Thursday, April 02, 2009

Rootkits

A rootkit is defined as "malware that consists of a program or combination of several programs, designed to hide or obscure the fact that a system has been compromised". Rootkits hide on the compromised system by replacing critical system files and conceal their presence through hidden processes. Antivirus engines are not designed to uncover rootkits.
Attended a talk yesterday by Dr. Eugene Schultz on this topic. He shared that though rootkits aim to be elusive... there are tell-tale signs or discrepancies that will expose them. One example he gave is that a rootkit may be able to disguise a hidden process triggered by it and thus not show when you run "netstat"... but you can detect that hidden process at the network layer by scanning the compromised system to discover the listening port opened by that hidden process. Way cool!!!
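The cross-check described above can be automated: take what the suspect host itself reports through netstat, take what an external port scan of the same host reports, and flag any port that is open on the wire but missing from the host's own list. The script below is an added example written for this post, not code from the talk or from any tool it mentions. Both the netstat output and the scan output are constructed samples embedded inline, and port 4444 is a placeholder standing in for whatever the hidden listener happens to use.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: what `netstat -tln` prints on the suspect host itself.
# A rootkit that hooks socket enumeration can filter entries out of this view.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Constructed sample: what an external TCP scan of the same host reports.
# The scanner talks to the host's TCP stack over the network, so hooks on the
# host cannot filter what the scanner observes. 4444 is a placeholder port.
SCAN_OUTPUT = """\
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
4444/tcp  open  unknown
"""

LOOPBACK = {"127.0.0.1", "::1"}

# Matches a TCP LISTEN row of netstat output; IPv6 rows ("tcp6", ":::22") included.
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\b"
)
# Matches an "open" row of nmap-style scan output, e.g. "4444/tcp  open  unknown".
SCAN_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\b")


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" (the "tcp6" variant is normalised to "tcp")
    addr: str   # bind address exactly as netstat printed it
    port: int


def parse_netstat(text: str) -> set[Listener]:
    """Return the TCP listeners the host admits to in its own netstat output."""
    found: set[Listener] = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            found.add(Listener(m["proto"].rstrip("6"), m["addr"], int(m["port"])))
    return found


def parse_scan(text: str) -> set[tuple[str, int]]:
    """Return the (proto, port) pairs an external scanner saw as open."""
    return {
        (m["proto"], int(m["port"]))
        for line in text.splitlines()
        if (m := SCAN_LINE.match(line))
    }


def compare_views(local: set[Listener], remote: set[tuple[str, int]]) -> dict:
    """Cross-check the host's own view against the network view.

    hidden_candidates: open on the wire but absent from netstat. This is the
        discrepancy a rootkit hiding a listening process cannot paper over.
    not_reachable: advertised locally on a routable address but closed to the
        scanner; usually a host firewall, worth noting but not a hiding sign.
    Loopback-only listeners are skipped: a remote scan can never see them, so
    their absence from the scan proves nothing either way.
    """
    externally_visible = {(l.proto, l.port) for l in local if l.addr not in LOOPBACK}
    return {
        "hidden_candidates": sorted(remote - externally_visible),
        "not_reachable": sorted(externally_visible - remote),
    }


if __name__ == "__main__":
    report = compare_views(parse_netstat(NETSTAT_OUTPUT), parse_scan(SCAN_OUTPUT))
    for proto, port in report["hidden_candidates"]:
        print(f"WARNING: {port}/{proto} is open on the network but hidden from netstat")
    for proto, port in report["not_reachable"]:
        print(f"note: {port}/{proto} listens locally but was closed to the scanner")
```

In practice the netstat side must be captured on the suspect host and the scan side from a separate, trusted machine; running both on the compromised box defeats the point, since the rootkit can lie to both. Any port in `hidden_candidates` deserves a closer look, and a loopback-bound service that never shows externally is expected rather than suspicious.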
He recommended GMER... a powerful rootkit detector. I did some research of my own and found a free rootkit detector from Sophos and another for Linux/*BSD.