Rootkits for Dummies

Rootkits for Dummies......Page 1
Table of Contents......Page 14
About This Book......Page 22
Things You Should Know......Page 23
How This Book Is Organized......Page 24
Part III: Giving Rootkits the Recognition They Deserve......Page 25
Icons Used in This Book......Page 26
Where to Go from Here......Page 27
Part I: Getting to the Root of Rootkits......Page 28
Some Common Questions (and Answers) about Malware......Page 30
Knowing the Types of Malware......Page 31
Trojans......Page 32
Backdoors......Page 33
Spyware (and malicious adware)......Page 34
The Many Aims of Malware......Page 37
A Bit of Rootkit Lore......Page 40
New Technologies, New Dangers......Page 42
Why do rootkits exist?......Page 43
The Three Rs of Survivable Systems......Page 46
Hackers may not be smarter than you......Page 47
Steps to a Better Security Posture......Page 48
Practicing Recognition......Page 51
Spotting signs of malware......Page 52
Planning for Recovery......Page 54
Part II: Resistance Is NOT Futile......Page 56
Before Doing Anything. . .......Page 58
Using System Restore......Page 59
Backing up your Registry......Page 63
Backing up your stuff with Windows Backup......Page 65
Cleaning Your Windows to Improve Security......Page 67
Everything and the kitchen sink: Loading only what you need at startup......Page 68
Removing unused programs......Page 71
Using the Windows Disk Cleanup Utility......Page 72
Defragmenting your hard drive......Page 74
Using Registry cleaners......Page 78
Disabling AutoRun......Page 79
Turning off AutoPlay on all external drives and devices......Page 80
Scanning boot sectors before using external media......Page 81
Good Practices Are a Good Start......Page 82
Choosing your contacts carefully......Page 83
Surfing safely......Page 84
Developing strong passwords......Page 90
Establishing limited-access user accounts......Page 91
Using a HOSTS file......Page 93
Saying no to Java, JavaScript, and ActiveX......Page 94
Adding sites to your Trusted zone......Page 97
Using the New Internet Explorer 7......Page 98
Surfing with Firefox instead......Page 101
Staying ahead of the game with SiteAdvisor......Page 102
Must-Have Protections Online......Page 103
Firewall first......Page 104
Scanners Next......Page 116
Patching and Updating Your System and Software......Page 122
Preventing Rootkits by Patching Your Clothes......Page 123
Patching, updating, and Service Packing......Page 124
Looking at why you need updates......Page 125
Taking advantage of Automatic Updates......Page 126
Guide to Windows Update and Microsoft Update......Page 127
Ways to patch or update your applications......Page 134
Patching and updating shared computers in heavy use......Page 135
Knowing When You Need a New Computer......Page 136
Blurring the Lines of Network Security......Page 138
A Checklist for Improving Security......Page 139
Learning to Love Auditing......Page 140
Enabling security auditing......Page 141
Editing policies and configuring security......Page 147
Testing your system against a security template......Page 148
Customizing a security template for a network......Page 156
Preventing Attacks by Limiting Access......Page 160
Using limited-access user accounts......Page 161
Limiting access on networks......Page 162
Making a business security plan......Page 164
Fooling Rootkits with Virtual Operating Systems......Page 165
Planning Your Defense Against Rootkits......Page 166
Establishing a baseline......Page 167
Preparing Recovery Discs......Page 168
Part III: Giving Rootkits the Recognition They Deserve......Page 170
Discovering How Rootkits Hide and Survive......Page 172
Keys to the Kingdom: Privileges......Page 174
Knowing the Types of Rootkits......Page 175
User-mode versus kernel-mode rootkits......Page 176
Hooking to Hide......Page 178
How hooking works......Page 179
Knowing the types of hooks......Page 180
DLLs and the rootkits that love them......Page 181
Privileged hooks......Page 187
Direct kernel-object manipulation......Page 192
Trojanized utilities......Page 195
Hiding processes by doctoring the PspCidTable......Page 196
