F-Secure Blacklight
- Rootkits for Windows work in a different way and are typically used to hide malicious software from, for example, an antivirus scanner.
- Rootkits for the UNIX operating system were typically used to elevate the privileges of a user to the root level (= administrator).
- Rootkits can make hidden backdoors or spam-relays in infected computers useful for a much longer time.
http://www.f-secure.com/blacklight/rootkit.shtml
(524 words)

rootkit - a Whatis.com definition
- A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network.
- A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a "backdoor" into the system for the hacker's use; alter log files; attack other machines on the network; and alter existing system tools to escape detection.
- If a rootkit is detected, however, the only sure way to get rid of it is to completely erase the computer's hard drive and reinstall the operating system.
http://searchsecurity.techtarget.com/gDefinition/0,294236,sid14_gci547279,00.html
(432 words)

Windows Incident Response: Windows Rootkit Detection
- The AFX Rootkit 2003, for example, did nothing to hide its DLL files, which were visible in the file system, as well as in the output of listdlls.exe for the explorer.exe process.
- The basic idea is that several methods of querying the "victim" system are used, in the hopes that one tool may use a different API to obtain its information, and that one may not be masked by the rootkit.
- Then, he could run a remote query for the contents of the same key from another system... a system not infected with the rootkit and therefore one without its API calls (in the case of a DLL injection-type rootkit) being intercepted.
http://windowsir.blogspot.com/2005/01/windows-rootkit-detection.html
(672 words)

2005 Sony CD copy protection controversy - Wikipedia, the free encyclopedia
- They said that XCP uses rootkit technology to hide certain files from the computer user, and that this technique is a security threat to computer users.
- Sony BMG released a software utility [1] to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers, but this removal utility was soon analyzed by Russinovich again in his blog article More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home, and revealed as only exacerbating the privacy and security concerns.
- In addition, this program was reported to install additional software that cannot be uninstalled.
http://en.wikipedia.org/wiki/2005_Sony_CD_copy_protection_controversy
(1994 words)

Rootkit: The Complete Documentation
- Rootkits are basically programs that help attackers keep their position as root.
- This paper will not serve as a how-to guide to the t0rn rootkit; rather, it is designed to identify binaries and ports that t0rn uses.
- The first part deals with the basics and describes a few methods to show how code injection and code interception are possible, while the rest of the paper covers the strategy that makes stealth possible in userland.
http://www.l0t3k.org/security/docs/rootkit
(1791 words)

Recognizing and Recovering from Rootkit Attacks
- However, Rootkit is really a collection of programs whose purpose is to allow an intruder to install and operate an Ethernet sniffer (a program that captures and decodes every packet on a network) on an unsuspecting SunOS 4.x or Solbourne host using /dev/nit or Linux host using the eth0 interface.
- Installing Rootkit is one of the more popular activities of serious Internet intruders once they have obtained root privileges of a workstation running SunOS 4.x Unix or the Slackware Linux distribution.
- Even though network sniffers have existed for some time in both hardware and software forms, their output is enormous and is not well formatted for obtaining userids and passwords.
http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html
(3292 words)

Windows rootkits come of age
- It is possible to write a universal rootkit that runs on all versions of the Windows server family such as NT, 2000, XP, 2003.
- If an attacker writes a Windows rootkit, it can run on the majority of computers in use.
- Also, homogeneous computer systems make writing rootkits and exploits a lot easier.
http://www.securityfocus.com/columnists/358
(810 words)

Rootkit battle: Rootkit Revealer vs. Hacker Defender
- NT Rootkit, the first known Windows rootkit, was published in 1999 by Greg Hoglund, founder of www.rootkit.com.
- How it detects software that tries to hide itself is relatively straightforward: It compares the results of scanning the registry and file system at the highest level and the lowest level.
- He has also co-authored two books on computer software and operating systems.
http://searchwindowssecurity.techtarget.com/columnItem/0,294698,sid45_gci1112754,00.html
(850 words)

