In kasta oo ay suurtagal tahay in la qariyo malware-ka hab lagu nacasyo xittaa alaabada antivirus/antispyware-ka caadiga ah, inta badan barnaamijyada malware-ka ayaa durba isticmaalaya rootkit-yada si ay ugu qariyaan Windows PC-gaaga… khatar badana way sii kordhaysaa! Rootkit - ka DL3 waa mid ka mid ah rootkit-yada ugu horumarsan ee abid lagu arko duurjoogta. Rootkit-ku wuxuu ahaa mid deggan oo wuxuu waxyeeleyn karaa 32-bit nidaamyada hawlgalka Windows ; in kasta oo xuquuqda maamulka loo baahnaa si loogu rakibo caabuqa nidaamka. Laakiin TDL3 hadda waa la cusboonaysiiyay oo hadda awood u leh inay qaadsiiso xitaa noocyada 64-bit ee Windows^{(even 64-bit versions  Windows)} !

Waa maxay Rootkit

Fayraska Rootkit waa nooc qarsoodi ah oo malware ah  kaas oo loogu talagalay in lagu qariyo jiritaanka hababka ama barnaamijyada kombiyuutarkaaga hababka ogaanshaha joogtada ah, si loogu oggolaado ama hab kale oo xaasidnimo leh oo mudnaanta leh gelitaanka kombiyuutarkaaga.

Rootkits for Windows waxaa sida caadiga ah loo adeegsadaa in laga qariyo software-ka xun, tusaale ahaan, barnaamijka ka hortagga. Waxaa loo isticmaalaa ujeedooyin xaasidnimo leh fayrasyada, Gooryaanka, dhabarka dambe, iyo spyware. Fayras lagu daray rootkit wuxuu soo saaraa waxa loo yaqaanno fayraska qarsoon ee buuxa. Rootkits-ka ayaa aad ugu badan goobta spyware-ka, waxayna hadda sidoo kale noqdeen kuwo aad u isticmaala qorayaasha fayraska sidoo kale.

Hadda waa nooc soo baxaya oo ah Super Spyware kaas oo si wax ku ool ah u qariya oo si toos ah u saameeya kernel-ka nidaamka qalliinka. Waxa loo isticmaalaa in lagu qariyo joogitaanka shay xaasidnimo ah sida trojans ama keyloggers kombayutarkaga. Haddii khatartu isticmaasho tignoolajiyada rootkit si ay u qariso way adagtahay in laga helo malware-ka kombayutarkaga.

Rootkits laftoodu khatar maaha. Ujeedada kaliya ee ay ka leeyihiin waa inay qariyaan software-ka iyo raadadka looga tagay nidaamka hawlgalka. Haddi kani yahay software-ka caadiga ah ama barnaamijyada malware-ka.

Waxaa jira asal ahaan saddex nooc oo kala duwan oo Rootkit ah . Nooca koowaad, " Kernel Rootkits " sida caadiga ah waxay ku daraan koodkooda qaybo ka mid ah nidaamka hawlgalka, halka nooca labaad, " User-mode Rootkits " si gaar ah loogu talagalay Windows si uu u bilaabo si caadi ah inta lagu jiro nidaamka bilowga. ama lagu duray nidaamka waxa loo yaqaan "Dropper". Nooca saddexaad waa MBR Rootkits ama Bootkits^{(MBR Rootkits or Bootkits)} .

Markaad hesho AntiVirus & AntiSpyware -kaaga oo fashilmay, waxa laga yaabaa inaad u baahato inaad caawimo ka qaadato Utility Anti-Rootkit oo wanaagsan^{(good Anti-Rootkit Utility)(good Anti-Rootkit Utility)} . RootkitRevealer ka Microsoft Sysinternals waa utility ogaanshaha rootkit horumarsan. Wax-soo-saarkeedu waxa uu taxayaa diiwaan- gelinta^(Registry) iyo nidaamka faylka API -ga kala duwanaanshiyaha kuwaas oo muujin kara joogitaanka hab- isticmaalaha ama rootkit-ka kernel-ka.

Warbixinta Hanjabaadda Xarunta Ilaalinta Malware Microsoft^{(Microsoft Malware Protection Center Threat Report)} ee  Rootkits

Xarunta Ilaalinta Malware ee Microsoft^{(Microsoft Malware Protection Center)} waxay diyaarisay si loo soo dejiyo Warbixinteeda Hanjabaada^{(Threat Report)} ee Rootkits . Warbixintu waxay eegtaa mid ka mid ah noocyada ugu khiyaano badan ee malware-ka handada ururada iyo shakhsiyaadka maanta - rootkit. Warbixintu waxay eegaysaa sida ay weerarradu u isticmaalaan rootkit-yada, iyo sida rootkits-ku ugu shaqeeyaan kombuyuutarrada ay saameeyeen. Halkan waxaa ah dulucda warbixinta, laga bilaabo waxa ay yihiin Rootkits - ee bilowga ah.

