Rootkit ramblings


Given the media furore these days, you’d think that aside from porn there was nothing but phishing, scams, viruses, trojans, worms and malware on the Interweb. Actually, there’s something far worse than these amateurish exploits.

As most people probably know by now, I don’t run any sort of virus scanner, malware detection or personal firewall on any of my machines at home. I prefer to have my processor power do something I want and leave the inbound firewall to filter out most of the crap. Anything else is my own fault.

That said, it doesn’t mean I don’t have tools at hand to deal with the odd intrusion if it ever comes to it. Stock tools in my USB stick arsenal include MalwareBytes Anti-Malware (for running an ad-hoc sweep maybe once a year), a BHO viewer, various tiny killer scripts from fabulously talented folk out there in case something is more persistent than I can manage with regedit / service manager, and of course some staple rootkit detectors.


Next to Ninjas, rootkits are the hardest things on the planet to detect. Unlike viruses and trojans, they often don’t manifest themselves very plainly and work behind the scenes at the lowest levels of OS/hardware interaction. Completely below the radar of most virus software. If you’re lucky and/or on the ball you’ll spot your machine doing something odd; perhaps just enough that causes you to look deeper. The sad thing is that if you don’t spot it or it’s a very low latency keylogger, you can be damn sure your virus scanner won’t, which is another reason I don’t use them: they offer little real protection, just a false sense of security.

For geekoids like myself with significant propellers on their heads, rootkits are fabulous study material. A couple of deep analysis documents from PrevX show the cleverness of people who write rootkits. I’m not saying I love them for it, but I have a healthy admiration for someone who goes to such lengths to subvert the system instead of resorting to the boring virus/worm/trojan writers who are all shout and no flair.

Infection detection eradication

So yesterday I noticed that my Google search results didn’t always go where I expected. Say I’d search for something and click a StackOverflow link: instead, I’d be silently redirected to a portal site with links to spyware removers or pharma products. Close the tab, click the link again and I’d get the desired StackOverflow document.

The first time it happened my spider sense said Trojan and I knew it had to be that site I accidentally visited with a hasty, misplaced click earlier that had fired up the browser’s JVS; so-called because of the shitty security layer it has. Within seconds — I hoped before it had fully loaded — I had Task Manager up and had killed off the javaw (etc) processes but I guess something must have slipped in.

So I dusted off MalwareBytes: nothing. Guess it wasn’t a trojan or virus after all. I ran RootkitRevealer: nothing. Very strange. Maybe I’d imagined it? But then it did it again. Definite foul play.
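A silent bounce like the one above is easy to doubt when it only happens on some clicks. The script below is an added example, not part of the original post or of any tool mentioned in it: it walks a link's HTTP redirect chain one hop at a time (without letting the client auto-follow) and flags the result when the page finally lands on a different site than the one the link promised. The canned fetchers, the `pharma-portal.example` host and the `check_landing` / `live_fetch` names are all constructed for the example.

```python
"""Check where a clicked link actually lands by walking its redirect chain hop by hop."""
from dataclasses import dataclass, field
from http.client import HTTPConnection, HTTPSConnection
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher performs exactly ONE request, never follows redirects itself, and
# returns (status_code, Location header or None). Injecting it keeps the walk
# testable offline and makes every hop visible.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


@dataclass
class LandingReport:
    hops: List[str] = field(default_factory=list)  # every URL requested, in order
    final_status: int = 0
    suspicious: bool = False
    reason: str = ""


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def same_site(a: str, b: str) -> bool:
    """Crude same-site test: equal hosts, or one is a subdomain of the other
    (www.stackoverflow.com and stackoverflow.com count as the same site)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_landing(url: str, expected_host: str, fetch: Fetcher,
                  max_hops: int = 10) -> LandingReport:
    """Follow 3xx redirects manually and compare the final host with the one the
    link claimed to point at. A chain that never terminates is also flagged."""
    report = LandingReport()
    current = url
    for _ in range(max_hops + 1):
        report.hops.append(current)
        status, location = fetch(current)
        report.final_status = status
        if status in (301, 302, 303, 307, 308) and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        break
    else:
        # Loop exhausted without reaching a non-redirect response.
        report.suspicious = True
        report.reason = f"more than {max_hops} redirects"
        return report
    if not same_site(host_of(current), expected_host.lower()):
        report.suspicious = True
        report.reason = f"landed on {host_of(current)}, expected {expected_host}"
    return report


def live_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Real single-request fetcher (standard library only). It deliberately does
    not follow redirects, so check_landing sees each hop."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"Host": parts.netloc,
                                           "User-Agent": "landing-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def canned(table: Dict[str, Tuple[int, Optional[str]]]) -> Fetcher:
    """Build an offline fetcher from a constructed URL -> (status, Location) table."""
    def fetch(url: str) -> Tuple[int, Optional[str]]:
        return table.get(url, (404, None))
    return fetch


# Constructed sample: the hijacked case (a search-result click bounced to a
# "pharma portal") and a clean case (normal canonical-URL redirect on the same site).
CONSTRUCTED_HIJACKED = {
    "https://stackoverflow.com/questions/123": (302, "http://pharma-portal.example/?r=abc"),
    "http://pharma-portal.example/?r=abc": (302, "/landing"),
    "http://pharma-portal.example/landing": (200, None),
}
CONSTRUCTED_CLEAN = {
    "https://stackoverflow.com/questions/123": (301, "https://stackoverflow.com/questions/123/some-title"),
    "https://stackoverflow.com/questions/123/some-title": (200, None),
}

if __name__ == "__main__":
    link = "https://stackoverflow.com/questions/123"
    for name, table in (("hijacked", CONSTRUCTED_HIJACKED), ("clean", CONSTRUCTED_CLEAN)):
        r = check_landing(link, "stackoverflow.com", canned(table))
        print(f"{name}: suspicious={r.suspicious} {r.reason} via {' -> '.join(r.hops)}")
    # For a real check, swap canned(...) for live_fetch and run it on the suspect machine.
```

Run it with `live_fetch` from the suspect machine and again from a machine you trust: a chain that only detours on one of them points at something on that host interfering with traffic, which is exactly the kind of "this isn't normal" signal the post relies on, and it gives you a repeatable reproduction instead of a half-remembered wrong click.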

I Googled and found I wasn’t alone, although very few had spotted it, which is maybe testament to the number of people who are desensitized to popups and spurious / slow activity on their machines. From there I found the TDSS articles above and downloaded TDSSKiller.exe & PrevX, both of which confirmed a rootkit at the deepest hardware layer, lurking right on \Device\Harddisk0. Clever boys.

In combination they killed off the kit at next reboot. Consequently I have added both those tools to my USB toolbelt (although I’ve uninstalled PrevX because I don’t want live protection: I’ll run it when/if I need it). And the JVS is history.

Guess my point is that even the most diligent of us can fall foul of the cyber scythe; the difference is that I used my instinct and heightened awareness of what’s normal in the machine to spot it and then used the right tools to stamp out the nastiness instead of relying on flawed software to rape my CPU, regularly bombard me with false negatives and, ultimately, miss the signs when the real bad boys come knocking.