Hooking the virtual memory manager......Page 197
Virtual-machine-based rootkits......Page 198
Watching Your Network for Signs of Rootkits......Page 200
Watching logs for clues......Page 201
Defending your ports......Page 204
Catching rootkits phoning home......Page 213
Examining the firewall......Page 214
Trusting Sniffers and Firewalls to See What Windows Can’t......Page 220
Using sniffers to catch hackers at their own game......Page 221
Testing to see whether your NIC is in promiscuous mode......Page 222
Sniffers you can use......Page 223
Accessing Event Viewer......Page 227
Making some necessary tweaks to streamline logging......Page 228
Inspecting event logs with Windows Event Viewer......Page 231
Upgrading to Event Log Explorer......Page 238
Trying MonitorWare......Page 240
Checking Your System Resources......Page 243
Matching activity and bandwidth......Page 244
Examining active processes......Page 245
Monitoring CPU cycles......Page 249
Dealing with a Lying, Cheating Operating System......Page 252
Rooting Out Rootkits......Page 253
Cleaning a network......Page 254
Scanning Your OS from an External Medium......Page 255
Microsoft WinPE......Page 256
Non-Microsoft bootable CDs......Page 257
File-System Comparison from Full Boot to Safe Mode......Page 259
Verifying files with FileAlyzer......Page 261
Verifying file integrity with other utilities......Page 264
Rootkit-Detection Tools......Page 265
Autoruns: Aiding and abetting rootkit detection......Page 267
Rootkit Revealer......Page 268
F-Secure BlackLight Beta......Page 272
IceSword......Page 274
UnHackMe......Page 281
Malicious Software Removal Tool......Page 282
AntiHookExec......Page 283
VICE......Page 290
System Virginity Verifier (SVV)......Page 291
Strider GhostBuster......Page 294
Rootkitty......Page 295
RAIDE......Page 296
DarkSpy......Page 297
GMER......Page 304
Types of keyloggers......Page 310
Detecting keyloggers with IceSword......Page 311
Detecting keyloggers with Process Explorer......Page 312
Tracking a RAT: Using Port Explorer to trace Netbus 1.60......Page 314
Part IV: Readying for Recovery......Page 322
Deciding What to Do if You’re Infected......Page 324
Knowing when to give up and start from scratch......Page 326
Do you want to track down the rootkit-er, or just recover?......Page 328
Taking measured action......Page 329
Saving evidence to reduce your liability......Page 331
Preparing for Recovery......Page 339
Cutting off network connection before cleaning out the rootkit......Page 340
Planning your first reboot after compromise......Page 341
Don’t Trust System Restore After Rootkit Compromise......Page 344
When a Simple Format and Reinstall Won’t Work......Page 346
Erasing Your Hard Drive and Installing the Operating System......Page 348
What you need before you begin this procedure......Page 349
Erasing, partitioning, and formatting......Page 350
Installing Windows XP......Page 352
After you install . . .......Page 354
Part V: The Part of Tens......Page 356
Ten (Plus One) Rootkits and Their Behaviors......Page 358
HackerDefender......Page 359
Elite Toolbar......Page 360
Apropos Rootkit......Page 361
FU — the Malware That’s Also an Insult......Page 362
MyFip......Page 363
FanBot......Page 364
Ten (Plus Two) Security Sites That Can Help You......Page 368
Bleeping Computer......Page 369
CastleCops Security Professionals......Page 370
Geeks to Go......Page 371
Malware Removal......Page 372
SpywareInfo......Page 373
Tech Support Guy Forum......Page 374
Tom Coyote Security Forum......Page 375
System Requirements......Page 376
Installing the DART CD applications......Page 377
What You’ll Find on the DART CD......Page 378
Anti-malware utilities and scanners......Page 379
Backup and imaging applications......Page 380
System-analysis programs......Page 381
Rootkit-detection-and-removal applications......Page 382
Downloading tools for compromised hard drives......Page 383
Index......Page 386
Bonus Chapter 1 - Ten (Plus Three) Malware Utilities and Scanners......Page 402
Bonus Chapter 2 - Ten (Plus Four) More Utilities......Page 414