home >> rootkits at home

Rootkits & Home-users

Technological power in the current world is not measurable by the number of people behind it, but for the number of systems behind it. Attackers do not depend on their own system power to attack their target. They rather build an army of victim hosts called zombies. So, who become zombies?

Bank accounts, credit card numbers, bill payments, Social Security Number (SSN), passwords, documents, etc. are some of the valuable data that home users store in their personal computers. Most home users do not patch their systems to prevent the latest vulnerabilities from being exploited. In fact, this does not apply only for latest vulnerabilities, but also for the ones that are couple of years old. This means that attackers could exploit the home-users by exploiting such un-patched vulnerabilities by using buffer-overflow, client-side exploits and so on. Once the attacker gains root/administrator access [which is the full system-access], they would install rootkits to the compromised hosts to get free multiple-entry lifetime access.

Gaining unlimited access to victim hosts would not only help the attackers to spy on them, but to also use these victims to build their zombie network to millions and then use it to their benefit. This means that rootkits not only provides backdoor access to the attackers, but also gives them the full control of their victims and worst of all, it misleads the victims from detecting the compromise.

While anti-rootkit tools are continuously researching and developing different ways to detect, prevent or eradicate rootkits, rootkit developers come up with different solutions to evade detection, auto-update their rootkits and also come up with rootkits that run on different layers where detection and prevention is almost impossible. This is the truth and nothing but truth, and this is not intended to scare the common people about the current situation. Rootkit development and defense is a never ending war between the bad and the good.

Home users spend money for anti-virus tools [OR] client-side firewalls, HIDS or HIPS [OR] some even have basic firewalls at home depending on who they are and what they do. Some do not have any of the above, since public awareness is not high enough for them to realize that these aren’t added layers of protection, but these are just the minimal requirements to protect themselves from the bad guys. Our intention here is to help home-users defend rootkits, for free.

EvilFingers Arsenal




Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat4400
dwtf3516
KsiD3062
SHC2285

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets