Wirehead Studios

http://www.foxnews.com/story/0,2933,178282,00.html (http://www.foxnews.com/story/0,2933,178282,00.html)

If you don't know what a rootkit (http://en.wikipedia.org/wiki/Rootkit) is, you should.  Imagine someone in your home, spying on you, possibly telling someone else everything you do, doing whatever they want, yet that person is completely invisible to you.  You cannot see, hear, touch, or smell them.  That's the equivalent of how a rootkit behaves on your computer.  A rootkit is the mechanism by which some spyware, viruses, etc, can hide on your system without you being able to see them at all.  They do this by sitting between the operating system and the user, telling the OS not to show certain files, processes, or system hooks to the user.  They hide from anti-spyware applications in the same way.  If you have them, you will NOT know they are there unless they exhibit some kind of behavior (like popping windows up).  The nasty kind sit there in the background and silently lift passwords, bank account numbers, etc, for transmission to foreign servers (part of the reason Phoenix will never, ever use online banking services).  It used to be that hackers, phishers, and other cyber-thieves were the primary users of rootkits.  Now adware spammers are using them with increasing frequency.  Even Sony/BMG got busted using a rootkit in a music CD copy protection scheme that actually resulted in several computers getting hacked since their wonderful, unannounced, poorly written, self-installing rootkit made the systems extremely vulnerable to the hackers.  They got sued for it too.

So what can you do to avoid getting a rootkit?  The "obvious" stuff, but my definition of obvious differs from some people's so here's my tips:

1)  Ditch Internet Explorer.  Use Mozilla or Firefox.  Think of Internet Explorer as the "Windows Update Interface" and only use it for that.

2)  Install the "Adblock" and "Noscript" plugins for Firefox.  Set up some good filters for Adblock, and 99% of the internet's annoyances go away.  Noscript kicks ass, it prevents javascript from running on pages unless you allow them, and it has a lot of control so you can enable it on sites you want.  No java script, no flash, no infection.  Very easy to use.  Phoenix loves it because Phoenix distrusts javascript.

3)  Don't open or forward "chainletter" emails.

4)  Don't open suspicious emails.  This includes from people you know and trust.  They may not have an infection, but someone they've emailed might, and the virus/worm can be sending out emails with forged headers from this third party to any email address on the person's machine.  It'll look like it came from someone you know, but the actual origin was someone you've never ever emailed.  I've seen this happen a lot.  I actually got several this week from Planetquake that got scrubbed on the way in. -_-

5)  For God's sake, don't accept ANY "free" stuff tacked onto an email, especially if "Person you know recommends item whatever".  Most of the crap I've cleaned off computers is from people downloading their "free smileys" and other stuff of that nature.  You want free stuff?  Watch where you go and what you get.  The more enticing it looks, the more likely it's spiked with spyware/adware.

6)  Use a GOOD antivirus program, like Symantec Corporate.  Avoid McAfee and watch the freeware ones.  I don't care what anyone else says, I've been using Norton's antivirus products for a long time, and to date I have had zero active virus infections on any of my PC's.  I've seen what viruses have done to people using other stuff, including an active trojan infection that McAfee just sat there like a dumbass and wouldn't do anything about since it couldn't pick it up.  Uninstalling McAfee and installing Norton resulted in an instant detection and removal.  Symantec's program is just better.  Trust the bird on this one, his record is flawless.

7)  Filesharing:  Bad idea.  Public access FTP on your computer:  Bad idea.  Lots of infections result from this sort of thing.  Don't share files with people you don't know, and scan any files you get immediately, even if you know the person.  They might not be as cautious as you are.

8)  Cracks/Warez:  To be avoided.  Besides being illegal, you know a lot of it is spiked with trojans.  If you don't, well, you do now.  I always advocate purchasing products legally whenever possible. :)

9)  Porn.  No moral high-horse here, I look at bird porn and enjoy it as much as you humans enjoy porn of your own nature.  Porn sites are also a nasty source of (digital) infections.  They're a dime a dozen, often set up by some dolt who wants a quick buck and knows nothing about security, so guess where Joe Script Kiddie is going to try out his happy hacker skills and upload a trojan?  Do what you want, but watch where you go on the net.

10)  Got broadband?  Use a router.  Hardware firewall > all.  Even if you're the only PC on your net connection, it's worth it.  Sure, your ISP offers antivirus and anti-spyware protection, etc, but that cannot stop a port scan.  A friend of mine tried setting up Windows 2000 on a machine without a router, and got the Code Red worm before she could even run a Windows Update to patch against it.  A good router blocks damned near everything.  I'm using a D-Link DI-604.  I absolutely love it.  It has all the control a power user wants, yet is simple enough out of the box that if you just want to "plug it in and go on the net" you can and still be secure.  I'm not too thrilled with LinkSys since Cisco bought them.  Their port forwarding doesn't work right on their BEFSR41v3 model, yet it worked right on the v2's.  They're OK for just web surfing, but if you want to run a Quake server behind one and have it public or do anything else complicated, forget it.  Go with the D-Link and learn how to program the ports if you need to run a server.

As for how to get rid of a rootkit, that's trickier.  You need a program that is specifically designed to remove them.  I've not really had to deal with active rootkit infections, but I do use a tool called Rootkit Revealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html) to look for them.  You have to know your way around the system to really use something like this, so if you're not into "techie" stuff the best defense is to avoid getting one in the first place.  Being aware that they exist, what they can do, and how they get on your machine is the first step to that.  Hope this information comes in handy.

