are powerful system-monitoring programs that are almost impossible to detect. Rootkits are not an infection in and of themselves. They are used by backdoor Trojans
, and IRCBots
to conceal their presence. Thus a rootkit's purpose is to hide itself
from view in order to prevent detection of an attacker's software and make removal more difficult. Rootkits are especially dangerous
because they compromise system integrity
by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used be Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult.
There are no guarantees or shortcuts
when it comes to malware removal, especially when dealing with rootkits that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee
that all traces of it will be removed as they may not find all the remnants.
There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Keep in mind that not all hidden components detected
by anti-rootkit (ARK) scanners and security tools are malicious
. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators
sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.
API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found
. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.
To learn more about Rootkits
, please refer to:
To learn more about the TDSS rootkit
, please refer to:
These are .pdf documents with more comprehensive information.
Edited by quietman7, 24 May 2011 - 01:19 PM.