A computer virus can be described as a program that works secretly and harms the entire system or some particular part of it. Every second programmer has faced this problem. There is not a single PC user left who does not know what
Types of computer viruses:
A rootkit is one or more programs that hide the presence of unwanted applications on a computer, helping attackers operate unnoticed. It can carry the entire set of malware functions. Because such an application usually sits deep inside the system, it is extremely difficult to detect with an antivirus or other security tools. A rootkit is a set of software tools that can read saved passwords, scan various data, and disable PC protection. In addition, it often includes a backdoor function, which means the program gives the hacker the ability to connect to the computer remotely.
In other words, a rootkit is an application that intercepts system functions. For the Windows operating system, the following well-known rootkits can be named: TDSS, Necurs, Phanta, Alureon, Stoned, ZeroAccess.
There are several variants of these programs. They can be divided into two categories: user-mode and kernel-mode (kernel-level) rootkits. Utilities of the first category have the same capabilities as regular applications that run on the device; they can use the memory of already running programs. This is the most common option. Rootkits of the second category sit deep in the system and have full access to the computer. If such a program is installed, the hacker can do almost anything he wants with the attacked device. Rootkits of this level are much harder to write, which is why the first category is more common. But a kernel-level program is not at all easy to find and remove, and antivirus protection is often completely powerless against it.
There are other, rarer variants of rootkits, called bootkits. They gain control of the device long before the operating system starts. More recently, rootkits that attack Android smartphones have appeared. Hacking technologies develop in the same way as legitimate software: they keep up with the times.
A huge number of infected computers are part of so-called zombie networks and are used to send spam. The users of these PCs suspect nothing about such "activity". Until recently it was commonly thought that only professional programmers could create such networks, but this may soon change dramatically: more and more tools for creating malware can be found on the Internet. For example, a kit called Pinch makes it easy to create a rootkit. Its basis is the Pinch Builder Trojan, which can be extended with various functions. The resulting application can read passwords stored in browsers, capture entered data and send it to the scammers, and conceal its own activity.
Initially, rootkits get into the system in the same way as other malware. If a plug-in or browser is vulnerable, it is not difficult for the application to get onto the computer. Flash drives are often used for this purpose: sometimes attackers simply drop them in crowded places, where someone picks up the infected device and takes it with them. This is how a rootkit reaches the victim's computer. The application then exploits weaknesses in the system and gains a dominant position in it, after which it installs auxiliary components used to control the computer remotely.
Quite often the system is infected through phishing. There is a high chance that the code will get onto the computer while downloading pirated games and programs; very often it is disguised as a file called Readme. Never forget the danger of software and games downloaded from unverified sites. Most often the user launches the rootkit himself, after which the program immediately hides all signs of its activity and becomes very hard to detect.
Such a program intercepts data from various applications. Sometimes the antivirus detects these actions immediately. But often, once the device is already infected, the rootkit hides information about the state of the computer: traces of its activity disappear and records of the malware are deleted. Obviously, in such a situation the antivirus cannot find any sign of the rootkit or try to remove it. Still, as practice shows, antiviruses are able to contain such attacks, and security vendors regularly update their products and add information about new vulnerabilities.
To search for rootkits, you can use various utilities created specifically for this purpose. Kaspersky Anti-Virus copes well with the task: you just need to scan the device for all kinds of vulnerabilities and malware. Such a scan is very important for protecting the system from viruses, including rootkits. It detects malicious code that the regular antivirus check missed, and the vulnerability search helps find operating-system weaknesses through which attackers can spread malware. Looking for the right protection? Kaspersky will serve you well. A rootkit can be caught simply by enabling periodic rootkit scans on your system.
For a more thorough search for such applications, configure the antivirus to check the operation of the most important system files at the lowest level. It is also very important to keep the antivirus's self-protection at a high level, since a rootkit can easily disable it.
To be sure your computer is safe, scan all portable drives when you turn it on. Rootkits can easily get into the operating system through removable drives and flash drives. Kaspersky Anti-Virus monitors all removable devices when they are connected; you just need to set up a drive scan and keep the antivirus updated.
There are many difficulties in fighting these malicious applications. The main problem is that they resist detection quite successfully by hiding their registry keys and files so that antivirus programs cannot find them. There are auxiliary programs for removing rootkits; these utilities search for malware using various methods, including highly specialized ones. The Gmer program is fairly effective and will help destroy most known rootkits. The AVZ program can also be recommended; it successfully detects almost any rootkit. How do you remove dangerous software with it? It's easy: set the necessary options (the utility can either send infected files to quarantine or delete them on its own), then select the type of scan (full PC check or partial), run the scan itself and wait for the results.
The special TDSSKiller program effectively fights the TDSS rootkit. AVG Anti-Rootkit will help remove the remaining rootkits. After such helpers have done their work, it is very important to check the system for infection with any antivirus; Kaspersky Internet Security copes with this task perfectly, and it is also able to remove simpler rootkits through its disinfection function.
Remember that while scanning for viruses with any security software you should not open any applications or files on the computer; the check will then be more effective. Naturally, do not forget to update your antivirus software regularly. The ideal option is a daily automatic update (set in the settings) that runs when you connect to the network.
Detection. Unfortunately, most modern antiviruses will not react in any way to the appearance of a rootkit, because its main goal is to hide itself and everything connected with it. Almost all so-called copy-protection tools, as well as programs that emulate CD and DVD drives, also behave like rootkits. To detect and remove rootkits, you need to install special programs.
Sophos Anti-Rootkit Utility. This is a small rootkit finder and remover that works on all versions of Windows from XP onward. You can download the program from the official website. Working with it is very simple: select the objects to scan and click Start scan. After scanning, highlight the found items and click Clean up checked items to delete them.
Rootkit Buster. This is another free rootkit remover. Installation is not required: unpack the archive and run rootkitbuster.exe. You can download it from here. Press the Scan Now button to start scanning. The utility scans all files, registry branches, drivers and the MBR. If rootkits are found, the program displays a list of them; select the objects and click Delete Selected Items.
Signs of infection. So, how do you know if your computer is infected with rootkits? Most of the symptoms are similar to those of a virus: sending data without your command, freezing, unauthorized launching of programs, and so on. With viruses, however, it is easier, because viruses are detected by antiviruses. If there are symptoms of a virus and the antivirus finds nothing, there is a high probability of a rootkit infection. Install a firewall; if it notifies you about a program trying to access the Internet (nothing but the browser and the antivirus has any business there), block it.
So, let's continue looking at applications that can help us get rid of rootkits on our PCs. The previous part of the article is available separately.
This is a fairly compact anti-rootkit application with a simple and intuitive interface (something that "professional" utilities lack). The utility scans the registry and the system directories the developers consider critical, revealing hidden objects. Sophos Anti-Rootkit requires installation. Unlike most other programs with similar functions, it warns the user that removing a particular rootkit may affect the performance and health of the OS.
When launched, the program prompts us to choose what exactly to scan. Frankly, it's better to scan everything: excluding even one item (the system registry, running processes or local drives) leaves a loophole for rootkits entrenched in the system. After scanning, from the objects detected by Sophos Anti-Rootkit (Symantec Antivirus and Kaspersky Antivirus modules, virtual CD-ROM drivers, etc. consistently end up there), you select those you have decided to delete, confirming that they are extremely suspicious.
To make the decision easier, the program even gives descriptions of the found objects together with a number of recommendations. To read a description, select the found object.
In addition, the application gives the full path to the object and further details in its description. You can study the found object, look up information about it on the Internet, and only then make an informed decision. After making a choice, it remains only to click the "Clean up checked items" button.
For some reason this application is rarely used or described. Meanwhile, RootRepeal is a very good and efficient tool for detecting many variants of rootkits.
This program is portable and not as visual as Sophos Anti-Rootkit, but with minimal effort on the user's part it can be a huge help in detecting malware. However, it does not automatically tell the user that this is where the rootkit sits; it provides information (running processes, files in use, hidden processes, hooks, information about the system kernel, etc.), which the user has to analyze and evaluate himself.
After analyzing and identifying suspicious processes, you can look up their descriptions on the Internet and, if necessary, use the RootRepeal toolkit to erase files, terminate processes, or edit registry keys.
The last one I left for the end is the well-known AVZ utility (Zaitsev's antivirus). It is a tool with a huge number of features, which, among other things, can help in the fight against rootkits. AVZ does not require installation (it is portable) and is updated quite regularly.
To perform a scan and detect rootkits lurking deep in the system, select the desired disk or directories in the "Search Area". AVZ recognizes rootkits very well; they can be removed automatically, or you can decide on a case-by-case basis (editor's note: the actions AVZ takes in particular cases can be set in the program settings).
AVZ searches for rootkits by examining the basic system libraries for interception of their functions, that is, without using signatures. What is valuable in this application is that it can correctly block a number of possible countermeasures by rootkits, so the utility's scanner can detect cloaked processes and registry keys.
Of course, false positives are also possible, so watch carefully what you erase with AVZ. AVZ can also restore a number of system functions after an attack by viruses and rootkits, which is quite helpful too.
We reviewed a number of programs that help detect rootkits on computers and laptops. It should be noted that most commercial and free antiviruses have already acquired quite powerful modules for detecting and removing rootkits. Moreover, in the near future I predict a significant decrease in ordinary users' interest in anti-rootkit solutions, as the corresponding modules of antivirus products improve, and the average user has no interest at all in delving into processes, drivers and files; he wants a quick and preferably effortless result. While traditional antivirus programs are far from being the benchmark in finding rootkits, for such users I would recommend Sophos Anti-Rootkit. But for complex cases you still have to use GMER or AVZ and improve your skills. These tools are not going to disappear from the scene anytime soon.
The aggressive development of rootkits still goes unpunished and continues just as actively, without meeting any significant resistance from security technologies, most of which work well only on paper and catch public rootkits taken from rootkits.com or similar resources. Custom-made rootkits are detected much worse, if at all. Moreover, even such advanced detection technologies as
remote port scanning turn out to be powerless against the latest generation of rootkits, which can realistically only be fought off by hand, with everything you have.
The mouse constantly keeps a VMware-based honeypot running, which sucks in a bunch of malware. Its analysis indicates a steady increase in the number of rootkits that live exclusively in memory and do not write themselves to disk, as a result of which they no longer need to hide files and registry branches that are directly or indirectly responsible for autoloading. They do not create new processes, preferring to intrude into the address space of existing ones. They do not open new ports, intercepting incoming traffic instead with raw sockets or by injecting themselves into network drivers (such as TCPIP.SYS or NDIS.SYS).
As a result, neither the registry nor the file system changes, which means there is nothing to hide! Naturally, a reboot kills these types of rootkits on the spot, which is why many administrators assume there is no danger. It's not that hard to reboot a server if you suspect it's been compromised. However, establishing the fact of compromise is the primary and most difficult task facing the administrator. If the server was indeed compromised, you need to find out exactly how! Otherwise repeated attacks will not be long in coming, not to mention that after removing the rootkit you must at least change the passwords for all resources, otherwise the hacker will be able to do without a rootkit, using previously intercepted passwords.
Strictly speaking, for all the differences between NT and Linux/BSD, the technique for searching for rootkits is the same. First of all, we need to obtain a kernel memory dump or run a kernel debugger. Theoretically, rootkits can intercept any operation, including an attempt to save a dump. In NT, all they need to do is hook the kernel's KeBugCheckEx function and clean up all traces of their presence in RAM before returning control to it. Technically this is easy to implement: it would take no more than a couple of hundred lines of assembly code, but... I do not know of any rootkit that actually does this. The kernel debugger can also be outwitted: mark all hooked pages as execute-only (if the CPU supports the NX/XD bit) or set them to NO_ACCESS, and when an exception occurs, check whether someone is trying to read or execute them. If they are being read, it is clearly a debugger, and to deceive it we temporarily remove the hook. But this is just theory. In practice no one has implemented it yet, and when it will be implemented is unknown.
Alas, there are no absolutely reliable ways to detect rootkits, and every measure has its countermeasure. But let's not theorize; let's get back to real-life rootkits, or rather to obtaining a memory dump. In NT, in "System Properties" (
killing the rootkit that we are trying to find, so this operation should be carried out in advance.
Incidentally, the sequence
In cases where CrashOnCtrlScroll is not configured and a reboot is not acceptable, you can take any driver from the NT DDK and insert some illegal operation at the beginning of DriverEntry: a division by zero, a null-pointer memory access, etc. Then, as soon as the driver is loaded, a blue screen appears and a complete kernel memory dump, with all the malware it contains, is written to disk.
On Linux, a manual dump is performed by pressing
On xBSD systems, the combination
The resulting core dump can be analyzed with any handy utility, since there is no shortage of them. For example, in NT windbg is usually used for this purpose, but the mouse prefers to explore the system live with SoftICE, whose closest analogue in the Linux world is LinICE.
So we press
At the beginning of normal, un-hooked functions there should be a standard prologue like "PUSH EBP / MOV EBP, ESP" or something similar. If a JMP or CALL sits there instead, then with a probability close to one this function has been intercepted by someone. But by whom is the question: in addition to rootkits, antiviruses, firewalls and other programs also hook functions, so before you go looking for malware, you need to thoroughly study the features of your system with all installed applications.
Advanced rootkits inject the JMP/CALL not at the beginning of the function but in its middle, so as not to arouse suspicion. Still, after analyzing the code of a hooked function it is easy to verify that something about it is abnormal: the stray JMP/CALL just doesn't fit into the algorithm! However, to reach such a conclusion you need not only to know assembler but also to have disassembly experience. Fortunately, advanced rootkits are quite rare, and the vast majority hook functions right at the beginning.
After reviewing all the functions and making sure there are no traces of explicit interception, we proceed to the table of system functions, which is displayed under SoftICE by the NTCALL command and under LinICE by the D sys_call_table command. Since the functions listed in the table are not exported by the NT kernel, in the absence of symbol information (which can be retrieved from the Microsoft server using NuMega's SymbolRetriever utility) SoftICE displays the name of the nearest exported function plus an offset. Therefore we cannot immediately tell whether a function is intercepted or not, and we have to type the command "u function_address" to see what is there: a normal, un-hooked prologue or a JMP/CALL. In *nix, symbol information is present by default, so there are no such problems.
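The two checks above (a JMP/CALL in place of the "PUSH EBP / MOV EBP, ESP" prologue, and a syscall-table entry that points outside the kernel image) can be automated over bytes pulled from a memory dump. The script below is an added example, not code from the original article or from SoftICE/LinICE; the function names are real NT syscalls, but every address, the kernel image range and the "hooked" bytes are constructed sample data, not a real dump.

```python
import struct

# Standard x86 prologues an un-hooked kernel function is expected to start with.
# The article's check is "PUSH EBP / MOV EBP, ESP"; the "MOV EDI, EDI" hotpatch
# variant that many Windows kernel functions begin with is added here.
KNOWN_PROLOGUES = (
    bytes.fromhex("558bec"),      # push ebp / mov ebp, esp
    bytes.fromhex("8bff558bec"),  # mov edi, edi / push ebp / mov ebp, esp
)

def inspect_prologue(addr, code):
    """Classify the first bytes of the function at `addr`.

    Returns (verdict, target): verdict is "clean", "jmp", "call" or "unknown";
    target is the decoded branch destination for jmp/call, else None.
    Only a hook at the very start is found; a JMP planted mid-function
    (the "advanced" case in the text) needs a full disassembly pass.
    """
    if any(code.startswith(p) for p in KNOWN_PROLOGUES):
        return ("clean", None)
    if len(code) >= 5 and code[0] in (0xE9, 0xE8):      # jmp rel32 / call rel32
        rel = struct.unpack_from("<i", code, 1)[0]       # signed displacement
        target = (addr + 5 + rel) & 0xFFFFFFFF           # relative to next insn
        return ("jmp" if code[0] == 0xE9 else "call", target)
    if len(code) >= 6 and code[:2] == b"\xff\x25":       # jmp dword ptr [abs32]
        return ("jmp", struct.unpack_from("<I", code, 2)[0])
    return ("unknown", None)

def check_syscall_table(table, image_ranges):
    """Return (index, address) for every table entry outside the vetted images.

    `image_ranges` holds (start, end) half-open ranges for the kernel (and any
    module you have already vetted, e.g. your antivirus driver); an entry that
    points elsewhere is the syscall-table equivalent of a JMP at a prologue.
    """
    return [(i, a) for i, a in enumerate(table)
            if not any(lo <= a < hi for lo, hi in image_ranges)]

# --- constructed sample, not a real dump -----------------------------------
KERNEL_RANGE = (0x80400000, 0x80600000)   # hypothetical ntoskrnl image bounds
HOOK_TARGET = 0xF9A01000                  # hypothetical rootkit driver address

def hooked_prologue(func_addr):
    """Build what a hooked function start looks like: jmp rel32 to HOOK_TARGET."""
    return b"\xe9" + struct.pack("<i", HOOK_TARGET - (func_addr + 5)) + b"\x90" * 3

SAMPLE_FUNCS = {                          # name -> (address, first bytes)
    "NtOpenProcess":        (0x80480000, bytes.fromhex("8bff558bec83ec10")),
    "NtQueryDirectoryFile": (0x80490000, hooked_prologue(0x80490000)),
    "NtCreateFile":         (0x804A0000, bytes.fromhex("558bec83ec0c53")),
}
SAMPLE_SSDT = [0x80480000, HOOK_TARGET, 0x804A0000]   # entry 1 redirected

def scan_sample():
    """Run both checks over the constructed sample and return the findings."""
    findings = []
    for name, (addr, code) in SAMPLE_FUNCS.items():
        verdict, target = inspect_prologue(addr, code)
        if verdict != "clean":
            findings.append(("prologue", name, verdict, target))
    for idx, addr in check_syscall_table(SAMPLE_SSDT, [KERNEL_RANGE]):
        findings.append(("ssdt", idx, "outside-kernel", addr))
    return findings

if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

As the article warns, a hit only tells you that something hooked the function; you still have to attribute the target address to a module before calling it a rootkit.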
Naturally, besides those described, rootkits use other interception techniques, but they are quite difficult to understand and require preliminary preparation, so they are not considered here.
A rootkit is a malicious program designed to gain superuser rights on a device without the victim's knowledge.
There are many ways for a rootkit to get onto a user's computer, including being downloaded with an infected third-party program or plug-in. Rootkits are not self-propagating, but they tend to be part of more complex, blended threats.
Detecting a rootkit in a system is not a trivial task at all. When searching for objects in system memory, check the rights of all running processes while monitoring their calls to imported libraries (DLLs), which may in turn be blocked or redirected to other functions. If you want to be sure there are no rootkits on your PC, use the system scanner built into modern antivirus solutions (e.g. Avast Free Antivirus).
An antivirus program is able to detect the presence of rootkits in the system. While scanning for rootkits, most programs will stop the execution of the rootkit, but its removal must be done manually.
Using a modern antivirus solution with an anti-spam module is the most effective way to prevent, detect and remove a rootkit from your computer. The most effective antivirus solution is Avast.