Kernel rootkits what?

XoR
Posts: 1887
Joined: Wed Jul 10, 2002 4:35 am
Location: Minnesota

Kernel rootkits what?

Post by XoR »

A rootkit is a package of malware that an attacker plants on your machine. It operates in user-land (ring 3), silently capturing passwords and keystrokes, among other malfeasance.

Rootkits have been in the wild on UNIX/Linux for some time, because the source for SVRX and Linux distros is freely available.

Windows source is of course closed and much of it undocumented, so rootkits have been somewhat less prevalent in the wild.

Enter the kernel rootkit. A kernel rootkit operates at ring 0 and tells the Windows API to hide it. Not only does it hide itself completely, it can manipulate TDI returns to SYMDNS.SYS, thereby bypassing anti-virus products and possibly strict firewall filters.

READ AGAIN: Kernel rootkits are designed to bypass all forms of detection.

--

2 solutions ...

[Solution 1 - not 100%] Our talented friends over at Sysinternals just created this: RootkitRevealer

[Solution 2 - 99% sure-fire] Go to your suspected machine, fire up a cmd prompt and type: dir /s /a > text1.txt (this will output the whole nine yards into a text file called text1.txt)

Then use a copy of WinPE and boot to the CD (a clean XP boot) and do the same thing, except: dir /s /a > text2.txt

Now ... use windiff to compare the two files, and any discrepancy will reveal the existence of a rootkit.

--

If you have ever run a keygen or installed a program from Kazaa or P2P networks, you owe it to yourself to look into this.

For the extra bored, the supreme hackers over at eEye have written up THIS
I.D.O.
Posts: 1732
Joined: Tue Jun 18, 2002 7:57 pm
Location: Illinois, USA

RE: Kernel rootkits what?

Post by I.D.O. »

That is good information... Arch and I have a friend at a university that was hit with this last year. He sent me a bunch of stuff that they did for scanning for compromised systems and cleaning them, which is solution 2, since solution 1 wasn't available. Gotta love it when smart but evil people have too much free time.
Grudge
Posts: 1042
Joined: Tue Mar 11, 2003 10:31 pm
Location: Westland, MI

Post by Grudge »

wow, I know what most of the words mean individually, but phrased in the sentences as you have, XoR, it might as well be in Gaelic. My wealth of ignorance astounds me. :shock:
1nst1nct
Posts: 3
Joined: Tue Apr 12, 2005 11:46 pm
Location: c4l!f0rn!4

Post by 1nst1nct »

XoR man, I really need your help. I have had a crappy connection for weeks now. I have DSL, but now I'm running like I had 56k, dude :( I have reformatted my PC 3 times already. I used ZoneAlarm for a firewall and it helped for a bit, but now it's back to my 56k connection speed :( I have tried a lot of spy/adware scanners but no luck :( I currently got in touch with my ISP and I'm still waiting for them to tell me if it's probably a problem on their side. But I ran the program from Option 1 and I got this. Please tell me how bad it is and how I can remove all that, since nothing I have will pick that stuff up *if it's a virus or related*. Thanks man :)

http://img.photobucket.com/albums/v485/ ... /virus.jpg
XoR
Posts: 1887
Joined: Wed Jul 10, 2002 4:35 am
Location: Minnesota

Post by XoR »

It's hard to see the PATH on your output, G1. Drag the PATH field across to reveal the full list and what it is.

Keep in mind your OS hides things like C:\$MFT, C:\$Logfile and so on.

--

Yours looks normal, G1. The top entries are access-denied registry entries from when you first installed the OS; the only curious ones are at the bottom, but like I said, you can't see the full path. Just re-post the screen with the full path revealed and we'll take another look-see.
Jack
Posts: 1
Joined: Tue Mar 22, 2005 9:21 pm
Location: Quebec, Canada

Post by Jack »

Hmmm, just letting you know that there is another program, from F-Secure, called BlackLight, which is in beta (not sure if they have the full version yet). Anyway, it's doing the same job: it's a rootkit eliminator. Gotta give it a try!

There's also this program called ADS Spy (ADS meaning "Alternate Data Streams"; they are pieces of info hidden as metadata on files. They are not visible in Explorer, and the size they take up is not reported by Windows).

Recent browser hijackers started using ADS to hide their files, and very few anti-malware scanners detect this.

Use ADS Spy to find and remove these streams. Note: this app also displays legitimate ADS streams. Don't delete streams if you are not completely sure they are malicious!

So you might just do a scan, post your log, and :roll: some of us :roll: will help :D
Undead_Mercenary
Posts: 2914
Joined: Wed Aug 21, 2002 10:01 am
Location: Barrie, Ontario

Post by Undead_Mercenary »

So a rootkit is basically a Keylogger, right?
XoR
Posts: 1887
Joined: Wed Jul 10, 2002 4:35 am
Location: Minnesota

Post by XoR »

No, but capturing keystrokes is one of its features.

Take Hacker Defender, the most popular rootkit for script kiddies.

Overview:

The main idea of this program is to rewrite a few memory segments in all running processes. Rewriting some basic modules causes changes in process behaviour. Rewriting must not affect the stability of the system or running processes. The program must be absolutely hidden from all others. Now the user is able to hide files, processes, system services, system drivers, registry keys and values, and open ports, and to cheat with free disk space. The program also masks its changes in memory and hides handles of hidden processes. The program installs hidden backdoors, registers as a hidden system service and installs a hidden system driver. The technology of the backdoor allows the implantation of a redirector.

--

RootkitRevealer will find ALL instances of these, because of the Achilles heel: there MUST be a file present SOMEWHERE on the machine, just hidden.

RootkitRevealer uses a patent-pending technology that first scans high, then low ... and notes any discrepancies. Wonderfully effective.

I predict newer versions of rootkits will take into consideration rootkit revealer, so the cat and mouse story lives on.
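The two-listing comparison in XoR's Solution 2 (dir /s /a from the running OS, then again from a WinPE boot, then windiff) and the "scan high, then low, and note discrepancies" he attributes to RootkitRevealer are the same idea: a hook that filters directory enumeration in the running kernel cannot filter a listing taken while that driver is not loaded. The script below is an added example, not code from this thread or from Sysinternals; it parses two `dir /s /a` listings and reports what the offline view shows that the online view did not. The sample listings, the placeholder_* names and the EXPECTED_NOISE list are constructed for the example, and it assumes both listings were taken with the same drive letter (WinPE may map the system volume under a different letter, in which case the drive prefix must be normalized first).

```python
import re
from typing import Dict, List, Optional

# Line shapes in `dir /s /a` output that matter here (date/time matched loosely):
#   " Directory of C:\WINDOWS\system32"          -> a new directory section begins
#   "03/22/2005  09:21 PM    <DIR>          name" -> a subdirectory entry
#   "03/22/2005  09:21 PM            12,288 name" -> a file entry with its size
DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(r"^\S+\s+\d{1,2}:\d{2}(?:\s*[AP]M)?\s+(<DIR>|[\d,.]+)\s+(.+?)\s*$")

# Constructed sample listings, not real system output. ONLINE is what the running
# (possibly rootkitted) OS reported; OFFLINE is the same drive listed from a clean
# WinPE boot. The placeholder_* names stand in for whatever a kernel hook hides.
ONLINE_LISTING = r"""
 Directory of C:\

03/22/2005  09:21 PM    <DIR>          WINDOWS
03/22/2005  09:21 PM    <DIR>          Program Files
03/22/2005  09:25 PM                 0 text1.txt
               1 File(s)              0 bytes

 Directory of C:\WINDOWS

03/22/2005  09:21 PM    <DIR>          .
03/22/2005  09:21 PM    <DIR>          ..
03/22/2005  09:21 PM    <DIR>          system32
03/22/2005  09:21 PM            12,288 notepad.exe

 Directory of C:\WINDOWS\system32

03/22/2005  09:21 PM            55,808 ntoskrnl.exe
"""

OFFLINE_LISTING = r"""
 Directory of C:\

03/22/2005  09:21 PM    <DIR>          WINDOWS
03/22/2005  09:21 PM    <DIR>          Program Files
03/22/2005  09:25 PM            18,432 text1.txt
03/22/2005  09:40 PM                 0 text2.txt
               2 File(s)         18,432 bytes

 Directory of C:\WINDOWS

03/22/2005  09:21 PM    <DIR>          system32
03/22/2005  09:21 PM            12,288 notepad.exe

 Directory of C:\WINDOWS\system32

03/22/2005  09:21 PM            55,808 ntoskrnl.exe
03/22/2005  09:30 PM            24,576 placeholder_hidden.sys
03/22/2005  09:30 PM    <DIR>          placeholder_hidden_dir

 Directory of C:\WINDOWS\system32\placeholder_hidden_dir

03/22/2005  09:30 PM             4,096 placeholder.dll
"""

# The listing files themselves always differ: text1.txt is still being written when
# the first dir runs, and text2.txt exists only in the second listing.
EXPECTED_NOISE = (r"C:\text1.txt", r"C:\text2.txt")


def parse_dir_listing(text: str) -> Dict[str, Optional[int]]:
    """Map each full path in a listing to its size in bytes (None for directories).
    Paths are lower-cased because NTFS name lookups are case-insensitive."""
    entries: Dict[str, Optional[int]] = {}
    current_dir: Optional[str] = None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group(1).rstrip("\\")
            continue
        entry = ENTRY_RE.match(line)
        if entry is None or current_dir is None:
            continue  # blank lines and "n File(s)" summaries
        kind, name = entry.groups()
        if name in (".", ".."):
            continue
        path = f"{current_dir}\\{name}".lower()
        entries[path] = None if kind == "<DIR>" else int(re.sub(r"[,.]", "", kind))
    return entries


def compare_listings(online, offline, ignore=()) -> Dict[str, List[str]]:
    """Cross-view diff: anything the offline view has and the online view lacks
    (or reports with a different size) is a candidate hidden object."""
    skip = {p.lower() for p in ignore}
    hidden = sorted(p for p in offline if p not in online and p not in skip)
    size_mismatch = sorted(p for p in offline
                           if p in online and offline[p] != online[p] and p not in skip)
    online_only = sorted(p for p in online if p not in offline and p not in skip)
    return {"hidden": hidden, "size_mismatch": size_mismatch, "online_only": online_only}


if __name__ == "__main__":
    report = compare_listings(parse_dir_listing(ONLINE_LISTING),
                              parse_dir_listing(OFFLINE_LISTING), ignore=EXPECTED_NOISE)
    for category, paths in report.items():
        print(f"{category}: {paths}")
```

On a real machine the ignore list grows: the pagefile, event logs, registry hives and temp directories legitimately change between a live listing and a reboot, so a size mismatch there is noise, while a file or directory that exists offline but never appeared online is the lead worth pulling. A hit is a reason to pull the file off the offline boot and examine it, not proof by itself; and as XoR notes, a rootkit that knows about this comparison can try to defeat it, so the technique is a check, not a guarantee.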