Windows rootkits 101


By Michael Mullins, CCNA, MCP

Translation: endurer 1st-06-16

Keywords: Microsoft Windows | flaws | Security Threats | hacking

Http://articles.techrepublic.com.com/5100-1009_11-6104304.html? Tag = NL. e030

Takeaway:
When administrators and security professionals hear the word rootkit, most think first of a UNIX-based system. But the fact is that Windows rootkits do exist, and you need to be able to detect them. Get the details from Mike Mullins in this edition of Security Solutions.

--------------------------------------------------------------------------------

When administrators and security professionals hear the word rootkit, most think first of a UNIX-based system. Unfortunately, this only leads to a false sense of security for Windows-based systems. The fact is that Windows rootkits do exist, and you need to be able to detect them.

What is a rootkit?

To clarify, a rootkit is not an exploit: it is the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the attacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit's existence if they have a signature for it.

On the other hand, a kernel-mode rootkit is remarkably different, and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system's application programming interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit's files, the rootkit will suppress those filenames from the list. It can also hide or control any process on the rooted system. This is the practical consequence of kernel-mode control: any tool that asks the running operating system what is on the disk or in memory gets the rootkit's answer, not the truth.

Rootkit Detection

Methods to detect rootkits fall into two categories: signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprises a "fingerprint" unique to a particular rootkit. However, the rootkit's tendency to hide files by intercepting the execution path of the detection software can limit the success of signature-based detection: a scanner that enumerates files through the hooked API never gets to read the bytes it is looking for.

Heuristic/behavior-based detection: This method works by identifying deviations from normal operating system patterns or behaviors. For example, this method could detect a rootkit by noticing that a system with a 200 GB hard drive that reports 160 GB of files has only 15 GB of free space available; the remaining 25 GB is occupied by something the file listing does not show.
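The following Python script is an added example, not code from Mullins's article or from any of the tools it mentions. It ties the three points above together: a filtered directory-listing function stands in for the rootkit's hook on the file-enumeration API, a signature scan is shown missing the hidden file when it enumerates through that hook, and two heuristics catch what the signature scan missed: a cross-view comparison of the hooked listing against the raw listing (the same idea Sysinternals RootkitRevealer applies between the Windows API and the raw NTFS structures) and the disk-accounting check from the 200 GB example. The hidden-file prefix `_rk_`, the signature name `Demo.Rootkit.A` and its byte pattern, and the sample files are all constructed for the example.

```python
"""Signature-based and heuristic rootkit detection over a constructed
sample directory.  Added example; the "rootkit" is simulated by a
filtered listing function, the way a hook on FindFirstFile/FindNextFile
would filter the results returned to callers."""
import os
import tempfile

# Constructed marker: files the simulated rootkit hides from callers.
HIDDEN_PREFIX = "_rk_"

# Constructed fingerprint assumed unique to this fictitious rootkit;
# real signatures come from a vendor's database.
SIGNATURES = {
    "Demo.Rootkit.A": b"\x90\x90\x90RKDEMO\x00",
}


def hooked_listdir(path):
    """Directory listing as seen through the simulated hook: entries that
    begin with HIDDEN_PREFIX are dropped before the caller sees them.  A
    kernel-mode rootkit does this in the system-call path, so every
    process on the machine gets the filtered view."""
    return [n for n in os.listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def raw_listdir(path):
    """The unfiltered view.  On a real system this comes from a source the
    rootkit did not hook (e.g. the NTFS master file table read directly);
    here it is simply the unhooked os.listdir."""
    return os.listdir(path)


def signature_scan(path, listdir, signatures=SIGNATURES):
    """Signature-based detection: read every file that `listdir` reports
    and look for a known byte sequence.  Returns {filename: signature}."""
    hits = {}
    for name in listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        for sig_name, pattern in signatures.items():
            if pattern in data:
                hits[name] = sig_name
    return hits


def cross_view_diff(path):
    """Heuristic detection by cross-view comparison: anything present in
    the raw view but absent from the API view is being hidden."""
    return sorted(set(raw_listdir(path)) - set(hooked_listdir(path)))


def unaccounted_space(capacity_bytes, visible_file_bytes, free_bytes, slack=0.05):
    """The disk-accounting heuristic from the text: capacity minus visible
    files minus free space should be close to zero.  Returns the remainder
    when it exceeds `slack` of capacity (normal filesystem overhead), else 0."""
    remainder = capacity_bytes - visible_file_bytes - free_bytes
    return remainder if remainder > slack * capacity_bytes else 0


def build_sample_tree():
    """Create a temporary directory with constructed contents: two benign
    files and one rootkit component named so that the hook hides it."""
    root = tempfile.mkdtemp(prefix="rk101_")
    files = {
        "notes.txt": b"quarterly report draft\n",
        "setup.log": b"installer finished ok\n",
        HIDDEN_PREFIX + "driver.sys":
            b"MZ" + b"\x00" * 16 + SIGNATURES["Demo.Rootkit.A"] + b"\x00" * 8,
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    d = build_sample_tree()
    print("signature scan via hooked API:", signature_scan(d, hooked_listdir))
    print("signature scan via raw view  :", signature_scan(d, raw_listdir))
    print("hidden by the hook           :", cross_view_diff(d))
    gb = 1024 ** 3
    print("unaccounted space (GB)       :", unaccounted_space(200 * gb, 160 * gb, 15 * gb) // gb)
```

Run from the command line the script prints an empty result for the scan that enumerates through the hook, the `Demo.Rootkit.A` hit for the scan over the raw view, the hidden filename from the cross-view diff, and 25 for the disk-accounting check. The point to take from it is the order of trust: a signature scanner is only as good as the file list it is handed, so on a suspected rootkit infection the raw view (or an offline scan of the disk from known-good media) has to be the reference.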

Rootkits are hard to detect, but there are programs, some of them free, from reputable companies such as F-Secure (BlackLight) and Sysinternals (RootkitRevealer) to help you detect their presence on your systems. Microsoft has even stepped up to the plate with its Malicious Software Removal Tool, which detects and removes the Windows rootkits belonging to the specific malware families it targets.

Final Thoughts
If you discover someone has compromised your machine, it's vital that you take the necessary steps to find out whether the attacker has installed a rootkit, and then eliminate the threat. Applying vulnerability patches after someone has installed a rootkit on your machine closes the original hole but not the access the rootkit already provides. And because a kernel-mode rootkit controls what the running operating system reports, a clean bill of health from tools run on the compromised system itself cannot be trusted: verify from outside it (an offline scan of the disk from known-good media) or rebuild the machine from scratch.
