
Thread: Rootkits and windows

  1. #1

    Rootkits and windows

    I occasionally boot my linux systems from a Knoppix CD and run chkrootkit over my hard drive to look for rootkits. Is there a similar product for windows systems?

  2. #2
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I would think good AntiVirus software would do the same thing. Maybe PestPatrol (http://www.pestpatrol.com/) would be good, but I've never used it.

  3. #3
    Banned
    Join Date
    Apr 2004
    Posts
    93
    Hi,
    yes, there is a lot of software which will help you to do the thing you want.
    You can use Norton, McAfee, etc. to do such jobs.
    I use it too.
    akshaya

  4. #4
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172
    Sorry if I impose Linux upon you, but unless you are a heavy Windows gamer, it is the best choice to run for anything. You don't have to worry about rootkits unless you have a server or something important on your PC. Or a newbie hacker happens to find you randomly. (Which is extremely rare, even more rare if you use any Linux with a firewall.)
    I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    A clever Windows rootkit obviously won't show up on antivirus, as it will hide its presence, and there won't be a signature for it anyway.

    There is really nothing you can do against rootkits in the general case, except don't get your box rooted in the first place.

    Rootkits are not viruses or worms, hence generally have a very small distribution, so it's unlikely that AV companies are aware of most of them.

    Someone can only apply a rootkit if they already obtain root (i.e. Administrator) access. Therefore your best defence is to not allow them to do so.

    Slarty

  6. #6
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    The following is a good article for the defence against rootkits; in fact the whole page is pretty informative.

    An ingenious hacker will be smart enough to hide his tracks forever. He will use all available means to outwit his victim and often has a big chance of reaching that goal. However, system administrators are not defenseless against malicious attacks. There are many known techniques and procedures to detect any suspected installation within systems. At first glance a rootkit seems to be a powerful tool, and undoubtedly it is. Luckily, rootkits are a double-edged sword by their design. As I already mentioned, a kernel-based rootkit monitors calls for objects (files, directories, registers or processes) the names of which begin with a string
    Luckily many crackers are careless and portions of their rootkit can be detected. The trojaned files above often have configuration files that list which programs to hide and which to display. Often they forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files, looking in there for anything that is a normal file is often a good idea.
    A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs – for example, Task Manager
    The above is a sample, the full article is here:

    http://www.windowsecurity.com/articl...vironment.html
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
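    The one concrete check in the quoted article (look in /dev for anything that is a normal file, because rootkit configuration files are often left there unhidden) is the kind of thing chkrootkit does on the Knoppix side of the original question. Below is an added Python example of that check; it is not code from this thread, from the article, or from chkrootkit. The directories it skips by default (/dev/shm and /dev/mqueue, where regular files legitimately appear on Linux) are my assumption, and the sample tree it scans is constructed for the demonstration.

```python
import os
import stat
import tempfile
from typing import Iterable, List

# Assumed defaults: tmpfs mounts under /dev that legitimately hold regular
# files on most Linux distributions. Trim or extend for your own systems.
DEFAULT_SKIP_DIRS = ("/dev/shm", "/dev/mqueue")


def find_regular_files(root: str,
                       skip_dirs: Iterable[str] = DEFAULT_SKIP_DIRS) -> List[str]:
    """Return sorted paths of regular files found under ``root``.

    Under /dev nearly everything should be a device node, symlink, FIFO,
    socket or directory. A plain regular file there is worth a second look:
    the article quoted above notes that rootkit config files are often
    dropped in /dev without being hidden. Directories listed in ``skip_dirs``
    (absolute paths) are pruned from the walk.
    """
    skip = {os.path.normpath(d) for d in skip_dirs}
    found: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune known-noisy subtrees in place so os.walk never descends.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(dirpath, d)) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: classify the link itself
            except OSError:
                continue                 # entry vanished or is unreadable
            if stat.S_ISREG(st.st_mode):
                found.append(path)
    return sorted(found)


def build_sample_tree(base: str) -> None:
    """Constructed fake /dev: one stray regular file plus benign entries."""
    os.mkdir(os.path.join(base, "shm"))
    open(os.path.join(base, "cfg"), "w").close()         # stray regular file
    open(os.path.join(base, "shm", "seg"), "w").close()  # legit tmpfs-style file
    os.mkfifo(os.path.join(base, "pipe"))                # FIFO, not regular
    os.symlink("cfg", os.path.join(base, "link"))        # symlink, not regular


def scan_sample(skip_shm: bool = True) -> List[str]:
    """Build the constructed tree in a temp dir, scan it, return relative hits."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        skip = (os.path.join(base, "shm"),) if skip_shm else ()
        return [os.path.relpath(p, base) for p in find_regular_files(base, skip)]


if __name__ == "__main__":
    # Real run: scan the live /dev. Do this from a clean boot medium (as the
    # original poster does with Knoppix) so a resident rootkit cannot filter
    # the directory listing you are relying on.
    for hit in find_regular_files("/dev"):
        print(hit)
```

The scan is only meaningful when the listing it reads is trustworthy, which is why booting from a CD and mounting the suspect disk matters: a kernel rootkit on the running system can hide exactly the file this check is looking for. It answers the Linux half of the thread; the Windows equivalent of the same idea is a hidden-object check run against the disk from outside the infected OS.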

  7. #7
    Senior Member
    Join Date
    Feb 2004
    Posts
    373
    You don't have to worry about rootkits unless you have a server or something important on your PC.
    Just because someone is using Linux, they don't have to worry about rootkits? Care to explain that one away? Just because there is nothing important(?) on your computer you should just let it go? Have you noticed what happens when someone's box has become infected and infects someone else and so on and so forth? If you don't give a crap about the safety/security of your computer, should you be allowed to connect to the net?

    Back on topic
    jonathans_daddy, you might want to look here
    http://www.rootkit.com/

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Jinxy: broken link.

    A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs – for example, Task Manager
    That is total TOSH.

    A rootkit can affect all processes on the system regardless of their name. Perhaps there is a specific one which does not, but that is not generally true.

    Basically a rootkit is a specialised kind of backdoor which is very sneaky. Even if you have discovered and eliminated a single rootkit, there is no reason why there need not be others that you haven't spotted.

    If an attacker gains root, YOU MUST REFORMAT. There is ABSOLUTELY NO WAY to guarantee that your system is no longer compromised, you must reformat it.

    So if you detect a rootkit, first pull the ethernet cable, then check your backups. And follow the instructions on countless other posts on disaster recovery.

    Slarty

  9. #9
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Sorry, don't know what happened there.

    http://www.windowsecurity.com/articl...vironment.html
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Jinxy, there's a br tag showing up in the link.

    This needs to go to Oops! A Bug for mnstrlgrl to fix.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
