| Quote: |
【Post by 欧虫】
At first I translated "kernel rootkits" as kernel-level rootkits, and "application rootkits" as application-level rootkits (though I later looked it up and some people call these Trojans).
Also, "kernel" in several places above can be understood as the system kernel.
One correction here: "such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows." The member above got this reversed; it should be: for example, loadable modules in Linux and device drivers in Windows.
........................... |
Thank you.
Now, I suppose some members might be interested in how to detect rootkits, and I'd like to offer a description of it. When it has been translated, you'll be told how to remove rootkits.

Detecting rootkits

There are inherent limitations to any program that attempts to detect rootkits while those programs are running under the suspect system. Rootkits are suites of programs which modify many of the tools and libraries upon which all programs on the system depend. Some rootkits modify the running kernel (through loadable modules on Linux and many other forms of UNIX, and possibly through VxDs, virtual external drivers, on MS Windows platforms). The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers.
The best and most reliable method for rootkit detection is to shut down the computer suspected of infection and check its storage by booting from an alternative medium (e.g. rescue CD-ROM, USB stick). A non-running rootkit cannot hide its presence, and most established antivirus programs will identify rootkits armed via standard OS calls (which are supposedly doctored by the rootkit) and lower-level queries, which ought to remain reliable. If there is a difference, the presence of a rootkit infection can be assumed. Rootkits try to protect themselves by monitoring running processes and suspending their activity until the scanning has finished, as non-stealthy malware will not be identified by rootkit scanners.
Security vendors envision a solution by integrating rootkit detection into traditional antivirus products. Should a rootkit decide to hide during the scan process, it will be identified by the stealth detector. If it decides to temporarily unload from the system, the traditional antivirus will find it using fingerprint detection. This combined defence may force attackers to implement counter-attack mechanisms (so called retro routines) in their rootkit code that will forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer viruses the detection and elimination of rootkits will be an ongoing struggle between the creators of the tools on both sides of this conflict.
There are several programs available to detect rootkits. On Unix-based systems, two of the most popular of these are chkrootkit and rkhunter. For the Windows platform, a free-for-personal-use stealth scanner named Blacklight is available in beta on F-Secure's website. Another Windows detector is Rootkit Revealer from Sysinternals. It will detect all current rootkits by comparing the results from the OS to the actual listing read from the disk itself. However, some rootkits have started to add this particular program to a list of files they do not hide from. So, in essence, by removing the differences between the two listings, the detector doesn't report them. However, renaming the rootkitrevealer.exe filename to a random name defeats this. These features are also included in the latest Rkdetector release.
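The cross-view idea described above (compare what the OS's normal listing reports with what a lower-level query reports, and flag the differences) as an added example that is not part of the original post or of any of the tools it names. It assumes a Linux system with procfs mounted at /proc, and uses a brute-force kill(pid, 0) probe as the low-level view; non-leader threads answer that probe but are never listed in /proc, so they are filtered out as a benign discrepancy rather than reported.

```python
import os

PROC = "/proc"  # assumption: a Linux-style procfs is mounted here


def pids_from_readdir(proc=PROC):
    """High-level view: the PIDs a ps-style tool sees by listing /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_exists_direct(pid):
    """Low-level probe: ask the kernel about one PID without any listing.
    A hooked directory listing cannot hide a process from kill(pid, 0)."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user


def is_thread_not_process(pid, proc=PROC):
    """Non-leader threads answer kill(tid, 0) but are not listed in /proc:
    a benign discrepancy, recognised by a Tgid that differs from the PID."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass  # no readable status file: keep it as a candidate
    return False


def cross_view(listed, probed):
    """Entries in the low-level view but missing from the high-level view
    are the discrepancies a rootkit scanner reports."""
    return sorted(probed - listed)


def find_hidden_pids(proc=PROC, pid_max=None):
    """Full check, re-probing candidates so a process that simply exited
    between the two snapshots (a race, not a rootkit) is not reported."""
    if pid_max is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            pid_max = int(f.read())
    probed = {pid for pid in range(1, pid_max + 1) if pid_exists_direct(pid)}
    candidates = cross_view(pids_from_readdir(proc), probed)
    return [p for p in candidates if pid_exists_direct(p)
            and p not in pids_from_readdir(proc) and not is_thread_not_process(p, proc)]


if __name__ == "__main__":
    print("hidden PIDs:", find_hidden_pids(pid_max=65536) or "none")
```

Like the renaming trick mentioned for Rootkit Revealer, the value of this check lies in the low-level path being one the rootkit did not anticipate; a rootkit that also hooks kill() defeats it, which is why the offline scan from trusted media remains the reliable method.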