Results 1 to 3 of 3

Thread: Some Observations on Rootkits

  1. #1
    leofelix is offline Member
    Join Date
    Oct 2008
    Location
    Italy
    Posts
    1,668

    Default Some Observations on Rootkits

    Microsoft Malware Protection team blogged their observation rootkits:

    • How big is the rootkit problem? Of all infections reported from client machines, low-level rootkits represent about 7% of infections.
    • Worst of the worst In terms of the most prevalent rootkits we see in the wild, the Alureon family wins hands-down, accounting for more than 60% of total rootkit reports.
    • Rootkits in their natual habitat
      Here are the most popular locations we see hidden rootkit binaries living on the hard disk: Rank Location Example
      1 %system%\drivers c:\windows\system32\drivers
      2 user temp c:\Users\username\AppData\Local\Temp
      3 %system% c:\windows\system32
      4 system drive root c:\
      5 windows temp c:\windows\temp
      6 %windows% c:\windows
      7 install folder location installer was run from
    • Hidden file types
      In terms of the type of file being hidden on user's computers, drivers come out on top. Since most rootkits use a kernel-mode driver, this is not surprising. Type % of rootkit threats
      SYS 59%
      EXE 40%
      DLL 1%
    • Kernel-health screening
      Currently the most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel. When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel. That's about 1 in 100 computers. Digging into the results, we see that a lot of software is modifying the Windows kernel for various reasons. While much of this software is not specifically malicious, modifying the kernel can lead to system instability as well as make it easier for rootkits to hide.
    • An unspoiled landscape
    • Parting thoughts
      Keep real-time protection enabled
      Run 64-bit Windows

    Complete details in Microsoft Malware Protection Center : Some Observations on Rootkits
    Via: Microsoft Malware Protection Blog: Some Observations on Rootkits - Donna's SecurityFlash

    Last edited by leofelix; 10th January 2010 at 07:39.

  2. #2
    ORKAN's Avatar
    ORKAN is offline Beginner
    Join Date
    Jan 2010
    Posts
    37

    Default

    Rootkits is not easy to determine.
    Few years ago, there were Lab Tests for most of the popular Rootkits detected softwares & none of them reach the standard of detecting.

  3. #3
    whs's Avatar
    whs
    whs is offline Gold Member
    Join Date
    Oct 2008
    Posts
    1,421

    Default

    I think the best defense is imaging. Trying to dig out the rootkit is not easy and even then it may leave damage behind. If you image your system frequently (best to an external disk that you switch off after the image was taken), then you can always set the system back. And keep as many images as possible, because it may take you a while before you discover the rootkit (or any other malware). Then you want to have choices for restoring the system.
    Another good practice is to run your browser sandboxed. that is so easy and really does not cost any. Here are a couple of posts that discuss both subjects:

    http://forum.thewindowsclub.com/wind...very-easy.html
    http://forum.thewindowsclub.com/wind...e-macrium.html

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22