
Security Basics mailing list archives

RE: computer with rootkit?
From: Brian Rogalski <brogalski () bkrservices com>
Date: Thu, 29 Sep 2011 07:01:20 -0400

There are a few things that you could try...

Use tools like Process Hacker, What's Running, CaptureBAT and Regshot...
Process Explorer and Process Monitor can tell you what path and device
files are being used. Also look at the

(HKLM\currentversion\microsoft\windows\software\run) key in the registry
... most malicious programs want to stay resident after a reboot... You can
use a tool called Autoruns as well.

It looks like you may have a kernel-mode rootkit. There is only so far
that those tools will take you... To complete your process you are going
to have to dump the executable to an unaffected machine and perform more
behavioral analysis followed by code and memory forensics.

Hope that helps

Brian
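The reply above describes a manual triage: check the Run keys and other autostart points, see which image files the suspicious processes use, and treat a kernel-mode rootkit as something user-mode tools can only partly see. The script below is an added example that is not part of the original post; it automates that first pass on a Windows host with PowerShell. It assumes the standard Run/RunOnce locations (the key path quoted in the post is not used verbatim), an elevated PowerShell 3.0 or later session, and that the drivers and services enumerated through WMI are the same ones Autoruns would show. Every binary it finds is checked for an Authenticode signature, and it finishes with a cross-view process comparison.

```powershell
# Added example (not code from the original post): triage persistence points
# and do a crude cross-view process check. Run elevated, PowerShell 3.0+.
# Assumption: the Run/RunOnce key paths below are the standard locations.

$ErrorActionPreference = 'SilentlyContinue'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata properties the registry provider adds to every Get-ItemProperty result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    # Reduce a command line or service/driver path to the file it launches.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $c = $c -replace '^\\\?\?\\', ''                        # \??\C:\x -> C:\x
    $c = $c -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\x -> C:\Windows\x
    if ($c -match '^"([^"]+)"') { return $Matches[1] }      # quoted path, drop args
    if ($c -match '^(\S+\.(exe|sys|dll))') { return $Matches[1] }
    return $c
}

function Get-SignatureStatus {
    # Authenticode status: Valid, NotSigned, HashMismatch, ... or MISSING / NOPATH.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'NOPATH' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

# 1. Run / RunOnce values and the signature state of each launched binary.
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $img = Get-ImagePath ([string]$p.Value)
        [pscustomobject]@{ Source = $key; Name = $p.Name; Image = $img
                           Signature = Get-SignatureStatus $img }
    }
}

# 2. Kernel drivers and auto-start services: where a kernel-mode rootkit is
#    normally loaded from. Unsigned or missing-on-disk images deserve a look.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -or $_.StartMode -in 'Boot', 'System', 'Auto' } |
    ForEach-Object {
        $img = Get-ImagePath ([string]$_.PathName)
        [pscustomobject]@{ Source = 'Driver'; Name = $_.Name; Image = $img
                           Signature = Get-SignatureStatus $img }
    }
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $img = Get-ImagePath ([string]$_.PathName)
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Image = $img
                           Signature = Get-SignatureStatus $img }
    }

# 3. Cross-view check: a PID seen through one user-mode path but not another
#    suggests something is filtering enumeration. A kernel rootkit can fool
#    both views, so a clean result proves nothing; a mismatch is a strong lead.
#    Processes that start or exit between the two calls also show up here, so
#    re-run before trusting a single mismatch.
$viaProcessApi = (Get-Process).Id
$viaWmi        = (Get-CimInstance Win32_Process).ProcessId
$hiddenFromApi = $viaWmi | Where-Object { $_ -notin $viaProcessApi }
$hiddenFromWmi = $viaProcessApi | Where-Object { $_ -notin $viaWmi }

@($autoruns) + @($drivers) + @($services) |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Source, Name | Format-Table -AutoSize

"PIDs in WMI but not Get-Process: $($hiddenFromApi -join ', ')"
"PIDs in Get-Process but not WMI: $($hiddenFromWmi -join ', ')"
```

The output is a starting list, not a verdict: plenty of legitimate third-party drivers and services are unsigned, and a rootkit that hooks the kernel can return clean results to every call above. That is the point the reply makes about going to memory forensics on a separate, unaffected machine.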

