
[Repost] Rootkit Revelations


Original link: http://castlecops.com/article-6342-nested-0-0.html

No one application or technique can protect you 100%, but you can still get pretty close to that. When Windows users follow these guidelines, their chances of being infected by malware could drop almost to zero. Now we begin our next installment of the Windows Security Checklist - Part 31: Rootkit Revelations.

It is not as complicated as it may first appear, although there is a lot of information to absorb. The Security Experts, 1st Responders, Special Response Team members, Host and Moderator consultants at CastleCops can help you if you have questions about any of these techniques or featured applications.

Rootkit Revelations

Rootkits are not malware but programs that provide a system or means to hide other programs, including malware. They do this by using stealth techniques to modify the Windows operating platform in ways which prevent detection by normal methods. Windows programs, most scanners, and even HijackThis will see nothing.

Rootkits install themselves in the Root Drive of computers. The Root is a foundation for all operating system functions. It's the great connector between all programs and applications. On Windows platforms the Root is the "\" that follows "C:", thus "C:\". The "\" is the Root Drive. Rootkits are themselves a form of operating system, independent of Windows and other popular platforms, also hiding from them.

Rootkits were used mostly in the past by hackers hiding trojans and keyloggers on their victims' machines. More recently, they are being used to spread viruses, spyware and worms. They are even being used to promote Digital Rights Management by large corporations. In both cases, users are unwittingly installing these nefarious programs on their computers, and in greater numbers than ever before.

Detecting the presence of Rootkits and their payloads is a difficult task, even for the experts. Most anti-spyware and antivirus scanners are unable to find them, although a few have taken steps towards improving that. Both Symantec and Microsoft have removal tools for the Digital Rights Management Rootkit distributed by Sony Corporation on their music CDs.

"We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component," wrote Jason Garms, a spokesperson from Microsoft.

You can download the Malicious Software Removal tool at Microsoft's Update site or from Automatic Updates for Windows XP.

Symantec has a removal tool for this same DRM Sony Rootkit: SecurityRisk.First4DRM

Like these specific Rootkit removal tools, you need special Rootkit detectors and removers for the rest. The easiest way to detect them is to compare the file system of an infected machine with a copy of its clean file list, but that rarely occurs in the real world. Detecting Rootkits is difficult from within an infected system, but by employing different techniques and applications, it can be done. You are strongly urged to obtain the guidance of a security expert before attempting to remove any Rootkit.

The first step is to discover the presence of a Rootkit with a Rootkit Detector (RKD). More than a dozen of these are available. Most are for Windows 2000 and later, but TrojanHunter will detect and remove Rootkits from all Windows platforms, including Windows 98.

Download and install the 30-day trial (Direct Download of TrojanHunter). TrojanHunter runs on Windows 95, 98, ME, NT, 2000 and XP.

With the trial version of TrojanHunter you need to manually update the rule files before you can start scanning (see Manually Updating TrojanHunter Rule Files).

Open the TrojanHunter scanner and click on the Trojan icon on the left side, then do a search for "rootkit" and you will see the list of rootkits that it detects and removes.

The following Rootkit Detectors are freeware, requiring Administrator rights to run:

F-Secure Blacklight (Beta): For Windows 2000 and up. F-Secure provides little information on how this program works. It detects hidden processes, files and folders but not invisible registry keys. They have promised to allow it to continue as freeware until January, 2006. It's updated monthly. The Blacklight engine has been added to the F-Secure Internet Security 2006 suite. Blacklight is easy to use, requiring no installation and scans quickly.

Sysinternals: Rootkit Revealer runs on Windows NT 4 and up. It compares user-mode information to the kernel-mode view and reports differences that exist in the Windows Registry and file system. It requires no installation: just double-click the .exe file and, to begin a scan, select File/Scan.

The program includes an option to scan NTFS alternate data streams for hidden code. This option is off by default since it can produce a lot of false positives. Experienced users may wish to "play" with this option.

RootkitRevealer does not remove rootkits. The authors suggest that users conduct a Google search on how to remove any detected malware or to re-format the drive and do a fresh install of Windows. We would suggest that you come to CastleCops. We can help you.
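As an added example (not code from the original article or from Sysinternals), the comparison logic behind both the clean-baseline check described earlier and RootkitRevealer's cross-view scan, run over constructed listings: the "raw view" here is a hand-built list standing in for a kernel-level or raw NTFS enumeration, and the ADS handling mirrors the off-by-default option discussed above.

```python
"""Cross-view discrepancy check (RootkitRevealer's idea): a concealed object is
present in the low-level raw view but missing from the user-mode API view.
Constructed sample data only; no Windows API or raw NTFS access is performed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "hidden": raw view only; "phantom": API view only
    detail: str

def _normalize(path: str) -> str:
    # Windows paths are case-insensitive and accept either separator, so a
    # difference in case or slashes alone must not count as a discrepancy.
    return path.replace("/", "\\").rstrip("\\").lower()

def _is_alternate_stream(path: str) -> bool:
    # "file.txt:stream" names an NTFS alternate data stream: the ':' is in the
    # final path component, not in the drive letter.
    return ":" in path.rsplit("\\", 1)[-1]

def cross_view_diff(api_view, raw_view, scan_ads=False):
    api = {_normalize(p): p for p in api_view}
    raw = {_normalize(p): p for p in raw_view}
    findings = []
    for key in sorted(raw.keys() - api.keys()):
        if _is_alternate_stream(raw[key]):
            if scan_ads:  # off by default, as in RootkitRevealer: many false positives
                findings.append(Finding(raw[key], "hidden", "alternate data stream not visible through the API"))
        else:
            findings.append(Finding(raw[key], "hidden", "present in raw view only: possible concealment"))
    for key in sorted(api.keys() - raw.keys()):
        findings.append(Finding(api[key], "phantom", "present in API view only: discrepancy to investigate"))
    return findings

def baseline_diff(clean_listing, current_listing):
    """Clean-baseline comparison: entries added since, or missing from, the clean list."""
    clean = {_normalize(p) for p in clean_listing}
    current = {_normalize(p): p for p in current_listing}
    added = sorted(current[k] for k in current.keys() - clean)
    removed = sorted(p for p in clean_listing if _normalize(p) not in current)
    return added, removed

# Constructed listings: a user-mode directory walk (API view) versus a raw
# enumeration of the same volume (raw view). File names are made up.
API_VIEW = [r"C:\Windows\explorer.exe", r"C:\Windows\System32\drivers\disk.sys", r"C:\Windows\Temp\cached.tmp"]
RAW_VIEW = [r"c:\windows\EXPLORER.EXE", r"C:\Windows\System32\drivers\disk.sys",
            r"C:\Windows\System32\drivers\hidden_example.sys", r"C:\Windows\readme.txt:hiddenstream"]
```

A real scanner would fill the two lists from independent enumeration paths; any "hidden" finding on a driver or executable is the signal worth escalating to an expert, as the article advises.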

The usual practice for detecting and removing Rootkits is to first detect and identify them, then attempt removal, but with some Rootkits this can leave Windows unusable. With those you can only be certain by doing a full re-format followed by a fresh install. For those where the Rootkit can be safely removed, you then need to clean up all the malware which the Rootkit had been hiding.

The CastleCops Malware Removal and Prevention procedure is ideal for this task. It's a new system devised by the CastleCops Team of Professionals to enable users to either partially or fully clean their systems without the direct aid of an expert. If you still need help, there are more steps they can guide you through to get you cleaned up.

Best regards and always take care of your security.
