From the FRONT LINE

RootKit Prevention & Intrusion Detection

A RootKit is a set of software tools, consisting of various Files and Coded Instructions working together, that allows an intruder first to gain "Access", then to become virtually "INVISIBLE" to all "conventional" detection methods, and then secretly to take "Total Control" of a System from its Core.

RootKits have the ability to hide from and deceive the very Operating System (O/S) itself.

This new "Cloaking Technology", as it is sometimes referred to, renders the present "traditional" Anti-Virus/Worm/Trojan and even Anti-Spyware removal security software products completely obsolete.

Because RootKits are "extremely" hard to detect and remove, and can allow a Remote Hacker or others (such as Spyware Companies) complete access and control, some experts recommend a Total Hard Disk Drive Format/Restore of the entire infected System as the only "sure" method of removal.

The "Spyware Factor" has changed everything. It has changed the very nature of both the Remote Hacker and the Security Programmer, and the reason for this can be summed up in one word: "Money".

In today's rapidly changing "Malware" environment one has to be extremely careful when choosing "Malware Removal" products.

The First question is can you "Trust" them?

It is a well-documented fact that many so-called "Spyware Removal Products" not only give outrageous "False Positives" but also in some cases actually have a hand in creating the very Spyware they are charging you money to remove.

(FTC v. MaxTheater and FTC v Trustsoft)

The Second question is are they "Effective"?

On the Corporate Tech "Battle Field" it comes down to two things: what works and what doesn't.

Put simply many of the Large (Dinosaur) Malware Removal Companies are like big 18 Wheeler Trucks pulling a Full Load in a two Block Drag-Race against a Vet.

With that said here are some Product Recommendations:

1. RootkitRevealer
"is an advanced rootkit detection utility." Produced by Sysinternals (Freeware)

Developed by Mark Russinovich and Bryce Cogswell.

Mark Russinovich is one of the world's top Programmers and Windows API experts and is the Researcher who uncovered the Code leading to the now infamous "Sony Rootkit Controversy".

The uncovering of the "Sony Rootkit Bombshell" by Russinovich (using RootkitRevealer) is of ground breaking, Monumental, Historical and IT Industry altering significance and will no doubt significantly influence future Congressional Legislation with regards to Malware.

2. IceSword
A rootkit removal tool that is spoken of very highly on several very reputable Sites (See: "IceSword Author speaks out on Rootkits")

3. AntiHookExec
Referred to as "an ingenious tool" (by the excellent Tech Blog "Swatkat's rant", Feb. 21, 2006), which removes all "Hooks" (Hook: a programming "component" that lets an outside "Routine" be "Called", or a "Variable" be inserted, in an existing code path, allowing for additions or changes to its behavior).

4. BlackLight
A rootkit detector and remover produced by "F-Secure" (possibly one of the only "Larger" Companies seriously in the "Fight") and is "presently" in "Beta" (meaning: Free "Experimental" Software for "Testers") -- use any "Beta" software with caution.

(Host) Intrusion Prevention Systems (HIPS)

An Ounce of Prevention is worth a Pound of Cure! -- (Benjamin Franklin)

Or put another way...

A Bullet Proof Vest beats a good Surgeon any day! -- (Henry L. Tillman)

(IPS & HIPS) White Papers & Information:

(Intrusion Prevention Systems (IPS)) Author: NSS Group

(The case for a host-based intrusion prevention layer) Author: Megan Golding

(Attacking Host Intrusion Prevention Systems) a (pdf) Author: Eugene Tsyrklevich

First of all, in spite of all the excitement and fanfare, don't let anyone snow you: Intrusion Prevention Systems (IPS) are by no means what one might call "fully developed Technologies", at least not at the present, especially in the area of (NIPS) -- "Network Intrusion Prevention Systems".

With that said many great strides are being made at the "very heart" of the battlefield, at the "last line of defense" in this "Cyber War" and that last line of defense is ... The Work Station (The Host).

At the critical "WorkStation" level the cutting edge and bloodiest "Hand to Hand" Cyber Combat is being waged by some of the world's most "elite" and brilliant programming minds.

Interestingly enough the "Very Best" Tools in the "fight against Malware" (on the WorkStation) have come from the very smallest of Companies, groups and/or even individual Programmers.

Tools like:

HijackThis, SpybotSD, AVG Anti-Virus, Ewido, Webroot (Anti-Spyware)

WinPatrol (since 1997)
(The first Windows based IDS -- Intrusion Detection Software/System) an old personal favorite of mine (although not for Rootkits) which monitors numerous critical changes and allows one to "Block" changes to crucial low-level system functions,

DeviceTree (See: Tech Blog "Swatkat's rant" Feb. 21, 2006),
PortExplorer (See: Processguard's site)

(Host) Intrusion Prevention Systems (HIPS) and/or Rootkit Removal Tools

1. Processguard
This Tool should be in both (the HIPS and the RootKit Detection & Deletion) categories and is a very strong contender for the No. 1 Spot on "both" lists with exceptionally high Reviews and Awards.

2. System Safety Monitor
"(SSM) allows you to track down Microsoft Windows operating system activity in real-time and to prevent undesirable actions from various malware and spyware programs. SSM's main goal is to discover and block malicious actions of any application."

3. ApiHookCheck
"API hooking is ... used by rootkits and other malicious code to modify the behavior of certain APIs to hide files, network ports, processes or services. This tool can help to detect the presence of system-wide API hooks that are implemented based on import/export table modifications and insertion of JMP instructions at the start of the real API."
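The "Hook" definition given above and the ApiHookCheck description both turn on the same check: does the first instruction of a real API still belong to that API, or has a JMP been written over it? As an added example (not code from this page or from the ApiHookCheck project), this portable C routine classifies a function's first bytes as clean or as one of the common inline-detour forms, resolves a relative JMP's target, and reports whether that target leaves the module. The byte samples, function address and module bounds are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: detect an inline hook, i.e. a JMP patched over the real
   prologue of an exported function (x86 encodings). */
typedef enum { HOOK_NONE, HOOK_JMP_REL32, HOOK_JMP_ABS_IND, HOOK_PUSH_RET } hook_kind;

/* code/len: bytes read from the start of the function; addr: its address.
   For HOOK_JMP_REL32 the resolved jump target is written to *target. */
hook_kind classify_prologue(const uint8_t *code, size_t len,
                            uint64_t addr, uint64_t *target)
{
    if (len >= 5 && code[0] == 0xE9) {                 /* E9 rel32: JMP rel32 */
        int32_t rel;
        memcpy(&rel, code + 1, sizeof rel);            /* little-endian disp */
        if (target) *target = addr + 5 + (int64_t)rel; /* relative to next insn */
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) /* FF 25: JMP [mem32] */
        return HOOK_JMP_ABS_IND;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) /* PUSH imm32 ; RET */
        return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* A compiler may legitimately begin a function with a jump that stays inside
   its own image; a detour into memory outside the module is the tell. */
int target_leaves_module(uint64_t target, uint64_t mod_base, uint64_t mod_size)
{
    return target < mod_base || target >= mod_base + mod_size;
}

int main(void)
{
    /* Constructed samples: "clean" is the usual hot-patchable prologue
       mov edi,edi / push ebp / mov ebp,esp; "hooked" is JMP +0xFFB. */
    const uint8_t clean[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    const uint8_t hooked[] = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };
    const uint64_t func = 0x10001000, mod_base = 0x10000000, mod_size = 0x1800;
    uint64_t tgt = 0;

    printf("clean : kind=%d\n", classify_prologue(clean, sizeof clean, func, &tgt));
    hook_kind k = classify_prologue(hooked, sizeof hooked, func, &tgt);
    printf("hooked: kind=%d target=0x%llx leaves_module=%d\n", k,
           (unsigned long long)tgt, target_leaves_module(tgt, mod_base, mod_size));
    return 0;
}
```

Reading the prologue bytes from a live process and comparing them with the same bytes in the DLL on disk is what turns this classifier into a scan; the classifier alone only says what kind of detour is present.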

4. UnHackMe
"...is specially designed to detect and remove Rootkits.
The intruder installs a rootkit on a computer using a user action or by exploiting a known vulnerability or cracking a password. The rootkit installs a backdoor giving the hacker full control of the computer. It hides their files, registry keys, process names, and network connections from your eyes."

Conclusion:
We have entered into a Brave New World, a "Totally New Paradigm" has emerged and the "Emperor" has no clothes (the Emperor: Big Bloat-ware Securities Company).

The back and forth clash between "defense" and "offense", which only a short time ago took years, now takes only months, even weeks.

The good news is that out of this "new dilemma" have emerged small, quick-thinking, quick-moving groups of ingenious "Software Samurai" to counter the onslaught, and using their cutting edge "Tools" they make it possible to hold off at least a non-direct, non-elite Hacker "Generalized Assault".

This site was produced by:

Henry L. Tillman (ITEC)
Information Technology Expert Consultant
Chicago Illinois
Website Network: www.HLTillman.com
Email: hltillman@hltillman.com
Phn: 773-243-6220
Fax: 773-224-7958

 
Henry L. Tillman (ITEC) makes no claims as to the "absolute correctness" of the above mentioned information. All information is provided for "Technical Research", Assistance and "Public Service" purposes.
All readers be they Companies or Individuals are advised and encouraged to do further "Research" of their own and are ultimately responsible for their own Technical Decisions.
Henry L. Tillman (ITEC) is "at this time" NOT in any Business or Financial relationship with ANY of the above mentioned Companies or Individuals, and there are NO PAID ENDORSEMENTS or "Affiliate" Arrangements or Agreements of any kind with any of the above Companies or Individuals at this time.
Henry L. Tillman (ITEC) reserves the right to (at any future time) enter into any Business, Financial, Affiliate or other Arrangements or Agreements with any Company or Individual as it deems fit pursuant to the adherence of any applicable laws.