Quake3World

Im trying to build a database of info for the people at work and for myself. I keep it on a forum and update it as i learn new things. I found something really interesting and i tried to pool all the knowledge i could about it and wrote a lil article/post whatever about it. Its tech related and if anyone is interested i would enjoy and value feedback and fact corrections as well.

Here it is.

Rootkits


Basicly a rootkit is a collection of tools and utilites that allow a user access to a PC and its resources beyond the administrative level. In the malicious context this can be installed on a PC and used to run anything it wants and hide its process. Basicly its like this....

The core OS or kernal is the foundation of the entire product known as windows or linux or whatever. At that core level its essentialy a server and client relationship. The applications your trying to run are in essence a client to the server thats the core OS. When you call upon IE to get you online it requests from the OS the resources it needs to accomplish the task.

Now that said, the rootkit tools that are being used in spyware now, will hide themselves in the core of the OS and lie to any process requesting tis status. For example when you run a spyware scanner its essentialy using the command "find first file" and "find next file", "find next file", etc, but what the rootkit from these spyware will do is trick the outside request, since the spyware scanner is operating as a client and the rootkit is basicly at the server level, the spyware will trick the scanner and just tell it to check the next file, basicly hiding itself from the scanner or anything else that would want to request its status.

So thats basicly the threat, here is whats going on to take care of it.


This is a link to a root kit revealer utility which if i understand correctly is very interesting. Its basicly as lil mini OS that goes in at the core OS level and examines it for any changes. The program goes in and checks the core OS for anything that shouldnt be there and more to the point anything that is lying about its status in the method i mentioned above or in other words running in a hidden or stealth mode. Cool web search which we are all familar with is already using " rootkit technology ." to hide itself in the operating system. A malicious piece of software like this would drive a bench tech nuts trying to remove cause itll keep rebuilding itself even though spyware programs say its cleaned it and nothing is listed in the task manager.

Here is the rootkit revealer link.

http://www.sysinternals.com/Utilities/R ... ealer.html




This is a link to a project that MS has started on thew basis of this technology to combat this new threat present in spyware. Its my undersanding that the current MS spyware utility include this anti rootkit technology.

http://research.microsoft.com/rootkit/


Really interesting stuff, have fun.

Iccy (temp) wrote:Rootkits


Essentially, a rootkit is a collection of tools and utilites that allow a user access to a PC and its resources beyond the administrative level. In a malicious context this can be installed on a PC and used to run anything the installer wants while hiding its processes.

The kernel is the lowest software layer of the operating system, that allows the OS to communicate with the hardware. Which, in short, means that any software used on the PC has to request resources from the kernel, which then allocates lower-level hardware resources for the application to use. Any application - even Windows Task Manager - requests all its information and resources from the kernel itself.


At that core level its essentialy a server and client relationship. The applications your trying to run are in essence a client to the server thats the core OS. When you call upon IE to get you online it requests from the OS the resources it needs to accomplish the task.

Now that said, the rootkit tools that are being used in spyware now, will hide themselves in the core of the OS and lie to any process requesting tis status. For example when you run a spyware scanner its essentialy using the command "find first file" and "find next file", "find next file", etc, but what the rootkit from these spyware will do is trick the outside request, since the spyware scanner is operating as a client and the rootkit is basicly at the server level, the spyware will trick the scanner and just tell it to check the next file, basicly hiding itself from the scanner or anything else that would want to request its status.

So thats basicly the threat, here is whats going on to take care of it.


This is a link to a root kit revealer utility which if i understand correctly is very interesting. Its basicly as lil mini OS that goes in at the core OS level and examines it for any changes. The program goes in and checks the core OS for anything that shouldnt be there and more to the point anything that is lying about its status in the method i mentioned above or in other words running in a hidden or stealth mode. Cool web search which we are all familar with is already using " rootkit technology ." to hide itself in the operating system. A malicious piece of software like this would drive a bench tech nuts trying to remove cause itll keep rebuilding itself even though spyware programs say its cleaned it and nothing is listed in the task manager.

