Showing posts with label operating system.

Monday, September 03, 2007

What is a rootkit?

A rootkit is not an exploit — it’s the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit’s existence if they have a signature file.

A kernel-mode rootkit is remarkably different — and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system’s Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit’s files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: signature-based and heuristic/behavior-based detection.

Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that forms a “fingerprint” unique to a particular rootkit. However, the rootkit’s tendency to hide files by altering the execution path of the detection software can limit the success of signature-based detection.
Heuristic/behavior-based detection: This method works by identifying deviations from normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with a 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available, leaving 25 GB unaccounted for.
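The deviation-spotting idea behind heuristic detection, as an added Python example that is not part of the original post: it checks the disk accounting from the 200 GB case above and diffs two constructed process listings (a high-level API view against a lower-level raw view). The sample sizes, the process names and the GAP_TOLERANCE figure are assumptions.

```python
# Cross-view consistency checks in the spirit of heuristic rootkit detection.
# All values below are constructed sample data, not measurements from a real
# system; GAP_TOLERANCE is an assumed allowance for filesystem metadata overhead.
from dataclasses import dataclass

GB = 1024 ** 3
GAP_TOLERANCE = 0.05  # fraction of capacity that normal overhead may consume


@dataclass(frozen=True)
class DiskReport:
    total: int  # capacity in bytes
    used: int   # bytes accounted for by files the directory listing shows
    free: int   # free space the filesystem reports


def unaccounted_space(report: DiskReport) -> int:
    """Bytes neither listed as files nor reported free; 0 if within tolerance.

    A large gap is consistent with files being hidden from the listing.
    """
    gap = report.total - report.used - report.free
    return gap if gap > report.total * GAP_TOLERANCE else 0


def hidden_entries(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Names present in a low-level enumeration but missing from the API view.

    The same idea applies to files, processes, registry keys or ports: a rootkit
    that filters the API answer must also tamper with every lower-level source
    to stay consistent, so disagreement between views is a detection signal.
    """
    return sorted(set(raw_view) - set(api_view))


# Constructed sample data reproducing the 200 GB / 160 GB / 15 GB case
SAMPLE_DISK = DiskReport(total=200 * GB, used=160 * GB, free=15 * GB)
# Constructed process names; "hidden_svc.exe" stands in for a concealed process
API_PROCESSES = ["System", "explorer.exe", "svchost.exe"]
RAW_PROCESSES = ["System", "explorer.exe", "svchost.exe", "hidden_svc.exe"]

if __name__ == "__main__":
    print(f"unaccounted space: {unaccounted_space(SAMPLE_DISK) / GB:.0f} GB")
    print("hidden from API view:", hidden_entries(API_PROCESSES, RAW_PROCESSES))
```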

Rootkits are hard to detect, but there are programs that can help, including a free one from Grisoft that I have covered in another post.

Monday, May 21, 2007

Browser Cache Size and Using CCleaner

Browser cache settings give your PC the ability to store frequently visited web pages and to check for newer versions of those pages when you navigate to those sites.

Most computers' cache setting is left at the default, which can be anything from 250MB to over 1024MB and is generally far too high. You can safely reduce this to as little as 10 - 20MB. If you frequently download large files, for example a file of 50MB, you would need to adjust your cache size to 60MB so that if the download is interrupted it will pick up from where it left off using the cache rather than starting over again.

To adjust the IE cache size:
Start Internet Explorer.
Select Tools > Internet Options > General tab.
Under Temporary Internet Files click the Settings button.
In the box for the amount of disk space to use, enter a value between 25 and 50 megabytes.
Click OK to accept the changes.

To adjust the Netscape Navigator cache size:
Start Netscape Navigator.
Select Edit > Preferences > Advanced > Cache.
In the box for Disk Cache, enter a value between 5120 and 51200 kilobytes.
Click OK to accept the changes.

By making this simple adjustment, you will save lots of hard drive space for better uses and it will improve the overall performance of Internet Explorer.

If you want to have a large cache size, then I recommend that you clean your cache out regularly. I do a lot of browsing and clean mine several times a day, but rather than go through Internet Properties and start clicking on various buttons I use CCleaner, available for free from http://www.filehippo.com/download_ccleaner/

CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system, allowing Windows to run faster and freeing up valuable hard disk space by automatically cleaning the cache when run. It also cleans traces of your online activities such as your Internet history. It only takes a few seconds to run and remove these unwanted files from your PC.

There have been over 55 million downloads of this program.

Internet Explorer
Temporary files, URL history, cookies, Autocomplete form history, index.dat.

Firefox
Temporary files, URL history, cookies, download history.

Opera
Temporary files, URL history, cookies.

Windows
Recycle Bin, Recent Documents, Temporary files and Log files.

Registry cleaner
Advanced features to remove unused and old entries, including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons, Invalid Shortcuts and more. It also comes with a comprehensive backup feature.

Third-party applications
Removes temp files and recent file lists (MRUs) from many apps including Media Player, eMule, Kazaa, Google Toolbar, Netscape, MS Office, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and many more.

This software does NOT contain any Spyware, Adware or Viruses.

I set mine up as follows:
Click on the Cleaner tab on the left and under Windows I tick all boxes in Internet Explorer, Windows Explorer and System. Under Advanced tick only the first 2 boxes. Then click on the Applications tab and tick all.

Issues tab:
Unless you are competent at dealing with the registry, leave this one alone and DO NOT run it.

Tools tab:
Here you will find a list of Uninstall options to remove programs from your PC; use with caution. I prefer to use the Add/Remove function or the program's own uninstaller.

Startup:
Lists all programs that are set to run when you boot up. If you are unsure about deleting any of these, leave it as it is.

Options tab:
Settings - Choose your language, untick Run CCleaner when the computer starts, tick the next 3 boxes, then look at Secure Deletion, tick the radio button 'Secure file deletion (Slower)' and set it to NSA (7 passes).

Cookies - Entirely up to the individual, but I don't save any cookies.

Custom - You can drag and drop files or folders into the window or browse for them, and on the next run they will be securely deleted.

Advanced - Untick boxes 1-3, tick all others.

Finally click on the Cleaner tab on the left and you have the option to Analyze or Run Cleaner. When you are comfortable using this program you won't use Analyze, but initially do use it to see what can be deleted and the approximate size of the files to be deleted.

Important
This will remove any saved passwords and usernames that you have, so make sure that you have a copy of them all before proceeding to clean.

Open a text document, enter the URL, username and password, and save this to a floppy or external drive or print it off. Do NOT save this text file to your hard drive.

There is an excellent program for saving your passwords etc. available from http://www.roboform.com/
I will cover this in more detail another time.

As always, back up your system or create a restore point before making any changes.

To your safety and security online
cotojo

Monday, April 16, 2007

How many spyware items are infecting your computer?

I just had, by mistake, a plug-in called Intelligent Explorer attach to my browser. What a nightmare! I have another article on this topic, but this brings home a point. Spyware or adware items are continually infecting computers. Most computers have no protection from them. Most frightening is the frequency of them. From the InfosecWriters web site, "According to a 2004 survey by America Online and the National Cyber Security Alliance, 91% of users questioned were familiar with the term spyware. Only 53% believed their computers were infected, but a scan found that 80% of their PCs had some type of spyware installed on them." It goes on to say, "...The average number of spyware components per computer was 93 with one computer having well over a thousand."

What is Spyware?

Butte College (www.bctv.butte.edu/support/spyware.html) offers this definition:

“The term ‘spyware’ is broadly defined as any program that gets into your computer without permission and hides in the background while it makes unwanted changes to your user experience.

Spyware is generally not designed to damage your computer. The damage it does is more a by-product of its main mission, which is to serve you targeted advertisements or make your browser display certain sites or search results.

At present, most spyware targets only the Windows operating system (Internet Explorer).”

To be fair, spyware can be harmless; for example, tracking cookies don’t do much. While such things infringe on your privacy, they don't really harm anything. Others, however, are extremely dangerous.

So what do you do about it?

No spyware program seems to do everything, but there are a lot of good solutions out there that can help. Here is a list of some of the top spyware tools to look at:

1) Try Ad-Aware 6.0 Professional from LavaSoft (there is also a free version with less functionality)

2) Spybot Search & Destroy from PepiMK Software

3) Xoftspy from Pareto Logic

4) Spyware Guard from Javacool Software is a free program

5) Pest Patrol (now part of Computer Associates by acquisition)

6) McAfee Anti-Spyware

One thing is for certain: you do need to take spyware seriously. For some reason, too many people out there think anti-virus solutions are the end-all solution. They are not.

And, when all else fails?

Finally, as drastic as it seems, if your computer has been infected with a large number of spyware programs, the only solution you may have is backing up your data and performing a complete reinstall of the operating system.
