Question about trojans and rootkits and removal software


14 replies to this topic

#1 Allybee

Posted 21 February 2014 - 11:05 AM

Hi, I was just wondering about the differences between trojans and rootkits and have a lot of questions.

I understand that trojans can give access to your PC to a hacker, but why are rootkits considered more dangerous?

I was also wondering... if your PC was to become infected by a trojan or a rootkit, can they all be removed or are there any that can't be?

What is it that they attack on your PC?

I always thought they attacked the OS and wondered why you can't just repair the OS to get rid of them rather than use removal tools.

Also, what are some good programs to detect these types of malware, and what security software should be installed on a PC?

And what are the ways in which you are susceptible to these types of malware? I can only think of file-sharing P2P or opening a spam e-mail, but are there other ways?

Any info is appreciated, thanks.





#2 smccain

Posted 21 February 2014 - 01:00 PM

 

> Hi, I was just wondering about the differences between trojans and rootkits and have a lot of questions.
>
> I understand that trojans can give access to your PC to a hacker, but why are rootkits considered more dangerous?
>
> I was also wondering... if your PC was to become infected by a trojan or a rootkit, can they all be removed or are there any that can't be?
>
> What is it that they attack on your PC?

Allybee, that's a big set of questions.

I have some experience in this area, but I'm not an expert such as you would surely find with the moderators and techno-magicians on this forum.

That said, here's a response to your inquiry, with an invitation for anyone interested to chime in and correct me where appropriate:

A trojan is a type of malware that -- when executed -- allows the bad guys to do certain things or to access certain things on a computer. But in essence, it's really just another program running alongside other programs on a computer. It's bad, because it's doing things other than what the user wanted it to do and because bad people will use this kind of access to attack other computers, steal your files or information and/or ... to install a rootkit.

A rootkit implies that the bad guys have gained root- or Administrator-level privileges on your computer. With that level of access, they're able to create/install new programs on your computer without you or your anti-virus software noticing. Also with such access, the option is theirs to modify your kernel, install virtual machine(s) and/or infect your computer's firmware. Once somebody with some expertise has gained such unfettered access to the very core of your computer, it's much more difficult to either (1) confirm that your machine has been made clean again or (2) feel comfortable with your computer moving forward.

All that said, I do believe that with proper guidance & action -- and, for me, bleepingcomputer is the best source on the planet for such guidance -- any trojan and most rootkits can be cleaned from a computer. It's always easier for someone like me to make such confident claims, because I can also disclaim honestly that I, personally, am not good enough to give such guidance.

 

 

 

> I always thought they attacked the OS and wondered why you can't just repair the OS to get rid of them rather than use removal tools.

The bottom line on a simple OS-level defense is that the OS runs on its kernel; and if the kernel is tainted, then it can make repairs very difficult ... like trying to look under a rug you're standing on. If by "repair the os", you mean to re-install the OS, then you've got a solution ... usually. If a rootkit has been used to infect the firmware/bios of a computer, then reinstalling Windows won't necessarily help in the long term.

 

 

> Also, what are some good programs to detect these types of malware, and what security software should be installed on a PC?
>
> And what are the ways in which you are susceptible to these types of malware? I can only think of file-sharing P2P or opening a spam e-mail, but are there other ways?
>
> Any info is appreciated, thanks.

I'm not so sure about susceptibility and protection. I believe there's a direct correlation between how useful you want your computer to be and how susceptible your computer is to malware. To be absolutely sure you don't get any new malware infections on your computer, you would need to:
* Not plug in to the Internet
* Not install any programs

Assuming you wanted to actually *do* something with your computer, I would look around bleepingcomputer to weigh the costs/benefits of various security software & procedures ... and then read through the below link for some lists of things **NOT** to do:
http://www.bleepingcomputer.com/forums/t/69440/the-ten-most-dangerous-things-users-do-online/

And ... if you do find/suspect your computer to be infected, don't go crazy trying to fix things before consulting the experts* herein.

*Disclaimer: I am not an expert ... neither herein nor elsewhere. But I read a lot.
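smccain's point that a rootkit operates at a level where the anti-virus no longer sees what it installs is also the basis of the one check that does not trust a single answer: cross-view detection, which Sysinternals RootkitRevealer applies on Windows and unhide/rkhunter apply on Linux. The same inventory is taken through two independent paths, and anything present in only one of them is treated as suspect. The Python below is an added example, not code from this thread or from those tools; compare_views() is the generic logic, while the live snapshot assumes a Linux host with /proc (a Windows version would need a second, lower-level enumeration path, which this script does not attempt).

```python
"""Cross-view process check: added illustrative example, not a forum tool.

Two independent snapshots of the running PIDs are taken and compared.
A process-hiding rootkit tampers with the path it expects a scanner to
use; a cheaper, unrelated path will usually still see the process.
Assumes Linux with /proc for the live part; compare_views() is pure logic.
"""
import os
import sys


def compare_views(listed, probed):
    """Compare two PID collections.

    listed: PIDs a directory listing of /proc reported.
    probed: PIDs that answered a signal-0 probe.
    Returns the PIDs only the probe found (the rootkit signature) and the
    PIDs only the listing found (normally processes that exited between
    the two snapshots, i.e. benign churn)."""
    listed, probed = set(listed), set(probed)
    return {
        "hidden_from_listing": sorted(probed - listed),
        "exited_between_views": sorted(listed - probed),
    }


def listed_pids():
    """View 1: what readdir() on /proc shows, the path most scanners use."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid=None):
    """View 2: ask the kernel about every PID with kill(pid, 0).

    Signal 0 delivers nothing; the call only reports whether the PID
    exists.  EPERM (PermissionError) means it exists but belongs to
    another user, so it still counts as alive."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def suspicious_pids(rounds=3):
    """Take both views several times and keep only the PIDs the probe finds
    and the listing misses on every round; a process that merely started
    between two snapshots shows up in the next listing and drops out."""
    hidden = None
    for _ in range(rounds):
        found = set(compare_views(listed_pids(), probed_pids())["hidden_from_listing"])
        hidden = found if hidden is None else hidden & found
    return sorted(hidden)


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("live snapshot needs Linux /proc; compare_views() itself is portable")
    hidden = suspicious_pids()
    if hidden:
        print("PIDs alive but absent from the /proc listing:", hidden)
    else:
        print("no hidden processes found (which does not prove there are none)")
```

A kernel rootkit that hooks both the /proc directory listing and the kill syscall defeats this particular pair of views; the technique works only as long as one of the paths is one the attacker did not think to hook, which is why real scanners combine several. An empty result therefore means "nothing found", not "clean".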



#3 Allybee (Topic Starter)

Posted 21 February 2014 - 01:28 PM

Thanks for the informative reply and apologies for all those questions :)

I didn't realise that rootkits could infect the BIOS etc. I guess that's why they are more dangerous than trojans.

I was wondering if rootkits can go unnoticed in malware removal, as they surely must be able to hide themselves from AV scans and rootkit scans etc.?

And if you have a rootkit in your BIOS or firmware, is it still possible to detect and remove it with software?



#4 quietman7 (Global Moderator)

Posted 21 February 2014 - 01:30 PM

The difference is not as black and white as you may think. There can be similar behavior and characteristics, so sometimes the line for a definition is blurred.

For a detailed explanation of Trojans and rootkits and what they can do, please read this Glossary of Malware Related Terms. It also defines other types of malware and what damage they can do.

Attackers can use a variety of methods to compromise a computer, including exploiting outdated popular software such as Adobe (Acrobat Reader, Flash Player, Shockwave Player), Java, Windows Media Player and web browsers. Infections are spread by malware writers and attackers exploiting unpatched security holes or vulnerabilities in older versions. Software applications are a favored target of malware writers, who continue to exploit coding and design vulnerabilities with increasing aggressiveness.

For more information on this and the other attack vectors you noted and didn't note, please read How Malware Spreads - How did I get infected.

Most Trojans and rootkits can be removed. However, there are no guarantees or shortcuts when it comes to malware removal. The severity of infection will vary from system to system, some causing more damage than others. The longer malware remains on a computer, the more opportunity it has to download additional malicious files and/or install malicious browser extensions, which can worsen the infection, so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes. Depending on the infection you are dealing with, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous and security tools may not find all the remnants.

When dealing with Remote Access Trojans (RATs), there is a greater chance the computer has been compromised, and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

In some cases, such as with a polymorphic file infector, the infection may have caused so much damage that the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

In fact, many experts in the security community believe that once a computer has been compromised or infected with a file infector, the best course of action is to wipe the drive clean, reformat and reinstall the OS.

> If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall... dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall... After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.
>
> Where to draw the line? When to recommend a format and reinstall?

> Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system... There are only a few ways to return a compromised system to a confident security configuration. These include:
> Reimaging the system
> Restoring the entire system using a full system backup from before the backdoor infection
> Reformatting and reinstalling the system
>
> Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet, has to say: Help: I Got Hacked. Now What Do I Do?

> The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

As for protection, be sure to read Best Practices for Safe Computing - Prevention of Malware Infection. Scroll through the entire topic, as it covers choosing an anti-virus program, anti-malware tools, firewalls and much more.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 quietman7

Posted 21 February 2014 - 01:36 PM

> ...And if you have a rootkit in your BIOS or firmware, is it still possible to detect and remove it with software?

BIOS viruses are very rare. However, researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of common systems so that it could survive a reformat and reinfect a clean disk. This type of malware exists in the wild and is not generic... meaning it cannot modify all types of BIOS.

Fortunately, as the below articles note, it's highly unlikely you will encounter a BIOS-level scenario, as it is not practical for attackers to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social networking, where they can use sophisticated but less technical means than a BIOS virus. Most known BIOS viruses have been found primarily in older Windows operating system versions like Windows 9x/NT. These types of viruses erased the BIOS of flashable BIOSes, resulting in a machine that would not boot properly, and on certain chipsets the virus was reported to flash the BIOS.

#6 Allybee (Topic Starter)

Posted 21 February 2014 - 02:14 PM

Thank you Bleepin' Janitor,

Lots of great info there.

I used to always re-format when getting an infection, but it's very time consuming, and I have a bad habit of not backing up my data as I don't know how to.

I was wondering, if you have a RAT on your system and you backed up some files to put onto the re-formatted PC, could that backup re-infect the newly reformatted PC?

E.g. would you need to back up when you are sure your PC is malware free?



#7 quietman7

Posted 21 February 2014 - 02:29 PM

If you are considering reformatting and a clean install, or doing a factory restore with a Recovery Disk/Recovery Partition, due to malware infection, you can back up all your important documents, personal data files, photos, music and videos to a CD or DVD drive, not a flash drive or external hard drive, as they are more susceptible to malware infection.

The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), dynamic link libraries (*.dll), .ini, .bat, .com, .cmd, .msi, .pif, or script files (.php, .asp, .htm, .html, .xml), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, as shown in Figure 1, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable or there isn't one installed, another word of caution if you are considering backing up to an external USB hard drive as your only alternative: external drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

If your computer will not boot properly, please refer to:

Again, do not back up the following file extensions with your personal data files: .exe, .scr, .bat, .com, .cmd, .msi, .pif, .ini, .htm, .html, .hta, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.
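Applying the rules quietman7 gives above with a script rather than by eye, as an added example that is not code from the post or from this site: the extension list is the one in the post; the decoy-extension list and the check for Unicode bidirectional control characters (a trick that makes a name display with a different extension than the one Windows actually executes) are additions of mine. The script decides by name only, so the post's instruction to scan the copied data with an anti-virus before restoring it still applies.

```python
"""Name-based backup filter: added example, not code from the forum post.

Decides, from the file name alone, whether a file may be carried off an
infected machine.  RISKY_EXTENSIONS is the list quietman7 gives; the
decoy list and the bidi-control check are assumptions added here to
catch names that display with a different extension than the real one.
"""
import os
import re
import shutil

# Extensions the post says not to back up from an infected machine.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".ini", ".bat", ".com", ".cmd", ".msi", ".pif",
    ".php", ".asp", ".htm", ".html", ".hta", ".xml",
    ".zip", ".rar", ".cab",
}

# Extensions a casual reader trusts; only used to name the double-extension
# trick ("holiday.jpg.exe").  Assumed list, extend as needed.
DECOY_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
    ".xls", ".xlsx", ".txt", ".mp3", ".avi",
}

# A bidirectional override makes "invoice\u202Ecod.exe" render as
# "invoiceexe.doc" while the real extension stays .exe.
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069]")


def classify(filename):
    """Return (ok_to_copy, reason) for one file name (not a path)."""
    if BIDI_CONTROLS.search(filename):
        return False, "bidi control character disguises the real extension"
    stem, ext = os.path.splitext(filename.lower())
    stem = stem.rstrip()  # "holiday.jpg      .exe": padding spaces hide .exe
    if ext in RISKY_EXTENSIONS:
        _, inner = os.path.splitext(stem)
        if inner in DECOY_EXTENSIONS:
            return False, f"double extension: looks like {inner} but is {ext}"
        return False, f"{ext} is on the do-not-back-up list"
    return True, "ok"


def plan_backup(filenames):
    """Split names into (keep, skip); each skip entry carries its reason."""
    keep, skip = [], []
    for name in filenames:
        ok, reason = classify(name)
        if ok:
            keep.append(name)
        else:
            skip.append((name, reason))
    return keep, skip


def copy_personal_data(src_dir, dst_dir):
    """Walk src_dir and copy only the files classify() accepts into dst_dir,
    keeping the relative layout.  Returns (copied, skipped) relative paths.
    The copied data must still be scanned with an up-to-date anti-virus
    before it is restored; this filter only drops the obvious carriers."""
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src_dir):
        rel = os.path.relpath(root, src_dir)
        rel = "" if rel == "." else rel
        for name in files:
            ok, reason = classify(name)
            rel_path = os.path.join(rel, name)
            if not ok:
                skipped.append((rel_path, reason))
                continue
            os.makedirs(os.path.join(dst_dir, rel), exist_ok=True)
            shutil.copy2(os.path.join(root, name), os.path.join(dst_dir, rel_path))
            copied.append(rel_path)
    return copied, skipped
```

Run it as `copy_personal_data(r"C:\Users\me\Documents", r"D:\rescue")` and review the skipped list: a document folder full of "double extension" entries is itself a sign of what was running on the machine.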

#8 Allybee (Topic Starter)

Posted 21 February 2014 - 02:52 PM

Thank you.

I'm going to back up all my music before I forget.



#9 quietman7

Posted 21 February 2014 - 03:21 PM

You're welcome.

#10 Scoop8

Posted 22 February 2014 - 10:55 AM

Allybee

Thanks for starting the thread, very interesting discussion.

I'm no expert, so I'll add my disclaimer in addition to smccain's :)

Having a routine backup strategy is, in my opinion, the best way to maintain that "peace of mind" factor with your PC, since there's no AV / anti-malware product that can provide 24/7 guaranteed protection against all malicious threats that are constantly being introduced into the cyberworld on a daily basis.

I rely on my AV & anti-malware tools to alert me if something's wrong, as well as looking at CPU usage and processes in Task Manager.

If you have a proven recovery methodology that is maintained on a regular basis, you'll be able to recover from virtually any malicious intrusion into your PC.

As quietman7 provided in his posts and links, fortunately, the BIOS and firmware infection scenarios are rare. That being the case, the HDD is where I focus my backup routines.

I clone my HDD every couple of weeks in addition to having a few full-HDD images that are stored on an external HDD. My storage HDD remains disconnected from my PC except when processing an image.

I read some info about BIOS malware a while back, and with quietman7's help with his info at this site, that helped ease my concerns about the topic. I've only read 1 or 2 posts on the 'net, so far, where someone had confirmed a case of their BIOS being compromised. The repair scenarios are interesting, so I looked into the topic for a while. My MoBo's BIOS chip is socketed (easily replaceable), so in the event of a rare BIOS hit I can obtain a BIOS chip replacement at an inexpensive price that comes pre-flashed with my Asus MoBo's BIOS code.

Since the BIOS chip loads the configuration information from the on-board CMOS RAM chip on the MoBo, any malicious code that resided in the CMOS can be erased with the removal of the CMOS battery on the MoBo, due to the CMOS device being a "volatile" memory component (memory is lost when power is removed).

I have a backup BIOS .ROM file stored on a disconnected flash drive in the event it's needed to restore the BIOS code.

> In some cases, such as with a polymorphic file infector, the infection may have caused so much damage that the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

↑ As quietman7 mentioned, that's the sure way to ensure complete* removal of malicious intrusions from your HDD.

I delete the partitions before re-cloning or restoring a full-HDD image to an affected HDD. I've recovered twice from malicious infections over the last 3 years using this method.

I prefer the partition-removal method since, in rare instances, a format and OS reinstall may not remove a malicious item. Another member posted their experience about such an apparent incident in the "Cryptolocker" thread in this forum. The member's post caught my attention since they had reformatted, then re-installed the OS, and the next day the Cryptolocker "ransom" screen appeared on his PC again. The member then deleted the partitions on the infected HDD, reinstalled the OS, and all was OK.

* There are rare cases where a forensic disk-wipe may be required, but I think those situations are very rare, as I've not seen many incidents mentioned around the 'net where a partition-delete and restore method or OS re-install didn't accomplish successful removal results.

The reason that in rare cases it may be required is that some HDDs have hidden areas that contain data, such as the HPA, or "Host Protected Area", of the HDD. That area is usually located at the end of the HDD, after the user partitions.

Some disk-wipe tools, such as the popular "DBAN" freeware tool, don't access the HPA. There are other tools that can access that area by unhiding the HPA.

I've read conflicting information on whether malicious code can even access the HPA. According to an article I read about it, it's not possible to access Protected Service Areas, such as the HPA, without a BEER (Boot Engineering Extension Record).

In any case, as quietman7 mentioned, it's not practical for malicious code writers to use elaborate methods such as would be required to access such areas of the HDD.

Edited by Scoop8, 22 February 2014 - 11:33 AM.


#11 Allybee (Topic Starter)

Posted 22 February 2014 - 11:18 AM

I was very glad to hear that BIOS infections are rare, as that could end up making you distrust your own computer.

It is bad enough that hackers use Remote Access Trojans to get into your PC and steal private data such as bank details.

Cybertheft is on the increase and I don't think it is taken seriously enough.

The rare BIOS rootkits are probably the malware of the future.

I enjoyed reading your post and will start backing up on a regular basis in future, and will hopefully remain malware free.



#12 Scoop8

Posted 22 February 2014 - 11:42 AM

↑ You're welcome :)

I didn't mention the other backup routine that I use:

- For my "must-have" items, those items that are frequently edited or that change daily, such as my Outlook *.pst data file and a few Excel files, I run twice-daily automated backups for those items.

Those backups are vulnerable (with a "Cryptolocker" intrusion or similar file-encryption malware) since the backup drive has to be continuously connected for an unattended backup routine, but I also back up those items daily using a script file to a flash drive that is connected only during my "copy" script file launch.

This way, in the event of a malware intrusion, HDD failure, or user error (myself, editing the Registry, etc.), I can recover my PC in minutes by installing the cloned HDD and then retrieving those few items from my flash drive.
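Scoop8's second routine, a copy of a few must-have files to a drive that is attached only during the copy, protects against file-encrypting malware only if you can tell, before restoring, whether the copy itself is still intact and whether the source files were already encrypted when they were copied. The Python below is an added example and not Scoop8's script: it writes a SHA-256 manifest next to each copy, refuses to overwrite the previous copy when every file from the last run has changed or vanished (the pattern a mass-encryption produces between two runs), and can check a drive against its manifest before a restore. The manifest file name and the abort rule are my assumptions; the file names and contents in the test are constructed.

```python
"""Backup copy with a hash manifest: added example, not the poster's script.

Assumptions: the manifest sits on the same drive as the copies (so it
catches corruption and encryption, not an attacker who rewrites both),
and "every previous file changed or missing" is treated as a reason to
stop rather than overwrite the last good copy.
"""
import hashlib
import json
import os
import shutil

MANIFEST_NAME = "manifest.json"  # assumed name, written beside the copies


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Streamed SHA-256 so a large .pst does not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def diff_manifests(previous, current):
    """Compare two {name: digest} maps and report changed/missing/new names.

    File-encrypting malware shows up as nearly every name in 'changed'
    (or in 'missing' plus 'new' when it renames what it encrypts)."""
    prev_names, cur_names = set(previous), set(current)
    return {
        "changed": sorted(n for n in prev_names & cur_names
                          if previous[n] != current[n]),
        "missing": sorted(prev_names - cur_names),
        "new": sorted(cur_names - prev_names),
    }


def all_previous_files_changed(previous, report):
    """True when every file from the last run is now changed or missing."""
    if not previous:
        return False
    return len(report["changed"]) + len(report["missing"]) == len(previous)


def read_manifest(dest_dir):
    path = os.path.join(dest_dir, MANIFEST_NAME)
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def verify_copy(dest_dir):
    """Run before restoring: hash what is on the drive and compare it with
    the manifest written alongside it.  Empty lists mean the copy is intact."""
    recorded = read_manifest(dest_dir)
    on_disk = {}
    for name in recorded:
        path = os.path.join(dest_dir, name)
        if os.path.exists(path):
            on_disk[name] = sha256_file(path)
    return diff_manifests(recorded, on_disk)


def copy_with_manifest(sources, dest_dir, force=False):
    """Copy each source file into dest_dir and write a fresh manifest.

    Returns the diff against the previous run.  Raises instead of copying
    when every previously backed-up file changed or disappeared, unless
    force=True (for the day you really did edit all of them)."""
    os.makedirs(dest_dir, exist_ok=True)
    previous = read_manifest(dest_dir)
    current = {os.path.basename(src): sha256_file(src) for src in sources}
    report = diff_manifests(previous, current)
    if all_previous_files_changed(previous, report) and not force:
        raise RuntimeError(
            "every file from the last run changed or vanished; "
            "refusing to overwrite the last good copy: %r" % report)
    for src in sources:
        shutil.copy2(src, os.path.join(dest_dir, os.path.basename(src)))
    with open(os.path.join(dest_dir, MANIFEST_NAME), "w") as fh:
        json.dump(current, fh, indent=2, sort_keys=True)
    return report
```

Typical use is `copy_with_manifest([r"C:\Users\me\Outlook.pst", r"C:\Users\me\budget.xlsx"], r"E:\daily")` from the launcher script while the flash drive is attached, and `verify_copy(r"E:\daily")` on the rebuilt machine before anything is restored.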



#13 quietman7

Posted 22 February 2014 - 02:59 PM

> Having a routine backup strategy is, in my opinion, the best way to maintain that "peace of mind" factor with your PC, since there's no AV / anti-malware product that can provide 24/7 guaranteed protection against all malicious threats that are constantly being introduced into the cyberworld on a daily basis.

Yes and I can't emphasize that enough. Best Practice...backup....backup...backup.

Too many folks still fail to do that.

#14 StevenGerrard

Posted 24 February 2014 - 02:07 PM

Trojans are malicious programs whose actions are not authorised on the user's computer, like deleting data, blocking data, modifying data, copying data, and disrupting the performance of computers or computer networks, and a rootkit is also a malicious program which attacks administration programs.


#15 quietman7

Posted 24 February 2014 - 04:58 PM

Welcome to Bleeping Computer.

As a new member, be sure to read the New User Orientation section with various "How to" topics and the Welcome to Bleeping Computer! Guide.

When replying to topics, please read all comments previously posted before you submit your reply. The OP's question has already been answered by another member and with a link to a detailed glossary with definitions of all types of malware.

Best regards
The BC Staff