue to
the uninitiated of how the threat actually works.
Could anyone explain how this type of infection works, and how it
differs from existing stealth viruses, trojans and so on?
Re: New rootkit detection technology
Wikipedia has a good entry for this...
Functions of a root kit
A root kit typically hides logins, processes, and logs and often
includes software to intercept data from terminals, network
connections, and the keyboard. In many sources root kits are counted
as trojan horses.
A rootkit may also include utilities to help the attacker subsequently
access the system more easily. For example, the rootkit may include an
application that spawns a shell when the attacker connects to a
particular network port on the system.
Types of root kits
Rootkits come in two different flavours, kernel and application level
kits. The idea of kernel level rootkits is to replace a portion of
kernel code with modified code that helps the intruder cover his
tracks. This is often accomplished by existing means of adding new
code to the kernel such as Loadable Kernel Modules in Linux. One
common tactic of kernel root kits is to replace system calls with
versions that hide information about the attacker. With Application
level rootkits regular application binaries are replaced with trojaned
Detecting root kits
There are several programs available to detect root kits. On Unix
based systems two of the most popular of these are chkrootkit and
rkhunter. On Windows based systems two rootkit detectors currently
available are rootkitrevealer
(http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml) from
Sysinternals and unhackme from Greatis software
(http://greatis.com/unhackme/). An additional powerful tool for
detecting Ring 0 (kernel level) rogue processes is taskinfo, the
mother of all process listing utilities at
... and now of course F-Secure's Blacklight.
Regards, |Windows XP Professional SP2
Ian Kenefick |NOD32 Antivirus system [resident]
http://www.ik-cs.com |AVP 3.5 - [On Demand]
no snake oil here! |Sygate Personal Firewall 5 professional
|Forte Agent 2
|Eudora 6.2 (Paid)
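An added example, not code from the post, from Wikipedia, or from any of the tools named above: a cross-view check for processes hidden by a hooked directory-listing call on Linux, comparing the /proc listing against a direct PID probe, which is the same compare-two-views idea the Windows detectors listed above rely on. It assumes a Linux host with /proc mounted; the helper and function names are my own.

```python
# Added example: cross-view hidden-process check for Linux (assumes /proc).
# A kernel rootkit that filters the /proc directory listing can hide a PID
# from ps and ls, but kill(pid, 0) consults the process table directly, so
# the two views disagree for a hidden process.
import os


def pids_from_listing(proc_root="/proc"):
    """PIDs as the /proc directory listing reports them (the hookable view)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_alive(pid):
    """Probe a PID without listing anything: signal 0 delivers nothing but
    reports whether the process exists (EPERM means it exists, other owner)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_from_probing(max_pid, alive=pid_alive):
    """Second view: try every PID in range with the probe function."""
    return {pid for pid in range(1, max_pid + 1) if alive(pid)}


def cross_view_diff(listed, probed):
    """PIDs that answer a probe but are absent from the listing. A process
    started between the two scans lands here as well, so rescan before
    treating a candidate as hidden."""
    return sorted(probed - listed)


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the probe loop; falls back when /proc is unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    listed = pids_from_listing()
    probed = pids_from_probing(read_pid_max())
    print("hidden-process candidates:", cross_view_diff(listed, probed) or "none")
```

Run it twice a few seconds apart; a PID that appears in both runs is worth investigating, a PID that appears once is most likely a short-lived process caught between the two scans.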