Author Topic: detecting rootkits  (Read 2187 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33667
  • malware fighter
detecting rootkits
« on: November 01, 2005, 04:18:26 PM »
Dear forum members,

Polonus found the following text.

"Most rootkits will be in the Non Plug and Play devices and COM3 or the IPX/SPX protocol are two I have found more than once.

What that device driver does is to mask a string by intercepting all API calls to the O/S, thereby hiding the process, registry entries, and files containing that string. The string itself is configured by the author so, for example, if the string is BIG_BAD_FELLOW, any entry containing that string will be hidden.

Clobber the rootkit device driver and BIG_BAD_FELLOW will magically appear.

What is needed now is a central resource for verifying
the devices used and that, as far as I have been able to discover, is not existing.

Will some service  step up to the plate and provide one?

One newer variant installs itself as a font rather than a device, because the rootkit had left an installation log".

Comment  to above text please,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!