On 24 Apr 2006 at 21:32, Ra wrote:

> What is a rootkit and how would I investigate it?


  The name comes from the world of Unix and Linux, where the all-powerful 
account on a computer is named "root" rather than "Administrator".  The 
original purpose of a rootkit was, as a piece of malware, to obtain this 
supreme level of user privilege, from which the attacker who installed the 
rootkit could then proceed to wreak whatever havoc was desired.
  Of course, not all attackers are just interested in causing immediate 
chaos; many see their infiltration of a machine as a stepping-stone to some 
further purpose.  And so the term's meaning shifted to focus on techniques 
to try to prevent discovery that the system has been compromised.

  Indeed, the distinguishing characteristic of a modern rootkit is that it 
makes it so difficult for an ordinary mortal user to discover its presence.

  As such, there's not much useful advice to give.  If you are having the 
sort of problems that usually indicate a virus or spyware infestation, but 
all of your usual tools for detecting and removing malware are coming up 
empty, then that *may* indicate the presence of a rootkit.

  (But not necessarily.  I had been seeing such symptoms on one of my 
machines, and discovered today that I had missed updating its copy of 
Firefox from 1.0.x to 1.5.x; updating it appears to have corrected the 
problem.)

David Gillett

             Do you want to signoff PCSOFT or just change to
                    Digest mode - visit our web site:
                   http://freepctech.com/pcsoft.shtml