Here is the rootkit revealer link.

http://www.sysinternals.com/Utilities/R ... ealer.html




This is a link to a project that MS has started on thew basis of this technology to combat this new threat present in spyware. Its my undersanding that the current MS spyware utility include this anti rootkit technology.

http://research.microsoft.com/rootkit/


Really interesting stuff, have fun.

Sorry man, I got that far through it and just gave up.

You really should work on your grammar.

totally

Yea i fixed the spelling on the final post, sorry doing my best.

You think it was a fairly accurate representation of the topic though?

It would probably be easier to just say something like

"A root kit essentially modifies the core of your operating system, which tells the OS to spawn a separate operating system running parallel to the one you are using.

Since it is running parallel, and they do not share resources, you will not be able to see any of the programs or processes that the rootkit runs. The rootkit also allocates its own hardware resources, so even though those resources do not appear to be in use by your OS, any attempts to use them will fail. For instance, Win2000's task manager may show your CPU as idle at 2% usage, while the parallel operating system is running applications that have the CPU pegged at 99%. Your machine will run very slowly, but there will be no apparent way to find out what is using its resources.

The only way to detect such a rootkit is to boot to a different disk/operating system, and scan the drive for any such tools or software.

fags worry about syntax

really

hate wrote:fags worry about syntax

really

It's more important than you think. I can't tell you the number of times I read emails from smart people that sound like they were written by idiots...

i think if you dont speak well, its more important to you

Dave wrote:

hate wrote:fags worry about syntax

really

It's more important than you think. I can't tell you the number of times I read emails from smart people that sound like they were written by idiots...

I completely agree. Guess i got some work to do, thnx for pointing it out. Seriously.

*preach mode on*

If you're building up a random information repository, deploy some form of wiki software.

3-fold benefit compared to forums:
1. Vastly simpler to structure and reference articles.
2. Improved navigation for clients compared to a forum
3. User-feedback kept distinct yet linked to the primary information via the use of associated 'talk' pages.

As for the text, what you're creating is almost literally what wikipedia already has on its own article, here:
http://en.wikipedia.org/wiki/Rootkits

Why reinvent the wheel? Wikipedias texts are GNU licensed so you can copy it out and dumb in down/rework it to your hearts content for your audience.

Rootkit apps are great but they also reveal a bunch of false-positives. The scan results are definately a lot harder to read than the stuff hijackthis spits out for instance, esp. for begginers.

well not if you know what to look for. I have already found a plethera of information on what can be hiding before i even ran the revealer on myself. Its actualy amazing how many things are operating at that deep a level, norton, firefox ( had many instances ), you would think they wouldnt fuck with the OS that deep. Thats basicly like giving a user account admin rights to the AD server.

Foo wrote:*preach mode on*

If you're building up a random information repository, deploy some form of wiki software.

3-fold benefit compared to forums:
1. Vastly simpler to structure and reference articles.
2. Improved navigation for clients compared to a forum
3. User-feedback kept distinct yet linked to the primary information via the use of associated 'talk' pages.

As for the text, what you're creating is almost literally what wikipedia already has on its own article, here:
http://en.wikipedia.org/wiki/Rootkits

Why reinvent the wheel? Wikipedias texts are GNU licensed so you can copy it out and dumb in down/rework it to your hearts content for your audience.

Well in this case the reinvention of the wheel helps me better understand it while sharing the knowledge, so its benficial for me to work it out and then present my conclusion. Its like, i dont grasp something till i suck it all on and change it and make my own analogies, then it sinks in real good.

But i love that link. Im adding it to the post. Thank you.

Iccy (temp) wrote:well not if you know what to look for. I have already found a plethera of information on what can be hiding before i even ran the revealer on myself. Its actualy amazing how many things are operating at that deep a level, norton, firefox ( had many instances ), you would think they wouldnt fuck with the OS that deep. Thats basicly like giving a user account admin rights to the AD server.

Yes, but are you going to start removing registry entries for norton and others? Norton is safe, so if you remove stuff it's probably going to spit out errors in the app somehow.