comp/net virus protection

mbpark · 02-04-2009, 07:56 PM

TW,

A rootkit is a type of virus/malware that uses "cloaking" techniques to hide itself from the OS and end user. If you've read what I've mentioned, the Windows API makes it really easy to create one.

And, yes I have seen them. Rootkits are the reason why I scan machines with a bootable CD that has the latest virus definitions and tools I can use to determine what loads when a machine boots up. The only effective way to get rid of a rootkit is to scan the machine with a known good alternate OS, not the OS itself. When you have a rootkit, the only way to be sure is to use an alternate OS.

Anti-rootkit technology is nothing more than AV technology that scans for the API hooks that rootkits use to cloak themselves. It's effective a good portion of the time, but I've seen rootkits get past the Sysinternals tool (Rootkit Revealer).

UNIX, Linux, and Windows have this issue, as does any other OS that runs on a Von Neumann architecture where the OS and program data are loaded into the same memory banks and intermingle.

The best way to rid yourself of a rootkit is the same on UNIX, Linux, Windows, or any other OS. Boot into an alternate OS and scan that way, because you cannot be sure that the OS that has been compromised has any integrity.

02-04-2009, 07:56 PM	#11
mbpark Lecturer Join Date: Jan 2001 Location: Carmel, Indiana Posts: 761	TW, A rootkit is a type of virus/malware that uses "cloaking" techniques to hide itself from the OS and end user. If you've read what I've mentioned, the Windows API makes it really easy to create one. And, yes I have seen them. Rootkits are the reason why I scan machines with a bootable CD that has the latest virus definitions and tools I can use to determine what loads when a machine boots up. The only effective way to get rid of a rootkit is to scan the machine with a known good alternate OS, not the OS itself. When you have a rootkit, the only way to be sure is to use an alternate OS. Anti-rootkit technology is nothing more than AV technology that scans for the API hooks that rootkits use to cloak themselves. It's effective a good portion of the time, but I've seen rootkits get past the Sysinternals tool (Rootkit Revealer). UNIX, Linux, and Windows have this issue, as does any other OS that runs on a Von Neumann architecture where the OS and program data are loaded into the same memory banks and intermingle. The best way to rid yourself of a rootkit is the same on UNIX, Linux, Windows, or any other OS. Boot into an alternate OS and scan that way, because you cannot be sure that the OS that has been compromised has any integrity.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)