cancel
Showing results for 
Search instead for 
Did you mean: 

Rootkit hidden from the O/S attacks

N/A

Rootkit hidden from the O/S attacks

A. A rootkit is a term used to describe mechanisms that allow malware such as viruses and spyware to hide their existence from tools that are designed to eradicate them. Rootkits commonly open back doors to systems so that malicious intruders can access the system with administrative credentials or intruders use them on the machine to maintain their access. See http://www.rootkit.com/ for more information about rootkits.

There are various types of root kits. There are persistent rootkits, which place commands in the registry or file system so that the rootkit executes at each machine startup, or memory-resident rootkits, which don't survive a reboot. Rootkits can run in either the user-mode or kernel-mode space. Most rootkits run in the user-mode space but with administrative permissions. The user-mode rootkit conceals itself by intercepting calls to API's that might list processes or query the file system, then it filters the returned results to remove any entry that would identify the existence of the rootkit. These rootkits can hide from any user-mode tool but not from a tool running in kernel mode. Kernel-mode rootkits run as part of the OS, which is difficult and will often crash the entire OS and is typically how they're detected. When a machine starts crashing frequently, it often has some kind of kernel-mode rootkit running. There's a great utility, called RootkitRevealer, which you can download at http://www.sysinternals.com/utilities/rootkitrevealer.html . The tool scans a system and highlights any abnormalities that might indicate the presence of a rootkit.


This is the kit that Sony were using with its cd/dvds

Rootkits are not picked up by AV or spyware and cant even be seen via the O/S
1 REPLY
pjemmanuel
Grafter
Posts: 349
Registered: 05-04-2007

Rootkit hidden from the O/S attacks

There is a very good article on rootkits, the different types, and methods for finding them in the January edition of Personal Computer World magazine.
The article also highlights another method of hiding malware on NTFS partitions - made interesting reading

Phil