Posted 30 December 2008 - 08:56 PM
I've just finished my 3rd re-reading of "Rootkits, Spyware/Adware, Keyloggers, and Backdoors", by Oleg Zaytsev. Unless you possess a degree in some area of computer science, or you're a genius, you will probably find the book pretty much impenetrable, as I did. I am not a genius, but I'm not depriving some village, somewhere, of their idiot, either. After reading the book for the 3rd time, I have a few comments, and have come to a few conclusions:
* The Russians are pretty smart, and surprisingly prolific in the number of publications out there regarding "malware" topics.
* You may think you have your system "locked down", or you are smart enough to lock it down, but don't kid yourself; an intelligent, cunning, and resourceful hacker WILL hack you, once they've decided to put you on their "owned" list.
* The really good hackers, including those who work for government agencies, will hack you in the twinkling of an eye. A fairly long period of time will have elapsed before you discover that you've been had, if you ever do.
* Unless, as I said earlier, you possess a degree in some area of computer science, good luck detecting, let alone removing, some of the more malicious malware lurking about out there. Although I only dimly understood some of the examples Zaytsev included in his book, it was all I needed to know that most detection & removal applications are, at best, limited in their usefulness, and, at worst, useless.
* Hackers, being on the offensive, are naturally going to stay one step ahead of us.
* Unless someone devises the hack-proof OS, we will always be playing catch-up.
* About the only bright spot I see, is the new generation of applications that protect your system by using "virtualization" technology. Instead of using definition updates, or heuristic engines (and there ARE some good heuristic engines that do manage to catch a lot), these newer applications protect at the application level. Used properly, write requests never make it to your OS and/or registry. But, there's probably someone, somewhere out there, who is developing code that will crack even this technology.
* So don't be surprised the next time you're mucking about in your system, open a file, and are horrified to find function intercept code (ZwSetValueKey, ZwDeleteValueKey, ZwOpenProcess, etc.) from some Kernel-Mode Rootkit. Short of reformatting your drive and doing a full-blown OS reinstall, maybe more than once, or, in a worst-case scenario, buying a new hard drive, good luck getting rid of this type of Rootkit, as it "knows" you're looking for it, and modifies registry keys faster than you can fix or delete them.
Zaytsev happens to mention Autoruns in his book. While he was quick to praise its merits, he didn't pull any punches regarding its drawbacks, either. To name a few:
* lack of protection against the most common, and simplest rootkits
* inability to detect automatic startup malware programs that create autostart registry keys during shutdown: said keys are deleted after the startup of the malicious program when the system is booting
* lack of modification protection: malware programs can forcibly terminate the Autoruns.exe process, or modify its functionality in memory
Zaytsev's book has led me to formulate hijakd's 1st Law: THERE IS NO SUCH THING AS "ANONYMOUS" SURFING
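The second Autoruns drawback in the post (a Run value written at shutdown and deleted again once the malware has started at boot) is invisible to any point-in-time scan, but it is visible to something that records the writes. The script below is an added example, written for this page and not taken from the post, from Autoruns, or from Zaytsev's book. It assumes that a SACL has been set on the Run/RunOnce keys so that value changes are logged as Security event 4657 ("A registry value was modified"), that boots appear as event 4608 ("Windows is starting up"), and that the log has been exported to a simplified pipe-separated text form; the log lines themselves are constructed for the example, and the names `svchosts` and `Reader_sl` are invented. It replays the log to show what a snapshot tool would have seen at a given moment, and then flags any autostart value that was created in one boot session and deleted in a later one.

```python
"""Find autostart values that live only across a reboot.

Added example (not from the forum post, Autoruns, or Zaytsev's book).
Assumptions: registry auditing is enabled on the Run keys (event 4657),
boots are logged as event 4608, and the Security log has been exported to
a simplified "time|event id|operation|key|value name|process" text form.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "time event_id operation key value process")

# Autostart keys worth watching; HKLM and HKCU both end in one of these names.
RUN_KEY_RE = re.compile(r"\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE)

BOOT_EVENT = "4608"       # Windows is starting up
REG_VALUE_EVENT = "4657"  # A registry value was modified (needs a SACL on the key)

# Constructed sample log (not real events). The "svchosts" value is written
# just before shutdown and removed by the same binary right after the next boot.
SAMPLE_LOG = r"""
2008-12-30 08:00:01|4608|Windows is starting up|||
2008-12-30 08:05:10|4657|New registry value created|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Reader_sl|C:\Program Files\Adobe\setup.exe
2008-12-30 23:55:40|4657|New registry value created|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchosts|C:\WINDOWS\system32\svchosts.exe
2008-12-30 23:55:42|1100|The event logging service has shut down|||
2008-12-31 08:00:01|4608|Windows is starting up|||
2008-12-31 08:00:45|4657|Registry value deleted|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchosts|C:\WINDOWS\system32\svchosts.exe
2008-12-31 08:01:00|4657|Existing registry value modified|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Reader_sl|C:\Program Files\Adobe\setup.exe
"""


def parse_log(text):
    """Parse the simplified export into Records, oldest first."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split("|")
        if len(fields) != 6:
            continue  # skip malformed lines rather than abort the whole run
        records.append(Record(*fields))
    # ISO-style timestamps sort correctly as strings.
    return sorted(records, key=lambda r: r.time)


def _is_run_value_event(rec):
    return rec.event_id == REG_VALUE_EVENT and RUN_KEY_RE.search(rec.key) is not None


def autostart_values_at(records, at_time):
    """Value names present in Run keys at `at_time`.

    This is what a point-in-time scan such as Autoruns would list if it were
    run at that moment; names are lower-cased because the registry is
    case-insensitive.
    """
    present = set()
    for rec in records:
        if rec.time > at_time:
            break
        if not _is_run_value_event(rec):
            continue
        ident = (rec.key.lower(), rec.value.lower())
        if rec.operation.lower().startswith("registry value deleted"):
            present.discard(ident)
        else:  # created or modified: the value exists afterwards
            present.add(ident)
    return {value for _, value in present}


def find_transient_autostarts(records):
    """Flag Run values created in one boot session and deleted in a later one.

    A legitimate installer leaves its entry in place; an entry whose whole
    lifetime spans exactly one reboot is the shutdown-write / startup-delete
    trick and would be missed by any snapshot taken while the system is up.
    """
    boot = 0          # boot session counter, incremented on each 4608
    created = {}      # (key, value) -> (boot session, creating Record)
    findings = []
    for rec in records:
        if rec.event_id == BOOT_EVENT:
            boot += 1
            continue
        if not _is_run_value_event(rec):
            continue
        ident = (rec.key.lower(), rec.value.lower())
        op = rec.operation.lower()
        if op.startswith("new registry value"):
            created[ident] = (boot, rec)
        elif op.startswith("registry value deleted"):
            origin = created.pop(ident, None)
            if origin is None:
                continue  # deletion of a value we never saw created; nothing to pair
            created_boot, created_rec = origin
            if created_boot < boot:
                findings.append({
                    "key": rec.key,
                    "value": created_rec.value,
                    "process": rec.process,
                    "created": created_rec.time,
                    "deleted": rec.time,
                })
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("seen by a scan at 2008-12-31 09:00:", autostart_values_at(recs, "2008-12-31 09:00:00"))
    for f in find_transient_autostarts(recs):
        print("transient autostart:", f["value"], "by", f["process"], f["created"], "->", f["deleted"])
```

Run against the constructed log, a scan at 09:00 on the 31st reports only `reader_sl`, while the replay pairs the 23:55 creation of `svchosts` with its deletion after the next 4608 and reports it. The check only works if auditing was turned on before the malware ran, and a kernel-mode rootkit of the kind described in the post can suppress or tamper with the log itself, so treat this as one more data point rather than proof of a clean machine.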