Rootkits Notes

From CyberSecurity
Revision as of 21:25, 19 November 2005 by Jalsalam (talk | contribs)

Common Rootkits

  • Hacker Defender
  • FU rootkit (?)
  • Winlogonhijack (?)


Other Rootkits

  • HE4Hook – from rootkit.com
  • Shadow Walker – in development?
  • BootRootKit (eEye) – in development?
  • Clandestine File System Driver

Rootkit Detection/Removal Tools

  • Rootkit Revealer - Sysinternals
  • Malicious Software Removal Tool - Microsoft
  • Symantec? McAfee?
  • HijackThis
  • Klister – simple set of tools for Windows 2000, mentioned on rootkit.com
  • VICE – detects “hooks”, which are a common technique of rootkits but are also used by legitimate programs, so hooks alone are not a reliable way to identify rootkits.

Uses a WinPE (Windows Preinstallation Environment) boot together with the internal environment (the running OS) to run a cross-view differential investigation: the same computer resources are examined from two points of view, hopefully one containing the “lie” and one containing the “truth”.

  • Contrast Tripwire and Strider Troubleshooter, which are cross-time differential (the same point of view compared at two different times). That is a more general solution for detecting malware, but it ends up with a lot of false positives stemming from legitimate changes. (almost quoted from MS Research paper)

Rootkit Related Books/Websites/Resources

  • www.rootkit.com

Many forums and threads related to the development, identification, and removal of rootkits. Hard to tell whether the authors are white hats or black hats; it certainly seems like plenty of black hats use the site for communication.

  • Hoglund, Greg and Jamie Butler. “Rootkits: Subverting the Windows Kernel”. Authors started the rootkit.com page.


More Definitions

Stealth Malware - The term “stealth malware” refers to a large class of software programs that try to hide their presence from operating system (OS) utilities commonly used by computer users and from malware detection software such as anti-virus and anti-spyware programs. (MS Research)

Ghostware - Stealth malware that hides files, configuration settings, processes, and loaded modules from the operating system’s query and enumeration Application Programming Interfaces (APIs).
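The cross-view differential idea from the detection-tools section above, and the “ghostware” definition here (objects withheld from the OS enumeration APIs), are illustrated by the following runnable sketch. It is an added example written for these notes, not code from the page, from Microsoft Research, or from any of the tools listed; every listing in it is constructed sample data, and the `example_hidden` driver and autostart value are hypothetical names, not real malware indicators. It compares a live-API view against an offline (WinPE or raw-disk) view of the same state, and separately shows why a Tripwire-style cross-time comparison of the live view alone both flags a legitimate change and never sees the hidden objects.

```python
# Cross-view versus cross-time differential detection, as a runnable sketch.
# Added example for these notes; not from the original page or any vendor
# tool. All listings below are constructed sample data, not captured from
# a real host, and "example_hidden" is a hypothetical name.

from typing import Dict, List, Set

# A "view" is what one vantage point enumerates: resource kind -> set of names.
View = Dict[str, Set[str]]

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# High-level view: what the running OS's query/enumeration APIs report.
# In this constructed sample, a hypothetical driver file and its autostart
# value are filtered out of the answers the APIs give (the "lie").
API_VIEW: View = {
    "files": {
        r"C:\Windows\system32\ntoskrnl.exe",
        r"C:\Windows\system32\drivers\tcpip.sys",
        r"C:\Windows\Temp\setup.log",          # legitimately created after the offline scan
    },
    "autostart": {RUN_KEY + r"\ctfmon"},
}

# Offline view: the same disk enumerated from a WinPE boot or a raw on-disk
# parse, where the hiding code is not running to filter results (the "truth").
OFFLINE_VIEW: View = {
    "files": {
        r"C:\Windows\system32\ntoskrnl.exe",
        r"C:\Windows\system32\drivers\tcpip.sys",
        r"C:\Windows\system32\drivers\example_hidden.sys",   # hypothetical
    },
    "autostart": {RUN_KEY + r"\ctfmon", RUN_KEY + r"\example_hidden"},  # hypothetical
}

# Yesterday's API view, used only for the cross-time comparison below.
BASELINE_API_VIEW: View = {
    "files": {
        r"C:\Windows\system32\ntoskrnl.exe",
        r"C:\Windows\system32\drivers\tcpip.sys",
    },
    "autostart": {RUN_KEY + r"\ctfmon"},
}


def cross_view_diff(api_view: View, offline_view: View) -> Dict[str, Dict[str, List[str]]]:
    """Compare two vantage points on the SAME system state.

    Anything the offline view sees but the live API does not is a candidate
    hidden object: it exists on disk yet is withheld from the API answer.
    Anything only the API sees is usually benign churn created after the
    offline snapshot, so it is reported separately rather than flagged.
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for kind in sorted(set(api_view) | set(offline_view)):
        api = api_view.get(kind, set())
        off = offline_view.get(kind, set())
        report[kind] = {
            "hidden_from_api": sorted(off - api),
            "api_only": sorted(api - off),
        }
    return report


def cross_time_diff(before: View, after: View) -> Dict[str, Dict[str, List[str]]]:
    """Tripwire-style comparison of ONE vantage point at two times.

    Every addition or removal is reported, because this method cannot tell a
    rootkit's changes from legitimate ones (the false positives the notes
    mention), and an object hidden from that vantage point at both times is
    never seen at all.
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for kind in sorted(set(before) | set(after)):
        b = before.get(kind, set())
        a = after.get(kind, set())
        report[kind] = {"added": sorted(a - b), "removed": sorted(b - a)}
    return report


def flagged(cross_view_report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Flatten a cross-view report to the names worth investigating."""
    return [name for kind in cross_view_report
            for name in cross_view_report[kind]["hidden_from_api"]]


if __name__ == "__main__":
    cv = cross_view_diff(API_VIEW, OFFLINE_VIEW)
    print("cross-view, hidden from the live API:", flagged(cv))
    print("cross-view, live-only (benign churn):",
          [n for k in cv for n in cv[k]["api_only"]])
    ct = cross_time_diff(BASELINE_API_VIEW, API_VIEW)
    print("cross-time, changes in the live view:", ct)
```

Running it shows the two hidden objects under `hidden_from_api`, the log file under `api_only`, and a cross-time report that lists only the log file: the legitimate change is the false positive, and the hidden driver never appears because both snapshots came from the same lying vantage point. The offline view here stands in for whatever trusted enumeration is available; for persistent objects (files, registry autostart entries) a WinPE boot gives it, which is why this sketch restricts itself to those kinds.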