Detecting Rootkits Using Gmer

Submitted By garenx
Words 344
Pages 2
Next up, see here: http://www.spywareinfoforum.com/index.php?showtopic=124353&st=0 A patched ws2_32.dll. This one didn't get around much, so I don't have much on it, but the helper managed to identify the patched file via GMER.

C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

Basically, malware is exploiting a system file again: it found a "writable" hole, and that's how it got in. Neither line is normal for a legitimate system DLL: its code section should not be writable, and its entry point should sit in the code section, not in ".data".
=====

Next, a memory exploit

memory module \?\globalroot\device\lde\ldePort1\secxrxtc\secxrxtc\tdlwsp.dll file \?\globalroot\device\lde\ldePort1\secxrxtc\secxrxtc\tdlwsp.dll

This one was harder to kill, but I'll explain it as best I can. The folder "secxrxtc" changed every time on reboot, so tracking the file was harder than it looked, and this was one of the first threads where the patched atapi.sys was seen.

Often when a rootkit is present, Combofix/Catchme will find this:

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 17:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP000001CF96E80FDA33D1F935 524288 bytes executable

scan completed successfully hidden files: 1

**************************************************************************

It's the backup file for the rootkit, which also had to be killed. The good thing is that it's in a temp location, and as it's just a backup it's not active, so TFC would quickly deal with it.
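As an added example (not code from this post, from GMER or from catchme), here is a small Python triage helper for the kind of log lines quoted above. It decodes the section characteristics value GMER prints (0xE0000040 here) into its IMAGE_SCN_* bits, flags a section that is both writable and executable or an entry point reported outside the code section, and cross-checks catchme's hidden-file lines against its "hidden files: N" summary so a truncated paste is noticed. The reading of the bracketed triple as [virtual address, size, characteristics], the allow-list of expected entry-point section names, and the sample log (the lines above pasted together) are assumptions of the example.

```python
import re
from dataclasses import dataclass

# PE/COFF section characteristic bits (values from the PE format specification).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names where a PE entry point is normally expected (assumed allow-list;
# packed binaries may legitimately differ, so treat a hit as "look closer").
EXPECTED_ENTRY_SECTIONS = {".text", "CODE"}


@dataclass
class Finding:
    kind: str    # writable_section | entry_point_outside_code | hidden_file
    path: str
    detail: str


def decode_section_characteristics(value):
    """Names of the IMAGE_SCN_* bits set in a section characteristics DWORD."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]


def is_writable_executable(value):
    """True for a W+X section, which a legitimate system DLL's code should not have."""
    return bool(value & IMAGE_SCN_MEM_WRITE) and bool(value & IMAGE_SCN_MEM_EXECUTE)


# Line shapes copied from the GMER/catchme excerpts; the bracketed triple on the
# "section is writeable" line is assumed to be [virtual address, size, characteristics].
RE_WRITABLE = re.compile(
    r"^(?P<path>.+?) section is writeable "
    r"\[(?P<va>0x[0-9A-Fa-f]+), (?P<size>0x[0-9A-Fa-f]+), (?P<chars>0x[0-9A-Fa-f]+)\]$")
RE_ENTRY = re.compile(
    r'^(?P<path>.+?) entry point in "(?P<section>[^"]+)" section \[(?P<addr>0x[0-9A-Fa-f]+)\]$')
RE_HIDDEN = re.compile(r"^(?P<path>.+?) (?P<size>\d+) bytes (?P<type>\w+)$")
RE_SUMMARY = re.compile(r"hidden files:\s*(\d+)")


def parse_line(line):
    """Turn one log line into a Finding, or None for lines that are not findings."""
    line = line.strip()
    m = RE_WRITABLE.match(line)
    if m:
        chars = int(m.group("chars"), 16)
        flags = "|".join(decode_section_characteristics(chars))
        wx = " (W+X)" if is_writable_executable(chars) else ""
        return Finding("writable_section", m.group("path"),
                       f"va={m.group('va')} size={m.group('size')} {flags}{wx}")
    m = RE_ENTRY.match(line)
    if m and m.group("section") not in EXPECTED_ENTRY_SECTIONS:
        return Finding("entry_point_outside_code", m.group("path"),
                       f"entry point {m.group('addr')} in {m.group('section')}")
    m = RE_HIDDEN.match(line)
    if m:
        return Finding("hidden_file", m.group("path"),
                       f"{m.group('size')} bytes {m.group('type')}")
    return None


def triage(log_text):
    """Run every line of a pasted log through the matchers and collect findings."""
    return [f for f in map(parse_line, log_text.splitlines()) if f is not None]


def hidden_file_count(log_text):
    """Count reported by catchme's summary line (0 if the line is absent)."""
    m = RE_SUMMARY.search(log_text)
    return int(m.group(1)) if m else 0


def summary_matches_findings(log_text):
    """Cross-check: hidden files listed vs. the count catchme claims. A mismatch
    means the paste is truncated or a line shape was not recognised."""
    listed = sum(1 for f in triage(log_text) if f.kind == "hidden_file")
    return listed == hidden_file_count(log_text)


# Constructed sample: the lines quoted in the post, pasted together.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
scanning hidden files ...
c:\windows\TEMP\TMP000001CF96E80FDA33D1F935 524288 bytes executable
scan completed successfully hidden files: 1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:25} {f.path}  {f.detail}")
    print("summary consistent:", summary_matches_findings(SAMPLE_LOG))
```

Run on the sample, the WS2_32.dll section decodes to INITIALIZED_DATA|EXECUTE|READ|WRITE and is marked W+X, the ".data" entry point is reported, and the one hidden file agrees with catchme's own count. Paths with spaces are handled by the lazy `.+?` path group, which is why the matchers anchor on the fixed text after the path rather than on the path itself.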

This is why GMER is one of our more useful tools; there are times when I've been completely confused and GMER found the bad little bugger hiding.
=====

And last, a stronger version of TDSS.

http://www.GeekPolice.net/virus-spyware-malware-removal-f11/yet-another-packedmonder-virus-t15409.htm

Combofix failed; The Avenger failed.

I had to make the main driver 0 KB by using Notepad, and then it died, but it was really stubborn.
=========

Any questions? You will need to know this for later on.