Rootkit waa qalabyo ay adeegsadaan qofka wax weeraray ama abuuraha malware-ku si uu u xakameeyo nidaam kasta oo qarsoon/aan sugnayn kaas oo sida caadiga ah loogu talagalay maamulaha nidaamka. Sannadihii u dambeeyay ereyga 'ROOTKIT' ama 'ROOTKIT FUNCTIONALITY' waxaa beddelay MALWARE - oo ah barnaamij loogu talagalay inuu saameyn aan loo baahnayn ku yeesho kombuyuutar caafimaad qaba. Shaqada ugu weyn ee Malware waa in ay xogta qiimaha leh iyo agabka kale kala baxdo kumbiyuutarka isticmaalaha si qarsoodi ah oo ay siiso qofka weerarka geystay, si ay si buuxda u maamusho kombayutarka la dhibay. Waxaa intaa dheer, way adagtahay in la ogaado lagana saaro waxayna sii qarsoonaan karaan muddo dheer, suurtogal ah sanado, haddii aan la dareemin.

Markaa si dabiici ah, calamadaha kumbiyuutarka la jabsaday waxay u baahan yihiin in la qariyo oo la tixgeliyo ka hor inta aanay natiijadu caddaynin dhimasho. Gaar ahaan, waa in la qaado tillaabooyin amni oo adag si loo daah furo weerarka. Laakin, sidaan soo sheegnay, marka rootkits/malware-ka la rakibo, awoodeeda qarsoodiga ah ayaa adkeynaysa in laga saaro iyo qaybaha uu ka soo dejisan karo. Sababtan awgeed, Microsoft waxay abuurtay warbixin ku saabsan ROOTKITS .

Warbixinta oo ka kooban 16 bog ayaa qeexaysa sida uu weeraryahanku u isticmaalo rootkit-yada iyo sida rootkit-yadaan ay ugu shaqeeyaan kombayutarada ay saameysay.

Ujeedada kaliya ee warbixintu waa in la aqoonsado oo si dhow loo baaro malware-ka awooda leh ee khatarta ku ah ururo badan, gaar ahaan isticmaalayaasha kombuyuutarrada. Waxa kale oo ay sheegaysaa qaar ka mid ah qoysaska malware-ka baahsan oo keenaya iftiinka habka ay weeraryahanadu u adeegsadaan inay ku rakibaan rootkits-kan ujeedooyinkooda gaarka ah ee hababka caafimaadka leh. Inta ka hartay warbixinta, waxaad ka heli doontaa khabiiro soo jeedinaya qaar ka mid ah talooyinka si ay uga caawiyaan isticmaalayaasha inay yareeyaan khatarta rootkits.

Noocyada Rootkits

Waxaa jira meelo badan oo malware-ku isku rakibi karo nidaamka hawlgalka. Sidaa darteed, inta badan nooca rootkit-ka waxaa lagu go'aamiyaa meesha uu ku yaal halkaasoo uu ku fulinayo burburintiisa waddada fulinta. Tan waxaa ka mid ah:

1. Habka Isticmaalaha Rootkits
2. Qaabka Kernel Rootkits
3. MBR Rootkits/bootkits

Saamaynta suurtogalka ah ee habka kernel-ka-ahaanshaha rootkit-ka waxaa lagu muujiyey sawirka-shaashadda hoose.

Nooca saddexaad, wax ka beddel Diiwaanka Bootka Master^{(Master Boot Record)} -ka si aad u heshid kantaroolka nidaamka oo aad bilowdo habka rarida meesha ugu horreysa ee suurtogalka ah ee taxanaha boot3. Waxay qarisaa faylasha, wax ka beddelka diiwaangelinta, caddaynta isku xirka shabakada iyo sidoo kale tilmaamayaasha kale ee suurtogalka ah ee muujin kara jiritaankeeda.

