Laplink Security Center

Rootkit detection

Did PCdefense detect a possible rootkit on your machine? This page explains what these messages mean.

What is a rootkit?

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.

A rootkit may consist of spyware and other programs that monitor traffic and keystrokes. Rootkits hide themselves and other software like keyloggers and remailers in order to intercept and redirect data from your computer, keyboard or network connections without your knowledge. Gaining access through vulnerabilities in your PC such as open ports or Windows security flaws, rootkits and the associated software can record sensitive information and send it to outside parties with the intent of stealing your identity or misusing your data.

Rootkits are hidden from conventional detection; they can't be found by looking in file listings or in the registry. Standard antivirus and anti-spyware software can't detect rootkits, much less remove them.

Rootkits in the news

This category of malware recently spurred public interest when Sony embedded a rootkit in their digital rights management processes, placing the rootkit on to Windows desktops during installation.

For more information on rootkits, please visit:

PCdefense and Rootkit Detection

PCdefense identifies rootkits by their behavior rather than by signatures. As with other detection methods, PCdefense may produce some false-positive results, because both legitimate and illegitimate rootkits hide processes and data from you. PCdefense rootkit detection lets you take the right measures, and provides informational messages regarding the probable nature of the detection.

If you detect a rootkit, check whether Microsoft has a particular fix and removal tool for it. Please visit:

Many rootkits have no easy fix available. For these, the only safe, sure way to get rid of a rootkit is to clean your PC by formatting your hard disk and performing a clean install of the OS, all applications and your data. PCdefense offers you a unique and easy way to recover your PC from rootkit infections.

The Disaster Recovery function in PCdefense allows you to create a full image of your applications, settings and data, even after a rootkit is detected, as the Disaster Recovery image will not include rootkits. As this process includes formatting drives and reinstalling your operating system, it is important to follow the steps outlined in the PCdefense User Guide carefully. See the Rootkit Detection section of the PCdefense User Guide for more information.

PCdefense rootkit messages

ZwConnectPort

The rootkit detector may report the following message: "Driver Interception found. ZwConnectPort(31) by No Process Name."

This interception is made when some of the Norton Security products are installed and should not be considered a rootkit.

Process Explorer by Sysinternals

After running Process Explorer by Sysinternals, the rootkit scan will report "Hidden or Missing Driver found" for:

C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

This driver is a legitimate part of Sysinternals' Process Explorer product and should not be considered a rootkit.

Sony’s digital rights protection

After installing an audio CD containing Sony's digital rights protection, the rootkit scan will report a hidden process:

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

and a suspicious file:

C:\WINDOWS\system32\drivers\$sys$cor.sys

These files are known issues and may cause problems on some users' systems. You should contact Sony or your PC manufacturer for instructions on how to update or remove this software.

    © 2011 Laplink Software