Rootkit Guide: Learn for yourself in simple terms.

Foreword:

Rootkits can be extremely dangerous because they cloak or hide malware. You must understand that if your machine is infected and you cannot remove it, the best course of action is to wipe or format your hard drive and start fresh.

They are known for their "cloaking" technology: in essence, they hide the malicious processes and registry entries from Windows Explorer and Task Manager.

This type of modern malware can cloak or hide:

1. Processes (Programs)

2. Services

3. TCP/IP Ports (Internet)

4. Files (Usually the malicious kind)

5. Registry Keys (Core Windows Component)

6. User Accounts

Whoa!! I preach this regularly but I will do it again: the best way to remain clean is to have real-time anti-virus protection! You have to stop this stuff before it gets in the door, or else, like some family members, it's hard to get 'em to leave!

I use AVG Anti-Virus 2011.

Once a rootkit is installed and cloaking its malware, scanning for it later and removing it becomes much, much harder.

GMER is a free and small rootkit removal tool that you may find useful: Download GMER.

An example of how it cloaks is as follows:

When Task Manager calls up a list of tasks, the rootkit is "hooked" into the Ntdll.dll file like a parasite. What that means is that it gets to filter what Task Manager sees, without being seen itself!

Legitimate processes, e.g. "explorer.exe", can also be infected. This makes them VERY hard to detect.

Positive Note:

They have holes, or uncloak temporarily, while they act upon something. That can usually provide some clues to find them.

This is referred to as an anomaly, and many Anti-Virus solutions use anomaly detection to find this type of malware.

Be aware: this usually means that if you scan 10 times you may not find anything, or you may find 1 or 2. Scanning often greatly increases your chances of detecting anomalies.

There is a tool available from Windows Sysinternals called RootkitRevealer.

This tool can detect the "kernel mode" variety by comparing what the malware tells the Windows API to report with what the raw file system and raw registry hive actually contain. RootkitRevealer is an excellent anomaly detector, but it takes a loooongggg time to scan.
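To make the cross-view idea concrete, here is an added Python illustration (not code from the original post, nor from Sysinternals) that runs on constructed sample data: each scan gives an "API view" (what Task Manager or Explorer is told) and a "raw view" (what the file system or registry hive holds), and it counts, across repeated scans, which entries only one side can see. The process names, PIDs and registry paths are made up for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# One entry is (kind, identifier), e.g. ("process", "1208:explorer.exe").
Entry = Tuple[str, str]
Snapshot = Tuple[List[Entry], List[Entry]]   # (api_view, raw_view)

def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry]) -> Dict[str, Set[Entry]]:
    """Compare what the Windows API reports with what the raw data holds.
    'hidden'  = in the raw view but not the API view (cloaked by a hook).
    'phantom' = in the API view but not the raw view (usually benign noise,
    e.g. a process that exited between the two reads)."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": raw - api, "phantom": api - raw}

def scan_many(snapshots: List[Snapshot]) -> Counter:
    """Repeat the diff over several snapshots and count, per discrepancy, how
    many scans it appeared in. Cloaking comes and goes, so one pass can miss
    it; a discrepancy that keeps recurring is the strongest signal."""
    hits: Counter = Counter()
    for api_view, raw_view in snapshots:
        for label, entries in cross_view_diff(api_view, raw_view).items():
            for entry in entries:
                hits[(label, entry)] += 1
    return hits

# Constructed sample data (not real scan output).
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLEAN = [("process", "4:System"), ("process", "1208:explorer.exe"),
         ("regkey", RUN_KEY + r"\OneDrive")]
CLOAKED_PROC = ("process", "4096:svc_host.exe")
CLOAKED_KEY = ("regkey", RUN_KEY + r"\drv")
SHORT_LIVED = ("process", "2200:notepad.exe")

SNAPSHOTS: List[Snapshot] = [
    # scan 1: the rootkit hides its process and its autorun key from the API
    (CLEAN, CLEAN + [CLOAKED_PROC, CLOAKED_KEY]),
    # scan 2: the process is briefly uncloaked (a "hole"); the key stays hidden
    (CLEAN + [CLOAKED_PROC], CLEAN + [CLOAKED_PROC, CLOAKED_KEY]),
    # scan 3: hidden again; notepad exited between the API read and the raw read
    (CLEAN + [SHORT_LIVED], CLEAN + [CLOAKED_PROC, CLOAKED_KEY]),
]

if __name__ == "__main__":
    for (label, entry), count in sorted(scan_many(SNAPSHOTS).items()):
        print(f"{label:8} {entry[0]:8} {entry[1]}  seen in {count}/{len(SNAPSHOTS)} scans")
```

A one-off "phantom" like the notepad entry is the kind of noise a cross-view scanner also reports, which is why recurring discrepancies matter more than any single hit.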

It's important not to get too cozy; malware evolves in all its forms. We nearly always learn removal techniques after many infections have already occurred.

Lastly:

The best way to mitigate exposure and damage on your machine is to NOT run the computer as the administrator. In the Windows Control Panel you can add user accounts for your employees, kids and spouses. Do not run the computer as Administrator all the time! I promise you, that will open the door wide for malware.

Thankfully Microsoft has implemented User Account Control in Windows Vista and Windows 7, which greatly reduces this problem versus Windows XP.

Read the Step by Step User Accounts Guide