October 26th, 2005, 06:20 PM
#1
Registered User
RootKits
I have recently come across one of these and thought it might be of use to share some stuff I found.
I really don't know all that much about rootkits, but information can be found.
http://www.techsupportalert.com/issu....htm#Section_0
For a basic informational read go here
http://ct.cnet-ssa.com.com/clicks?c=...-ssa&ds=5&fs=0
That being said I have found several programs to assist with detection and removal
F-Secure has one called blacklight found here
http://www.f-secure.com/blacklight/
Another is Ewido which can be found here
http://www.ewido.net/en/download/
Sysinternals also has one which can be found here
http://www.sysinternals.com/Utilitie...tRevealer.html
Here is some advice from a user on the cnet forums
Thanks to him for posting this
A way of seeing them yourself in XP or 2k also has come up which is below
First, some minor elaboration: Most rootkits install themselves as a device which, itself, can be seen.
In a Command window (Start -> Run -> CMD<enter>), type
SET DEVMGR_SHOW_NONPRESENT_DEVICES=1<enter>, then
DEVMGMT.MSC<enter>
The device manager will appear; but, will also include every device ever installed on the system. Click VIEW -> Show Hidden Devices and you'll be set.
Most rootkits will be in the Non Plug and Play devices and COM3 or the IPX/SPX protocol are two I have found more than once.
What that device driver does is to mask a string by intercepting all API calls to the O/S, thereby hiding the process, registry entries, and files containing that string. The string itself is configured by the author so, for example, if the string is BIG_BAD_GUY, any entry containing that string will be hidden.
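As an added example (not from the original post or the quoted cnet user), the following PowerShell script does from a console what the Device Manager steps above do by hand: it lists the Non Plug and Play (legacy) driver devnodes including non-present ones, and for each one cross-checks the driver's Services key and whether its ImagePath file is visible on disk, which is the kind of mismatch a string-hiding driver produces. It assumes Windows 8/Server 2012 or later (for Get-PnpDevice) and an elevated prompt; the BIG_BAD_GUY string is only the constructed placeholder from the post.

```powershell
# Added example, not the poster's code. Assumes Get-PnpDevice (Windows 8+) and an elevated shell.
$suspectPattern = 'BIG_BAD_GUY'   # constructed placeholder; put the name or fragment you are hunting here

# Legacy (non-Plug and Play) drivers get devnodes of the form ROOT\LEGACY_<service>\0000.
# Without -PresentOnly the cmdlet also returns non-present devices, i.e. what
# DEVMGR_SHOW_NONPRESENT_DEVICES=1 plus "Show Hidden Devices" exposes in devmgmt.msc.
$legacy = Get-PnpDevice -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'ROOT\LEGACY_*' }

$report = foreach ($dev in $legacy) {
    # ROOT\LEGACY_AFD\0000 -> service name AFD, whose config lives under the Services key
    $service = ($dev.InstanceId -split '\\')[1] -replace '^LEGACY_', ''
    $svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
    $imagePath = $null
    $fileFound = $null

    if (Test-Path -Path $svcKey) {
        $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath) {
            # ImagePath may be \??\C:\..., \SystemRoot\system32\..., or relative to the system root
            $resolved = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($resolved -notmatch '^[A-Za-z]:\\') { $resolved = Join-Path $env:SystemRoot $resolved }
            # A registered driver whose file the normal file API cannot see is the symptom the post describes
            $fileFound = Test-Path -LiteralPath $resolved
        }
    }

    [pscustomobject]@{
        Name        = $dev.FriendlyName
        Service     = $service
        Present     = $dev.Present
        Status      = $dev.Status
        HasSvcKey   = (Test-Path -Path $svcKey)   # devnode with no Services key: worth a closer look
        ImagePath   = $imagePath
        FileOnDisk  = $fileFound                  # $false with a non-empty ImagePath: hidden or deleted file
        NameMatch   = ($dev.FriendlyName -match $suspectPattern) -or ($service -match $suspectPattern)
    }
}

# Put the odd entries first: non-present devnodes, then registered drivers whose file is not visible
$report | Sort-Object Present, FileOnDisk | Format-Table -AutoSize
```

Treat a FileOnDisk of $false or a NameMatch of $true as a lead to confirm from a clean boot medium, not as proof on its own, since stale entries from uninstalled software look the same from inside the running system.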