Anti-Malware Engineering Team : Sony DRM Rootkit
- We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users.
- The security of my computer trumps any developer's right to put DRM rootkits on my computer.
- Microsoft is not removing XCP DRM software -- Microsoft plans to remove only the "rootkit component of the XCP software" that hides the XCP software.
http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx
(4476 words)

[No title]
- Hackers are using a dangerous new tool, rootkits, to hide their activities on computers they have invaded.
- A rootkit, when installed on a compromised Windows server or PC, allows installation of hidden files, hidden services and processes, hidden user accounts and more in the computer's operating system.
- It does this by scanning the physical files that make up the registry and comparing what is found in the files with what is returned by Windows kernel calls.
http://www.advances.com/software/rootkitshark.htm
(639 words)

Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment
- The next “vulnerability” of a rootkit: objects are only hidden from the environment of the compromised machine and they can easily be seen from another computer.
- The idea of a first enhanced rootkit for the Windows environment was born in due time.
- There are plenty of rootkits in the Unix environment, and each new release is more “forward thinking” in terms of its functions.
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
(4042 words)

SANS Malware FAQ: What is t0rn rootkit?
- However, the main objective of this paper is to describe the rootkit and not to give deep details of the exploit used to gain root level access.
- This rootkit doesn't work with Debian 2.2 (not libc5 based) and with the new RedHat systems (7.1 and 7.2).
- One of the best-known rootkits available for the Linux platform is the t0rn rootkit, created by J0hnny7.
http://www.sans.org/resources/malwarefaq/t0rn_rootkit.php
(6062 words)

Sysinternals Freeware - RootkitRevealer
- A rootkit can mask its data by storing it as a REG_BINARY value, for example, and making the Windows API believe it to be a REG_SZ value; if it stores a 0 at the start of the data the Windows API will not be able to access subsequent data.
- Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level.
- There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
(2064 words)

rootkit.com
- This is the set of basic Windows rootkits used for training purposes in the class 'Offensive Aspects of Rootkit Technology'.
- NtIllusion is a userland rootkit for Win 2000/XP systems.
- A news back-end to implement RootKit news into your website is here or more advanced version here.
http://www.rootkit.com
(2054 words)

Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far
- Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits).
- They’ll have to come up with a new approach to their rootkit sooner or later anyway, since system call hooking does not work at all on x64 64-bit versions of Windows.
- At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs.
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
(10013 words)

NewsForge: Is there a rootkit hunter in your arsenal?
- Boelen was motivated to create the rootkit hunter one day after he and a friend accidentally scanned a machine with a brand new installation of FreeBSD 5.0.
- After finishing its check for rootkits, rkhunter continued checking my system for malware, promiscuous Ethernet adapters, hidden files, and configuration errors.
- Browse your tmp, var and other filesystems every so often and look at the processes your server is running.
http://software.newsforge.com/software/04/04/05/1929215.shtml?tid=78&tid=82
(1107 words)

Robert Hensing's Secure Windows Initiative Blog : Rootkit Revealer vs. Hacker Defender - How the miscreants are ...
- What's needed is a threat model to identify all of the next moves in the game of chess and to plan the counter-moves accordingly.
- The INI file has numerous sections in it that govern the behavior and operation of the rootkit / backdoor (just like a normal INI file would) and one of the sections that the miscreant can configure is entitled [Root Processes].
- The miscreants of course are all too familiar with the operation of hxdef (I stand by my assertion that this is by far the most popular 'in the wild' rootkit with the biggest installed user base) and many seem to have added 'rootkitrevealer.exe' to the Root Processes section of the .INI file.
http://blogs.technet.com/robert_hensing/archive/2005/03/10/392092.aspx
(3710 words)

Linux/Rootkit
- Rootkits usually contain a mix of "ELF" binary files and Script files.
- The Script files may initialise a routine to drop compromised package files onto the user system or replace already present binaries by the ones from the rootkit package.
- This is usually hard to achieve initially, so Linux/Rootkits might abuse some vulnerabilities on unpatched systems.
http://vil.nai.com/vil/content/v_99095.htm
(299 words)

