Re: computer with rootkit?

[rogue5 <rogue5 () bluemarble net>]

Not really, because it's not just the rootkit.  Usually, once the 
rootkit is installed, the other stuff gets downloaded and installed, 
things to log keystrokes, spread the infection, redundancies to keep 
access to the machine.  The reason you nuke the site from orbit is 
because it's the only way to be sure you got it all.




On Thu, 29 Sep 2011 16:35:31 +0000, Jamie Ivanov wrote:
> Clearly you don't have any experience with rootkits. If one were to
> get loaded from boot (bootkit) to initialize a driver or hook a
> driver, once the kernel SSDT gets modified your process list becomes
> inaccurate. You cannot perform *ANY* rootkit removal on an active
> system or your changes will be nullified by monitoring hooks.
>
> You need an offline environment like the Hirens boot CD to load
> portable envoronment. Not only wipe the mbr but check loaded drivers
> at each runlevel then check local user and global registry startup
> points. Also a system file check to verify/replace modified system
> files. Then, and only then, you can even run your malware finders 
> such
> as combofix, malwarebytes antimalware, and spybot s&d.
>
> Repairing a rootkit infection is not that difficult. I've been
> reverse engineering them for years. Those who have suggested a
> reinstall should be ashamed.
> Jamie Ivanov / KC9LFD
> m.608.399.4252
> Blackberry: 32DD619E
> http://www.linkedin.com/in/jamieivanov
> -- -- -- -- -- -- -- -- -- -- -- --
> This transmission (including any attachments) may contain
> confidential information, privileged material (including material
> protected by the solicitor-client or other applicable privileges), or
> constitute non-public information. Any use of this information by
> anyone other than the intended recipient is prohibited. If you have
> received this transmission in error, please immediately reply to the
> sender and delete this information from your system. Use,
> dissemination, distribution, or reproduction of this transmission by
> unintended recipients is not authorized and may be unlawful.
>
> Sent from my BlackBerry
>
> -----Original Message-----
> From: Brian Rogalski <brogalski () bkrservices com>
> Sender: listbounce () securityfocus com
> Date: Thu, 29 Sep 2011 07:01:20
> To: security basics<security-basics () securityfocus com>
> Subject: RE: computer with rootkit?
>
> There are a few things that you could try...
>
> Use tools like process hacker, what's running, capture bat and 
> regshot ...
> Process explorer and process monitor can tell you what path and 
> device
> files are being used. Also look at the
>
> (HKLM\currentversion\microsoft\windows\software\run) key in the 
> registry
> ... most malicious program want to stay resident after a reboot... 
> You can
> use a tool called autoruns at well.
>
> It looks like you may have a Kernel mode root kit. There is only so 
> far
> that those tools will take you .. To complete your process you are 
> going
> to have to dump the executable to a unaffected machine and perform 
> more
> behavioral analysis follow by code and memory forensics.
>
> Hope that helps
>
> Brian
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs
> an SSL certificate.  We look at how SSL works, how it benefits your
> company and how your customers can tell if a site is secure. You will
> find out how to test, purchase, install and use a thawte Digital
> Certificate on your Apache web server. Throughout, best practices for
> set-up are highlighted to help you ensure efficient ongoing 
> management
> of your encryption keys and digital certificates.
>
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------