Rootkits is a computer security threat that is designed to modify the core software components of the system, inserting code which attempts to hide the “infection” and provides some additional feature or service to the attacker. Some advanced trojan also has the capability to hide itself using rootkits techniques. One example is Bifrost which is able to unhook kernel mode hooks to allow bypassing more firewalls.

Nowadays many security suite software such as Kaspersky Internet Security and Norton Internet Security is able to detect and defend against rootkits. If you are like me who doesn’t like to install and use bloated security suites, you can try this very small and simple yet powerful hidden process detector. It claims to detect most of rootkits technologies!

DeepMonitor is an hidden process detector, for Windows XP SP2 only, defeating most of rootkits technologies. It can also detect some hidden injected modules techniques. Although it is very good in detecting hidden process, this tool can’t tell you if a normal running process that can be seen at Windows Task Manager is dangerous or not. Let’s take svch0st.exe for an example. By looking at the filename, it is obviously a virus or spyware because the letter O has been replaced by the number zero (0). If you run DeepMonitor, it will also show scvh0st.exe but it will not warn you because it is not a hidden process.

One technique that many trojan authors will use to defeat traditional security measures is to co-opt other applications to do their dirty work. For example, an application can take control of privileged applications, such as Internet Explorer or Firefox, to carry out all of its malicious activity. This will cause all of the attacks to come from Internet Explorer or Firefox, not the actual trojan.

One of the trojan that does this is Bifrost. This trojan injects code into the explorer.exe process, which then spawns a non visible Internet Explorer (iexplorer.exe) or Firefox (firefox.exe) process. The trojan then injects extra code into iexplore.exe (not as an extra dll, it just writes the malicious code directly into the memory space of iexplore.exe). This extra code then causes iexplore.exe to act as a backdoor into the computer from which an attacker has complete visibility of the file system and registry.

I tried infecting my own computer with Bifrost with DeepMonitor monitoring my system. DeepMonitor detects a hidden process and shows a warning through tray balloon notification.

Detected hidden process

When I launched DeepMonitor from Windows tray bar, it shows firefox.exe in red which is a hidden process. The blue ones are legitimate processes. I can double click on the process for more information or kill the process. When I check Windows Task Manager, firefox.exe also appears in the list but I wouldn’t know whether it has been tampered or not.

Download DeepMonitor

A lot of advance trojan such as Bifrost, Poison Ivy and sHark are already using this method to fool the computer user and also to bypass firewall protection. It is good to run DeepMonitor once a while to check your system for any rootkits or hidden processes. Remember, rootkits and hidden processes are “designed” to stay in your computer undetected. You never know if you have one in your system until you run DeepMonitor.

[ Download DeepMonitor ]

Technorati Tags: , , , ,