The basics
- A rootkit may (a) modify the interrupt handler to use a (rootkit-supplied) different syscall table, or (b) modify the entries in the syscall table to point to the rootkit's replacement functions.
- An interrupt is triggered, and execution continues at the interrupt handler defined for that interrupt.
- The interrupt handler (named system_call() on Linux) looks up the address of the requested syscall in the syscall table, and executes a jump to the respective address.
http://la-samhna.de/library/rootkits/basics.html
(610 words)

NT RootKit
- The rootkit only becomes involved when the file is executed.
- Keyboard sniffing actually works fine - except that it has caused a BSOD on one of my test machines and I didn't want to release it that way until the problem could be debugged.
- A Methodology for Detecting New Binary Rootkit Exploits
http://www.megasecurity.org/Tools/Nt_rootkit_all.html
(773 words)

Spyware Danger Meets Rootkit Stealth
- Using a rootkit, an attacker can peruse a compromised machine's hard drive, set up or change user accounts, add, delete, or modify files, and communicate with other machines on a network or the Internet.
- The new spyware variants are a sign of the increasing sophistication of malicious code authors, and of spyware makers, according to Roger Thompson, director of malicious content research at Computer Associates International Inc.
- Spurred by profits from online identity theft and from "pay-per-install" software vendors, spyware authors are innovating rapidly, especially when it comes to avoiding detection during installation, and afterwards, when spyware programs often transmit data from the compromised system, Webroot's Moll said.
http://www.eweek.com/article2/0,1759,1829744,00.asp
(1092 words)

EFF: Sony BMG Litigation
- The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer's hard drive as the only solution.
- EFF also asked Sony BMG to pay all consumer costs associated with the damage caused by the XCP or SunnComm MediaMax technology and compensate people for the time, effort, and expense required to verify that their computer was or was not infected with the rootkit.
- When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users' machines.
http://www.eff.org/IP/DRM/Sony-BMG
(716 words)

freshmeat.net: Project details for Rootkit Hunter
- Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers.
- Recently I updated the e2fsprogs-1.38-0.FC3.1 rpm package and then, Rkhunter returns an MD5 error in /usr/bin/lsattr file, which is included in that package.
- Solution: in Solaris ~root does not make sense, so writing in the ~/.rkhunter.log file was impossible.
http://freshmeat.net/projects/rkhunter
(1272 words)

PC Pro: News: Sony DRM burrows into rootkit code
- In his investigation, Russinovich noticed that the rootkit's 'cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$"'.
- 'The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too.'
- Sony has made available instructions on how to remove the code, but has yet to respond to our requests for comment.
http://www.pcpro.co.uk/news/79450/sony-drm-burrows-into-rootkit-code.html
(729 words)

Boing Boing: Sony Rootkit DRM Roundup Part III
- Suncomm vows to update its Mediamax uninstaller, which presently leaves your computer wide open to total take-over simply by looking at web-pages with malicious code on them.
- Princeton researchers Ed Felten and Alex Halderman discover that the uninstaller provided by Suncomm leaves your computer open to complete takeover through simply looking at web-pages with malicious code in them.
- Security researcher Ben Edelman suggests that Sony could reach all its infected users by pushing an update to the rootkit that warns them that they're compromised and gives instructions for uninstalling and getting replacement CDs.
http://www.boingboing.net/2005/11/21/sony_rootkit_drm_rou.html
(856 words)

The Strider GhostBuster Project
- Yi-Min Wang and Doug Beck, "How to "Root" a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner," Microsoft Research Technical Report MSR-TR-2005-21, February 11, 2005.
- It detects hidden files and Registry entries by comparing an inside-the-box infected scan with an outside-the-box clean scan (of the same infected drive) from a WinPE CD boot.
- It detects hidden Registry entries and processes by comparing a Win32 API scan with an INT 2E scan.
http://research.microsoft.com/rootkit
(594 words)