Also try www.symantec.com they have a few tools to remove the rootkit from your PC.

Has anyone in th UK had a Rootkit infection ?

In response to 9) - I suggest you get DVDRips if you can't do without. Not only is that the way to get at least somewhat classy stuff (as opposed to denigrating and mindless crap), it also removes the 'need' for installing all sorts of dialers and 'tools'.

In addition to Pho's recommendation to not use IE, which I hasten to agree with, let me say that it is a bad idea ™ to use Outlook (Express), too. No matter what kind of protection MS hopes to cook up, the software will be an exploit waiting to happen. Try using Eudora, TheBat! or Mozilla's email software, which are all safer and much less of a target in the first place.

I agree Symantec Client Security is the best, its far better than their norton product versions.

I use firefox and opera, i assume opera is just as safe too though

Use two anti spywares, ad-aware and spybot search and destroy if you want to be even further cautious.

I've been using Norton SystemWorks 2004 since August of that year, and I love everything it comes with to this day. I'm happy I listened to Phoenix on that one.

The only thing I'm curious about -- if someone were to have a rootkit on their system, where might they find information on how to get rid of it? Or would they be better off taking it somewhere and having a "professional" do the job?

You don't need a professional to do a complete reinstallation of your system, so that's always a decent way out ;]

Bah, I never reinstall unless a system is fragged beyond repair.  You can remove rootkits.  The easiest way is to slave the affected drive to a clean drive, run the rootkit removal tool, and kill all the rootkit files off the system.  Then (with the system un-networked from the internet) boot off the affected drive into safe mode.  Run the tool again and clean up the registry and anything else it finds.  Run your spyware and antivirus tools at that point and sweep up anything that might have been masked from these utilities when the rootkit was operational.

What I really wish they would do is write these blasted utilities to work on an offline system registry.  It's so much easier to fix things if you don't have to run them on the drive you're booted on that's causing the problem in the first place.

As well as all the above, I also use EWIDO.

This little prog picked up spyware that nothing else did for me.

anybody else who uses it let me know what you think.

later.... can you suggest a simple anti-rootkit tool Pho? or is rootkit revealer the best?

(I also use winpatrol)

am I paranoid? who cares. do I look bovvered?

What is this please Pho?

revealer says its on my system!

Embedded nulls are registry keys that are visible and readable to the OS kernel, but partially hidden from the user.  Tools like Regedit (and just about every off the shelf registry tool) can't properly read nor modify them.  They can be put there either by rootkits or "trial" programs that have cleverly hidden settings with them in order to prevent users circumventing the trial period, etc.  They can also be caused by a botched program uninstall, or even be the result of a bad write to the registry or a damaged registry file, in which case the read string will contain garbage when interpreted by the system which can cause the system to halt or error if it tries to read from the key.

Embedded nulls are a pain because you can't delete them using the normal methods.  This makes them very difficult to get rid of.  There is, however, a utility to remove them. (http://www.sysinternals.com/Utilities/RegDelNull.html)  It should tell you what the null says, and let you remove it.  You'll have to know which part of the hive it's in, so look at the readout from Rootkit Revealer.  Here's the hive key abreviations:

HKEY_CLASSES_ROOT - hccr
HKEY_LOCAL_MACHINE - hklm
HKEY_CURRENT_USER - hkcu
HKEY_USERS - hku
HKEY_CURRENT_CONFIG - hkcc

Unzip the utility to a folder.  I'll call it "registry_fix" for demonstration purposes.
Click "Start", then "Run", then type "cmd".

Assuming you unzipped to c:/registry_fix, type the following.  Press "enter" after each line.

c:
cd /registry_fix
regdelnull hklm -s

Replace the "/" key with the "backslash" in the above.  For some reason the forums remove backslashes so I had to substitute it.  Follow the prompts after typing the above.  Type "exit" when you're done.  Run Rootkit Revealer again.  The embedded null key should be gone.

another thing to do is click start menu, goto run and type msconfig(xp only?) and then goto startup and see if anything looks suspicious there or if its some silly things like instant messenger you can disable them from loading at startup anyways, and check your services but click box to hide all ms services.

Thanks, I'll tyr this when I get home.

This looks intresting too.

http://www.pcsupportadvisor.com/rootkits.htm (http://www.pcsupportadvisor.com/rootkits.htm)

http://www.sysinternals.com/SecurityUtilities.html (http://www.sysinternals.com/SecurityUtilities.html)
sysinternals > *

Well I tried regdelnul but all I got was a black 'dos' window that opened for around 1/10 of a second, then disappeared. tried it a few times with the same result. then I tried compatability mode, and got the same.

XP pro, gig of ram, ati 9800 pro, Q1, Q3,UT,UT2004, Q4, HL1.

That's because you did not follow my instructions.  It is a command-line program, you can't double-click it and use it like a Windows ap.  You have to open a command window and type in what I said, otherwise Windows will do exactly what you said - open a command window, run the program for a fraction of a second (which will do nothing because it needs arguments to know what to do) and immediately close the window once the program is finished executing.  Follow my instructions and it will work, trust me.

And if you're trying to be clever and use a batch file to script my instructions, you need to put a "pause" statement at the end to keep windows from immediately terminating the command window on completion.

Here`s a batch file if anyone`s having trouble. Put it in the same dir as Regdenull.exe.

My mistake was to exspect the 'start' you mentioned to be in the right-click menu! with 'open', 'run as' etc.

Anyway, alls well that ends well.

thanks lads.