RootKit Revealer?


ninjaman001
08-31-2007, 03:27 PM
I am a hardware tech on the job, but I have learned to troubleshoot software and OS issues over the years. I am getting pretty good at removing spyware/malware thanks to sites like Spyware Warrior, Spyware Info, etc. I read a lot of the HijackThis threads to learn how to remove "nasties" and such. Now I'm curious about rootkits and how they work. Can anyone give me a "brief" summary as to how you would use Rootkit Revealer in a real-world situation? :confused:

thecoldone06
08-31-2007, 03:36 PM
Rootkits basically give an attacker admin rights to the system. They can do anything they want with that rootkit. The kit gives them a back door, if you will, to the system. Most rootkits are hidden and are not shown in the running processes list, so a rootkit revealer searches the system for any and removes them.

ninjaman001
08-31-2007, 03:44 PM
Thanks, Coldone.

So would you consider this a part of your normal thing to run on a malware infected box? I usually run the anti-virus, anti-spyware, anti-trojan apps; should I add this to a basic clean scenario?

greggh
08-31-2007, 04:01 PM
Rootkits have one goal: to hide the malware they are designed or configured to hide.

You install a rootkit, then your malware, and nothing on that Windows computer can see the malware. That's the goal, anyway. There are many good rootkit-finding tools. Rootkit Revealer is a good one. I find rootkits on many boxes that look perfectly clean. So it's always good to run them.

thecoldone06
08-31-2007, 05:04 PM
Rootkits have one goal: to hide the malware they are designed or configured to hide.

You install a rootkit, then your malware, and nothing on that Windows computer can see the malware. That's the goal, anyway. There are many good rootkit-finding tools. Rootkit Revealer is a good one. I find rootkits on many boxes that look perfectly clean. So it's always good to run them.

What Greg said.

gunslinger
08-31-2007, 08:10 PM
There are some pretty good rootkit finders out there, such as this one: http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Bryce W
09-02-2007, 05:35 AM
AVG has a free one:
http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0

breadtrk
09-02-2007, 12:26 PM
I probably shouldn't unload this one on a novice but this is about the most complete rootkit tool I have ever used. Be sure to read the documentation.

http://www.gmer.net/index.php

breadtrk
09-02-2007, 12:30 PM
A couple more I had in the stash. Most times rootkit tools are not simple click-your-way-through-it deals. You have to know what you are doing or you will be reinstalling your OS. I can't stress enough to READ the documentation that comes with them.

http://www.rootkit.com/newsread.php?newsid=474

http://www.trendmicro.com/download/rbuster.asp

http://vil.nai.com/vil/stinger/rkstinger.aspx

rurbaniak
11-18-2008, 02:34 PM
I am a hardware tech on the job, but I have learned to troubleshoot software and OS issues over the years. I am getting pretty good at removing spyware/malware thanks to sites like Spyware Warrior, Spyware Info, etc. I read a lot of the HijackThis threads to learn how to remove "nasties" and such. Now I'm curious about rootkits and how they work. Can anyone give me a "brief" summary as to how you would use Rootkit Revealer in a real-world situation? :confused:

I know this is an old thread, but we have a customer who was actively being hacked, with the attacker trying to obtain the SA password for the SQL database. Luckily, it doesn't look like they got to it. But they somehow got around the hardware firewall in place. Anyway, this is a perfect example of a time to run Rootkit Revealer. The hacker already got in, so they possibly left something that normal antivirus/spyware/malware scanners are not going to pick up.

rurbaniak
11-18-2008, 03:06 PM
I'd wager it was end-user error that allowed them to get in, unless they're running a public web server, or PHP/ASP/JavaScript-based sites, or any other public-facing servers?

No public web server; the only port open on the firewall was RDP, and that was only to our office. I don't remember the exact model of firewall they are running, but it's a ZyWALL. Another company set up their network, and the ZyWALL was in place already. We secured the ZyWALL when we took over, so there must be an exploit of some sort that allowed the hacker in.