The Hacker Defender Project - Board
- sysfreak: i consider this to be a bug not rootkit
- rently used by rootkit detection software such as
- Cryptic: that's possible but not all rootkits inje
http://hxdef.czweb.org
(3025 words)

Rootkit
- Rootkits have been created for Unix variants, Linux variants, Microsoft Windows, and are also available for most other major operating systems.
- A collection of software tools that helps enable someone to gain unauthorized access to a computer or other network device and often hide the tracks of the user accessing the computer or other network device.
http://www.computerhope.com/jargon/r/rootkit.htm
(66 words)

Freedom to Tinker » Blog Archive » SonyBMG and First4Internet Release Mysterious Software Update
- You insert your CD into your Windows PC, click “agree” in the pop-up window, and the CD automatically installs software that uses rootkit techniques to cloak itself from you.
- […] SonyBMG releases a software update to remove its DRM rootkit but the cure turns out to be worse than the disease (Felten).
- Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers’ computers.
http://www.freedom-to-tinker.com/?p=921
(6938 words)

Slashdot: Rootkit Packaged for Debian
- The rootkit will make use of Debian mechanisms such as diversions to divert the original /bin/ls commands and replace them cleanly by the modified versions.
- It looks like so, searching for rootkit yields this, No responses to your query.
- Erich writes "Debian Developer Simon Richter announced in this posting to debian-devel that he Intends to Package (ITP) a R00tk1t for Debian Linux.
http://slashdot.org/developers/02/04/01/162223.shtml?tid=90
(2281 words)

rkdet - rootkit detector for Linux
- A prebuilt package of programs to do this is known as a "rootkit".
- It is recommended that users rebuild rkdet from source after customizing the messages etc. The binary here sends mail to "root" (you do forward root to a human, don't you ??); it is suggested that at least the binary be renamed (and init.d/rkdet renamed/edited)
- chkrootkit is a tool for detecting a rootkit after the fact (it does not need to be run first, like rkdet or tripwire) and will detect many common rootkits.
http://vancouver-webpages.com/rkdet
(709 words)

PCWorld.com - Rootkit Web Sites Fall to DDoS Attack
- Despite the reputation of rootkits as hacker tools, many of those who frequent the site are professional security experts and students who study computer security and use the rootkit source code available on the site to figure out ways to defend against rootkit programs, Hoglund says.
- Two prominent Web sites that specialize in remote access software known as rootkits have been taken offline by a large distributed denial of service attack (DDoS).
- Other rootkits discussed on Rootkit.com are open source, and authors typically post links to their source code on the site, Hoglund says.
http://www.pcworld.com/resource/article/0,aid,120392,pg,1,RSS,RSS,00.asp
(672 words)

World of Warcraft hackers using Sony BMG rootkit
- Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.
- World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect.
- Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played.
http://www.securityfocus.com/brief/34
(1324 words)

PCWorld.com - Rootkits: Invisible Assault on Windows
- Rootkit detectors and antivirus programs will continue to look for ways to outhack the hackers.
- Like detecting viruses and worms, trapping rootkits is a cat-and-mouse game.
- But unlike standard Trojan horses, rootkits infiltrate the operating system at a deeper level, using security privileges to better hide themselves.
http://www.pcworld.com/news/article/0,aid,120658,00.asp
(400 words)

Resplendence Software - Welcome to Resplendence
- RootKit Hook Analyzer is a security tool which will check if there are any rootkits installed on your computer which hook the kernel system services.
- Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on.
- We thought it'd be a good idea to develop a useful tool for finding what rootkit hooks are actually installed on a system.
http://www.resplendence.com
(336 words)

Macintosh Underground :: View topic - OS X Rootkit - initial public release
- This type of rootkit should be easy to defend against if you really care about your computer.
- This is the initial Public Release of the OS X RootKit.
- Its purpose is after the fact, and it is designed to provide to the intruder the maximum benefit of the use of the compromised machine by maintaining the intruder's unauthorized access and allowing the intruder to act without being detected.
http://freaky.staticusers.net/ugboard/viewtopic.php?t=13891
(837 words)

