Rootkit, Keylogger, & Backdoor Detection & Removal


4 replies to this topic

#1 hijakd


Posted 30 December 2008 - 08:56 PM

I've just finished my 3rd re-reading of "Rootkits, Spyware/Adware, Keyloggers, and Backdoors", by Oleg Zaytsev. Unless you possess a degree in some area of computer science, or you're a genius, you will probably find the book pretty much impenetrable, as I did. I am not a genius, but I'm not depriving some village, somewhere, of their idiot, either. After reading the book for the 3rd time, I have a few comments, and have come to a few conclusions:

* The Russians are pretty smart, and surprisingly prolific in the number of publications out there regarding "malware" topics.

* You may think you have your system "locked down", or you are smart enough to lock it down, but don't kid yourself; an intelligent, cunning, and resourceful hacker WILL hack you, once they've decided to put you on their "owned" list.

* The really good hackers, including those who work for government agencies, will hack you in the twinkling of an eye. A fairly long period of time will have elapsed before you discover that you've been had, if you ever do.

* Unless, as I said earlier, you possess a degree in some area of computer science, good luck detecting, let alone removing, some of the more malicious malware lurking about out there. Although I only dimly understood some of the examples Zaytsev included in his book, it was all I needed to know that most detection & removal applications are, at best, limited in their usefulness, and, at worst, useless.

* Hackers, being on the offensive, are naturally going to stay one step ahead of us.

* Unless someone devises the hack-proof OS, we will always be playing catch-up.

* About the only bright spot I see, is the new generation of applications that protect your system by using "virtualization" technology. Instead of using definition updates, or heuristic engines (and there ARE some good heuristic engines that do manage to catch a lot), these newer applications protect at the application level. Used properly, write requests never make it to your OS and/or registry. But, there's probably someone, somewhere out there, who is developing code that will crack even this technology.

* So don't be surprised the next time you're mucking about in your system, open a file, and are horrified to find function intercept code (ZwSetValueKey, ZwDeleteValueKey, ZwOpenProcess, etc.) from some Kernel-Mode Rootkit. Short of reformatting your drive, and doing a full-blown OS reinstall, maybe more than once, or, in a worst-case scenario, buying a new hard drive, good luck getting rid of this type of Rootkit, as it "knows" you're looking for it, and modifies registry keys faster than you can fix or delete them.

Zaytsev happens to mention Autoruns in his book. While he was quick to praise its merits, he didn't pull any punches regarding its drawbacks, either. To name a few:

* lack of protection against the most common, and simplest, rootkits
* inability to detect automatic startup malware programs that create autostart registry keys during shutdown; said keys are deleted after the startup of a malicious program when the system is booting
* lack of modification protection; malware programs can forcibly terminate the Autoruns.exe process, or modify its functionality in memory

Zaytsev's book has led me to formulate hijakd's 1st Law: THERE IS NO SUCH THING AS "ANONYMOUS" SURFING


#2 karbo1


Posted 30 December 2008 - 10:44 PM

Well, unless you have sensitive material on your computer, which you shouldn't have (like bank account numbers, credit card numbers, important passwords,...) you don't have too much to worry about. Get the most effective antimalware software with excellent heuristic capabilities (NOD32) with a good firewall or router and you're decently protected.

Use common sense on the Internet:

- Stay away from porn sites or other questionable sites;

- Don't download files (P2P, torrents), it's illegal anyway;

- Don't open questionable emails from people you don't know or their attachments, especially .exe files;

- Don't be a victim of "phishing". Never give personal information to a bank requesting it by email, because legitimate institutions will never proceed that way;

- Disable AutoComplete from your Web browser (with this function, passwords are stored on your computer and can be easily obtained with backdoor trojans);

- And so on...

If you want a certain level of acceptable anonymity but don't mind a slower connection, use anonymous proxies to surf the web.
Please post back if we found the solution

#3 raw


Posted 01 January 2009 - 12:22 AM

About the only bright spot I see, is the new generation of applications that protect your system by using "virtualization" technology.

Malware of old has evolved. The programmers are getting better. Crapware that actually checks for a "virtual" environment...you bet.

DesktopSmiley Toolbar

“A non-virtualized hardware system is required”, of course anybody technical gets how lame this lie is. Why would an IE toolbar “require” a “non-virtualized hardware”, why would it even bother to check if it’s running under a virtualized environment unless it has some illegal actions to hide?!

This particular app also steals SSH credentials from PuTTY, an SSH client for Windows.

Don't download files (P2P, torrents), it's illegal anyway

Downloading copyrighted material is illegal. P2P itself is not.

 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#4 karbo1


Posted 01 January 2009 - 03:20 PM

Downloading copyrighted material is illegal. P2P itself is not.

Yeah, but who uses P2P for legal purposes... :thumbsup:

Edited by karbo1, 01 January 2009 - 03:20 PM.


#5 raw


Posted 01 January 2009 - 06:58 PM

I do...
Linux distros, legal MP3s, my own software. :thumbsup:
