Do you have an example where there is no signs of infection?
An older example would be NAVIPROMO
(EGDACCESS Dialer)...there were no signs of infection in normal mode but specialized tools run in safe mode to create logs would show certain entries trained experts can recognize. The TDSS rootkit infects a driver and specialized tools used by experts can reveal it's presence. More sophisticated rootkits don't always show obvious signs.
So nothing related to the exclusion zone?
Not sure what you mean. Are you referring to security zones in Internet Explorer
? If so, some infections will change those settings.
So , malware=rootkits,viruses,trojans,etc..
is a general term and broad category. It often refers to unsolicited commercial software
, hostile or intrusive software like Rogue security programs
which downloads itself onto your system. Once install, the malware performs certain behaviors and hidden activities such as advertising, collecting personal information, or changing the configuration of your computer without your knowledge of permission
. Some will force pop-up adds, redirect your browser's home page or search page, or add additional components to your browser you don't need or want. Some will track your Web movements, collect demographic, personal and usage information from your computer and report back to their creators with the data. Others will offer free enhancements to your operating system or browser such as extra toolbars, special buttons, enhanced search capabilities and make it very difficult to change your settings back to the way you originally had them. Rootkits
are powerful stealth system-monitoring programs that are almost impossible to detect. Rootkits are not a malware infection in and of themselves but are used by backdoor Trojans
to conceal their presence
in order to prevent detection of the attacker's software and make removal more difficult. Rootkits can effectively hide its presence by intercepting and modifying low-level application programming interface (API) functions and can hide the presence of processes, folders, files and registry keys.
Not all rootkits are malicious. Legitimate programs can use rootkits for legitimate reasons so it's presence is not always indicative of a malware infection. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators
sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.
When used for malicious reasons, a rootkit takes active measures to obscure its presence (hide itself from view
) within the host system through subversion or evasion of standard operating system security tools and APIs
used for diagnosis, scanning, and monitoring. Rootkits are able to do this by modifying the behavior of an operating system's core parts through loading code into other processes, the installation or modification of drivers, or kernel modules. Rootkits hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Some algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of detecting the presence of the rootkits hooks. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Most rootkits are classified as malware, because the payloads they are bundled with are malicious
API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Anti-rootkit (ARK) scanners do not differentiate between what is good and what is bad...they only report what is found
. Therefore, even on a clean system some hidden components may be detected when performing a scan to check for the presence of rootkits and you should not be alarmed if any hidden entries created by legitimate programs are detected. In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.
Rootkits can be especially dangerous
because they compromise system integrity
by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bepasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and other machines on the network. Rootkits can result in browser search redirects to malicious web pages, the downloading of additional malware, and the ability to receive commands from attackers. Some rootkits can disable anti-virus and security tools in order to prevent detection and even thwart attempts to terminate them.