Rootkit attack and defense under Windows Vista system

Source: Internet
Author: User
Tags modify version malware protection access

Rootkit is a special malware, its function is in the installation target hidden itself and designated files, processes and network links and other information, rootkit generally and Trojans, backdoor and other malicious programs in conjunction with the use. Rootkit by loading a special driver, modify the system kernel, and then achieve the purpose of hiding information.

Windows Vista's own malware protection is implemented primarily through driver digital signatures, user access control (UAC), and Windowsdefender, the first two of which are particularly important for the defense of Rootkit-class malware. Because Rootkit's hidden functionality needs to load the driver, let's talk about Vista driver load management: Vista driver installation and load management is significantly better than the original version of Windows, and in Microsoft's design, Vista does not allow drivers without digital signatures to be loaded, but on previous Windows2000, XP, 2003 systems, the system may be prompted to install unsigned or older drivers, but it can be loaded after installation.

For Microsoft's surprise, "a digitally signed driver can be loaded by Vista" is not a great defense against the Rootkit class. At last year's Blackhat meeting, a researcher had demonstrated that the VISTAX64BETA2 version of the disk was modified to load an unsigned driver, although the vulnerability was later replaced by Microsoft, However, it has been stated that it is not impossible to break through Vista driver-loading management by technical means. But a better way to break Vista-driven load management is to do Kung fu on the digital signature itself, which previous security researchers have mentioned is that the digital signature applications for Vista drivers are not strictly audited, requiring only legitimate application entities and paying a small fee for the application. In this way, by registering or borrowing the name of a company, rootkit authors are fully able to obtain legitimate driver digital signatures from Microsoft, that is, a "legitimate" rootkit program with Microsoft digital signatures is likely to appear. An attacker can also use a special loader to load unsigned programs, and security company Linchpinlabs recently released a gadget called Astiv, which implements the principle of using digitally signed system components to load unsigned drivers. Drivers that are loaded in this way do not appear in the list of normal drivers, but also enhance the concealment of loading target drivers.

User Access Control (UAC) is another means of Vista defense malware

On the UAC-enabled Vista system, the user's permissions are equivalent to restricted administrator privileges, and if the user program wants to make changes to the system disk and registry, it needs two confirmation of the user's interaction. If the user refuses or the target program is special (such as Trojans, backdoor, etc.) does not appear UAC prompts, because access to the system directory and the registry is rejected by Vista, in addition to the very individual not to write the system directory, most of the target program can not be installed successfully. Rootkit programs cannot be successfully installed in a UAC environment because of permission problems, but in many cases an attacker uses a social engineering approach to trick a user into trusting the program provided by an attacker and to choose to allow an action if the UAC prompts.

It can be concluded that, since the WindowsVista from the design of the importance of security, so the rootkit before it launched the defense level of malicious software has reached a new height, the attackers rely solely on technical means to attack the success rate than in the original windows2000/ The xp/2003 platform was greatly reduced. But we should also note that attackers are more likely to use social engineering, forge and exploit various trust relationships, and deceive users into installing malicious software.

How to protect rootkit class of malicious programs under vista? Users can refer to the following points:

1, keep Vista system patch version of the latest.

2, not in untrusted sources to obtain software, and in the installation of the use of attention to the system's various prompts, especially for digital signature tips.

3, notice the information of UAC, in time to intercept the dangerous operation to modify the system.

4, the use of anti-virus software and keep the virus library version of the latest, for the protection of malicious software to add a layer of protection.

5, regular use of Vista-enabled rootkit tools to scan the system.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.