Rootkits - potential dangers
Have you heard of rootkits somewhere but are not sure what a rootkit actually is? Is a rootkit a worm, a virus or a trojan? Are rootkits really dangerous? This article answers these questions about rootkits and introduces some free software that helps you quickly detect and remove them.
Rootkit concept
The term rootkit describes the mechanisms and techniques that malware (software that subverts normal program behaviour, including viruses, spyware and trojans) uses to hide and avoid detection by anti-spyware and antivirus programs and by system utilities. A rootkit by itself is not malicious, but combined with "destructive" programs such as viruses, worms, spyware or trojans it becomes much more dangerous.
How dangerous are rootkits?
Rootkits do not cause damage by themselves. Their only purpose is to hide and avoid detection. However, a rootkit used to hide malicious code is dangerous: worms, viruses, trojans and spyware that use a rootkit can stay active and undetected, even on a system protected by the best antivirus programs. Rootkits are therefore a very serious threat.
In practice, only a few spyware and virus families currently use rootkits to hide. One well-known example of a rootkit being used to infiltrate a system is the theft of the Half-Life 2 source code.
Rootkits are more common in spyware than in viruses. What is certain is that rootkit techniques are still under development and not yet widely used, so the current threat from rootkits is small compared to the potential danger of the technique.
Rootkit classification
Rootkits are classified by whether they survive a reboot, and by whether they operate in user mode or in kernel mode.
Persistent Rootkits
A persistent rootkit is combined with other malware so that it runs every time the system boots. Because the malicious code must be executed automatically each time the system starts or the user logs in, it has to store its code, and an autostart entry for it, in the Registry or in system files, using methods that run the code silently without the user's knowledge.
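Where those autostart entries live is the practical point of this section. The Python script below is an added example, not code from the article or from any of the tools it names: it parses a constructed export of the HKLM and HKCU Run keys, in the text format the Windows Registry Editor writes, and flags entries that point outside the Windows and Program Files directories, sit in user-writable folders, reuse a system process name, or go through a launcher such as rundll32.exe. The sample entries and the triage rules are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of a registry export of the two "Run" autostart keys.
# The entries and paths are made up for this example, not taken from the article.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Helper"="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll,Start"
'''

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

# Programs that only host code from somewhere else; for such an entry the
# interesting part is the argument, not the host.
LAUNCHER_HOSTS = {'RUNDLL32.EXE', 'REGSVR32.EXE', 'CMD.EXE', 'POWERSHELL.EXE',
                  'WSCRIPT.EXE', 'CSCRIPT.EXE', 'MSHTA.EXE'}
TRUSTED_PREFIXES = ('C:\\WINDOWS\\', 'C:\\PROGRAM FILES\\', 'C:\\PROGRAM FILES (X86)\\')
USER_WRITABLE = ('\\TEMP\\', '\\APPDATA\\', '\\USERS\\PUBLIC\\', '\\PROGRAMDATA\\')
SYSTEM_NAMES = {'SVCHOST.EXE', 'LSASS.EXE', 'CSRSS.EXE', 'WINLOGON.EXE', 'EXPLORER.EXE'}


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str

    def parts(self):
        """Split the command into (executable, arguments), honouring quotes."""
        cmd = self.command.strip()
        if cmd.startswith('"') and '"' in cmd[1:]:
            end = cmd.index('"', 1)
            return cmd[1:end], cmd[end + 1:].strip()
        head, _, tail = cmd.partition(' ')
        return head, tail.strip()


def unescape(data):
    # .reg exports write a backslash as \\ and a double quote as \"
    return data.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg_export(text):
    """Return the values found under every key whose last component is Run."""
    entries, key = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key and key.upper().endswith('\\RUN'):
            entries.append(AutostartEntry(key, m.group('name'), unescape(m.group('data'))))
    return entries


def triage(entry):
    """Reasons (possibly none) why an autostart entry deserves a closer look."""
    image, args = entry.parts()
    reasons = []
    basename = image.upper().rsplit('\\', 1)[-1]
    if basename in LAUNCHER_HOSTS:
        reasons.append(f'launched via {basename.lower()}')
        target = args.upper()          # judge the loaded file, not the host
    else:
        target = image.upper()
    if not target.startswith(TRUSTED_PREFIXES):
        reasons.append('image outside Windows/Program Files')
    if any(marker in target for marker in USER_WRITABLE):
        reasons.append('image in a user-writable location')
    if basename in SYSTEM_NAMES and not image.upper().startswith('C:\\WINDOWS\\'):
        reasons.append('system process name outside the Windows directory')
    return reasons


def suspicious_entries(text):
    """Map value name -> triage reasons for every entry that has any."""
    result = {}
    for entry in parse_reg_export(text):
        reasons = triage(entry)
        if reasons:
            result[entry.name] = reasons
    return result


if __name__ == '__main__':
    for name, reasons in suspicious_entries(SAMPLE_REG_EXPORT).items():
        print(f'{name}: {", ".join(reasons)}')
```

Because a user-mode rootkit can also filter Registry enumeration, an export taken on the live, infected system may itself be incomplete; an export taken from the hive files while the system is offline is more trustworthy, and a clean result from this kind of triage is evidence, not proof.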
Memory-Based Rootkits
This type of rootkit has no "persistent" code: it lives only in memory, so it does not survive a reboot.
User-mode Rootkits
User-mode rootkits use various methods to stay hidden. For example, a user-mode rootkit intercepts calls to system API (Application Programming Interface) functions such as FindFirstFile/FindNextFile. These functions are called by Windows file-management programs such as Explorer and the command prompt to list the contents of directories. When an application lists a directory that contains the rootkit's files, the rootkit intercepts these calls and alters the returned data so that its own files are removed from the listing.
The Windows system APIs are the interface between user mode and system services. More sophisticated user-mode rootkits also intercept the API functions that enumerate files, Registry keys and processes. Any scanner that relies on the results of the Windows enumeration APIs therefore sees altered results, which is why most antivirus and anti-spyware programs cannot detect such rootkits.
Kernel-mode Rootkits
Kernel-mode rootkits are more dangerous than the above: they not only intercept system APIs but also manipulate kernel data structures directly. A common technique for hiding a malware process is to unlink it from the kernel's list of processes. Because the process-management API functions depend on the contents of these data structures, once the rootkit has changed them, tools such as Task Manager or Process Explorer can no longer detect the process.
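Both the user-mode hook and the kernel-mode list manipulation produce the same symptom: the view an application gets through the enumeration API disagrees with a view collected without that API. The Python model below is an added example, not code from the article or from RootkitRevealer or BlackLight. It constructs a "raw" directory listing and a "raw" process listing, models the filtered result that a hooked or manipulated enumeration returns, and reports every discrepancy between the two views. The sample names (the `_root_` prefix and the process id 1337) are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str      # 'file' or 'process'
    name: str
    reason: str


def cross_view_diff(kind, api_view, low_level_view):
    """Compare what an application sees through the enumeration API with a
    view collected without that API. Entries present only in the low-level
    view were removed by a hook or by kernel structure manipulation; entries
    present only in the API view were fabricated."""
    api, low = set(api_view), set(low_level_view)
    found = [Discrepancy(kind, n, 'hidden from API view') for n in sorted(low - api)]
    found += [Discrepancy(kind, n, 'present only in API view') for n in sorted(api - low)]
    return found


def filtered_enumeration(real_entries, hidden_marker):
    """Models the effect described in the text: the API returns the real
    data minus every entry belonging to the rootkit. Whether the filtering
    happens in a user-mode hook or in altered kernel structures makes no
    difference to what the caller receives."""
    return [e for e in real_entries if hidden_marker.lower() not in e.lower()]


# Constructed sample data (not taken from the article). The "raw" views stand
# for data gathered without the enumeration API: directory entries read from
# the volume's on-disk structures, and processes found by probing every
# process id directly instead of walking the kernel's process list.
RAW_DIRECTORY = ['ntoskrnl.exe', 'hal.dll', '_root_hook.dll', '_root_config.dat']
RAW_PROCESSES = ['4 System', '812 svchost.exe', '1337 _root_svc.exe']
HIDDEN_MARKER = '_root_'   # the name pattern the modelled rootkit hides


def detect_hidden(api_files, raw_files, api_processes, raw_processes):
    """Run the cross-view comparison for both object types."""
    return (cross_view_diff('file', api_files, raw_files)
            + cross_view_diff('process', api_processes, raw_processes))


def run_demo():
    """Return the discrepancies a cross-view scan finds on the sample system."""
    # What Explorer and Task Manager see once the rootkit is active.
    api_files = filtered_enumeration(RAW_DIRECTORY, HIDDEN_MARKER)
    api_processes = filtered_enumeration(RAW_PROCESSES, HIDDEN_MARKER)
    return detect_hidden(api_files, RAW_DIRECTORY, api_processes, RAW_PROCESSES)


if __name__ == '__main__':
    for d in run_demo():
        print(f'{d.kind:8} {d.name:20} {d.reason}')
```

The comparison only means something if the second view really bypasses the layer the rootkit controls: reading on-disk structures gets past a user-mode hook, but a kernel-mode rootkit can lie to that reader as well, which is why the text rates it as the more dangerous kind. Files and processes that appear or disappear between the two snapshots also show up as discrepancies, so repeat the scan before treating a hit as a rootkit.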
What malware uses rootkit technology?
Some well-known rootkits in their own right are Hacker Defender and FU. Spyware and adware that use rootkits include EliteToolbar, ProAgent and Probot SE. Trojans such as Berbew/Padodor and Feutel/Hupigon, and worms such as Myfip.h and Maslan, also use rootkits.
Predictions about rootkits
Rootkits have already become popular in spyware, and they will gradually become popular in viruses and worms as well. Virus writers are now more professional and operate for profit, so they have the skills and resources to build very complex rootkits into viruses and worms.
Rootkits can keep trojans and spam software on infected machines for longer. This is another reason to expect a rootkit boom in the future.
Why don't antivirus programs detect rootkits before they can hide?
They do, but only in some cases. Rootkits are often distributed as open source, so hackers can quickly modify the rootkit code until antivirus programs no longer detect it. Some newer antivirus products can detect rootkits, for example F-Secure Internet Security 2005 with its Manipulation Control feature, which blocks malicious "manipulating" processes from affecting other processes. However, F-Secure Internet Security 2005 blocks only a few rootkits.
Rootkit removal software
A rootkit combined with malware is much more dangerous. So is there software that can detect rootkits hiding in the system?
Here are some programs that can detect and remove rootkits:
RootkitRevealer is a very effective and completely free rootkit detector and remover, only 190KB in size. The program has a simple interface: just press the Scan button and RootkitRevealer does its job. For more information and how to use the program effectively, read the tutorial or visit the website: http://www.sysinternals.com/utilities/rootkitrevealer.html
BlackLight is F-Secure's rootkit removal software. The beta version of BlackLight is currently free; download it at: http://www.europe.f-secure.com/exclude/blacklight/index.shtml
Minh Phuc