Deeply Hidden, and Heavily Protected, Malware

Some malware, besides making it impossible for you to interrupt its processes, will make it impossible for you to even locate on your computer. This is called rootkit protection.

Any program that lists (“enumerates”) objects on your computer, for instance,

each of these programs depends upon system functions to tell it what is on your computer. None of these programs gets its list straight from system inventories, they ask system functions for a copy of those lists. Why is this relevant? Because, like any copy, things can be omitted when copying.

If your computer is infected by malware that’s using rootkit protection, the system functions that enumerate processes and services, or those that enumerate files and folders, may have been customised. When Process Explorer asks for a list of processes, or Windows Explorer asks for a list of folders in storage, the list returned by the system may be filtered by the rootkit function.

Knowing what folders and processes are related to the protected malware, the rootkit function will simply not list those items. If “C:\Malware” contains the program library for the malware that has infected your computer, “C:\Malware” simply won’t be listed by Windows Explorer. You can’t delete what you can’t see.

That’s the bad news. Now the good news.

Any file, folder, process, or service, that isn’t enumerated by a system function, is quite likely malware. There are several special programs, distributed by security experts, that enumerate system objects by bypassing the rootkit functions. They compare the results with a normal enumeration, calling the standard (and possibly rootkitted) system functions. If there are objects in the former list, that are not in the latter list, those objects are quite possibly rootkit protected malware.

Two of these special programs are

That’s the good news. Now for the bad news, again. Many experts believe, that if Blacklight, RootkitRevealer, or a similar program, identify unknown system objects, your computer is probably compromised beyond reliablity. In this case, the only option is to nuke and pave.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: