BleepingComputer.com: Rootkit, Keylogger, & Backdoor Detection & Removal


Rootkit, Keylogger, & Backdoor Detection & Removal Pretty Much Impossible For Joe Average

#1 hijakd


Posted 30 December 2008 - 08:56 PM

I've just finished my 3rd re-reading of "Rootkits, Spyware/Adware, Keyloggers, and Backdoors", by Oleg Zaytsev. Unless you possess a degree in some area of computer science, or you're a genius, you will probably find the book pretty much impenetrable, as I did. I am not a genius, but I'm not depriving some village, somewhere, of their idiot, either. After reading the book for the 3rd time, I have a few comments, and have come to a few conclusions:

* The Russians are pretty smart, and surprisingly prolific in the number of publications out there regarding "malware" topics.

* You may think you have your system "locked down", or you are smart enough to lock it down, but don't kid yourself; an intelligent, cunning, and resourceful hacker WILL hack you, once they've decided to put you on their "owned" list.

* The really good hackers, including those who work for government agencies, will hack you in the twinkling of an eye. A fairly long period of time will have elapsed before you discover that you've been had, if you ever do.

* Unless, as I said earlier, you possess a degree in some area of computer science, good luck detecting, let alone removing, some of the more malicious malware lurking about out there. Although I only dimly understood some of the examples Zaytsev included in his book, it was all I needed to know that most detection & removal applications are, at best, limited in their usefulness, and, at worst, useless.

* Hackers, being on the offensive, are naturally going to stay one step ahead of us.

* Unless someone devises the hack-proof OS, we will always be playing catch-up.

* About the only bright spot I see, is the new generation of applications that protect your system by using "virtualization" technology. Instead of using definition updates, or heuristic engines (and there ARE some good heuristic engines that do manage to catch a lot), these newer applications protect at the application level. Used properly, write requests never make it to your OS and/or registry. But, there's probably someone, somewhere out there, who is developing code that will crack even this technology.

* So don't be surprised the next time you're mucking about in your system, open a file, and are horrified to find function intercept code (ZwSetValueKey, ZwDeleteValueKey, ZwOpenProcess, etc.) from some Kernel-Mode Rootkit. Short of reformatting your drive, and doing a full-blown OS reinstall, maybe more than once, or, in a worst-case scenario, buying a new hard drive, good luck getting rid of this type of Rootkit, as it "knows" you're looking for it, and modifies registry keys faster than you can fix or delete them.

Zaytsev happens to mention Autoruns in his book. While he was quick to praise its merits, he didn't pull any punches regarding its drawbacks, either. To name a few:

* lack of protection against the most common, and simplest, rootkits
* inability to detect automatic startup malware programs that create autostart registry keys during shutdown; said keys are deleted after the startup of a malicious program when the system is booting
* lack of modification protection; malware programs can forcibly terminate the Autoruns.exe process, or modify its functionality in memory

Zaytsev's book has led me to formulate hijakd's 1st Law: THERE IS NO SUCH THING AS "ANONYMOUS" SURFING
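The second Autoruns drawback listed above (autostart keys that exist only between shutdown and the next boot) is one a defender can at least make visible by taking snapshots of the autostart locations at shutdown and again at logon, then diffing them. The script below is an added example written for this page; it is not from the thread, from Zaytsev's book, or from Autoruns. The snapshot directory, the short list of registry locations, and the "logon"/"shutdown" labels are assumptions made for the example.

```powershell
# Added example: snapshot the common autostart registry locations and diff two
# snapshots. Intended to run as a shutdown script and again as a logon script,
# so an entry that is present at shutdown but gone after boot shows up as REMOVED.
# $SnapshotDir and the $AutostartKeys list are assumptions for this example.

$SnapshotDir = Join-Path $env:ProgramData 'AutostartSnapshots'   # assumed location
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-AutostartEntries {
    # Emit one "Key|Name=Value" line per registry value so that two snapshots
    # can be compared line by line with Compare-Object.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds its own PSPath/PSParentPath/... properties; skip them.
            if ($p.Name -like 'PS*') { continue }
            "$key|$($p.Name)=$($p.Value)"
        }
    }
}

function Save-AutostartSnapshot {
    # Write a sorted snapshot to a timestamped file and return its path.
    param([Parameter(Mandatory)][string]$Label)   # e.g. 'shutdown' or 'logon'
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $SnapshotDir "$Label-$stamp.txt"
    @(Get-AutostartEntries) | Sort-Object | Set-Content -Path $file
    $file
}

function Compare-AutostartSnapshots {
    # Report lines present in only one of the two snapshot files.
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $diff = Compare-Object -ReferenceObject @(Get-Content -Path $Before) `
                           -DifferenceObject @(Get-Content -Path $After)
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        "$tag $($d.InputObject)"
    }
}

# Usage (assumed deployment via a Group Policy shutdown script and a logon script):
#   Shutdown script:  Save-AutostartSnapshot -Label shutdown
#   Logon script:
#     $new  = Save-AutostartSnapshot -Label logon
#     $prev = Get-ChildItem -Path $SnapshotDir -Filter 'shutdown-*.txt' |
#             Sort-Object LastWriteTime | Select-Object -Last 1
#     Compare-AutostartSnapshots -Before $prev.FullName -After $new
```

The comparison only catches what a user-mode reader is allowed to see and only if the snapshot runs before the entry is cleaned up, which is exactly the limitation the post describes: a kernel-mode rootkit that intercepts the registry calls can hide the key from this script just as it hides it from Autoruns. Writing the snapshots to a location the suspect machine cannot alter (a network share, or a log forwarded to another host) keeps the record of what was there usable even if the local copy is tampered with.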

#2 karbo1


Posted 30 December 2008 - 10:44 PM

Well, unless you have sensitive material on your computer, which you shouldn't have (like bank account numbers, credit card numbers, important passwords,...) you don't have too much to worry about. Get the most effective antimalware software with excellent heuristic capabilities (NOD32) with a good firewall or router and you're decently protected.

Use common sense on the Internet:

- Stay away from porn sites or other questionable sites;

- Don't download files (P2P, torrents), it's illegal anyway;

- Don't open questionable emails from people you don't know or their attachments, especially .exe files;

- Don't be a victim of "phishing". Never give personal information to a bank requesting it by email, because legitimate institutions will never proceed that way;

- Disable AutoComplete from your Web browser (with this function, passwords are stored on your computer and can be easily obtained with backdoor trojans);

- And so on...

If you want a certain level of acceptable anonymity but don't mind a slower connection, use anonymous proxies to surf the web.

#3 raw


Posted 01 January 2009 - 12:22 AM

Quote

About the only bright spot I see, is the new generation of applications that protect your system by using "virtualization" technology.

Malware of old has evolved. The programmers are getting better. Crapware that actually checks for a "virtual" environment...you bet.

DesktopSmiley Toolbar

Quote

“A non-virtualized hardware system is required”, of course anybody technical gets how lame this lie is
why would an IE toolbar “require” a “non-virtualized hardware”, why would it even bother to check if it’s running
under a virtualized environment unless it has some illegal actions to hide?!

This particular app also steals ssh credentials from PuTTY, an ssh client for Windows.

Quote

Don't download files (P2P, torrents), it's illegal anyway

Downloading copyrighted material is illegal. P2P itself is not.

#4 karbo1


Posted 01 January 2009 - 03:20 PM

Quote

Downloading copyrighted material is illegal. P2P itself is not.

Yeah, but who uses P2P for legal purposes... :thumbsup:


#5 raw


Posted 01 January 2009 - 06:58 PM

I do...
Linux distros, legal MP3s, my own software. :thumbsup: