[Dshield] Rootkits' tricks and countermeasure

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Tue Mar 22 16:56:14 GMT 2005


The developers of a rootkit or spying program by the name ProAgent (info
at http://www.spyinstructors.com/show.php?name=Products&wiev=ProAgent)
from SIS-Team (at http://www.spyinstructors.com/) claim that their spy
program is able to avoid detection by Sysinternals' RootkitRevealer (at
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml) and
F-Secure's BlackLight Rootkit Elimination Technology (at
http://www.f-secure.com/blacklight/,
http://www.f-secure.com/blacklight/cure.shtml and
http://www.f-secure.com/blacklight/try.shtml).
 
The technique used is simple. As soon as the rootkit program finds out
that a revealer and/or elimination program is running, it no longer
hides (as long as the detection program is running). Hence, the
detection program does not detect the non-hiding program. As soon as the
detection process is over, the rootkit hides itself again.

One countermeasure is simple. Just rename the executable of the
detection process, and the rootkit does not detect the detection
process, keeps hiding and gets revealed and eliminated.

I wish you the best of luck with the renaming conventions of these useful
(and free) utilities.

- Pete


     "It is better to understand little than to misunderstand a lot."
                 Anatole France (1844-1924); French writer.
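The renaming countermeasure described in the post, as an added example that is not part of the original message or of either vendor's tooling. It assumes the scanner is a single self-contained executable and that the rootkit picks the scanner out of the process list by its file name, as the post describes; the list of watched name stems is constructed for the example. Besides staging the scanner under a random name, it checks the one way the trick fails in practice: a "renamed" copy such as RootkitRevealer2.exe still carries the identifying substring.

```python
"""Stage a rootkit-detection utility under a random file name before running it.

Added example, not from the mailing-list post. Assumes the scanner is one
self-contained executable and that the rootkit matches on the executable
name (the behaviour the post attributes to ProAgent).
"""
import os
import secrets
import shutil
import subprocess
import tempfile

# Name fragments a process-name-matching rootkit would plausibly watch for.
# Constructed for this example; the post names only these two tools.
KNOWN_SCANNER_STEMS = ("rootkitrevealer", "blacklight")


def name_leaks_identity(filename: str, stems=KNOWN_SCANNER_STEMS) -> bool:
    """True if the file name (case-insensitive) still contains a known scanner stem.

    Renaming RootkitRevealer.exe to RootkitRevealer2.exe does not help: a
    substring match on the process name still fires.
    """
    lowered = os.path.basename(filename).lower()
    return any(stem in lowered for stem in stems)


def random_name(original: str, nbytes: int = 6) -> str:
    """Random hex stem; the original extension is kept so the OS still runs it."""
    _, ext = os.path.splitext(original)
    return secrets.token_hex(nbytes) + ext


def stage_scanner(src_path: str, dest_dir: str) -> str:
    """Copy the scanner into dest_dir under a random name and return the new path.

    The identity check cannot trigger for a hex stem, but keeping it explicit
    means a later change to the naming scheme cannot silently reintroduce
    the leak.
    """
    new_name = random_name(src_path)
    if name_leaks_identity(new_name):
        raise RuntimeError(f"staged name still identifies the tool: {new_name}")
    dest = os.path.join(dest_dir, new_name)
    shutil.copy2(src_path, dest)  # copy2 preserves mode bits (executable flag)
    return dest


def run_renamed(src_path: str, args=()) -> int:
    """Stage the scanner under a random name, run it, delete the copy.

    Returns the scanner's exit code. The staging directory is removed on exit
    so the randomly named copy does not linger on disk.
    """
    with tempfile.TemporaryDirectory() as tmp:
        staged = stage_scanner(src_path, tmp)
        return subprocess.run([staged, *args], check=False).returncode


if __name__ == "__main__":
    # Usage: python stage_scanner.py <path-to-scanner.exe> [scanner args...]
    import sys
    sys.exit(run_renamed(sys.argv[1], sys.argv[2:]))
```

The copy is made fresh for every run and discarded afterwards, so each scan uses a name the rootkit has never seen; a fixed alternative name would only work until the next rootkit release adds it to the watch list.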