Phalanx Consulting Inc | Calgary Web Design - Web Hosting
Sat Jul 31 2010 :: Home arrow Articles arrow Quick Tips for Securing Windows XP, Part 4: Rootkit Scanners
Quick Tips for Securing Windows XP, Part 4: Rootkit Scanners

This is the final part of our introductory section on securing stand-alone Windows machines for the small office and home office. Future sections will delve into more advanced topics, and in much greater detail. This section covers rootkits.

In the previous sections of this overview, we talked about various mission-critical parts of a security plan, including antivirus, firewall and other tools. In order to completely secure a Windows XP machine, you must use all of these tools, as well as secure policies. We also discussed nontraditional tools such as anti-spyware. Another such nontraditional tool is a dedicated rootkit scanner.

Rootkits have been around for quite a while. In fact, other malware such as viruses have used rootkit technology for decades. A rootkit, basically, describes a tool, application or series of steps that allows a hacker, a process, or other malware to cover its tracks on a system. For example, one component of a rootkit might create an artificial Windows Task Manager. This fake Task Manager might make you think it is the real Windows Task Manager. In reality, however, it shows you a list containing all the other running Windows processes, with one notable exception: the suspect application itself. Thus, you would not know that the application or malware process was running, based on your visual inspection of the running processes in the Windows Task Manager. The rootkit has "faked you out."

There are an increasing number of dedicated rootkit scanners to help deal with this problem. For example, Bryce Cogswell and Mark Russinovich developed a program called Rootkit Revealer. You might remember Mark and Bryce from their famous programs, Filemon and Regmon. Mark and Bryce are wizards at understanding the internals of obscure Windows system architecture. Mark was the one who, using Rootkit Revealer, actually found that Sony's DRM (digital rights management) software was, in fact, a rootkit, a notorious fact which, once brought to light, created quite a stir. You can try Rootkit Revealer for yourself here: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
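Rootkit Revealer works by comparing a high-level view (what the Windows API reports) with a low-level view (a raw read of the registry hive or file system) and reporting the differences. The following added example, which is not Sysinternals code, applies that cross-view idea to two constructed registry snapshots; all key names and values are made up for illustration.

```python
"""Cross-view comparison in the style of Rootkit Revealer (added example,
not Sysinternals code). The 'API view' is what the Windows registry API
reports; the 'raw view' is what a parse of the hive file on disk would show.
A key present only in the raw view is hidden from the API, the classic
rootkit symptom. A key present only in the API view was most likely created
between the two scans, so it is reported separately rather than flagged."""

from dataclasses import dataclass, field


@dataclass
class CrossViewReport:
    hidden: list = field(default_factory=list)       # in raw hive, not via API
    mismatched: list = field(default_factory=list)   # same key, different data
    api_only: list = field(default_factory=list)     # usually timing noise


def cross_view(api_view: dict, raw_view: dict) -> CrossViewReport:
    """Diff two key -> data mappings; raw_view is the trusted low-level side."""
    report = CrossViewReport()
    for key, raw_data in raw_view.items():
        if key not in api_view:
            report.hidden.append(key)
        elif api_view[key] != raw_data:
            report.mismatched.append((key, api_view[key], raw_data))
    report.api_only.extend(k for k in api_view if k not in raw_view)
    return report


# Constructed sample snapshots (hypothetical keys, not from any real system).
API_VIEW = {
    r"HKLM\SOFTWARE\Example\Run": "updater.exe",
    r"HKLM\SOFTWARE\Example\Version": "1.2",
    r"HKLM\SOFTWARE\Example\LastScan": "2010-07-31",   # written after raw scan
}
RAW_VIEW = {
    r"HKLM\SOFTWARE\Example\Run": "updater.exe",
    r"HKLM\SOFTWARE\Example\Version": "1.3",            # API lies about the value
    r"HKLM\SOFTWARE\Example\$hidden$Service": "hide.sys",  # filtered out by a hook
}

if __name__ == "__main__":
    rep = cross_view(API_VIEW, RAW_VIEW)
    for key in rep.hidden:
        print("HIDDEN FROM API:", key)
    for key, api_data, raw_data in rep.mismatched:
        print("MISMATCH:", key, api_data, "!=", raw_data)
    for key in rep.api_only:
        print("API only (check timing):", key)
```

Discrepancies are leads, not verdicts: a key created between the two scans or a name containing characters the API cannot represent also shows up, so each hit still needs manual review.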

Filemon, Regmon and TCPView

Filemon, Regmon and TCPView are some of the most important utilities for reverse engineering software and understanding what third-party programs do to your system. We’ve mentioned these before in our reverse engineering sections. Along with Rootkit Revealer and many other useful tools, they can be found at http://www.microsoft.com/technet/sysinternals/fileanddiskutilities.mspx

Filemon works by monitoring the files and components which a third-party application accesses while it is running. It lets you monitor all of the file activity that is happening in real time. You can see exactly how processes use system DLLs. Whenever a process sends a call to open and read or write any other file, it will show up in real-time in the Filemon window. Powerful filters allow you to regulate and drill down to watch a single file or set of files.

Regmon, on the other hand, monitors registry access. When an application accesses the registry, it is recorded in real-time by Regmon. You can see which registry keys are being accessed as well as the values that are inserted or changed. You can also pause the application in order to create granular filters. That is the real power of Regmon.

More recently, Filemon and Regmon have been combined into a single utility called Process Monitor. This new application is more powerful and even easier to use. And of course, it is free. It can be found at http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx

TCPView is another very important utility. It can be found at the same Sysinternals link above. This powerful application shows you what each running process does in terms of active connections. It is basically a real-time version of netstat, the system utility that allows you to see which ports are open. In addition, TCPView maps the open ports to the application name and tells you where the application is located. Thus, at a glance you can easily see any open ports, which may be a sign of Trojans or other malware active on your system. You can easily track this down to the suspect application and investigate it more thoroughly.
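The port-to-process mapping TCPView performs can be reproduced from `netstat -ano` output joined against a process list. The following added example (not Sysinternals code) does that over constructed sample text; the PIDs, ports, addresses and image paths are made up, and a listening port whose owning PID does not appear in the process list is flagged, because that is exactly what a rootkit hiding a process but not its socket looks like.

```python
"""TCPView-style port-to-process mapping (added example, not Sysinternals
code). NETSTAT_SAMPLE is constructed text in the layout of `netstat -ano`;
PROCESS_SAMPLE is a constructed pid -> image path map such as one built
from `tasklist`. Sockets owned by a PID that is not in the process list
are returned separately, since that is the symptom worth investigating."""

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:4321           0.0.0.0:0              LISTENING       1337
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED     2208
  UDP    0.0.0.0:500            *:*                                    1012
"""

# Constructed process list; 1337 is deliberately absent (hidden process).
PROCESS_SAMPLE = {
    880: r"C:\WINDOWS\system32\svchost.exe",
    2208: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1012: r"C:\WINDOWS\system32\lsass.exe",
}


def parse_netstat(text: str) -> list:
    """Turn `netstat -ano` lines into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and banner lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def map_ports(netstat_text: str, processes: dict) -> tuple:
    """Return (mapped, unowned): sockets joined to an image path, and
    sockets whose PID is missing from the process list."""
    mapped, unowned = [], []
    for row in parse_netstat(netstat_text):
        image = processes.get(row["pid"])
        entry = dict(row, image=image)
        (mapped if image else unowned).append(entry)
    return mapped, unowned


if __name__ == "__main__":
    mapped, unowned = map_ports(NETSTAT_SAMPLE, PROCESS_SAMPLE)
    for e in mapped:
        print(f'{e["proto"]:4} {e["local"]:22} {e["state"]:12} {e["image"]}')
    for e in unowned:
        print(f'{e["proto"]:4} {e["local"]:22} PID {e["pid"]} not in process list!')
```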

Test It!

Now that you have established a complete security policy based on Parts 1-4 in this series, the next step is to test your system. Planned, methodical and repeated testing is critical to help ensure the stability and integrity of your data. There are many free and low-cost tools to help automate the process of testing and scanning your own network for vulnerabilities. A list of the top 100 network security tools can be found at http://sectools.org/. We will discuss some of these in the upcoming sections, where we delve into the tools and show advanced techniques for using them.

Written by Cyrus Peikari and Seth Fogie
Copyright © 2010 Phalanx Consulting Inc.