API Monitor and Process Explorer (good old Sysinternals, now MS) may allow you to spot some of the simple viruses, but usually rootkits send back false information to the API calls they use. Detecting a proper rootkit by looking at processes and memory is nigh on impossible; you have to rely on what is written to disk.
Programs that try to detect if you have a rootkit installed usually do things like use the Windows API functions to get directory listings of all folders (which rootkits often intercept and return a listing minus their own files) or registry entries, and then use raw disk reads to see if the results are the same. Many rootkits like TDSS look out for certain programs being run and will intercept many rootkit-killer type programs, but changing the executable name is enough to bypass that.
Obviously the best way to detect a rootkit is to boot from a CD, stopping the rootkit loading up and hiding itself, which is what would happen with a normal boot. If you can't do this, I suggest using something like ComboFix from the Bleeping Computer website, which works very well.
Persistent BIOS rootkits have had a few proof of concepts and they are the ultimate really, as there is no way to find those. At present there is no way to install these except by tricking a user into doing it themselves, although I wouldn't put it past the three and four letter agencies to be able to do it without user interaction.
As large corporations will continue to get XP support for some time, I expect someone will start releasing the patches they get to the general public.
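The cross-view comparison described above (API listing versus raw disk read), as an added example that is not part of the original post. The two listings are constructed sample data standing in for the hooked API view and the trusted offline/raw view; the same set comparison applies to registry keys.

```python
"""Cross-view rootkit check: compare a directory listing obtained through the
live OS API with one taken from a trusted view (raw disk read or offline boot)
and report entries that only one view shows."""

# Constructed sample: what the live (possibly hooked) Windows API returned
API_VIEW = {
    r"C:\Windows\System32": ["ntdll.dll", "kernel32.dll", "drivers"],
    r"C:\Windows\System32\drivers": ["ntfs.sys", "tcpip.sys"],
}
# Constructed sample: the same directories read from the raw disk / offline mount
RAW_VIEW = {
    r"C:\Windows\System32": ["ntdll.dll", "kernel32.dll", "drivers", "hidden.dll"],
    r"C:\Windows\System32\drivers": ["ntfs.sys", "TCPIP.SYS", "hidden.sys"],
}


def normalise(names):
    # Windows file names are case-insensitive, so fold case before comparing
    # (otherwise tcpip.sys vs TCPIP.SYS would be a false positive)
    return {n.lower() for n in names}


def cross_view_diff(api_view, raw_view):
    """Return {directory: (hidden, phantom)}.

    'hidden'  - present on disk but not reported by the API (the classic
                rootkit filtering the post describes)
    'phantom' - reported by the API but absent from the raw view
    Directories where both views agree are omitted."""
    findings = {}
    for directory in sorted(set(api_view) | set(raw_view)):
        api = normalise(api_view.get(directory, []))
        raw = normalise(raw_view.get(directory, []))
        hidden, phantom = sorted(raw - api), sorted(api - raw)
        if hidden or phantom:
            findings[directory] = (hidden, phantom)
    return findings


if __name__ == "__main__":
    for d, (hidden, phantom) in cross_view_diff(API_VIEW, RAW_VIEW).items():
        print(f"{d}: hidden={hidden} phantom={phantom}")
```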
---------- Post added at 13:37 ---------- Previous post was at 13:13 ----------
Quote:
Originally Posted by Ignitionnet
Okay. When I have some time I'll rootkit a VM and see what that program spots then probably start another thread in the security section.
Keep in mind some rootkits are virtual machine aware and can break out to the main machine using vulnerabilities in the software. Most of the issues are patched in later versions but there is always the possibility of there being a new unknown vector for them to take advantage of.