Archive for the ‘Rootkits’ Category

Kit of the root (RootKit)

July 3rd, 2008

There is something annoying about certain pieces of malware: they are shy and hide from you. :(

However, they do some real nasty stuff in the background, so much so that you may want to get rid of them.

I was analyzing some malware samples and found this fake Soundman.exe (the real one is a process from RealTek sound cards). I use Process Explorer (a better Taskmanager-like utility) to show me what running processes are on my PC, and see this SoundMan.exe process, right there, doing some bad stuff.

 

Process Explorer tells me that the file is located under c:\Windows, but I can’t find it!

 Reason is, this file is a rootkit, which means it has capability of hidding itself from Windows, as well as other processes. If Windows won’t show it to you, most likely your Anti Virus won’t either. You may want to use a rootkit scanner to find it out, there are several free tools available. Keep it mind though that not all rootkit scanners will detect AND let you remove the files.

Personally, I prefer to use a more “hands on” approach: I grab a Linux boot CD (here I use Ubuntu, one of Linux’s several distros) and reboot the PC under the Linux OS. Then I mount the Windows disk, search for the file and voila!

It is there indeed :) Now I feel free to delete it from the system, and can safely reboot. Bye, bye Rootkit :)

By the way, the file is effectively malware:

Jerome Segura

  • Posted in Rootkits
  • |
  • (0) comments
  • |
  • Add your comments




Location

You are currently browsing the archives for the Rootkits category.




Pages

  • About
  • Contact Us



Archives

  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008
  • March 2008



Categories

  • Botnets (2)
  • Exploits (8)
  • Fake codecs (3)
  • IM threats (1)
  • Keyloggers (1)
  • Malware Trends (16)
  • Phishing (3)
  • Research (2)
  • Rogue software (18)
  • Rootkits (1)
  • Uncategorized (12)
  • Wireless Security (1)



 
 
 

© 2008 ParetoLogic Inc.