Qoysaska caanka ah ee Malware ee isticmaala shaqada Rootkit

• Win32/Sinowal 13 – Qayb ka kooban qaybo badan oo malware ah oo isku dayaya inay xadaan xogta xasaasiga ah sida magacyada isticmaalayaasha iyo furayaasha sirta ah ee nidaamyada kala duwan. Tan waxaa ka mid ah isku dayga lagu xado tafaasiisha aqoonsiga ee kala duwan ee FTP , HTTP , iyo xisaabaadka iimaylka, iyo sidoo kale aqoonsiga loo isticmaalo bangiyada online-ka ah iyo macaamil ganacsiyada kale ee maaliyadeed.
• Win32/Cutwail 15 – Trojan oo soo dejisa oo fuliya faylal aan sabab lahayn. Faylasha la soo dejiyey waxaa laga yaabaa in lagu fuliyo saxanka ama waxaa si toos ah loogu duraa habab kale. Iyadoo shaqada faylalka la soo dejiyey ay kala duwan yihiin, Cutwail wuxuu^(Cutwail) inta badan soo dejiyaa qaybaha kale ee soo dira spamka. Waxay isticmaashaa rootkit-qaabka kernel-ka waxayna ku rakibtaa dhawr qalab si ay uga qariso qaybaheeda isticmaalayaasha ay saamaysay.
• Win32/Rustock  - Qaybo badan oo ka mid ah qoyska rootkit-awood dhabarka dambe ee Trojans ayaa markii hore loo sameeyay si ay u caawiyaan qaybinta "spam" emaylka iyada oo loo marayo botnet . Botnet-ku waa shabakad weyn oo kombuyuutarrada la xakameeyey ay gacanta ku hayaan weeraryahannada.

Ka-hortagga rootkits

Ka hortagga rakibidda rootkits waa habka ugu waxtarka badan ee looga fogaado infekshinka rootkits. Taas awgeed, waxaa lagama maarmaan ah in la maalgeliyo tignoolajiyada ka hortagga sida fayraska ka hortagga iyo alaabada dabka. Alaabooyinka noocan oo kale ah waa inay qaataan hab dhammaystiran oo lagu ilaalinayo iyadoo la adeegsanayo ogaanshaha ku salaysan saxeexa dhaqameed, ogaanshaha heuristic, awood saxeexa firfircoon iyo ka jawaab celinta iyo la socodka dhaqanka.

Dhammaan xirmooyinkan saxeexa waa in la cusboonaysiiyaa iyadoo la adeegsanayo hab casriyeyn oo toos ah. Xalalka ka hortagga fayraska Microsoft^(Microsoft) waxa ku jira tiro teknooloji ah oo si gaar ah loogu habeeyey si loo yareeyo rootkits-ka, oo ay ku jiraan la socodka habdhaqanka kernel-ka nool ee ogaanshaha iyo ka warbixinada isku dayga lagu doonayo in wax lagaga beddelo kernel-ka nidaamka la saameeyey, iyo nidaamka faylalka tooska ah ee falanqaynta taasoo sahlaysa aqoonsiga iyo saarista darawallada qarsoon.

Haddii nidaamka la helo in la jabiyay markaas qalab dheeraad ah oo kuu ogolaanaya inaad u kabto deegaan wanaagsan ama la aamini karo ayaa laga yaabaa inay faa'iido u yeelato sababtoo ah waxay soo jeedin kartaa qaar ka mid ah tallaabooyinka hagaajinta ee habboon.^{(If a system is found compromised then an additional tool that allows you to boot to a known good or trusted environment may prove useful as it may suggest some appropriate remediation measures.)}

Xaaladahan oo kale,

1. Qalabka xaaqida ee Standalone System^{(Standalone System Sweeper)} (qayb ka mid ah Qalabka Baarista^{(Diagnostics)} iyo Soo-kabashada ^{(Recovery Toolset)}Microsoft ( DaRT )
2. Khadka Tooska ah ee Difaaca^{(Defender Offline)} Windows ayaa laga yaabaa inay faa'iido leedahay.

Wixii macluumaad dheeraad ah, waxaad kala soo bixi kartaa warbixinta PDF ka Microsoft Download Center.

What is Rootkit? How do Rootkits work? Rootkits explained.

Whilе it is possiblе to hide malware in a waу that will fоol even the traditional antivirus/antispyware products, mоst malware programs are already using rootkits to hide deep on yoυr Wіndowѕ PC … and they arе getting more dangerous! The DL3 rootkit is one of the most advanced rootkits ever ѕeen in the wild. The rootkіt was stable and could infect 32 bit Windows operating systems; although administrator rights wеre needed to install the infeсtion in the system. But TDL3 has now been updated and is now able to infect even 64-bit versions  Windows!

What is Rootkit

A Rootkit virus is a stealth type of malware that is designed to hide the existence of certain processes or programs on your computer from regular detection methods, so as to allow it or another malicious process privileged access to your computer.

Rootkits for Windows are typically used to hide malicious software from, for example, an antivirus program. It is used for malicious purposes by viruses, worms, backdoors, and spyware. A virus combined with a rootkit produces what is known as full stealth viruses. Rootkits are more common in the spyware field, and they are now also becoming more commonly used by virus authors as well.

