What is Rootkit? How do Rootkits work? Rootkits explained.
While it is possible to hide malware in a way that will fool even traditional antivirus/antispyware products, most malware programs are already using rootkits to hide deep on your Windows PC, and they are getting more dangerous! The TDL3 rootkit is one of the most advanced rootkits ever seen in the wild. The rootkit was stable and could infect 32-bit Windows operating systems, although administrator rights were needed to install the infection on the system. But TDL3 has now been updated and is able to infect even 64-bit versions of Windows!
What is a Rootkit
A rootkit virus is a stealthy type of malware designed to hide the existence of certain processes or programs on your computer from regular detection methods, so as to allow it or another malicious process privileged access to your computer.
Rootkits for Windows are typically used to hide malicious software from, for example, an antivirus program. They are used for malicious purposes by viruses, worms, backdoors, and spyware. A virus combined with a rootkit produces what is known as a full-stealth virus. Rootkits are more common in the spyware field, but they are now also becoming more widely used by virus authors.
They are now an emerging type of Super Spyware that hides effectively and impacts the operating system kernel directly. They are used to hide the presence of malicious objects such as trojans or keyloggers on your computer. If a threat uses rootkit technology to hide, it is very hard to find the malware on your PC.
Rootkits in themselves are not dangerous. Their only purpose is to hide software, and the traces it leaves behind in the operating system, whether that software is legitimate or malware.
There are basically three different types of rootkit. The first type, “Kernel Rootkits”, usually add their own code to parts of the operating system core, whereas the second kind, “User-mode Rootkits”, are specific to Windows and either start normally during system start-up or are injected into the system by a so-called “Dropper”. The third type is MBR Rootkits or Bootkits.
When you find your AntiVirus and AntiSpyware failing, you may need to turn to a good Anti-Rootkit utility. RootkitRevealer from Microsoft Sysinternals is an advanced rootkit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
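As an added illustration of the cross-view principle behind RootkitRevealer's output (this is example code, not the Sysinternals tool): the script compares a listing obtained through the high-level Windows API with one obtained by parsing the raw data of the same location and reports every object visible in only one view. The paths are constructed sample data, not captured from a real system.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str   # "hidden_from_api" or "api_only"
    note: str

# How an analyst usually reads each kind of discrepancy.
NOTES = {
    "hidden_from_api": "in raw scan but not via the Windows API: possible user- or kernel-mode hiding",
    "api_only": "reported by the API but absent from raw scan: often created/deleted between scans, re-scan",
}

def normalize(path: str) -> str:
    # Windows paths and registry keys are case-insensitive; avoid reporting casing differences.
    return path.rstrip("\\").casefold()

def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> list:
    """Compare the high-level (API) listing with the raw listing of the same location."""
    api = {normalize(p): p for p in api_view}
    raw = {normalize(p): p for p in raw_view}
    findings = [Discrepancy(raw[k], "hidden_from_api", NOTES["hidden_from_api"])
                for k in sorted(raw.keys() - api.keys())]
    findings += [Discrepancy(api[k], "api_only", NOTES["api_only"])
                 for k in sorted(api.keys() - raw.keys())]
    return findings

def hidden_roots(findings: list) -> list:
    """Collapse hidden entries to their top-most hidden path: hiding a directory hides
    everything beneath it, so one finding per subtree is what needs acting on."""
    hidden = sorted(normalize(f.path) for f in findings if f.kind == "hidden_from_api")
    roots = []
    for p in hidden:
        if not any(p.startswith(r + "\\") for r in roots):
            roots.append(p)
    return roots

# Constructed sample listings (not captured from a real system).
API_VIEW = [r"C:\Windows\System32\drivers\tcpip.sys", r"C:\Windows\System32\ntdll.dll",
            r"C:\Temp\scan-tmp.log"]
RAW_VIEW = [r"C:\Windows\System32\drivers\tcpip.sys", r"C:\Windows\System32\ntdll.dll",
            r"C:\Windows\System32\drivers\hdn", r"C:\Windows\System32\drivers\hdn\hdn.sys",
            r"C:\Windows\System32\drivers\hdn\cfg.dat"]

if __name__ == "__main__":
    for f in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{f.kind:16} {f.path}  ({f.note})")
    print("hidden subtrees:", hidden_roots(cross_view_diff(API_VIEW, RAW_VIEW)))
```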
Microsoft Malware Protection Center Threat Report on Rootkits
Microsoft Malware Protection Center has made available for download its Threat Report on Rootkits. The report examines one of the more insidious types of malware threatening organizations and individuals today: the rootkit. It examines how attackers use rootkits and how rootkits function on affected computers. Here is a gist of the report, starting with what rootkits are, for the beginner.
A rootkit is a set of tools that an attacker or malware creator uses to gain a level of control over an exposed or unsecured system that is otherwise reserved for the system administrator. In recent years the term ‘ROOTKIT’ or ‘ROOTKIT FUNCTIONALITY’ has been replaced by MALWARE, a program designed to have undesirable effects on a healthy computer. Malware’s prime function is to secretly withdraw valuable data and other resources from a user’s computer and provide them to the attacker, thereby giving him complete control over the compromised computer. Moreover, such programs are difficult to detect and remove and can remain hidden for extended periods, possibly years, if they go unnoticed.
So naturally, the symptoms of a compromised computer need to be recognized and taken into consideration before the outcome proves fatal. In particular, more stringent security measures should be taken to uncover the attack. But, as mentioned, once these rootkits/malware are installed, their stealth capabilities make them, and any components they download, difficult to remove. For this reason, Microsoft has created a report on ROOTKITS.
The 16-page report outlines how an attacker uses rootkits and how these rootkits function on affected computers.
The sole purpose of the report is to identify and closely examine potent malware threatening many organizations, and computer users in particular. It also mentions some of the prevalent malware families and brings to light the methods attackers use to install these rootkits on healthy systems for their own selfish purposes. In the remainder of the report, you will find experts making recommendations to help users mitigate the threat from rootkits.
Types of Rootkits
There are many places where malware can install itself into an operating system, so the type of rootkit is largely determined by the location where it subverts the execution path. This includes:
- User Mode Rootkits
- Kernel Mode Rootkits
- MBR Rootkits/bootkits
The possible effect of a kernel-mode rootkit compromise is illustrated in the screenshot below.
The third type modifies the Master Boot Record to gain control of the system and begins the loading process at the earliest possible point in the boot sequence. It hides files, registry modifications, evidence of network connections, and other possible indicators of its presence.
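The Master Boot Record a bootkit tampers with can be checked against a known-good copy; the following is an added example, not code from the report. It parses the standard 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and flags boot code whose SHA-256 differs from a baseline recorded on a clean system; the sample sectors and their boot code bytes are constructed placeholders.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446                       # bytes 0..445: bootstrap code
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):   # four 16-byte partition entries start at offset 446
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(sector, BOOT_CODE_LEN + i * 16)
        parts.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts, "signature": sector[510:]}

def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings for one MBR sector (empty list means clean)."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["status"] == 0x80 for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {p['status']:#04x}")
    return findings

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector from boot code and (status, type, lba, sectors) tuples; sample data only."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for status, ptype, lba, count in partitions:
        sector += PART_ENTRY.pack(status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    sector += b"\x00" * 16 * (4 - len(partitions)) + b"\x55\xAA"
    return bytes(sector)

# Constructed samples: the boot code bytes are placeholders, not real bootstrap code.
GOOD_MBR = build_mbr(b"\xEB\x63\x90GOOD-BOOTSTRAP", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()   # recorded on a clean system
TAMPERED_MBR = build_mbr(b"\xEB\x63\x90PATCHED-LOADER", [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("good:    ", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real system the sector would be read from the physical disk with administrator rights and, ideally, from a trusted boot environment so the rootkit cannot filter the read.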
Notable Malware families that use Rootkit functionality
- Win32/Sinowal – A multi-component family of malware that tries to steal sensitive data such as user names and passwords for different systems. This includes attempting to steal authentication details for a variety of FTP, HTTP, and email accounts, as well as credentials used for online banking and other financial transactions.
- Win32/Cutwail – A Trojan that downloads and executes arbitrary files. The downloaded files may be executed from disk or injected directly into other processes. While the functionality of the downloaded files is variable, Cutwail usually downloads other components that send spam. It uses a kernel-mode rootkit and installs several device drivers to hide its components from affected users.
- Win32/Rustock – A multi-component family of rootkit-enabled backdoor Trojans initially developed to aid in the distribution of “spam” email through a botnet. A botnet is a large attacker-controlled network of compromised computers.
Protection against rootkits
Preventing the installation of rootkits is the most effective method to avoid infection by rootkits. For this, it is necessary to invest in protective technologies such as anti-virus and firewall products. Such products should take a comprehensive approach to protection by using traditional signature-based detection, heuristic detection, dynamic and responsive signature capability and behavior monitoring.
All these signature sets should be kept up to date using an automated update mechanism. Microsoft antivirus solutions include a number of technologies designed specifically to mitigate rootkits, including live kernel behavior monitoring that detects and reports on attempts to modify an affected system’s kernel, and direct file system parsing that facilitates the identification and removal of hidden drivers.
If a system is found to be compromised, an additional tool that lets you boot into a known-good or trusted environment may prove useful, as it can suggest appropriate remediation measures.
Under such circumstances, the following may be useful:
- The Standalone System Sweeper tool (part of the Microsoft Diagnostics and Recovery Toolset (DaRT))
- Windows Defender Offline
For more information, you can download the PDF report from Microsoft Download Center.