Technorati Tag: rootkit
- Virtual Machine rootkits, March 11th, 2006: Here’s a new threat that might start to plague users soon - virtual...
- One particular malware that is frighteningly powerful is Haxdoor which is a backdoor pharming rootkit that...
- a rootkit is a collection of one or more programs that aid in gaining and/or regaining (sometimes expressed as maintaining) root/administrative access...
http://technorati.com/tag/rootkit
(428 words)

[jdev] IMPORTANT: JSF/JabberStudio Service Update
- Based on the evidence of the initial investigation by the admin team for this machine, the rootkit was not used to view or modify any files.
- Furthermore, we have found no evidence of intrusion into the other machines that are part of the jabber.org infrastructure (e.g., the production jabber server or the mailing list server).
- The machine (hades.jabber.org) was cracked approximately one year ago by means of an automated rootkit.
http://mail.jabber.org/pipermail/jdev/2005-January/020062.html
(297 words)

Boing Boing: Sony rootkit roundup, part II
- Three days after being notified that its rootkit DRM uninstaller leaves computers in a dangerously insecure state, Sony finally stops advising its customers to use it.
- Companies, educational institutions, and government agencies are banning the use of Sony CDs on workplace computers, due to the security risks that arise from the rootkit DRM.
- Sony issues a statement promising not to use technology that locks videogames to consoles.
http://www.boingboing.net/2005/11/17/sony_rootkit_roundup.html
(776 words)

Making the Hack Defender rootkit UNDETECTABLE (Various Tutorials and Texts)
- rkdscan is able to remotely detect Compromised computers with the rootkit
- Now, in order to compile, you extract the Winsock 2.2 API you downloaded to the _same_ directory that contains your hxdef source code, and also you need to copy all files from the "units" directory (found in src.zip from hxdef release) to your source code directory.
- This compiles our new.exe which is now hidden from all AV, but we need to hide the driver also (to read up on how rootkits actually work hit http://www.rootkit.com).
http://foro.elhacker.net/index.php/topic,39760.0.html
(2480 words)

Linux rootkit hacker suspect arrested in UK
- Officers from Scotland Yard's Computer Crime Unit arrested the man for alleged offences under the Computer Misuse Act 1990 earlier this week, as part of a joint FBI/Scotland Yard investigation into the creation of the T0rn rootkit.
- A search warrant was served and computer equipment seized from his house.
- The T0rn rootkit has been a hazard for system admins since its creation two years ago, most particularly when the rootkit was bundled as the backdoor component of the Lion worm, released in the middle of last year.
http://www.securityfocus.com/news/703
(175 words)

Daniele Muscetta's Corporate Blog : Rootkit Detectors
- MS Research has published some papers about Rootkit technologies and especially RootKit detection:
- Some other comments I spotted about these papers can be found at:
- Also, Sysinternals has released today a Rootkit detector (looks like RootKits are finally getting a lot of attention these days...)
http://blogs.msdn.com/dmuscett/archive/2005/02/22/378395.aspx
(275 words)

New RootKit
- Rootkits are programs (device drivers) that can be used with potentially any malware to hide its characteristics like network activities and running processes.
- If a sample is detected as New Rootkit then it is likely that the system is currently infected and has virus or trojan processes running, but is easier to clean now, as the rootkit component is detected.
- This is a heuristic detection, which detects unknown rootkits.
http://vil.nai.com/vil/content/v_135153.htm
(182 words)

Mac OS X rootkit surfaces - The Register
- The Mac OS X malware, dubbed Opener, is a rootkit for Mac OS X machines that contains a variety of destructive functionality including a keylogger and backdoor components.
- One of the first pieces of malicious code targeting Apple's Mac OS X operating system has been discovered.
- Opener (AKA Renepo-A) is a shell script that can't be installed without admin privileges.
http://www.theregister.co.uk/2004/10/25/mac_rootkit_opener
(297 words)