rootkits - Programmers Heaven


rootkits

684867, Posts: 110, Member
Does anyone have any ideas about how to detect an NT rootkit without professional-level tools in the field? Assume, hypothetically, that you have no net access, a CD and a possibly infected machine.

What do you do?

****************************************
Excellence Breeds! Go Hard or Go Home.

Let Penguins rule the earth.
Break some windows today.

Comments

  • Jonathan, Posts: 2,914, Member
    : Does anyone have any ideas about how to detect an NT rootkit without
    : professional-level tools in the field? Assume, hypothetically, that you
    : have no net access, a CD and a possibly infected machine.
    :
    : What do you do?
    :
    A rootkit checker will be a good start. There's a free one here, along with some possibly interesting links.
    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

    Jonathan

    ###
    for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
    (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
    /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");

  • 684867, Posts: 110, Member
    (As usual, I query the community and find but one worthy of the challenge. That is admirable of the respondent but a tragedy for the community so lacking in interest in what is a serious security issue!)

    1.) Sysinternals does produce a strong product. Those guys give me the tools I need to do all sorts of things daily, from Regmon and Filemon to PsTools. However, rootkits are nefarious beasts which can easily dupe RootkitRevealer--as is shown in their documentation.

    2.) The challenge is to discover the rootkit with only a CD (presumably the Op/sys installation CD) and no net access. Here lies the rub: what other tools (from these available resources) would be necessary?

    3.) Remember, the Op/sys has been trojanized. The counter-hack requires stepping outside the box. File sizes and versions may be altered (but a good rootkit can conceal this if the trojanized op/sys files are hex-edited to contain the malicious code without altering the file size or version). Time stamps can then be spoofed. Otherwise a batch file could be constructed to compare files. Ahh....

    4.) There lies the solution, perhaps! What if a batch file were to compare the op/sys files from a clean (CD) boot to known good files, identifying which files differ from the original? Could this reveal the root?

    5.) What if the op/sys alters some arbitrary file during operation? Then the known-good and operational unknown file could not be compared to find the root. Only those files which do not change could be eliminated from the problem.

    [Note: This may be resolved by a collateral language project I am working on, which requires software components to authenticate themselves.]

    ****************************************
    Excellence Breeds! Go Hard or Go Home.

    Let Penguins rule the earth.
    Break some windows today.
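The offline comparison sketched in points 3 to 5 above, written out as an added Python example (not code from the thread or from Sysinternals). It assumes a known-good tree (the install media or a trusted copy) and a snapshot taken while booted from clean media, hashes every file so that size-preserving hex edits are still caught, and reports files the poster expects to change legitimately (logs, hives) separately from suspect ones. Directory and file names in `demo()` are constructed for illustration, not real OS paths.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Relative path -> (size, sha256) for every file under root. Size and version
    can be preserved by a hex-edited binary, so the content hash is what matters."""
    return {p.relative_to(root).as_posix(): (p.stat().st_size, hash_file(p))
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict, volatile=frozenset()) -> dict:
    """Diff a known-good baseline against a snapshot taken from a clean (CD) boot.
    Files named in `volatile` legitimately change in normal operation and are
    listed separately instead of being treated as suspect (point 5 above)."""
    report = {"same_size_modified": [], "modified": [], "added": [], "volatile_changed": []}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif digest != baseline[rel][1]:
            if rel in volatile:
                report["volatile_changed"].append(rel)
            elif size == baseline[rel][0]:
                report["same_size_modified"].append(rel)  # size-preserving patch
            else:
                report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report

def demo() -> dict:
    """Constructed sample trees (hypothetical names, not real OS files): one
    size-preserving edit, one log that legitimately changes, one added file."""
    base = Path(tempfile.mkdtemp())
    good, suspect = base / "good", base / "suspect"
    for d in (good, suspect):
        (d / "system32").mkdir(parents=True)
        (d / "system32" / "sample.dll").write_bytes(b"MZ" + b"\x90" * 60)
        (d / "setuplog.txt").write_text("boot ok\n")
    (suspect / "system32" / "sample.dll").write_bytes(b"MZ" + b"\xcc" * 60)  # same size
    (suspect / "setuplog.txt").write_text("boot no\n")
    (suspect / "system32" / "extra.sys").write_bytes(b"\x00" * 16)
    return compare(snapshot(good), snapshot(suspect), volatile={"setuplog.txt"})

if __name__ == "__main__":
    print(demo())
```

The baseline must be hashed from media the suspect machine never touched, and the comparison run from the clean boot; a snapshot taken under the trojanized kernel would see whatever the rootkit chooses to show.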
