rootkit and keylogging defense


How can I defend or discover if a "rootkit" has been installed on a Windows
x64 system?

Is there any software that can validate the startup and core operating
system files in general? The online update process does not appear to do
enough system analysis, even if one is willing to wait a few hours while a
system check is being run. I am looking for an answer other than following a
system backup policy.

Are there any suggestions for how to monitor "keylogging" software? The
Wall Street Journal reported this kind of software is becoming common in
South America. How can one produce a minimum-sized evidence trail to record
such network intrusions?

Thanks.
 
I believe the correct answer is that, for Windows or any other OS,
your desired solution is not attainable. It is the nature of rootkit use
that it masks "true" views of the system and shows only what it wants.
If someone could answer you today, then tomorrow there may be
a variant of a rootkit that invalidates today's answer. If you use
method A to review reg keys, or files on disk, or memory structures,
or processes, etc., then method A must not be using methods that
are vulnerable to alteration by the rootkit masked code. About the
only guaranteed way to get past this impasse is an offline, static
analysis of the filesystem and reg, etc. that persists in the shutdown
state, since the running state, or rather one's view of it, is at least
potentially tainted.
 
SeaFire said:
How can I defend or discover if a "rootkit" has been installed on a Windows
x64 system?

Is there any software that can validate the startup and core operating
system files in general? The online update process does not appear to do
enough system analysis, even if one is willing to wait a few hours while a
system check is being run. I am looking for an answer other than following a
system backup policy.

You can't *reliably* detect such a compromise without some up
front work. You basically have to fingerprint the system and
then compare the fingerprint at intervals using a trusted
procedure.

Microsoft offers a tool that offers some of this capability in
a raw way:
http://support.microsoft.com/kb/841290/

For more sophisticated solutions, do a google search on
"file integrity"+security+windows

Of course, there are lots of anti-virus, anti-rootkit, anti-spyware,
anti-trojan, ad nauseam software out there that can detect some
stuff, particularly if run against an offline disk. And you might
get lucky by inspecting running processes.

Then again, you might not. :)

SeaFire said:
Are there any suggestions for how to monitor "keylogging" software? The
Wall Street Journal reported this kind of software is becoming common in
South America. How can one produce a minimum-sized evidence trail to record
such network intrusions?


Same answer as above.

In both cases, operating the computer using a non-administrator
account will prevent a rootkit and *most* other malware from
installing and hiding itself, assuming it doesn't also exploit
a privilege escalation defect.
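The "fingerprint the system, then compare at intervals" procedure from the reply above, as an added example that is not code from the thread or from the Microsoft tool it links. It records a SHA-256, size and mtime for every regular file under a directory, saves that as a JSON baseline, and later reports files that were added, removed or changed. Names such as `fingerprint`, `compare` and the sample tree in `demo()` are this example's own constructions. Two assumptions follow from the first reply's point about tainted views: the baseline is kept off the monitored host, and the comparison is run from a trusted environment (for instance the disk mounted offline from known-good boot media), since a live rootkit can alter what the running OS reports.

```python
"""
File-integrity baseline and comparison ("fingerprint, then compare").
Added example, not a tool from the thread or from Microsoft.
Assumption: the baseline JSON lives off the monitored host and the
compare step runs from a trusted environment, because a running rootkit
can filter what the live OS reports about files, hashes and timestamps.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash file contents in chunks so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(root) -> dict:
    """Walk `root` and record hash, size and mtime for every regular file,
    keyed by path relative to `root` with POSIX separators so a baseline
    taken from one mount point compares cleanly against another."""
    rootp = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(rootp):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links, devices and other special files
            st = p.stat()
            entries[p.relative_to(rootp).as_posix()] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline.
    The hash is compared regardless of size/mtime, because an attacker
    can preserve both a file's length and its timestamp."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["size"] != current[p]["size"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(fp: dict, out_path) -> None:
    """Write the baseline as sorted JSON; store this copy off the host."""
    with open(out_path, "w") as f:
        json.dump(fp, f, indent=1, sort_keys=True)


def load_baseline(path) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter one file
    (same length, so size alone would miss it), add a new driver-like
    file, delete another, and report the differences."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "system"
        (root / "drivers").mkdir(parents=True)
        (root / "drivers" / "disk.sys").write_bytes(b"original driver bytes")
        (root / "kernel.bin").write_bytes(b"kernel image")
        (root / "stale.dll").write_bytes(b"about to be removed")

        baseline_file = Path(d) / "baseline.json"
        save_baseline(fingerprint(root), baseline_file)

        # Simulated tampering after the baseline was taken (constructed).
        (root / "drivers" / "disk.sys").write_bytes(b"patched  driver bytes")
        (root / "drivers" / "hook.sys").write_bytes(b"unexpected new driver")
        (root / "stale.dll").unlink()

        return compare(load_baseline(baseline_file), fingerprint(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline would be taken right after a clean install or a trusted rebuild, and the comparison run against the Windows and driver directories with the disk mounted read-only from another system; anything in `changed` or `added` that does not correspond to a known update then needs an explanation.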
 