For investigation I use Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
The page also gives a more technical explanation of rootkits
in Windows and how they work.
Toomas
----- Original Message -----
From: "David Gillett"
> On 24 Apr 2006 at 21:32, Ra wrote:
>
>> What is a rootkit and how would I investigate it?
>
>
> The name comes from the world of Unix and Linux, where the all-powerful
> account on a computer is named "root" rather than "Administrator". The
> original purpose of a rootkit was, as a piece of malware, to obtain this
> supreme level of user privilege, from which the attacker who installed the
> rootkit could then proceed to wreak whatever havoc was desired.
> Of course, not all attackers are just interested in causing immediate
> chaos; many see their infiltration of a machine as a stepping-stone to some
> further purpose. And so the term's meaning shifted to focus on techniques
> to try to prevent discovery that the system has been compromised.
>
> Indeed, the distinguishing characteristic of a modern rootkit is that it
> makes it so difficult for an ordinary mortal user to discover its presence.
>
> As such, there's not much useful advice to give. If you are having the
> sort of problems that usually indicate a virus or spyware infestation, but
> all of your usual tools for detecting and removing malware are coming up
> empty, then that *may* indicate the presence of a rootkit.
>
> (But not necessarily. I had been seeing such symptoms on one of my
> machines, and discovered today that I had missed updating its copy of
> Firefox from 1.0.x to 1.5.x; updating it appears to have corrected the
> problem.)
>
> David Gillett
>