Rootkits?

fightingfi (2[H]4U), joined Oct 9, 2008, 3,231 messages
Are rootkits still used and/or abused and thrown onto people's PCs? I work with this guy who claims every PC he works on is infected with rootkits, 100's of them at a time. He stalls and lies to our customers, I feel, because he doesn't know WTF he's doing, and is lazy and not picking up his end of the work and blames other people; that's why he works slow, it's all the rootkits story. I thought antivirus software nowadays takes care of that stuff.
 
While they are common, they aren't THAT common; also, there are usually never 100's of them. The most I have seen is maybe 2 or 3 at the same time on the same machine. This guy sounds like he just doesn't know WTF he's talking about.
 
Funny enough, rootkits were a non-issue for me until recently. I worked on 3 PCs last week that were infected with rootkits, and the normal gamut of Malwarebytes + SuperAntiSpyware wasn't enough to clean them up. I had to download dedicated rootkit scanners/detectors, which sure enough did find the nasties and clean them up.

In summary, ThinkPoint is a SOB. If the rootkits weren't part of ThinkPoint, all of this is highly coincidental, as all of the PCs that SAS/MWB failed to clean were infected with ThinkPoint.
 
ThinkPoint is usually easy. Boot into a Linux environment, delete c:\users\*useraccount*\appdata\roaming\hotfix.exe, then reboot into safe mode and run through MBAM and ComboFix. Look in Task Scheduler for any randomly generated filenames too, to prevent reinfection.

Now that ComboFix works on x64 systems, my life is a lot easier :) That, and with TDSSKiller, nearly all rootkits are busted.
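The Task Scheduler check in the post above, as an added example (this is not the poster's procedure or tool, just a script written for this thread): it reads the CSV that `schtasks /query /v /fo CSV` produces and flags tasks whose name or executable looks machine-generated, or whose action lives under a user's AppData folder, as hotfix.exe does. The host name, task names and paths in the embedded sample are constructed for the example; only the column headers follow what schtasks emits. The "random name" test is a heuristic (few vowels, or letters and digits interleaved), not a signature.

```python
import csv
import io
import re

VOWELS = set("aeiouAEIOU")

# Constructed sample in the layout of `schtasks /query /v /fo CSV`, keeping only
# five of its columns. Assumption: host name, task names and paths are invented
# for this example; only the column headers follow what schtasks emits.
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Next Run Time","Status","Task To Run"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c"
"PC1","\\GoogleUpdateTaskMachineUA","N/A","Ready","C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /ua"
"PC1","\\qvx7kd2pmzr","N/A","Ready","C:\\Users\\victim\\AppData\\Roaming\\hotfix.exe"
"PC1","\\Adobe Flash Player Updater","N/A","Ready","C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerUpdateService.exe"
"PC1","\\Windows Update Check","N/A","Ready","C:\\Users\\victim\\AppData\\Roaming\\gjw0fvtq.exe"
"""


def looks_random(token):
    """Heuristic for machine-generated names: at least 8 alphanumerics and
    either almost no vowels (qvx7kd2pmzr) or letters and digits interleaved
    several times (a1b2c3d4). Human-chosen names fail both tests."""
    s = re.sub(r"[^A-Za-z0-9]", "", token)
    if len(s) < 8:
        return False
    letters = [c for c in s if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    switches = sum(1 for a, b in zip(s, s[1:]) if a.isalpha() != b.isalpha())
    return (bool(letters) and vowel_ratio < 0.2) or switches >= 3


def exe_basename(action):
    """Return the executable file name from a 'Task To Run' value such as
    'C:\\Program Files\\Foo\\foo.exe /arg' (spaces in the path are allowed)."""
    m = re.match(r'\s*"?(.+?\.exe)', action, re.IGNORECASE)
    path = m.group(1) if m else action.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def audit_schtasks(csv_text):
    """Return one finding per suspicious task: its name, its action and why."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        task, action = row["TaskName"], row["Task To Run"]
        reasons = []
        if looks_random(task.rsplit("\\", 1)[-1]):
            reasons.append("random-looking task name")
        stem = exe_basename(action).rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random-looking executable name")
        if "\\appdata\\" in action.lower():
            reasons.append("runs from the user profile (AppData)")
        if reasons:
            findings.append({"task": task, "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # On a live box: schtasks /query /v /fo CSV > tasks.csv, then feed that file in.
    for f in audit_schtasks(SAMPLE_SCHTASKS_CSV):
        print(f"{f['task']}\n    {f['action']}\n    -> {', '.join(f['reasons'])}")
```

Run it against the CSV exported from the infected machine (from safe mode or from the Linux boot environment, where the task XML files under the Windows Tasks folder can also be read directly). Anything it flags still needs a look by hand; the AppData test in particular will also catch legitimate per-user updaters.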
 
AV software works against malware that installs itself within the OS. A rootkit operates on a whole different level, by swallowing the OS whole and manipulating the OS to hide itself. Detecting and removing rootkits is beyond the purview of a standard AV, because anti-rootkit methods are best done from outside of the compromised OS.

Rootkits probably aren't common on Windows because it's difficult to write a good rootkit, and it's easy to make normal malware that gets tons of victims. Why do it the hard way when the easy way will get you more victims than you know what to do with?
 
Eh, the way rootkits work, if there are more than a few it may cause impossible conflicts. Dude may be stupid and think that rootkits and other types of trojans are the same thing.
 
> AV software works against malware that installs itself within the OS. A rootkit operates on a whole different level, by swallowing the OS whole and manipulating the OS to hide itself. Detecting and removing rootkits is beyond the purview of a standard AV, because anti-rootkit methods are best done from outside of the compromised OS.
>
> Rootkits probably aren't common on Windows because it's difficult to write a good rootkit, and it's easy to make normal malware that gets tons of victims. Why do it the hard way when the easy way will get you more victims than you know what to do with?

WTF are you talking about...

There are tons of rootkits that hide perfectly in memory in Windows.
 
I wouldn't say 100's of them at a time, but for the spyware/malware/virus computers that come into my office, we do ComboFix and MBAM. Roughly 1/2 contain a single rootkit, which ComboFix cleans up, and then MBAM cleans the other BS.

So yes, they are common. The newest (I think?) is the TDL4 rootkit, which has found its way onto 64-bit machines.
 
Do you fix home PCs or small office PCs?

You need to start looking at malware that steals track 2 data and other cool shit if you want to see some nice rootkits or targeted malware.
 
I actually run into quite a few rootkits at work. The ones that mess with the MBR are a real pain.
 
It's definitely out there...

If all you're doing is running Malwarebytes/ComboFix, maybe you should start spending some time learning how to analyze malware and actually understand how the box got popped.
 
> Are rootkits still used and/or abused and thrown onto people's PCs? I work with this guy who claims every PC he works on is infected with rootkits, 100's of them at a time.

Most of the rogues/fake alerts now are rootkits; for the past couple of years they've turned to this technology (TDSS) to infect systems, and it's gotten VERY widespread over the past year. They're getting to be a pain to clean, especially the MBR ones.

We clean a LOT of infected systems; I'd say over 3/4 of the systems that come in with a rogue infection are infected with a rootkit. However... I've never seen a system with 100's of rootkits on them... I don't believe I've seen a system with more than 5 rootkits on it, ever. Usually it's 1 to 3 rootkits.
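The MBR infections mentioned in the two posts above, as an added example (not code from either poster): a bootkit that lives in sector 0 keeps the partition table intact and only replaces the bootstrap code, so the practical check is to parse sector 0 into its fields and diff it against a baseline copy taken when the machine was known clean. Everything in the block is constructed: the boot-code stub, the single NTFS partition and the "patched" variant are invented sample data, and `read_sector0` is a hypothetical helper for pulling the real sector off a disk. The sector has to be read from outside the running OS (a Linux boot environment, as the earlier ThinkPoint post does), because an active bootkit can hand back the original sector to anything that asks from inside.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_END = 440               # bootstrap code: bytes 0..439
DISK_SIG = 440               # 4-byte disk signature, then 2 reserved bytes
PT_OFFSET = 446              # four 16-byte partition entries: bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511


def build_mbr(code, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a 512-byte MBR from bootstrap code and (boot_flag, type,
    first_lba, sector_count) tuples. Used here only to construct samples."""
    if len(code) > CODE_END:
        raise ValueError("bootstrap code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(code)] = code
    mbr[DISK_SIG:DISK_SIG + 4] = disk_sig
    for i, (boot, ptype, lba, sectors) in enumerate(partitions):
        # CHS fields carry the 0xFE 0xFF 0xFF "use LBA" marker.
        struct.pack_into("<B3sB3sII", mbr, PT_OFFSET + 16 * i,
                         boot, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Split sector 0 into the pieces worth comparing between two snapshots."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        boot, ptype, lba, sectors = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": boot == 0x80,
                               "type": ptype, "first_lba": lba, "sectors": sectors})
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(mbr[:CODE_END]).hexdigest(),
        "disk_signature": mbr[DISK_SIG:DISK_SIG + 4].hex(),
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """Findings that separate a bootkit-patched sector 0 from the baseline.
    Changed code with an untouched partition table is the classic pattern:
    the bootkit keeps the disk layout and only hijacks the boot path."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector 0 is not a valid MBR")
    if b["code_sha256"] != c["code_sha256"]:
        findings.append("bootstrap code changed: sha256 %s -> %s"
                        % (b["code_sha256"][:16], c["code_sha256"][:16]))
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_sector0(device):
    r"""Hypothetical helper: read sector 0 from a raw device or image, e.g.
    /dev/sda from a Linux boot CD or \\.\PhysicalDrive0 on Windows (admin)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed samples: a stub of conventional-looking boot code padded with NOPs,
# and the same sector with its first bytes overwritten by a jump (the kind of
# patch a bootkit makes) while the partition table is left exactly as it was.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c" + b"\x90" * 64
PATCHED_CODE = b"\xeb\x40" + CLEAN_CODE[2:]
PARTITIONS = [(0x80, 0x07, 2048, 204800)]      # one bootable NTFS partition
BASELINE_MBR = build_mbr(CLEAN_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(PATCHED_CODE, PARTITIONS)

if __name__ == "__main__":
    for line in compare_mbr(BASELINE_MBR, INFECTED_MBR) or ["no differences"]:
        print(line)
```

Without a per-machine baseline, the next best reference is the stock boot code that the OS writes (what a bootrec /fixmbr rewrite produces), so hashing that once per Windows version gives a small allow-list to compare `code_sha256` against. A sector whose code hash is unknown but whose partition table matches the live disk is exactly the case to hand to TDSSKiller or to an offline rewrite of the MBR.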
 
100's of rootkits sounds like the guy is full of it or does not know the difference between a rootkit and a virus.
The rootkits are out there and still a pain in the butt to deal with.
 
There are a lot of rootkits that you can identify by remotely looking at the active processes on the machine. I wrote this to help me identify rogue processes and stuff remotely on other machines. This is an example of what the output file looks like.
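The poster's own script and its output file are not on this page, so here is an added example of the technique the post describes (written for this thread, not the poster's code): a cross-view comparison of two process lists, one taken on the machine through the normal API (what tasklist or Task Manager shows, which a rootkit that hooks process enumeration can filter) and one taken by an independent path the hook does not cover (a remote query, a memory image, or probing PIDs one at a time). A process that only the second view contains is the candidate rootkit-hidden process. Both snapshots in the block are constructed sample data with invented PIDs and names; the tasklist CSV only borrows the real column layout.

```python
import csv
import io

# Constructed inside view: what `tasklist /fo CSV` reports on the box.
# Assumption: PIDs and names are invented; a rootkit hooking process
# enumeration has already dropped its own process from this list.
INSIDE_TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,204 K"
"csrss.exe","512","Services","0","3,560 K"
"svchost.exe","884","Services","0","12,040 K"
"explorer.exe","1704","Console","1","45,312 K"
"notepad.exe","2412","Console","1","6,100 K"
"""

# Constructed outside view: the same moment captured by a second, independent
# enumeration that the hook does not filter. Assumption: invented values.
OUTSIDE_VIEW = [
    (4, "System"),
    (512, "csrss.exe"),
    (884, "svchost.exe"),
    (1704, "explorer.exe"),
    (2936, "hotfix.exe"),
]


def parse_tasklist(csv_text):
    """tasklist CSV -> {pid: image name}."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def cross_view(inside, outside):
    """Compare two process snapshots and report what only one of them sees.

    hidden:   in the outside view only -> candidate rootkit-hidden process
    ghost:    in the inside view only  -> usually a process that exited between
              the two snapshots; noise unless it keeps recurring
    mismatch: same PID, different image name in the two views
    """
    outside = dict(outside)
    hidden = sorted((pid, name) for pid, name in outside.items() if pid not in inside)
    ghost = sorted((pid, name) for pid, name in inside.items() if pid not in outside)
    mismatch = sorted((pid, inside[pid], outside[pid])
                      for pid in inside.keys() & outside.keys()
                      if inside[pid].lower() != outside[pid].lower())
    return {"hidden": hidden, "ghost": ghost, "mismatch": mismatch}


if __name__ == "__main__":
    result = cross_view(parse_tasklist(INSIDE_TASKLIST_CSV), OUTSIDE_VIEW)
    for kind, items in result.items():
        for item in items:
            print(f"{kind:8} {item}")
```

The value of the comparison depends entirely on the second view coming from a code path the rootkit does not control: a remote listing only helps when the rootkit hooks the local enumeration API and not the kernel structures the remote query reads, which is why a memory image or an offline boot remains the stronger reference. Take the two snapshots as close together as possible, otherwise short-lived processes show up as ghosts.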
 