Re: New rootkit detection technology



Ian JP Kenefick wrote:

Typical AV industry: call something by a buzzword that gives no clue to
the uninitiated of how the threat actually works.

Could anyone explain how this type of infection works, and how it
differs from existing stealth viruses, trojans and so on?
Julian Moss
Tech-Pro Limited

Re: New rootkit detection technology



Wikipedia has a good entry for this...

Functions of a root kit

A root kit typically hides logins, processes, and logs and often
includes software to intercept data from terminals, network
connections, and the keyboard. In many sources root kits are counted
as trojan horses.

A rootkit may also include utilities to help the attacker subsequently
access the system more easily. For example, the rootkit may include an
application that spawns a shell when the attacker connects to a
particular network port on the system.

Types of root kits

Rootkits come in two different flavours, kernel and application level
kits. The idea of kernel level rootkits is to replace a portion of
kernel code with modified code that helps the intruder cover his
tracks. This is often accomplished by existing means of adding new
code to the kernel such as Loadable Kernel Modules in Linux. One
common tactic of kernel root kits is to replace system calls with
versions that hide information about the attacker. With Application
level rootkits regular application binaries are replaced with trojaned

Detecting root kits

There are several programs available to detect root kits. On Unix
based systems two of the most popular of these are chkrootkit and
rkhunter. On Windows based systems two rootkit detectors currently
available are RootkitRevealer from Sysinternals and UnHackMe from
Greatis Software. An additional powerful tool for
detecting Ring 0 (kernel level) rogue processes is taskinfo, the
mother of all process listing utilities at

... and now of course F-Secure's Blacklight.

Regards,        |Windows XP Professional SP2
Ian Kenefick        |NOD32 Antivirus system [resident] |AVP 3.5 - [On Demand]
no snake oil here!    |Sygate Personal Firewall 5 professional
            |Forte Agent 2
            |Eudora 6.2 (Paid)
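The post describes two rootkit classes (application-level kits that swap in trojaned binaries, and kernel-level kits that alter system calls so that processes are not listed) and names tools that detect them. The following script, added here as an illustration and not taken from the thread or from any of the tools it names, shows the two detection ideas behind those tools in minimal form: a hash baseline that catches replaced binaries, and a cross-view comparison that flags a process the `/proc` listing omits but a signal probe still finds. It assumes a Linux `/proc` filesystem for the live scan; the demo data (two fake "binaries" in a temporary directory, and the PID sets passed to the cross-view function) is constructed.

```python
"""Detection sketches for the two rootkit classes described above.
Added example (not from the original thread or any named tool).
Assumes Linux: the live process scan reads /proc and uses kill(pid, 0)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record trusted hashes; in practice this is taken from known-clean media."""
    return {str(p): sha256_file(p) for p in paths}


def check_binaries(baseline):
    """Application-level rootkits replace binaries with trojaned copies.
    Compare each file's current hash against the recorded baseline."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != expected:
            findings.append((path, "hash mismatch"))
    return findings


def procfs_view():
    """High-level view: PIDs as reported by listing /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def signal_probe_view(max_pid):
    """Low-level view: ask the kernel about every PID with signal 0.
    ESRCH means no such process; EPERM means it exists but is not ours."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def cross_view_hidden(listing_before, probe, listing_after):
    """Cross-view comparison: a PID the probe finds but neither listing shows.
    Taking the listing before and after the probe avoids flagging a process
    that was merely started while the probe was running."""
    return sorted(p for p in probe if p not in listing_before and p not in listing_after)


def scan_live():
    """Run the cross-view check against the running system (Linux only)."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    before = procfs_view()
    probe = signal_probe_view(pid_max)
    after = procfs_view()
    return cross_view_hidden(before, probe, after)


def demo_integrity_check():
    """Constructed demonstration: baseline two fake binaries, then alter one."""
    d = Path(tempfile.mkdtemp())
    ls, ps = d / "ls", d / "ps"
    ls.write_bytes(b"original ls contents\n")
    ps.write_bytes(b"original ps contents\n")
    baseline = build_baseline([ls, ps])
    ps.write_bytes(b"replaced ps contents\n")  # simulated replacement after baselining
    return check_binaries(baseline)


if __name__ == "__main__":
    print("integrity findings:", demo_integrity_check())
    print("hidden PIDs (live):", scan_live())
```

Both checks are only as trustworthy as the vantage point they run from: a kernel-level kit that also hooks the `kill` path defeats the probe, which is why the post's recommendation to compare several tools, and ideally to inspect the disk from a clean boot, still stands.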
