Full Version: Got antivirus? Got antispyware? You may not be rid of all malware
bargainshare.com > Community > Computer & Tech Help
msh11
For more information, links and resources go here and you can download a free revealer http://www.sysinternals.com/utilities/rootkitrevealer.html

A root kit is a Trojan horse program that sits silently on your computer and does pretty much whatever it wants. Recall that Trojan horses can be programs that launch Distributed Denial of Service (DDoS) attacks, such as the widespread Mydoom virus. Other Trojan horses might be keystroke loggers--programs that record every key you press, including passwords--and ship them over the Internet to a malicious user who seeks to steal your identity and assets. You can find Trojans running on your system in several places: They might show up as a service, as a running program in the Windows Task Manager list, or as an entry in your registry's Run keys. A run-of-the-mill antivirus program can find and eliminate such Trojans.

Root kits are dangerous because they can "stealth" themselves. They modify the basic, low-level parts of the OS, instructing Windows to keep them off its lists of running services and processes and to not display them in the registry. And a simple hard-disk scan won't detect the program files. Because antivirus and antispyware programs must rely on the OS to find running programs, they're powerless to find root kits, much less eliminate them.

Imagine how devastating the effects of a root kit attack could be. What if someone has already built a root kit that spreads quietly and calls no attention to itself--one that waits until some date, such as December 25, 2006, then activates and erases hard disks? How do you defend against this type of attack? You could, I suppose, run a network sniffer such as Ethereal or Microsoft Network Monitor and examine network traces for unexpected network activity, but the volume of traffic on a network segment would make that a Herculean task. No, the way to attack root kits is by exploiting the way that they modify the OS to hide themselves--or at least modify the copy on the hard disk.


The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.


updated link to revealer
msh11
The Cure - F-Secure BlackLight (Beta Release)

Download the beta, good until July 2005: http://www.europe.f-secure.com/exclude/bla...ght/index.shtml


What is F-Secure BlackLight?

F-Secure BlackLight Rootkit Elimination Technology detects objects that are hidden from users and security tools and offers the user an option to remove them. The main purpose is to fight rootkits and all kinds of malware that use rootkits. The F-Secure BlackLight Rootkit Elimination Technology works by examining the system at a deep level. This enables BlackLight to detect objects that are hidden from the user and security software.

F-Secure BlackLight is able to correctly ignore non-malicious objects and alerts only on real rootkits, which makes it useful even for users without technical knowledge. F-Secure BlackLight is also able to deal correctly with files that have been modified during the scanning process. This makes it possible to use F-Secure BlackLight in the background without interrupting normal work.

What are the key benefits of F-Secure BlackLight Rootkit Elimination Technology?

F-Secure BlackLight can detect and eliminate active rootkits from the computer. Traditional antivirus scanners can't detect active rootkits.
F-Secure BlackLight does not confront the user with a long list of suspected objects. It only reports on objects that are very likely to be rootkits or files hidden by a rootkit. This makes F-Secure BlackLight useful even for non-technical users.
F-Secure BlackLight Rootkit Elimination Technology can be used in the background during normal system operation. Other available scanners require a reboot during scan or may produce false positives if the system is used during scanning.
For whom is F-Secure BlackLight intended?

F-Secure BlackLight is intended for all computer users who want additional security by checking their system for rootkits. F-Secure BlackLight is suitable for use in both home and business environments.

How can I try F-Secure BlackLight Rootkit Elimination Technology?

A free beta version of F-Secure BlackLight is available for download. The latest beta is fully featured and works until the 1st of July 2005.

F-Secure will announce products and solutions that use BlackLight™ Technology in 2005. This will further strengthen the company's existing host security offering which includes centrally managed anti-virus, firewall, intrusion detection and anti-spyware solutions.
wurlybird9
I was wondering why I encounter some PC's that seem to have perpetual problems no matter what antivir/spy software I throw at them. Maybe this is something I need to check out. Thanks for the heads up!
TheDiggler
Thanks msh11, very cool info! Running RootKitRevealer now.
wurlybird9
this says i have a problem with a Minolta 1350W regkey. I'm not sure if that means anything.
TheDiggler
QUOTE(wurlybird9 @ 4-23-05, 12:29am)
this says i have a problem with a Minolta 1350W regkey.  I'm not sure if that means anything.

Problematic registry key for the 1350W? Better send that printer in for service ASAP!!!
WingsOverVA
How do you know that this program isn't installing what it claims to get rid of???
msh11
QUOTE(WingsOverVA @ 4-24-05, 12:20am)
How do you know that this program isn't installing what it claims to get rid of???

You can further research this problem by using these links that are provided at the bottom of the page from the first link in the OP.

www.rootkit.com
This site contains sample code for a number of user-mode and kernel-mode rootkits as well as ongoing discussions on how to develop rootkits.

www.phrack.org
This site stores the archive of Phrack, a cracker-oriented magazine where developers discuss flaws in security-related products, rootkit techniques, and other malware tricks.

research.microsoft.com/rootkit/
This is the Microsoft Research rootkit home page where Microsoft publishes papers and information on its efforts to combat rootkits.

This is from research.microsoft.com/rootkit/:

QUOTE
Tools

Strider GhostBuster will be released either as a research prototype or as part of Microsoft products.
SysInternals RootkitRevealer, released on February 22, 2005, implements the same hidden-file and hidden-Registry detection techniques used in the Inside-the-box GhostBuster (which includes additional hidden-process and hidden-module detection techniques).
Simple steps you can take to detect some of today's ghostware:
Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.
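The cross-view idea in msh11's first post (enumerate the same objects two ways and treat the difference as the hidden set) and the dir/WinDiff steps quoted just above can be reproduced on the saved listings with a short script. What follows is an added example, not code from this thread, from Sysinternals or from Microsoft Research. It assumes the two listings were saved as plain text by the dir commands above (one run inside the suspect OS, one from the clean CD, possibly under a different drive letter), and the VOLATILE_PATTERNS list is a constructed set of locations expected to differ between a running system and an offline view; the sample listings embedded in the script are constructed and the file names in them are not real indicators.

```python
"""Cross-view detection on two saved directory listings.

Added example (not part of the thread, RootkitRevealer or GhostBuster):
compare a listing captured inside the suspect OS with a listing of the
same drive captured from a clean boot medium, report paths visible only
from outside (file-hiding candidates) and filter differences that are
expected between a running and an offline view.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of "dir /s /b /ah" + "dir /s /b /a-h"
# output saved inside the suspect OS. All paths are illustrative.
INSIDE_LISTING = """\
C:\\WINDOWS\\system32\\drivers\\etc\\hosts
C:\\WINDOWS\\system32\\kernel32.dll
C:\\pagefile.sys
C:\\Documents and Settings\\user\\Local Settings\\Temp\\~DF1234.tmp
"""

# The same drive enumerated from the clean boot medium, where it carries a
# different drive letter (D:). The two extra entries stand in for files a
# file-hiding rootkit would have removed from the inside view.
OUTSIDE_LISTING = """\
D:\\WINDOWS\\system32\\drivers\\etc\\hosts
D:\\WINDOWS\\system32\\kernel32.dll
D:\\WINDOWS\\system32\\drivers\\hiddendrv.sys
D:\\WINDOWS\\hidden_dir\\svc.exe
D:\\pagefile.sys
"""

# Locations that legitimately differ between the two views (temp files,
# system restore data). Constructed list; extend it for the environment.
VOLATILE_PATTERNS = [
    re.compile(r"^\\documents and settings\\[^\\]+\\local settings\\temp\\"),
    re.compile(r"^\\windows\\temp\\"),
    re.compile(r"^\\system volume information\\"),
]


def normalise(line):
    """Drop the drive letter, unify separators and case; None for blanks."""
    line = line.strip()
    if not line:
        return None
    path = re.sub(r"^[A-Za-z]:", "", line)
    return path.replace("/", "\\").lower()


def parse_listing(text):
    """Return the set of normalised paths found in a saved dir listing."""
    return {p for p in (normalise(l) for l in text.splitlines()) if p}


def is_volatile(path):
    """True if the path is in a location expected to differ between views."""
    return any(pat.search(path) for pat in VOLATILE_PATTERNS)


@dataclass
class CrossViewResult:
    hidden_inside: list = field(default_factory=list)  # outside only
    only_inside: list = field(default_factory=list)    # inside only
    suppressed: list = field(default_factory=list)     # filtered as noise


def cross_view(inside_text, outside_text):
    """Diff the two views; a path seen only from outside is a hiding candidate."""
    inside, outside = parse_listing(inside_text), parse_listing(outside_text)
    result = CrossViewResult()
    for path in sorted(outside - inside):
        target = result.suppressed if is_volatile(path) else result.hidden_inside
        target.append(path)
    for path in sorted(inside - outside):
        target = result.suppressed if is_volatile(path) else result.only_inside
        target.append(path)
    return result


if __name__ == "__main__":
    res = cross_view(INSIDE_LISTING, OUTSIDE_LISTING)
    for label, paths in (("HIDDEN FROM INSIDE VIEW", res.hidden_inside),
                         ("ONLY IN INSIDE VIEW", res.only_inside),
                         ("SUPPRESSED AS VOLATILE", res.suppressed)):
        print(f"== {label} ({len(paths)})")
        for p in paths:
            print("  ", p)
```

To use it on a real check, read the two saved files into INSIDE_LISTING and OUTSIDE_LISTING in place of the constructed strings. The script reproduces only the "invisible inside, visible from outside" comparison; as the quoted note says, that check will not see stealth software kept in BIOS, video card EEPROM, bad sectors or alternate data streams, because dir lists none of those in either view.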
wmspringer
Good to have a firewall too :-)
NARC
QUOTE(WingsOverVA @ 4-24-05, 12:20am)
How do you know that this program isn't installing what it claims to get rid of???

Funny, that was my very first thought as well.
NARC
QUOTE(msh11 @ 4-22-05, 10:51am)
The Cure - F-Secure BlackLight (Beta Release)

Download the beta good until July 2005 http://www.europe.f-secure.com/exclude/bla...ght/index.shtml
What is F-Secure BlackLight?

For what it's worth, this app hosed my registry values for my CD/DVD drives. I would stay away....
msh11
I posted this as mainly an FYI...the f-secure program is a beta. I haven't run the f-secure, but did run the sysinternals to see what it exposed. It reports without altering anything.
wurlybird9
QUOTE(msh11 @ 4-22-05, 10:47am)
For more information, links and resources go here and you can download a free revealer http://www.sysinternals.com/ntw2k/freeware...kitreveal.shtml


This link isn't working now. I wonder what's going on.

Could be coincidence, but I think I've been having more computer problems since I ran it.
n99nyrwg
QUOTE(msh11 @ 4-22-05, 9:47am)
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

hmmm, maybe there are multiple definitions, but this is what I know of rootkits:

Rootkits are used to gain root access to a computer. Root access is full access, admin privileges.

In my experience rootkits are almost always used to set up a server on the computer and store files on it. This is very common with fast connections (10mb, 100mb, etc). If you are familiar with IRC, there are many warez channels that 'root' machines all day with their rootkits. However, if you have root access then you can do multiple other things.

Is it detectable? Yes, in one form or another. Usually your antivirus will detect one or more components the 'rooter' used to set up whatever they are setting up. However, by this time they have most likely already got everything set up. The point is once it finds that one thing you can start looking for other things. The things you want to look for are extra services that were created. This gets more complicated, but if you are familiar with services it's not hard to see what went wrong.

How do the rootkits work? They scan your computer for open ports and vulnerabilities. So the best thing you can do is keep your Operating System and all of its components up to date. It would help to have a software firewall (this closes ports) and even more helpful to have a hardware firewall (these are built into routers).

If anyone needs more info about what I'm talking about, just ask. I could not read the article, but from what I read of what msh11 pasted I wasn't too impressed. It just did not seem accurate to me. It seemed like something trying to scare people.