Thursday, August 9, 2007

What are rootkits?

Reply 1)

The word “rootkit” comes from the two words “root” and “kit”. Root refers to the user with maximum rights in UNIX systems (this can be UNIX, AIX, Linux, etc.). This person is called the “super-user”, the “administrator”, or one of a host of other names. Specifically, it represents the highest level of authority present within a given IT system. On the other hand, a “kit” is a group of tools, so a rootkit is therefore a group of tools in the root category.

A rootkit is a program or set of programs used by an intruder to both hide their presence on a computer system and allow future access to that same system. A rootkit is designed to hide logins, processes, files, and logs, and may include software to intercept data from terminals, network connections, and the keyboard.

Reply 2)

Perfect. Is there any way to detect and remove rootkits?

Reply 3)

There are effective measures we can implement to minimize the risk of being afflicted by rootkits or spyware. We can follow the steps below to minimize the risk of rootkits.

• Maintain up-to-date antivirus and antispyware software.
• Deploy network and host-based firewalls.
• Stay current on patches for operating systems and applications.
• Harden the operating system.
• Use strong authentication.
• Never use software from sources you do not trust.

However, there are several tools to detect rootkits, including Vice, Patchfinder2 and klister. Many tools are written by the same people who created rootkits.

Microsoft's "GhostBuster" can detect rootkits and Trojans.

This program will stop all other user programs, flush the caches, and then do a complete checksum of all files on the disk and a scan of any registry keys that could auto-start the system, writing out the results to a file on the hard drive.

This program then boots its own OS from CD, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need to know what the particular rootkits are or the proper checksums for the programs installed on disk.
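The two-scan comparison described in this reply, as an added example (not GhostBuster's code or any Microsoft tool): build a SHA-256 manifest of a directory tree, then diff the manifest taken from the running OS against the one taken after a clean boot. The paths and hashes in the sample manifests are constructed.

```python
import hashlib
import os
from pathlib import Path


def build_manifest(root):
    """Walk `root` and map each relative path to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[str(full.relative_to(root))] = h.hexdigest()
    return manifest


def cross_view_diff(live, offline):
    """Compare a live-OS manifest with an offline (clean-boot) manifest.

    hidden   - present offline but absent in the live view (hidden by a rootkit)
    modified - present in both with different hashes (patched on disk)
    phantom  - present live but absent offline (worth a closer look too)
    """
    hidden = sorted(p for p in offline if p not in live)
    phantom = sorted(p for p in live if p not in offline)
    modified = sorted(p for p in live if p in offline and live[p] != offline[p])
    return {"hidden": hidden, "modified": modified, "phantom": phantom}


# Constructed sample manifests standing in for the two scans (not real output).
LIVE_SCAN = {
    "Windows/System32/ntoskrnl.exe": "aa" * 32,
    "Windows/System32/drivers/tcpip.sys": "bb" * 32,
}
OFFLINE_SCAN = {
    "Windows/System32/ntoskrnl.exe": "aa" * 32,
    "Windows/System32/drivers/tcpip.sys": "cc" * 32,   # hash differs on disk
    "Windows/System32/drivers/hidden.sys": "dd" * 32,  # absent from live view
}

if __name__ == "__main__":
    # Real use: one build_manifest() run on the live OS, one after a clean boot
    for kind, paths in cross_view_diff(LIVE_SCAN, OFFLINE_SCAN).items():
        print(kind, paths)
```

Because the comparison needs no signatures, it flags unknown stealth software as well as known rootkits, at the cost of a reboot into trusted media.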

Reply 4)

Perfect. Some more points that come to mind:

1) Rootkits are generally mistaken for ‘exploits’. They are not exploits, but a bunch of tools left behind on an exploited system by the hacker. The objective is to easily access the exploited system again.
2) Generally, it is believed that rootkits are associated with UNIX systems and that Windows is safe from them. This is far from reality, and rootkits exist for Windows systems as well. Some examples are Subseven and NetBus. They operate in the user mode of Windows, and if the anti-virus signature files contain the right definitions, they can be detected.
3) Rootkits which operate from kernel mode are impossible to detect, since they are placed between the OS and the applications. Most anti-virus applications only scan user mode.
4) One of the signs of the presence of a rootkit on the system is the incorrect display of disk space. For example, if the disk capacity is 200 GB and the files occupy about 150 GB, but the free space displayed is less than 50 GB, there is a possibility of a rootkit running on the system.

Reply 5)

I would like to add a couple more things here:

1. We can run a utility called UnhackMe, which will detect rootkits on the system.
2. We can run ProcExp to detect any malicious services running (usually a service with no description or company name).
3. Check if FTP anonymous access is turned on.
4. Check MSConfig for any suspicious services/SW configured to run on StartUP
5. Check for FXSVC and scanner.ini files
6. Check for files with .DIC extensions
7. Check Java folder
8. Check …/system32/LogFiles for logs and any malicious activities or IPs connecting to server (exXXXX.log and httpXXXX.log)
9. Check Desktop folder for user used in attack and see if anything stored there which looks suspicious
10. run c:/>cmt /f to check for malicious software
11. go to and run free AV check (caution on Exchange servers)
12. run netstat to check malicious software
13. run nbtstat -a to check routing table
14. run route print

We normally perform the above steps whenever we find that a server is compromised. If anybody has any queries please let me know.

Reply 6)

There is one more tool provided by Microsoft called WOLF, but for this we need to call Microsoft and create a ticket; then the Microsoft Security Team will run this tool on your system and it will remove the rootkit from your system.

Anonymous said...

There are rootkit detection tools, like VICE and Patchfinder2. Patchfinder2 is a utility designed to detect system library and kernel compromises. Its primary use is to check if a machine has been attacked with some modern rootkits.

To remove rootkits there are software packages such as RootkitRevealer, but options are somewhat limited. Sometimes the only safe way to remove a rootkit is to reformat your hard drive and reinstall Windows.

August 13, 2007 at 12:45 AM  