February 19, 2009

10+ things you should know about rootkits

  • Date: September 17th, 2008
  • Author: Michael Kassner

Malware-based rootkits fuel a multibillion-dollar spyware industry by stealing individual or corporate financial information. If that weren’t bad enough, rootkit-based botnets generate untold amounts of spam. Here’s a look at what rootkits are and what to do about them.


Rootkits are complex and ever-changing, which makes it difficult to understand exactly what you’re dealing with. Even so, I’d like to take a stab at explaining them, so that you’ll have a fighting chance if you’re confronted with one.

Note: This information is also available as a PDF download.

#1: What is a rootkit?

Breaking the term rootkit into its two component words, root and kit, is a useful way to define it. Root is the UNIX/Linux account that’s the equivalent of Administrator in Windows. Kit denotes the set of programs that let someone obtain and keep root/admin-level access to the computer, and conceal that access, by executing the programs in the kit — all of which is done without the end user’s consent or knowledge.

#2: Why use a rootkit?

Rootkits have two primary functions: remote command and control (a back door) and software eavesdropping. Rootkits allow someone, legitimate or otherwise, to administratively control a computer: executing files, accessing logs, monitoring user activity, and even changing the computer’s configuration. Therefore, in the strictest sense, even versions of VNC are rootkits. This surprises most people, who consider rootkits to be solely malware, but in and of themselves rootkits aren’t malicious at all; what makes one malicious is who installs it, and whether it hides itself from the machine’s owner.

One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG’s attempt to prevent copyright violations. Sony BMG didn’t tell anyone that certain of its music CDs silently installed DRM software, along with a rootkit to conceal it, on home computers when the CDs were played. On a scary note, the hiding technique Sony used was so effective that not one antivirus or anti-spyware application detected it; it came to light only when Mark Russinovich noticed the hidden files on his own machine in 2005.

#3: How do rootkits propagate?

Rootkits can’t propagate by themselves, and that fact has caused a great deal of confusion. In reality, a rootkit is just one component of what is called a blended threat. Blended threats typically consist of three pieces of code: a dropper, a loader, and the rootkit itself.

The dropper is the code that gets the rootkit’s installation started. Activating the dropper usually requires human intervention, such as clicking a malicious e-mail link. Once run, the dropper launches the loader program and then deletes itself. The loader typically exploits a vulnerability, a buffer overflow for instance, to gain the privileges it needs to load the rootkit into memory.

Blended-threat malware gets its foot in the door through social engineering, exploitation of known vulnerabilities, or even brute force against passwords. Here are two approaches that were current and successful at the time of writing:

IM. One approach requires computers with an IM client installed (not much of a stretch). If the blended threat gains a foothold on just one such computer, it takes over the IM client and sends messages containing malicious links to everyone on the contact list. When a recipient clicks the link (social engineering: it appears to come from a friend), that computer becomes infected and has a rootkit on it as well.

Rich content. The newest approach is to embed the blended threat in rich-content files, such as PDF documents. Opening a malicious PDF in a vulnerable reader is enough to execute the dropper code, and from there it’s all over.

#4: User-mode rootkits

There are several types of rootkits, but we’ll start with the simplest. User-mode rootkits run in user space, at the same privilege level as ordinary applications, though they are usually installed with administrative privileges. They work by hooking or patching the user-mode APIs that programs call to enumerate processes, files, drivers, network ports, and services, filtering the rootkit’s own entries out of the results. User-mode rootkits persist by copying their files to the hard drive and arranging to launch at every boot, for example through an autostart registry entry or by injecting a DLL into every new process.

Sadly, user-mode rootkits are the only type that conventional antivirus or anti-spyware applications have a realistic chance of detecting, because a scanner’s own kernel-mode driver can see past user-mode hooks but has no such advantage over a rootkit that runs in the kernel. One example of a user-mode rootkit is Hacker Defender. It’s an old rootkit, but it has an illustrious history: its story is also the story of Mark Russinovich, his detection tool RootkitRevealer, and his cat-and-mouse struggle with the developer of Hacker Defender.
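The principle behind RootkitRevealer was cross-view detection: gather the same information by two routes a rootkit is unlikely to have hooked consistently, then diff the results. The script below is an added example, not code from the article or from RootkitRevealer, and it applies that idea to hidden processes on Linux. The high-level view is the directory listing of /proc, which a user-mode rootkit can filter by hooking the directory-reading calls in the enumerating process; the low-level view is a kill(pid, 0) probe of every possible PID, which asks the kernel directly. The thread and race-condition handling is the part that keeps the tool from crying wolf.

```python
"""Cross-view process enumeration on Linux (added example, not from the article)."""
import os

PROC = "/proc"


def listed_pids(proc=PROC):
    """PIDs visible in the /proc directory listing: the view a rootkit can filter."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid):
    """PIDs the kernel says exist when each one is probed with kill(pid, 0).

    ESRCH (ProcessLookupError) means no such process. EPERM (PermissionError)
    means the process exists but belongs to another user, so it counts as alive.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def tgid_from_status(status_text):
    """Return the Tgid: value from a /proc/<pid>/status document, or None."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def hidden_pids(listed, probed, ignore=()):
    """PIDs present in the probed (kernel) view but missing from the listed view."""
    return sorted(probed - listed - set(ignore))


def confirm_hidden(candidates, proc=PROC):
    """Drop the two benign reasons a PID answers kill() but is not in the listing.

    1. Threads: kill(tid, 0) succeeds for a thread ID and /proc does not list
       TIDs, but /proc/<tid>/status is still readable and its Tgid differs from
       the TID. That is a thread of another process, not a hidden process.
    2. Races: a process that exited between the two snapshots. Re-probe it and
       re-check the listing before reporting it.
    """
    confirmed = []
    for pid in candidates:
        try:
            with open(os.path.join(proc, str(pid), "status")) as fh:
                tgid = tgid_from_status(fh.read())
        except OSError:
            tgid = None  # no status file: exactly what a hidden process looks like
        if tgid is not None and tgid != pid:
            continue  # a thread belonging to process `tgid`
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # it exited mid-scan
        except PermissionError:
            pass
        if pid not in listed_pids(proc):
            confirmed.append(pid)
    return confirmed


def scan(max_pid=None):
    """Take both views and return the PIDs only the kernel probe could see."""
    if max_pid is None:
        with open(os.path.join(PROC, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read())
    probed = probed_pids(max_pid)
    listed = listed_pids()
    return confirm_hidden(hidden_pids(listed, probed, ignore=(os.getpid(),)))


if __name__ == "__main__":
    found = scan()
    print("hidden PIDs:", found if found else "none")
```

A hit from this script means a process exists that the normal enumeration path refuses to show, which is worth a closer look. A clean result proves less: a kernel-mode rootkit controls both views and can make them agree.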

#5: Kernel-mode rootkit

Malware developers are a savvy bunch. Realizing that rootkits running in user mode can be found by detection software running in kernel mode, they developed kernel-mode rootkits, which run at the same privilege level as the operating system and the detection software. Simply put, once the kernel is compromised, nothing the OS reports can be trusted. One kernel-mode rootkit that’s getting lots of attention is the Da IOS rootkit, developed by Sebastian Muniz and aimed at Cisco’s IOS operating system.

Instability is the main weakness of a kernel-mode rootkit: a bug in kernel code crashes the whole machine rather than a single process. If you notice that your computer is blue-screening for no obvious reason, a kernel-mode rootkit is one possible cause.

#6: User-mode/kernel-mode hybrid rootkit

Rootkit developers, wanting the best of both worlds, created hybrid rootkits that combine user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealth). The hybrid approach is very successful and, at this time, the most popular kind of rootkit.

#7: Firmware rootkits

Firmware rootkits are the next step in sophistication. This type of rootkit can be any of the other types with an added twist: part of the rootkit lives in firmware, where it survives a shutdown and even a reinstall of the operating system. Restart the computer, and the firmware component reinstalls the rest. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. Even if a removal program finds and eliminates the rootkit’s files on disk, the next time the computer starts, the firmware rootkit is right back in business. John Heasman has a great paper called “Implementing and Detecting a PCI Rootkit” (PDF).

#8: Virtual rootkits

Virtual rootkits are a fairly new and innovative approach. The virtual rootkit acts as a thin hypervisor: it implements the hardware in software, much as VMware does, and moves the running operating system into a virtual machine on top of itself, so the OS and any detection software inside it have no direct view of the rootkit. This technology has elicited a great deal of apprehension, as virtual rootkits are almost invisible. Joanna Rutkowska’s Blue Pill is one example of this type of rootkit. To the best of my knowledge, researchers haven’t found virtual rootkits in the wild. Ironically, this is because virtual rootkits are complex and the other types are working so well.

#9: Generic symptoms of rootkit infestation

Rootkits are frustrating. By design, it’s difficult to know whether one is installed on a computer. Even experts have a hard time, but they suggest that an installed rootkit deserves the same consideration as any other possible cause of a drop in performance. Sorry for being vague, but that’s the nature of the beast. Here’s a list of noteworthy symptoms:

  • If the computer locks up or fails to respond to any input from the mouse or keyboard, an installed kernel-mode rootkit could be the cause.
  • Settings in Windows change without permission; for example, the screensaver changes or the taskbar hides itself.
  • Web pages or network activities appear intermittent or function improperly because of excessive network traffic.

If the rootkit is working correctly, most of these symptoms won’t be noticeable; by definition, good rootkits are stealthy. The last symptom (network slowdown) is the one that should raise a flag. A rootkit can hide its processes and files from the host it’s on, but it can’t hide a traffic increase from the network, especially if the computer is acting as a spam relay or participating in a DDoS attack.
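Because the traffic symptom is visible from outside the infected host, it is best measured there: at a router’s flow export, a firewall log, or a span-port sensor, none of which the rootkit can tamper with. The following is an added example, not code from the article. It scores a few constructed connection records in an assumed "epoch src dst dport proto" format (a simplification of a flow record, not any product’s real log layout) for the two behaviours the article names: fanning out to many distinct mail servers on port 25, as a spam relay does, and hammering one destination at a high rate, as a DDoS participant does. The addresses are test data and the thresholds are illustrative; tune them to what is normal on your network.

```python
"""Flagging spam-relay and flood traffic from connection records (added example)."""
from collections import defaultdict

# Constructed sample: an ordinary workstation, a host relaying spam, a host flooding.
SAMPLE_LOG = "\n".join(
    # ordinary workstation: web browsing plus one connection to the company MTA
    ["1221650400 10.0.0.5 93.184.216.34 443 tcp",
     "1221650407 10.0.0.5 93.184.216.34 443 tcp",
     "1221650415 10.0.0.5 198.51.100.200 25 tcp"]
    # relay behaviour: eight distinct mail servers on port 25 in eight seconds
    + ["%d 10.0.0.7 198.51.100.%d 25 tcp" % (1221650400 + i, i + 1) for i in range(8)]
    # flood behaviour: twelve connections to one web server in four seconds
    + ["%d 10.0.0.9 203.0.113.7 80 tcp" % (1221650500 + i // 3) for i in range(12)]
)


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples; blank and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def smtp_fanout(flows):
    """Map each source to the set of distinct hosts it contacted on port 25."""
    fanout = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == 25:
            fanout[src].add(dst)
    return fanout


def flag_spam_relays(flows, min_distinct_servers=5, known_mtas=()):
    """Sources that talk to many distinct mail servers.

    A legitimate mail server shows the same pattern, so list your own MTAs in
    `known_mtas`; a workstation has no business doing this at all.
    """
    return sorted(src for src, dsts in smtp_fanout(flows).items()
                  if src not in known_mtas and len(dsts) >= min_distinct_servers)


def flag_flooders(flows, window=10, min_conns=10):
    """(src, dst, dport) triples with >= min_conns connections inside `window` seconds.

    A sliding window over the sorted timestamps of each triple, so a slow but
    long-lived service is not confused with a burst.
    """
    per_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        per_key[(src, dst, dport)].append(ts)
    flagged = set()
    for key, stamps in per_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_conns:
                flagged.add(key)
                break
    return sorted(flagged)


def analyse(text, known_mtas=()):
    """Run both detectors over a log and return the suspects."""
    flows = list(parse_flows(text))
    return {
        "spam_relays": flag_spam_relays(flows, known_mtas=known_mtas),
        "flooders": flag_flooders(flows),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

Both detectors report hosts, not rootkits: a flagged machine is a candidate for the offline inspection described under #11, and the list of exempt mail servers has to be maintained or your own MTA will head the report every day.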

#10: Polymorphism

I debated whether to include polymorphism as a topic, since it’s not specific to rootkits. But it’s amazing technology that makes rootkits difficult to find. Polymorphic techniques let malware such as rootkits rewrite their own code each time they install or spread, so that no fixed byte pattern survives between copies, which renders signature-based antivirus/anti-spyware defenses useless against them. Polymorphism gives behavior-based (heuristic) defenses a great deal of trouble too. The only real hope of finding rootkits that use polymorphism is technology that looks deep into the operating system and compares what it finds against a known-good baseline of the system.

#11: Detection and removal

You all know the drill, but it’s worth repeating. Keep antivirus/anti-spyware software (and, in fact, every software component on the computer) up to date. That will go a long way toward keeping malware away. Keeping everything current is hard, but a tool such as Secunia’s vulnerability scanner, which lists installed programs that are missing patches, can help.

Detection and removal depend on the sophistication of the rootkit. If the rootkit is of the user-mode variety, any one of the following rootkit removal tools will most likely work:

The problem with these tools is that you can’t be sure they’ve removed the rootkit, or that the rootkit hasn’t lied to them while they ran. Albeit more labor-intensive, booting from a CD such as BartPE and running an antivirus scanner from it increases the chances of detecting a rootkit, simply because a rootkit can’t cover its tracks when it isn’t running. I’m afraid the only way to know for sure is to start from a clean computer, take a baseline, and then use an application like EnCase to check for any code that wasn’t there before.
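The baseline comparison that #10 and #11 both come back to is simple to implement; what matters is the procedure around it. The script below is an added example, not code from the article and not how EnCase works. It records a SHA-256 digest, size and mode for every file under a directory, then diffs a later snapshot against that record to list files that were added, removed or modified. The demo tree and its tampering are constructed. Take the baseline while the machine is known clean, keep the manifest off the host or on read-only media, and run the comparison from a boot CD rather than from the installed OS, since a live kernel-mode rootkit can feed this script whatever file contents it likes.

```python
"""Known-good file manifest versus current state (added example, not from the article)."""
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> (sha256, size, mode) for every file under `root`.

    Symlinks are recorded by their target rather than followed, so a link
    pointed at a clean file cannot stand in for a tampered one.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = ("symlink:" + os.readlink(full), st.st_size, st.st_mode)
            elif stat.S_ISREG(st.st_mode):
                manifest[rel] = (sha256_file(full), st.st_size, st.st_mode)
    return manifest


def diff_manifests(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]} between two manifests.

    Any change to digest, size or mode counts as modified, so a permission
    change on an unchanged binary is reported too.
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        clean = {
            "system32/kernel.sys": b"genuine driver",
            "system32/netapi.dll": b"genuine library",
            "boot.ini": b"[boot loader]",
        }
        for rel, data in clean.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)

        # Tampering: patch a driver in place, drop a new driver, delete a file.
        with open(os.path.join(root, "system32/kernel.sys"), "wb") as fh:
            fh.write(b"genuine driver" + b"\x90" * 16)
        with open(os.path.join(root, "system32/newdrv.sys"), "wb") as fh:
            fh.write(b"unsigned driver that was not there before")
        os.remove(os.path.join(root, "boot.ini"))

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest covers the system directories, boot files and drivers, and the comparison runs against a copy of the manifest that never lived on the machine being checked.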

Final thoughts

Opinions vary when it comes to rootkit removal, as discussed in the NetworkWorld article “Experts divided over rootkit detection and removal.” Although the article is two years old, the information is still relevant. There’s some hope, though: the Trusted Platform Module (TPM), a security chip specified by the Trusted Computing Group, has been cited as a possible foundation for defending against malware, since it can record what software loaded during boot and attest to it. The problem with TPM is that it’s somewhat controversial. Besides, it will take years before a sufficient number of computers ship with one.

If you’re looking for additional information, I recommend the book Rootkits: Subverting the Windows Kernel, by Greg Hoglund (founder of HBGary) and James Butler.


Copy desktop themes to other Windows XP computers

  • Date: November 19th, 2008
  • Author: Greg Shultz

If you have created a favorite desktop theme and you work on more than one Microsoft Windows XP computer, you may have considered recreating that theme on your other computers. However, manually recreating the desktop theme can be a tricky and time-consuming operation. Here’s how you can easily copy your favorite desktop theme from one Windows XP computer to another.

This blog post is also available in PDF format in a TechRepublic download.

Steps

  1. On the computer containing your favorite desktop theme, right-click the desktop and select Properties. On the Themes tab, with your theme selected, click the Save As button and save the file to the My Documents folder (or folder of your choice).
  2. Launch Windows Explorer and access the My Documents folder.
  3. Look for files with the .theme extension, locate your file, and copy it to a floppy disk or USB thumb drive.
  4. Go to the other computer on which you would like to have your favorite desktop theme and copy the .theme file to My Documents.
  5. Right-click the desktop and select Properties to open the Display Properties dialog box.
  6. On the Themes tab, click the Theme drop-down list and select Browse.
  7. In the Open Theme dialog box, access the My Documents folder, locate your theme file, and double-click it.
  8. Click OK to load the new theme and close the Display Properties dialog box.
  9. While Windows XP loads the desktop theme, you’ll see a Please Wait message in the middle of the screen. Your current desktop colors will fade to gray while the new settings are applied.

There is one caveat to this approach — if part of your theme involves wallpaper you created or other graphical elements unique to that particular PC, those elements will have to be copied over along with the .theme file.

Note: This tip applies to both Windows XP Home and Windows XP Professional.


How to insert a graphic in an Outlook signature

  • Date: November 17th, 2008
  • Author: Susan Harkins

Your e-mail signature says a lot about you. If text doesn’t get the job done, add a graphic or an electronic business card. Fortunately, it’s easy to add a graphic to your signature, even though the process isn’t exactly intuitive. To add a signature, complete the following steps:

  1. In E-mail view, choose Mail Message from the New button or press [Ctrl]+N to open a blank mail window.
  2. Enter your signature’s text. Try to limit your signature to essential information. A signature should be only a line or two.
  3. Position the cursor where you want to insert a graphic.
  4. Choose Picture from the Insert menu, locate and select the file, and then click Insert. In Outlook 2007, click the Insert tab and choose the appropriate command from the Illustrations group. The file must be one of the following formats: GIF, JPEG, or PNG. TIFF and BMP files are too large to include in the signature line.
  5. Press [Ctrl]+A to select the entire signature and the graphic.
  6. Press [Ctrl]+C to copy the signature to the Clipboard.
  7. Choose Options from the Tools menu on the main menu.
  8. Click the Mail Format tab.
  9. Click Signatures in the Signatures section.
  10. Click New.
  11. Name the signature and click Next. (Outlook 2007 groups the options together, so there’s no need to click Next.)
  12. Click inside the Edit Signature control and press [Ctrl]+V to paste the signature from the Clipboard. (If you’re using Outlook 2007, be sure to select the signature by name from the New Messages control.)
  13. Click OK twice. On the Mail Format tab, choose the signature from the Signature For New Messages drop-down list in the Signatures section.
  14. Click OK.

When creating a new message, Outlook will automatically include the signature, including the graphic you added.



Modify bullets and numbers to match the size of your PowerPoint slide text

  • Date: November 18th, 2008
  • Author: Mary Ann Richardson

Bullets and numbers that are out of proportion to your slide text can be distracting and ugly. This simple trick will ensure that those characters are sized just right.


Do your bullets and numbers overpower the text on your PowerPoint slides? Or are they so small you can hardly see them from the back of the room? You don’t have to settle for characters that distract from your message. For example, suppose oversized numbers distract from the text, as shown in Figure A.

Figure A

numbers

To improve their appearance, just follow these steps:

  1. Select the numbered text.
  2. In PowerPoint 2002/2003, go to Format | Bullets And Numbering. In PowerPoint 2007, choose Bullets And Numbering from the Bullets And Numbering drop-down list on the Home tab.
  3. Click the Numbered tab.
  4. In the Size box, click the down arrow until 80 is displayed, as shown in Figure B, and then click OK.

Figure B

sizing

The numbers will now be 80% the size of the surrounding text, as shown in Figure C.

Figure C

smaller numbers


Save a million keystrokes by turning Access text boxes into combo boxes

  • Date: November 18th, 2008
  • Author: Mary Ann Richardson

If you repeatedly type the same text in the same field, you’re working too hard. See how to set up a combo box that will speed data entry and spare you a TON of tedious typing.


Do you find yourself constantly typing the same data in the same field? For example, say you work with an Employee Data form, and you find that you’re typing the same three Zip codes repeatedly. Since most of your employees live near your company’s three offices, you seldom need to type any other codes. By converting the Zip code text box into a combo box, you’ll eliminate the retyping. Follow these steps:

  1. Open the form in Design view.
  2. Right-click the Zip/Postal Code text box.
  3. Move to Change To and click Combo Box (Figure A).

Figure A

combo

  4. Right-click the Zip/Postal Code combo box.
  5. Click Properties (Figure B).

Figure B

properties

  6. On the Data tab, click the Build button in the Row Source field (Figure C).

Figure C

build button

  7. Add the Employees table.
  8. In the field list, double-click Zip/Postal Code.
  9. Click in the Criteria box under Zip/Postal Code and enter Is Not Null (Figure D).
  10. Close and save the query.

Figure D

criteria

Now you can simply select one of the three zip codes from the drop-down list in the combo box, as shown in Figure E.

Figure E

combo box
