vmsfreaky1

Root Kit Revealer

There was just a discussion about this here:

http://www.dslreports.com/forum/remark,12707653~mode=flat

that I spent about half the day reading yesterday. :|

From what I gather, in my limited wisdom of root kits, the biggest problem with them is that they CAN'T be detected with software.

Someone on that thread explained it very well when he said that the OS runs at Ring 3, and the rootkit and hardware device drivers run at Ring 0 (being closest to the kernel). So in reality, the rootkit (if designed correctly) can intercept all hardware and software calls (including the rootkit detector) and lie to it and tell it "There is no rootkit here."

Which came first, the chicken or the egg? Rootkit says "There is no chicken... only eggs." ;);)

Butthead: Whoa! Burritos for breakfast!
Beavis: Yeah! Yeah! Cool!
bellyflier on the dz.com hybrid record jump

Interesting. This is taken from the help file of RootkitRevealer:

Quote

It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.



Also, there is no known root kit that has reached a level of sophistication sufficient to fool this program; however, nothing is impossible.

It may prove helpful for some.

It is good to know that they are acknowledging that.

I've never run across a rootkit myself, so I'm unsure how they work exactly. I just read and read more about them.

Butthead: Whoa! Burritos for breakfast!
Beavis: Yeah! Yeah! Cool!
bellyflier on the dz.com hybrid record jump

I just got this email from my wife; this was distributed to her company by their IT mgr...

Quote

It has recently been discovered that Sony is including a technology called rootkits on its content / copy protected CDs to enforce their DRM (Digital Rights Management). If you want the whole story, go to the link below, which is the blog written by the person that discovered the problem.

"A rootkit is a set of tools frequently used by an intruder after cracking a computer system. These tools are intended to conceal running processes and files or system data, which helps an intruder maintain access to a system for malicious purposes. Root kits are known to exist for a variety of operating systems such as Linux, Solaris and most versions of Microsoft Windows."

DRM, or Digital Rights Management, is what keeps you from duplicating CDs or DVDs, and it has become a popular topic of discussion since the days of Napster and the other file sharing systems like Kazaa and Limewire.

What Sony has done is put media player software on their CDs that you have to install to listen to the CD on a computer. Once you have installed that software the CD will play on your system, but it makes it virtually impossible to uninstall the software because it has rootkit technology built into it and it hides itself. What the rootkit technology does, in this case, is hide every file that starts with $sys$, and why that is extremely important is because now anyone can hide files on your system that begin with $sys$. Most security software, including firewalls, antivirus and antispyware programs, will not be able to detect these files because they don't exist according to the operating system. Sony is using the software to send information on how many times you have listened to the CD and which songs. It also means that if a hacker gets some $sys$ files on your system they could send any information they want anywhere they want. Sony's implementation of the technology has caused lots of problems for end users because if you try and remove the program it causes the operating system to stop working properly and you have to reload the system.

I think it is safe to say that you should never play a Sony Content / Copy Protected CD on your PC at work or home. You can play them on your home stereo system CD player or in your car because that doesn't require software, but avoid playing them on your PC.

If you have any questions, please let me know.


The whole story is here - http://www.sysinternals.com/Blog/


More information on rootkits here - http://en.wikipedia.org/wiki/Rootkit
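Added example, not code from this thread, from Sysinternals or from any vendor: the cross-view comparison that the RootkitRevealer help text above describes, applied to the kind of prefix cloaking the IT manager's email reports. The same objects are listed through two paths (the normal API and a raw read of hive or file-system data) and every difference is reported; a cloaked entry shows up as present in the raw view but missing from the API view. All paths, key names and the `$sys$demo` component are constructed placeholders, and the "API view" is a simulated list rather than a hook into Windows.

```python
"""Cross-view rootkit detection on constructed sample data.

RootkitRevealer's help text describes the technique: read the same objects
(files, registry keys) through the normal Windows API and again through a
low-level path (raw hive / NTFS structures), then report every discrepancy.
To stay unseen, a rootkit that filters the API view must also filter the raw
view, and do so without leaving inconsistent on-disk structures."""

from typing import Iterable

# Prefix the thread says the Sony DRM driver cloaked.
CLOAK_PREFIX = "$sys$"

# Constructed sample of the raw, on-disk view. Every name here is made up
# for the demonstration; "$sys$demo" is a placeholder, not a real component.
RAW_VIEW = [
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\drivers\$sys$demo.sys",
    r"C:\WINDOWS\system32\$sys$demo\$sys$helper.dll",
    r"C:\Program Files\Player\player.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\atapi",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$demo",
]


def leaf_name(path: str) -> str:
    """Last backslash-separated component of a file path or registry key."""
    return path.rsplit("\\", 1)[-1]


def simulate_cloaked_api_view(raw_view: Iterable[str], prefix: str = CLOAK_PREFIX) -> list:
    """Model of what a filtered API view returns: entries whose leaf name
    starts with the cloak prefix are omitted, as the email describes.
    This stands in for the API calls a scanner would make; it is not a hook."""
    return [p for p in raw_view if not leaf_name(p).startswith(prefix)]


def cross_view_discrepancies(api_view: Iterable[str], raw_view: Iterable[str]) -> dict:
    """Core of the technique: the set difference between the two views.
    'hidden'  = present on disk / in the hive but absent from the API view
    'phantom' = reported by the API but not backed by on-disk data (also a
                sign of tampering; the help text calls this an inconsistent
                structure)."""
    api, raw = set(api_view), set(raw_view)
    return {
        "hidden": sorted(raw - api),
        "phantom": sorted(api - raw),
    }


def prefix_matches(view: Iterable[str], prefix: str = CLOAK_PREFIX) -> list:
    """Secondary check from the email: anything whose leaf name carries the
    cloak prefix deserves a look, because any program can use the prefix to
    ride along under the cloak, and the files outlive the driver's removal."""
    return sorted(p for p in view if leaf_name(p).startswith(prefix))


def scan(raw_view: Iterable[str] = RAW_VIEW) -> dict:
    """Run both checks over the constructed data and return the findings."""
    raw_view = list(raw_view)
    api_view = simulate_cloaked_api_view(raw_view)
    findings = cross_view_discrepancies(api_view, raw_view)
    findings["prefix_matches"] = prefix_matches(raw_view)
    return findings


if __name__ == "__main__":
    for kind, entries in scan().items():
        print(f"{kind}:")
        for entry in entries:
            print("   ", entry)
```

The two checks are independent on purpose: the cross-view difference catches cloaked entries whatever naming scheme the cloak uses, while the prefix check still flags leftover `$sys$` objects once the filter driver itself is gone, which is the situation the later posts in this thread describe.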

Quote

I've got Spam Arrest and love it. It finds all kinds of stuff.



Rootkits are a completely different animal, Mar...

Think of them as kickass virii and trojans, wrapped up in a stealth shell.
Sky, Muff Bro, Rodriguez Bro, and
Bastion of Purity and Innocence!™

Quote

Sony has since fessed up and provided a 'fix' to remove it.

http://news.yahoo.com/s/nf/20051103/tc_nf/39083



They've not offered a fix. They did fess up, but gave only a patch that reveals the files. Only after you've called the Sony help line and explained why you want to remove their virus program will they direct you to a new patch that actually removes the files. I don't think they're removed, because there is talk they rename and alter some Win.DLLs, so once removed your CD/DVD players along with media players won't operate correctly, if at all. This is extremely sneaky on Sony's part.

There is also reason to believe these rootkits, once installed, were talking to the Sony website, revealing IP addresses and info about the systems they were installed on. Go figure... No wonder every hacking website on the net (I visit) is so interested in getting their hands on copies of the "old CDs" in question. Sony has since stopped putting the DRM on newer versions of those artists' CDs.



"Find out just what any people will quietly submit to and you have found out the exact measure of injustice and wrong which will be imposed upon them."
