RootKits Tool And Defend Against RootKits

Rootkits Tool

RootKits Tool And Defend Against RootKits – Rootkits are software programs designed to gain access to a computer without being detected. They are malware that helps attackers gain unauthorized access to a remote system.

HorsePill

Source: Horse Pill Tool

Horse Pill is a PoC of a ramdisk-based containerizing rootkit. It resides inside the initrd and, before the real init runs, places that init into a mount and PID namespace, which lets the rootkit run covert processes and keep covert storage. It can also run covert networking, such as DNS tunnels.

It has three important moving parts:

  • klibc-horsepill.patch
    • This is a patch to klibc, which provides run-init, the program that on modern Ubuntu systems runs the real init, systemd. The patch adds the rootkit functionality, producing a malicious run-init. This binary has a new section called DNSCMDLINE, which provides the command line options to dnscat, which is bundled within the patch.
  • horsepill_setopt
    • This script takes command line arguments and puts them into the section referred to above.
  • horsepill_infect
    • This takes, as a command line argument, the file to splat over run-init while ramdisks are assembled. It then calls update-initramfs and splats over run-init as the ramdisk is being assembled.

GreyFish Rootkit

Source: GreyFish Tool

GreyFish is a Windows kernel rootkit that runs inside the Windows operating system and provides effective mechanisms for hidden storage and malicious command execution while remaining invisible. It injects its malicious code into the boot record, which handles the launching of Windows at each step. It implements its own Virtual File System (VFS) to store the stolen data and its own auxiliary information. If the rootkit driver is run on a machine and that machine is then scanned with various anti-rootkits, no suspicious activity is reported. This means that by default the rootkit sets no hooks on Windows kernel functions, unlike other rootkits. The rootkit also does not register any callback functions.

GrayFish does not use Windows kernel mode to monitor system activity or to hide files on disk. At the same time, it contains code for patching Windows kernel functions; this code can be activated later.

Like other rootkits, GrayFish contains code for code/data injection into processes with the help of ZwOpenProcess/PsLookupProcessByProcessId/KeStackAttachProcess. While this rootkit works with user-mode memory during injection, it calls an interesting system function, MmSecureVirtualMemory. It receives all its instructions from a user-mode client.

Sirefef

Source : Sirefef Tool

The Sirefef malware (aka ZeroAccess) can take on many forms. It is considered a multi-component family of malware, which means that it can be implemented in a variety of ways, such as a rootkit, a virus or a Trojan horse.

It gives attackers full access to your system while using stealth techniques to hide its presence on the affected device. It hides itself by altering the internal processes of the operating system so that your antivirus and anti-spyware cannot detect it. It includes a sophisticated self-defense mechanism that terminates any security-related process that attempts to access it.

Sirefef is severe malware that can damage your computer in a variety of ways. Once installed, Sirefef can make lasting modifications to your computer's security settings and can be difficult to remove.

After installation in the system, it has the capability to do the following tasks:

  • Stops Windows Firewall
  • Stops Windows Defender Service
  • Contacts Remote hosts
  • Changes Internet Browser Settings
  • Creates a folder to store other malware.

Necurs

Source : Necurs Tool

Necurs is a kernel-mode driver component that an attacker can use to perform unauthorized actions and take control of an operating system without alerting the system's security mechanisms. Necurs contains backdoor functionality, allowing remote access to and control of the infected computer. It monitors and filters network activity and has been observed sending spam and installing rogue security software. It enables further compromise by providing the functionality to:

  • Download additional malware
  • Hide its components
  • Stop security applications from functioning

How To Defend Against Rootkits

A common feature of these rootkits is that the attacker requires administrator access to the target system. The initial attack that leads to this access is often noisy. Monitor for the excess network traffic that arises when a new exploit is used. It goes without saying that log analysis is part and parcel of risk management. The attacker may have shell scripts or tools that help cover their tracks, but there will surely be other telltale signs that can support proactive countermeasures, not just reactive ones.

A reactive countermeasure is to back up all critical data, excluding the binaries, and perform a fresh, clean installation from a trusted source. Code checksumming is a good defense against tools like rootkits: MD5sum.exe can fingerprint files and reveal integrity violations when changes occur. To defend against rootkits, use integrity-checking programs for critical system files.
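The integrity check described above, as an added example that is not part of the original post: it records a baseline of file digests (SHA-256 here rather than the MD5 the text names) and reports files that were modified, removed or added, using a constructed directory of stand-in "system files" in which one binary is overwritten the way HorsePill overwrites run-init.

```python
"""Baseline-and-verify file integrity check (added example, not the page's code)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(baseline: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Rescan root and report differences against the saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three stand-in files, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "sbin" / "run-init").write_bytes(b"original run-init\n")
        (root / "sbin" / "init").write_bytes(b"original init\n")
        (root / "etc-hosts").write_bytes(b"127.0.0.1 localhost\n")
        saved = json.dumps(build_baseline(root))  # keep this on trusted, offline media
        # Simulated compromise: one binary overwritten, one file deleted, one dropped.
        (root / "sbin" / "run-init").write_bytes(b"replaced run-init\n")
        (root / "etc-hosts").unlink()
        (root / "sbin" / "dnscat").write_bytes(b"new unexpected file\n")
        return verify(json.loads(saved), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be captured on a known-clean system and stored where the machine being checked cannot rewrite it, otherwise a rootkit with administrator access can simply re-baseline after modifying files.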

A few techniques adopted to defend against rootkits are:

  • Reinstall the OS/applications from a trusted source after backing up the critical data.
  • Keep well-documented, automated installation procedures.
  • Perform kernel memory dump analysis to determine the presence of rootkits.
  • Harden the workstation or server against the attack.
  • Educate staff not to download any files/programs from untrusted sources.
  • Install network and host-based firewalls and check for frequent updates.
  • Ensure the availability of trusted restoration media.
  • Update and patch operating systems and applications.

Anti-Rootkits

The following anti-rootkits can help you remove various types of malware, such as rootkits, viruses, Trojans and worms, from your system. You can download or purchase anti-rootkit software from the vendors' home sites and install it on your PC to get protection from malware, especially rootkits.

Stinger

Source : Stinger Tool

McAfee Stinger is a standalone utility used to detect and remove specific viruses. It helps administrators and users when dealing with an infected system. Stinger performs rootkit scanning and includes scan performance optimizations. It detects and removes threats listed under the "Threat List" option in the advanced menu of the Stinger application.
