Rootkits - Have You Been Rooted?

Post by Foggyone » Mon Apr 16, 2007 4:37 am

You may have heard the term in conjunction with some of the smarter viruses etc.

What is a Rootkit?

The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits

A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits

Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

More at http://www.microsoft.com/technet/sysint ... ealer.mspx

Sony BMG's Rootkit.

This rootkit is installed, apparently with the user's consent (but who reads every word in EULAs, or understands what they do read?), as part of Sony BMG's Digital Rights Management. This is the one that brought this practice to light. Certain CDs had this, and it installed on your computer if an [infected] CD was played. This was designed to prevent a CD from being copied more than three times, and phoned home via the internet every time it was played! This rootkit was meant only to be used in the US, but research shows it has spread throughout the world. The problem with this rootkit is its masking behaviour. Anyone could use the file prefix $sys$ to hide anything (read: virus, malware).

You can check whether this rootkit is installed on your computer, and therefore whether you are at risk of the exploits that use this rootkit.

Do this.

* Create a small text file with notepad. Store it on your desktop with a name such as test
* Right-click and rename it $sys$test.txt (just add $sys$ to the front of the name).
* If it vanishes, you have this rootkit installed!
(I would be interested in anyone finding this installed. Please advise).

To uninstall go to cp.sonybmg.com/xcp/english/updates.html and download the uninstaller.

Other Rootkits

To check for other rootkits, use the Sysinternals tool that checks for this. See sysinternals.com/utilities/rootkitrevealer.html. Sysinternals is part of Microsoft. The download button is right at the bottom of the page.

If you find a rootkit then you will need to search the internet for removal tools. (Once again, I would be interested. PM me).

This is not meant to be a definitive work on rootkits, just enough to get you going.
Google, the answer to so many questions!
-----------------------------------------------------
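The two checks in the post above, scripted as an added example (this is not code from the original post, from Sysinternals or from Sony): `sys_prefix_test` automates the $sys$ rename test in a directory of your choosing, and `cross_view_diff` is the comparison a RootkitRevealer-style scanner makes between the directory listing the Windows API returns and a lower-level listing of the same location. Obtaining that low-level listing (RootkitRevealer parses NTFS structures and raw registry hives for it) is not reproduced here; the caller supplies both views, and the sample views at the bottom are constructed, not real scan output. The extra open-by-path observation in `sys_prefix_test` is this example's addition to the post's "does it vanish" criterion, to separate a cloaked file from a rename that simply failed.

```python
"""
Added example (not from the original post, Sysinternals or Sony):
  * sys_prefix_test(): the "$sys$" rename test for the Sony BMG XCP cloaking
    driver, run in a directory you choose instead of on the desktop.
  * cross_view_diff(): the comparison a RootkitRevealer-style scanner makes
    between the listing the Windows API returns and a lower-level listing.
    Producing the low-level listing is not reproduced; the caller supplies it.
"""
import os
import tempfile

SYS_PREFIX = "$sys$"


def sys_prefix_test(directory: str, name: str = "test.txt") -> dict:
    """Create a small file, rename it so its name starts with $sys$, and check
    whether it still appears in a directory listing. On a clean machine it
    does; the post reports that with the XCP driver loaded it vanishes."""
    plain = os.path.join(directory, name)
    cloaked_name = SYS_PREFIX + name
    cloaked = os.path.join(directory, cloaked_name)
    with open(plain, "w", encoding="ascii") as fh:
        fh.write("visibility probe\n")
    os.rename(plain, cloaked)
    try:
        listed = cloaked_name in os.listdir(directory)
        # Second observation (this example's assumption, not the post's test):
        # a cloaking filter removes the name from enumeration, but the file is
        # still on disk, so opening it by its full path tells "hidden" apart
        # from "the rename did not take" when the entry is not listed.
        try:
            with open(cloaked, "rb") as fh:
                openable = fh.read(10) == b"visibility"
        except OSError:
            openable = False
    finally:
        # Remove the probe whether or not it showed up in the listing.
        try:
            os.remove(cloaked)
        except OSError:
            pass
    if listed:
        verdict = "visible"
    elif openable:
        verdict = "vanished from listing but still opens by path"
    else:
        verdict = "vanished and not openable (rename may have failed)"
    return {"listed": listed, "openable": openable, "verdict": verdict}


def cross_view_diff(api_view, raw_view) -> dict:
    """Names present in the low-level view but missing from the API view are
    the cloaking candidates. Names are compared case-insensitively, as Windows
    file names are. Entries only in the API view are reported separately: on
    a live system they are usually files created between the two scans."""
    api = {n.casefold() for n in api_view}
    raw = {n.casefold() for n in raw_view}
    return {"hidden": sorted(raw - api), "api_only": sorted(api - raw)}


# Constructed sample views of one directory (not real scan output). The
# case differences are deliberate: they must not be reported as discrepancies.
API_VIEW = ["Notepad.exe", "readme.txt", "temp123.tmp"]
RAW_VIEW = ["notepad.exe", "README.TXT", "$sys$cloaked.sys"]


def demo():
    """Run the probe in a throw-away directory and diff the sample views."""
    with tempfile.TemporaryDirectory() as scratch:
        probe = sys_prefix_test(scratch)
    return probe, cross_view_diff(API_VIEW, RAW_VIEW)


if __name__ == "__main__":
    probe, diff = demo()
    print("$sys$ probe:", probe)
    print("cross-view:", diff)
```

Run it on the machine you are checking; on a clean system the probe reports "visible" and the only cross-view finding is the constructed `$sys$cloaked.sys` entry. A real scanner feeds `cross_view_diff` a raw listing it obtained itself, and the same set difference applies to registry keys and process lists.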

The Fallout

Post by Foggyone » Thu Jul 12, 2007 6:24 pm

The posting above mentions the Sony rootkit.

This story this morning is a followup about who is blaming who for the fiasco.

It's never the fault of the people who are at fault!

Post by digidog » Tue Apr 01, 2008 8:59 pm

Sony BMG - the people who brought you the insidious rootkit have been
pinging using pirated software.

arstechnica story...

link change

Post by angry » Thu Dec 24, 2009 4:10 pm

http://technet.microsoft.com/en-gb/sysi ... 97445.aspx

seems to be the new home for the rootkit deal

Re: Rootkits - Have You Been Rooted?

Post by Foggyone » Tue Nov 02, 2010 12:01 am

Sony BMG rootkit scandal: 5 years later.

And here is a story about Microsoft's fight with a mutating rootkit. (Click to forgo the flash ad!!)

This is the most interesting part of the article:
Almost two-thirds (65%) of the PCs infected with Alureon this month were running Windows XP Service Pack 3 (SP3), with the No. 2 spot taken by Windows XP SP2 (14%). Only 3.5% of the rootkit-infected PCs were running Windows 7, said Microsoft.
I thought W 7 was the greatest, most secure windows ever. Looks like we wait on for a secure Windows!

Re: Rootkits - Have You Been Rooted?

Post by dobby » Thu Nov 04, 2010 8:31 am

Foggyone wrote: Looks like we wait on for a secure Windows!
That's an oxymoron. :-P
Idealism increases in direct proportion to your distance from the problem.
