Number 274 - March 2006

Rootkit Info
Submitted by Ray Mils


   In the August 2005 issue of the TOGGLE we carried an article by Ira Wilsker, entitled "Another Silent Attack on Our Computers", in which he discussed a new threat to Internet users called a rootkit. In that article he referenced several sites covering the subject and some providing help in dealing with this new pest. An excerpt from that article follows:

   "A rootkit is defined on the Sysinternals website as, "the mechanisms and techniques whereby malware, including viruses, spyware and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives a reboot and whether it executes in user mode or kernel mode." The security software company F-Secure expands the definition with, "Rootkits for Windows work in a different way and are typically used to hide malicious software from for example an antivirus scanner. Rootkits are typically not malicious by themselves but are used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what was known as full stealth viruses in the MSDOS environment."

   The rootkit parasite
   A number of products now claim to fight rootkit infections, and they may be worth trying. More information about these and several others (including downloads) is available at www.rootkit.com.


   BlackLight from F-Secure Corp.
   This is free software that's updated monthly. F-Secure Corp.'s BlackLight examines the system at a deep level to detect objects that are hidden from the user and from security software. The product will detect hidden files, folders and processes but not hidden registry keys. BlackLight requires no installation and scans quickly. It offers to remove detected rootkits by renaming the files involved. www.f-secure.com/blacklight

   RootkitRevealer from Sysinternals
   This utility compares user-mode information to kernel mode and reports differences that exist in the Windows Registry and file system. RootkitRevealer will not remove rootkits. www.sysinternals.com/Utilities/RootkitRevealer.html
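   As an added illustration of the cross-view comparison RootkitRevealer performs (this is example code, not Sysinternals' own), two constructed snapshots of the file system and registry are diffed: one as the user-mode API reports them and one as read from the raw on-disk structures. Anything present only in the raw view is flagged as hidden; anything present only in the API view is reported as a likely transient change rather than a rootkit.

```python
from dataclasses import dataclass

@dataclass
class Discrepancy:
    namespace: str   # "file" or "registry"
    path: str
    kind: str        # "hidden": only in raw view; "phantom": only in API view

def _normalize(entries):
    # Windows paths and registry keys are case-insensitive; drop trailing
    # separators so "C:\Windows\" and "c:\windows" compare equal.
    return {e.rstrip("\\").lower(): e for e in entries}

def cross_view_diff(namespace, high_level, low_level):
    """Compare the user-mode API view with the raw on-disk view of one namespace."""
    hi, lo = _normalize(high_level), _normalize(low_level)
    found = [Discrepancy(namespace, lo[k], "hidden") for k in sorted(lo.keys() - hi.keys())]
    # Visible to the API but absent from the raw view: usually an entry created
    # or deleted between the two snapshots, so it is reported but not treated as hidden.
    found += [Discrepancy(namespace, hi[k], "phantom") for k in sorted(hi.keys() - lo.keys())]
    return found

def scan(views):
    """views maps namespace -> (api_view_entries, raw_view_entries)."""
    report = []
    for namespace, (high, low) in views.items():
        report.extend(cross_view_diff(namespace, high, low))
    return report

# Constructed sample snapshots, not output of a real scan.
SAMPLE_VIEWS = {
    "file": (
        [r"C:\Windows\System32\ntdll.dll", r"C:\Temp\new.tmp"],
        [r"c:\windows\system32\NTDLL.DLL", r"C:\Windows\System32\drivers\sample_hidden.sys"],
    ),
    "registry": (
        [r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"],
        [r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
         r"HKLM\SYSTEM\CurrentControlSet\Services\SampleHiddenSvc"],
    ),
}

if __name__ == "__main__":
    for d in scan(SAMPLE_VIEWS):
        print(f"{d.kind:8} {d.namespace:9} {d.path}")
```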

   Malicious Software Removal Tool from Microsoft Corp.
   This tool wasn't originally created as a dedicated rootkit detector; it was designed to find and remove several major virus and worm families. But a number of rootkits have been added to its vocabulary. The program is updated monthly and runs automatically once it's installed. www.microsoft.com/security/malwareremove/default.mspx