Free PC Security: Rootkits, Malware and Registry Protection
September 8, 2009
A rootkit may consist of spyware and other programs that monitor traffic and keystrokes, compromise PC security, create a "backdoor" into the system for the attacker's use, alter log files, attack other machines on the network, and alter existing system tools to escape detection.
Rootkits are increasingly used by attackers, who deliver them alongside rogue programs as a "backdoor" download that lets them gain access to systems while avoiding detection.
A rootkit is essentially a small software program, or a combination of programs, which is designed to hide itself so that users are unaware that their system has been compromised. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of the operating system's mechanisms.
Once installed, a rootkit allows unauthorized users to maintain access as system administrators, allowing them to take and keep full control of the infected system.
Rootkits can be used to replace vital system executables, which are then used to hide processes and files the attacker has installed, along with the presence of the rootkit itself.
Frequently they are also Trojans, which fool users into believing that they are safe to run and that a simple antimalware program will remove the Trojan. In most cases the Trojan is indeed removed, but the rootkit itself remains in place.
Many rootkits hide files, processes, network connections or Windows Registry entries from the programs system administrators use to detect specially privileged access to system resources. They may also masquerade as, or be intertwined with, other files and programs, with the intent of turning the user's machine into a 'zombie computer' that becomes part of a 'bot network'. Such networks launch attacks and Denial of Service (DoS) floods against other domains, which makes the abuse appear to originate from the compromised system or network instead of from the attacker.
Apart from denial-of-service attack tools, other abuse tools that rootkits can hide include tools to relay chat sessions, distribute e-mail spam, capture the screen and log keystrokes, all of which can harvest your personal information.
Rootkits are normally used in conjunction with other malicious programs as a way of keeping them undetectable from the eyes of the user and antivirus scans.
More recently, malicious rogue programs have downloaded rootkits along with Trojans; the rootkits disable firewalls and security products such as antivirus and antimalware, and create new processes.
Users should become familiar with which processes normally run on their system, using either Task Manager or Process Explorer from Sysinternals, which gives more detailed information. Learn what is running on your system and regularly check Task Manager for unusual processes such as b.exe, temp.exe, load.exe, svchast.exe (note the 'a', so as not to confuse it with svchost.exe), servises.exe (misspelt), and processes whose names consist of strings of random numbers and letters.
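The process-name checks described above can be automated. The following script is an added example written for this post, not a tool from the post's author or from Sysinternals: it takes a list of (image name, full path) pairs such as Process Explorer would show, flags the names the post lists, catches one-character look-alikes of common Windows service names (svchast.exe for svchost.exe, servises.exe for services.exe), flags random-looking names, and additionally flags a genuine system process name running from somewhere other than its usual directory. The expected directories and the sample process list are assumptions constructed for the example; the look-alike and random-name rules are heuristics and will need tuning on a real machine.

```python
import ntpath

# Assumption (constructed for this example): the directory each of these names
# normally runs from on a default Windows install. Malware likes to imitate them.
LEGIT_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Names the post tells readers to watch for in Task Manager.
KNOWN_BAD_NAMES = {"b.exe", "temp.exe", "load.exe", "svchast.exe", "servises.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Heuristic for names like x7k2q9pz: long enough and mixing letters with digits."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 6 and digits >= 2 and letters >= 2


def suspicion_reason(name: str, path: str):
    """Return a short reason string if the process deserves a closer look, else None."""
    lname = name.lower()
    stem, _ = ntpath.splitext(lname)
    if lname in KNOWN_BAD_NAMES:
        return "name listed as suspicious"
    if lname in LEGIT_DIRS:
        actual_dir = ntpath.dirname(path.lower())
        if actual_dir != LEGIT_DIRS[lname]:
            return f"system process name running from unexpected directory {ntpath.dirname(path)}"
        return None
    for legit in LEGIT_DIRS:
        if edit_distance(lname, legit) == 1:
            return f"look-alike of {legit}"
    if looks_random(stem):
        return "random-looking name"
    return None


def audit(processes):
    """processes: iterable of (image name, full path). Returns [(name, path, reason), ...]."""
    findings = []
    for name, path in processes:
        reason = suspicion_reason(name, path)
        if reason:
            findings.append((name, path, reason))
    return findings


# Constructed sample process list (not captured from a real machine).
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
    ("svchast.exe", r"C:\Users\bob\AppData\Local\Temp\svchast.exe"),
    ("load.exe", r"C:\Users\bob\AppData\Local\Temp\load.exe"),
    ("lsasss.exe", r"C:\Windows\System32\lsasss.exe"),
    ("x7k2q9pz.exe", r"C:\ProgramData\x7k2q9pz.exe"),
    ("svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for name, path, reason in audit(SAMPLE_PROCESSES):
        print(f"{name:14} {reason}  ({path})")
```

On a live system the same `audit()` function can be fed the name and path columns exported from Process Explorer; the script deliberately reads no process list itself so that it runs anywhere.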
A useful tool is RegProt from DiamondCS. Simply download and install it; its resource use is virtually zero. The program monitors the Registry and alerts users to possible changes: whenever a key is added or changed, a popup gives users the option to accept the change by clicking 'Yes' or to deny it by clicking 'No', which deletes the key.
This is a real-time registry monitor which adds another level to PC security and intrusion detection, as it detects many Trojans which attempt to install themselves and modify user settings, and it's free.
Also use WinPatrol 2009, which monitors your system for program changes, new autostarts and more, allowing you to click 'No' to prevent the changes as well as to remove recent additions.
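To show what the RegProt and WinPatrol autostart monitoring amounts to underneath, here is an added example (not code from either product or from the post's author) that compares two exports of the Registry's Run keys and reports every value that was added, changed or removed, marking entries that point into user-writable locations. It reads a constructed snippet in `.reg` export syntax rather than the live registry, so it runs on any platform; on Windows the same text can be produced with `reg export` of the Run key. The key names, value names and paths in the samples are assumptions built for the example.

```python
import re

# Autostart keys worth watching: ...\CurrentVersion\Run and ...\RunOnce under HKLM or HKCU.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Heuristic: autostart entries launching from these locations deserve a closer look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax used here (string values only) into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data.replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


def diff_autostarts(baseline: dict, current: dict) -> list:
    """Return [(change, key, value_name, data), ...] for Run/RunOnce entries that differ."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        if not RUN_KEY.search(key):
            continue  # ignore keys that are not autostart locations
        old, new = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                events.append(("added", key, name, new[name]))
            elif name not in new:
                events.append(("removed", key, name, old[name]))
            elif old[name] != new[name]:
                events.append(("changed", key, name, new[name]))
    return events


def risky(data: str) -> bool:
    """True if the autostart command points into a typical user-writable directory."""
    d = data.lower()
    return any(s in d for s in SUSPICIOUS_DIRS)


# Constructed sample exports (assumption: not taken from a real machine).
BASELINE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"VMwareTray"="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Theme"="dark"
"""

CURRENT_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"VMwareTray"="C:\\ProgramData\\svchast.exe"
"Updater"="C:\\Users\\bob\\AppData\\Local\\Temp\\load.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Theme"="light"
"""


def report(baseline_text: str, current_text: str) -> list:
    """Human-readable lines, one per autostart change, with '!' on risky ones."""
    events = diff_autostarts(parse_reg_export(baseline_text), parse_reg_export(current_text))
    return [f"{'!' if risky(d) else ' '} {change:8} {key}\\{name} = {d}" for change, key, name, d in events]


if __name__ == "__main__":
    for line in report(BASELINE_REG, CURRENT_REG):
        print(line)
```

The non-autostart `Theme` change is ignored on purpose, which is the kind of noise filtering that makes a registry monitor usable; what RegProt adds over this snapshot comparison is doing it in real time and letting you veto the write before it lands.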
Download RegProt Free here:
http://www.softpedia.com/progDownload/DiamondCS-RegProt-Download-26350.html
This apparently works on all Windows OS, although I have not tried it on Vista as of yet.
There are free tools available to remove Rootkits:
* Avast! Antivirus has a built-in anti-rootkit scanner; users need to open the user interface and, from Settings, select Schedule Boot-Time Scan.
* Sophos Anti-Rootkit
* F-Secure BlackLight
* Radix
* GMER
Antirootkit.com has a selection of free rootkit removal tools but users need to scroll through and find those that apply to their Operating System.
Click here for a great list of other FREE Online Virus and Malware Scanners:
http://whatsonmypc.wordpress.com/2009/08/30/onlinescan/
Download Process Explorer here:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx