Rootkits --- Again

Symantec and Kaspersky anti-virus software are found to be using a rootkit
to make files invisible.

Symantec is cleaning up a feature in Norton SystemWorks that uses a
rootkit-like technique to hide a system folder from Windows. The
technology works similar to Sony BMG’s controversial rootkit DRM in the
way it masks files and makes them invisible to the operating system.
http://www.pcworld.com/news/article/0,aid,124365,00.asp

Symantec is shipping an update to eliminate the risk of attackers using
the feature to hide malicious files. According to the Symantec website,
it’s only in 2005 and 2006 versions, and can be eliminated by getting a
LiveUpdate.

Symantec denies it’s a rootkit, calling it instead a “hidden folder”.
F-Secure, whose software picked up the rootkit hidden folder, says that
the difference between what Symantec is doing and the Sony BMG rootkit
is “ideological”, and isn’t anywhere as malicious since it can be turned
off or uninstalled by the user. Symantec now says it’s working with some
trade bodies to try to develop a definition of rootkit.

However… here is the definition of a rootkit: A tool intended to conceal
running processes, files or system data. (that hooks into the OS in a
nonstandard way.)

Microsoft offers a free rootkit detection and removal tool and admits that
half of all pre-SP2 Windows XPs and a fifth of post-SP2 XPs are infected
with rootkits. http://www.emailbattles.com/archive/battles/security_aacciifeca_fi/

Exact location of the download:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Here is a free utility for rootkit detection program from System
Internals.

RootkitRevealer is an advanced patent-pending rootkit detection
utility. http://www.sysinternals.com/Utilities/RootkitRevealer.html

Interesting reading on the methods to find hidden programs and files
and figure out what software they are related to:
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

The tool called Strider GhostBuster detects API-hiding rootkits by doing a
“cross-view diff” between “the truth” and “the lie”. It’s not based on a
known-bad signature, and it does not rely on a known-good state. It targets
the fundamental weakness of hiding rootkits, and turns the hiding behavior
into its own detection mechanism. http://research.microsoft.com/rootkit/

The more you know, the easier it is to protect your system.
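The “cross-view diff” that the post describes for Strider GhostBuster (and that RootkitRevealer applies to files and the Registry) is easy to show in miniature. The script below is an added example, not code from the post, from Microsoft or from Sysinternals. It simulates the two views entirely in memory: a constructed “truth” listing standing in for what a low-level scan of the disk would return, and a constructed hooking filter that produces the “lie” the hooked enumeration API would hand back. The paths, the hidden-folder name and the `$sys$` marker are all made up for the demonstration; the detector itself is just the set difference between the two views.

```python
"""Cross-view diff, the detection idea behind Strider GhostBuster and
RootkitRevealer, as an added illustration.  Everything here is simulated:
a constructed "truth" (what a low-level scan would return) and a constructed
hooking filter that produces the "lie" (what the hooked API returns).
Nothing touches the real file system."""
from dataclasses import dataclass

# Constructed sample: the raw on-disk view a low-level/offline scan would see.
# Two entries are "hidden" by the simulated hooks below: one stands in for a
# vendor hidden folder, the other for a DRM-rootkit style marker.
TRUTH_LISTING = {
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Windows\system32\drivers\etc\hosts",
    r"C:\Program Files\Norton SystemWorks\HiddenFolder",   # constructed name
    r"C:\Windows\system32\$sys$example.dll",               # constructed name
    r"C:\Users\bob\Documents\report.doc",
}


@dataclass(frozen=True)
class HidingRule:
    """One constructed API-hiding rule: suppress any path containing `marker`."""
    marker: str


def hooked_api_view(truth, rules):
    """Simulate the view returned by a hooked enumeration API: the rootkit
    drops every entry matching one of its rules before the caller sees it."""
    return {p for p in truth
            if not any(r.marker.lower() in p.lower() for r in rules)}


def cross_view_diff(high_level_view, low_level_view):
    """Core of the technique.  No signatures and no known-good baseline are
    needed: anything present in the low-level ("truth") view but absent from
    the high-level ("lie") view is being hidden from the OS, so the hiding
    itself becomes the detection.  Entries that appear only in the high-level
    view are inconsistencies worth a look as well."""
    hidden = sorted(low_level_view - high_level_view)
    phantom = sorted(high_level_view - low_level_view)
    return hidden, phantom


# Constructed rules for the simulated rootkit / hidden-folder driver.
DEFAULT_RULES = (HidingRule("HiddenFolder"), HidingRule("$sys$"))


def scan(truth=TRUTH_LISTING, rules=DEFAULT_RULES):
    """Run both views over the same data and return (hidden, phantom)."""
    lie = hooked_api_view(truth, rules)
    return cross_view_diff(lie, truth)


if __name__ == "__main__":
    hidden, phantom = scan()
    print("Hidden from the API view (the lie):")
    for path in hidden:
        print("  ", path)
    print("Present only in the API view:", phantom or "none")
```

Two things the toy makes visible. First, the diff flags the vendor’s “hidden folder” and the DRM-style entry in exactly the same way, which is why the difference between them is, as F-Secure put it, ideological rather than technical: a cross-view detector reports hiding, not intent. Second, the whole method rests on the “truth” being gathered through a path the rootkit does not hook (raw disk or hive reads, or a scan from clean boot media); if both views pass through the same hooked code, the diff comes back empty.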

Hi Bob3160,

What you write explains fully why today an AV & FW solution alone does not keep computers safe anymore. These are the days where one needs a layered protection even on a stand-alone machine on the Internet. That means a good Anti-Virus solution, a good hardware and/or software Firewall solution, good Anti Spyware/Adware/Scumware solution, Anti-Trojan solution, and System Monitoring and Integrity Checking Solutions. How to fine-tune this with Script Security Measures, In-Browser Security and Restore Capabilities is just a question of hardening your OS.
Don’t forget the weakest link, the biggest vulnerability the H-I-F (human interaction factor) that is sitting behind the keyboard, and you surf a lot safer.

polonus


I downloaded it from the Microsoft site and …

nothing was found! Woohoo! :smiley:


F-Secure’s BlackLight - detection & removal for the most common rootkits, still in beta.

http://www.europe.f-secure.com/exclude/blacklight/index.shtml

Expert tool for removing rootkits. Very hard to configure, but in the hand of an expert it’s a powerful weapon. Never used it myself, but experts are talking highly of it.

http://www.xfocus.net/tools/200509/IceSword_en1.12.rar