Sunday, June 6, 2010

Hands-On Project 2-1 (Page 70)



Objective, verbatim:

“In this project, you download and install Microsoft’s RootkitRevealer tool to help detect the presence of a rootkit.” (Ciampa, 2009)

Process:

1. First, I started up Mozilla Firefox and pointed the URL to http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx (Well, actually the first thing I did was create a system restore point before doing anything else) and downloaded ‘RootkitRevealer’.


2. While the program was being downloaded, I read through the site's information about rootkits. It is a pretty important read, containing details like what a rootkit is, how it works and the difficulties of detecting it.


3. After the download completed, I opened the .zip file and took a look at its contents. One of the most important things to do when using system tools is to read the documentation.


4. I then extracted the files to a thumb drive and started up Windows XP in my VMware virtual machine. I ran the executable from the thumb drive by disconnecting the USB port from the host and connecting it to the virtual machine.


5. I then started the scan to detect possible rootkits. The scan works by comparing scans of the system at a high level to scans at a low level for discrepancies.


6. At the end of the scan, 2 discrepancies were found.
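The comparison described in step 5 is a cross-view check: the same part of the system is listed once through the normal Windows API and once by reading the disk or registry hive directly, and any entry that appears in one view but not the other is reported. The script below is an added illustration of that idea and is not RootkitRevealer's code (the tool is closed-source); the two views, the file names and the sizes are constructed sample data, and the plain-language `detail` text for each finding is my own wording, added because the tool's one-line labels are hard to act on without background.

```python
"""Cross-view discrepancy check in the spirit of RootkitRevealer.

Added example, not the tool's own code. HIGH_VIEW stands for what the
Windows API reports; LOW_VIEW stands for a raw read of the file system and
registry hive. Both are constructed sample data, not a real scan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    name: str    # file path or registry key that differs between the views
    kind: str    # short, tool-style label for the discrepancy
    detail: str  # plain-language explanation aimed at a non-expert reader


# Constructed: what the high-level (Windows API) listing returned, name -> size in bytes.
HIGH_VIEW = {
    "C:\\Windows\\System32\\kernel32.dll": 989696,
    "C:\\Windows\\System32\\drivers\\etc\\hosts": 824,
    "C:\\Windows\\Temp\\setup.log": 4096,          # transient file present only during the API pass
}

# Constructed: what the low-level (raw disk/hive) listing returned.
LOW_VIEW = {
    "C:\\Windows\\System32\\kernel32.dll": 989696,
    "C:\\Windows\\System32\\drivers\\etc\\hosts": 824,
    "C:\\Windows\\System32\\drivers\\hidden.sys": 20480,   # present on disk, missing from the API view
    "HKLM\\SOFTWARE\\Example\\Run\x00hidden": 0,           # key name with an embedded NUL byte
}


def cross_view_diff(high_view, low_view):
    """Return one Discrepancy per entry that differs between the two views."""
    findings = []
    for name in sorted(set(high_view) | set(low_view)):
        in_high, in_low = name in high_view, name in low_view
        if "\x00" in name:
            # NUL-terminated Win32 registry calls cannot open a name that contains
            # a NUL, so such a key is reachable only through the raw hive read.
            findings.append(Discrepancy(
                name, "Key name contains embedded nulls (*)",
                "This registry key has a zero byte inside its name. Normal Windows "
                "tools cannot open or display such a key, so anything stored under "
                "it is effectively invisible to the registry editor."))
        elif in_low and not in_high:
            findings.append(Discrepancy(
                name, "Hidden from Windows API",
                "The raw scan found this entry but the normal Windows API did not "
                "report it. Something is filtering it out of the API's answer, "
                "which is how a rootkit hides its files and registry keys."))
        elif in_high and not in_low:
            findings.append(Discrepancy(
                name, "Visible to Windows API but not on disk",
                "The API reported this entry but the raw scan could not find it. "
                "This is usually a file created or deleted while the scan ran, "
                "not a sign of infection."))
        elif high_view[name] != low_view[name]:
            findings.append(Discrepancy(
                name, "Size mismatch",
                f"The API reports {high_view[name]} bytes but the raw scan sees "
                f"{low_view[name]} bytes, so one of the two views is being altered."))
    return findings


def report(findings):
    """Render findings as tool-style label plus plain-language explanation."""
    return "\n".join(f"{f.name!r}: {f.kind}\n    {f.detail}" for f in findings)


if __name__ == "__main__":
    print(report(cross_view_diff(HIGH_VIEW, LOW_VIEW)))
```

On the constructed data this reports three discrepancies: the driver file that only the raw scan sees, the temporary log that only the API saw, and the registry key whose name contains a NUL. Only the first and third are the kind of mismatch worth investigating; the middle one is the benign timing difference that any two-pass scan produces, which is why each finding carries an explanation rather than just a label.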



Reflection:

During the course of this project, I have learnt a substantial amount about rootkits. From the RootkitRevealer website, I have gleaned that there are four classifications of rootkits: Persistent, Memory-Based, User-Mode and Kernel-Mode Rootkits. The four classifications are dependent on persistence in memory and the mode of execution.

RootkitRevealer is a simple program to start up and begin scanning with. However, I found that the results displayed were rather confusing to the average computer user. It outputs very cryptic descriptions which an average computer user running the tool to scan his computer for a possible infection would not understand. “Key names contains embedded nulls (*)” does not really make any sense without technical knowledge of computer systems, and so it becomes hard to discern a remedy.

Sine Cera,
Jeremy Heng

"Quis custodiet ipsos custodes?"


Hands-On Project 2.1 Sources
