TekNooZ

PC’s, Videogames, Gadgets, Technology, and more…

Archive for the ‘Security’ Category

Posted by teknewz on Wed, 17 Oct 2007 14:58:20 +0000

What on earth is a rootkit?

October 18 | Peter Daley

Stop giggling! This blog has nothing to do with a kit to improve your sex life – in fact, it would probably have the opposite effect!

So what are rootkits? They are malicious programs built to hide. Once installed, a rootkit conceals its own files, processes and registry entries from the operating system, and therefore from the virus checkers and spyware detectors that ask the operating system what is on the disk.

Trouble is, large numbers of computers running the Windows operating system are being infected with rootkits. I do a lot of computer troubleshooting and repairs, and in the last few weeks I have been finding an increasing number of computers infected with them.

So you’ve been diligent and kept your virus, spyware and firewall protections up to date, but one of the family has used a music-sharing (peer-to-peer) program, or visited the wrong web site, and your computer has been hacked through your web browser.

Hidden inside your supposedly safe computer is a super stealth rootkit.

You can run your virus checker or spyware removal tools till the cows come home, but you won’t find anything.

You need to run a special tool called RootkitRevealer, from Sysinternals, which can be found here.

Most of you are going to find the information on the RootkitRevealer page gobbledegook. Read it if you feel you will understand some of it, or just cut to the chase, go to the bottom of the page and download the RootkitRevealer.zip file.

It is a compressed zip file, so save it onto your computer and unpack it. Then run the RootkitRevealer.exe file on your computer, logged in as an administrator (it needs those rights because it reads the raw disk and registry underneath Windows).

If you have no understanding of the last two lines in the above paragraph, you’re in over your head, and should immediately stop all internet banking on your home or work computers.

Change your banking password immediately and stick to phone banking or physically go to the bank. This type of basic security knowledge is essential to your banking and business security on the internet.

Most people’s faith in computer security is unfounded, and based on poor information.

So, you run RootkitRevealer on your computer (by the way, there are more steps involved to run RootkitRevealer on Vista at present), and you get discrepancy results. What do they mean?

The best I can tell you, in brief, is this. RootkitRevealer compares what the normal Windows API reports against what it reads directly from the raw file system and registry hives; anything present in one view but missing from the other is listed as a discrepancy. Look to the end of each discrepancy line (you may need to widen the column to see it). Items like SAC and SAI are normal, as are entries that refer to your virus checker (e.g. Symantec, maker of Norton AntiVirus, some of whose products deliberately hide their own files and keys) or to Nero, a CD-burning program.

Most clean computers will only have a few normal discrepancies of the kind described above. The more discrepancies, the more likely your computer’s security has been breached. Most people will not have a clue which discrepancies are normal and which are abnormal, but anything over about four or five is suspicious.
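If you would rather not eyeball the list, the following script applies the rules above to a saved RootkitRevealer report: it sets aside the expected discrepancies (SAC/SAI entries, antivirus self-protection, Nero), counts the rest against the "more than four or five" rule, and adds two sharper checks that a rootkit hunter would want (a hidden file under system32\drivers, and a registry key whose name contains embedded nulls). This is an added example written for this page, not code from the post or from Sysinternals. It assumes the saved report is tab-separated with four columns (Path, Timestamp, Size, Description) and that the description strings "Hidden from Windows API." and "Key name contains embedded nulls (*)" are the ones the tool prints; the report lines in the script are constructed for illustration and every file and key name in them is made up.

```python
"""Triage a saved RootkitRevealer report.

Added example, not code from the post or from Sysinternals.
Assumptions: the report is tab-separated with four columns
(Path, Timestamp, Size, Description) and uses the description strings
"Hidden from Windows API." and "Key name contains embedded nulls (*)".
The sample lines below are constructed; all names in them are made up.
"""
import re

# Rule of thumb from the post: these usually mark benign discrepancies.
# Tune the list for the software actually installed on the machine.
BENIGN_KEY_NAMES = re.compile(r"\\(SAC|SAI)$")
BENIGN_VENDORS = ("symantec", "norton", "nero")
SUSPICIOUS_THRESHOLD = 5  # "anything over about four or five is suspicious"

# A file under system32\drivers that the Windows API cannot see is almost
# certainly a hidden kernel driver (heuristic added here, not from the post).
HIDDEN_DRIVER = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)

# Constructed sample report (tab-separated, four columns, made-up names).
SAMPLE_REPORT = "\n".join([
    "HKLM\\SOFTWARE\\Symantec\\SymSetup\\Hidden\t10/17/2007 2:58 PM\t0 bytes\tHidden from Windows API.",
    "C:\\Program Files\\Nero\\Nero 7\\Core\\cache.dat\t10/17/2007 2:59 PM\t4.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\drivers\\abcd.sys\t10/15/2007 1:12 AM\t24.50 KB\tHidden from Windows API.",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\abcd\t10/15/2007 1:12 AM\t0 bytes\tHidden from Windows API.",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\abcd*\t10/15/2007 1:13 AM\t0 bytes\tKey name contains embedded nulls (*)",
])
# A report from a clean machine: only the two expected vendor entries.
CLEAN_REPORT = "\n".join(SAMPLE_REPORT.splitlines()[:2])


def parse_report(text):
    """Return one dict per well-formed report line; skip headers and junk."""
    rows = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 4:
            continue
        path, timestamp, size, description = parts
        rows.append({"path": path, "timestamp": timestamp,
                     "size": size, "description": description})
    return rows


def is_benign(row):
    """The post's 'normal discrepancy' rule: SAC/SAI keys and known vendors."""
    path = row["path"]
    if BENIGN_KEY_NAMES.search(path):
        return True
    lowered = path.lower()
    return any(vendor in lowered for vendor in BENIGN_VENDORS)


def triage(text, threshold=SUSPICIOUS_THRESHOLD):
    """Summarise a report and say whether it looks like a rootkit infection."""
    rows = parse_report(text)
    unexplained = [r for r in rows if not is_benign(r)]
    reasons = []
    if len(unexplained) >= threshold:
        reasons.append(f"{len(unexplained)} unexplained discrepancies "
                       f"(threshold {threshold})")
    for r in unexplained:
        desc = r["description"].lower()
        if "embedded null" in desc:
            # regedit cannot open or delete such keys: a favourite hiding spot
            reasons.append(f"registry key with embedded nulls: {r['path']}")
        elif "hidden from windows api" in desc and HIDDEN_DRIVER.search(r["path"]):
            reasons.append(f"hidden kernel driver: {r['path']}")
    return {
        "total": len(rows),
        "benign": len(rows) - len(unexplained),
        "unexplained": [r["path"] for r in unexplained],
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for name, report in (("sample", SAMPLE_REPORT), ("clean", CLEAN_REPORT)):
        result = triage(report)
        print(f"{name}: {result['total']} discrepancies, "
              f"{result['benign']} benign, suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Save RootkitRevealer's results to a text file and pass the file's contents to triage(). Note that the constructed sample is flagged even though it has only three unexplained lines, because a hidden driver or a null-named key is damning on its own; conversely, a report with no unexplained lines is not proof of a clean machine, since a rootkit written with this tool in mind can hide from it as well.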

All I can say is take a deep breath, and read this free book on stress management.

If you find any rootkits, getting rid of them is another story. Have you got all afternoon?

I really feel that most of you out there should stop internet banking and use phone banking or go physically to the bank. I have been demonstrating the use of Rootkitrevealer to Sunshine Coast Computer Club members.


Posted in Security, Tech Tips

Posted by teknewz on Tue, 16 Oct 2007 17:09:46 +0000

The Perfect Storm

October 16, 2007: The most powerful Internet weapon on the planet is hiding in plain sight, and no one can do anything about it. At least not yet, or not that anyone is talking about. The weapon in question is the Storm botnet. This is the largest botnet ever seen, and it is acting like something out of a science fiction story. The Storm network is now believed capable of shutting down any military or commercial site on the planet. Or Storm could cripple hundreds of related sites temporarily. Or Storm could do major damage in ways that have not yet been experienced. There’s never been anything quite like Storm.

The Storm malware has been spreading since early this year, grabbing control of PCs around the world. By now, Storm has infected an estimated 5 to 10 million computers with a hidden program that turns those PCs into unwilling slaves (or “zombies”) of whoever controls this network (or botnet) of computers. Many of you may have noticed a lot of recent spam directing you to look at an online greeting card, or accompanied by PDF files. That was Storm, the largest single spam campaign ever. When you follow the link or open the attachment, Storm quietly takes over your computer. But Storm tries very hard to hide itself. All it wants to do is use your Internet connection to send spam, or other types of malicious traffic.

What makes Storm the perfect Internet weapon is how it has been designed to survive. The Storm zombie does no damage to the PCs it infects, and simply sits there, waiting for an order. Those orders come via a peer-to-peer system (similar to things like Kazaa or BitTorrent; Storm’s is built on the Overnet/eDonkey protocol), so there is no single command server to find and take down. A small percentage of the zombies spend short periods of time trying to spread themselves, then turn off. This makes it more difficult to locate infected PCs. Commands from the Storm operators are sent through several layers of zombie PCs, again making it very difficult to identify where those commands come from. Moreover, Storm operates as a horde of clusters, each of two or three dozen zombie PCs. No existing method can shut down Storm. In fact, all that will work to kill Storm is to find the people running it, arrest them, and seize their access data. The programmers who put Storm together know their stuff, and police in dozens of countries would like to get their hands on them.

To avoid the police (especially the U.S. FBI), many botherders (those who operate botnets) are based in countries without an extradition treaty with the United States (where nearly half the zombie PCs are). Criminal gangs are increasingly active in producing things like Storm, and, in the case of China, so are government Cyber War operations. It’s unclear who is controlling the millions of Storm zombies, but it’s becoming clear what Storm is up to. It has been launching attacks at web sites involved in stopping or investigating Storm. This involves transmitting huge quantities of bogus messages that shut down the targeted web sites (a DDOS, or distributed denial of service, attack). The Storm botherders are also advertising their botnet as available for the usual illegal activities (various types of spam). It’s believed that Storm is owned by a Russian criminal syndicate, but that’s only a guess based on what is known about Storm so far.

But the most alarming aspect of all this is the sheer size of the Storm botnet. It’s quite possible that it’s not all one huge, multimillion-PC botnet. There may be several owners, who simply used variations of the basic Storm malware (which showed up early this year, using as a lure the promise of news about the huge winter storms then lashing Europe, and thus got its name).

Police and Cyber War organizations are certainly trying to track down who controls Storm, mainly in self-defense. A botnet that large could shut down major sites, or large chunks of the Internet itself. Storm is the Internet equivalent of a nuclear weapon, and no one is sure who controls it, or for what purposes.

Posted in Security