They are now an emerging type of Super Spyware that hides effectively & impacts the operating system kernel directly. They are used to hide the presence of malicious object like trojans or keyloggers on your computer. If a threat uses rootkit technology to hide it is very hard to find the malware on your PC.

Rootkits in themselves are not dangerous. Their only purpose is to hide software and the traces left behind in the operating system. Whether this is normal software or malware programs.

There are basically three different types of Rootkit. The first type, the “Kernel Rootkits” usually add their own code to parts of the operating system core, whereas the second kind, the “User-mode Rootkits” are specially targeted to Windows to startup up normally during the system start-up, or injected into the system by a so-called “Dropper”. The third type is MBR Rootkits or Bootkits.

When you find your AntiVirus & AntiSpyware failing, you may need to take the help of a good Anti-Rootkit Utility. RootkitRevealer from Microsoft Sysinternals is an advanced rootkit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

Microsoft Malware Protection Center Threat Report on Rootkits

Microsoft Malware Protection Center has made available for download its Threat Report on Rootkits. The report examines one of the more insidious types of malware threatening organizations and individuals today — the rootkit. The report examines how attackers use rootkits, and how rootkits function on affected computers. Here is a gist of the report, starting with what are Rootkits – for the beginner.

Rootkit is a set of tools that an attacker or a malware creator uses to gain control over any exposed/unsecured system which otherwise is normally reserved for a system administrator. In recent years the term ‘ROOTKIT’ or ‘ROOTKIT FUNCTIONALITY’ has been replaced by MALWARE – a program designed to have undesirable effects on a healthy computer. Malware’s prime function is to withdraw valuable data and other resources from a user’s computer secretly and provide it to the attacker, thereby giving him complete control over the compromised computer. Moreover, they are difficult to detect and remove and can remain hidden for extended periods, possibly years, if gone unnoticed.

So naturally, the symptoms of a compromised computer need to be masked and taken into consideration before the outcome proves fatal. Particularly, more stringent security measures should be taken to uncover the attack. But, as mentioned, once these rootkits/malware are installed, its stealth capabilities make it difficult to remove it and its components that it might download. For this reason, Microsoft has created a report on ROOTKITS.

The 16-page report outlines how an attacker uses rootkits and how these rootkits function on affected computers.

The sole purpose of the report is to identify and closely examine potent malware threatening many organizations, computer users in particular. It also mentions some of the prevalent malware families and brings into the light the method the attackers use to install these rootkits for their own selfish purposes on healthy systems. In the remainder of the report, you will find experts making some recommendations to help users mitigate the threat from rootkits.

Types of Rootkits

There are many places where malware can install itself into an operating system. So, mostly the type of rootkit is determined by its location where it performs its subversion of the execution path. This includes:

1. User Mode Rootkits
2. Kernel Mode Rootkits
3. MBR Rootkits/bootkits

The possible effect of a kernel-mode rootkit compromise is illustrated via a screen-shot below.

The third type, modify the Master Boot Record to gain control of the system and start process of loading the earliest possible point in the boot sequence3. It hides files, registry modifications, evidence of network connections as well as other possible indicators that can indicate its presence.

Notable Malware families that use Rootkit functionality

• Win32/Sinowal13 – A multi-component family of malware that tries to steal sensitive data such as user names and passwords for different systems. This includes attempting to steal authentication details for a variety of FTP, HTTP, and email accounts, as well as credentials used for online banking and other financial transactions.
• Win32/Cutwail15 – A Trojan that downloads and executes arbitrary files. The downloaded files may be executed from disk or injected directly into other processes. While the functionality of the downloaded files is variable, Cutwail usually downloads other components that send spam. It uses a kernel-mode rootkit and installs several device drivers to hide its components from affected users.
• Win32/Rustock – A multi-component family of rootkit-enabled backdoor Trojans initially developed to aid in the distribution of “spam” email through a botnet. A botnet is a large attacker-controlled network of compromised computers.

Protection against rootkits

Preventing the installation of rootkits is the most effective method to avoid infection by rootkits. For this, it is necessary to invest in protective technologies such as anti-virus and firewall products. Such products should take a comprehensive approach to protection by using traditional signature-based detection, heuristic detection, dynamic and responsive signature capability and behavior monitoring.

All these signature sets should be kept up to date using an automated update mechanism. Microsoft antivirus solutions include a number of technologies designed specifically to mitigate rootkits, including live kernel behavior monitoring that detects and reports on attempts to modify an affected system’s kernel, and direct file system parsing that facilitates the identification and removal of hidden drivers.

If a system is found compromised then an additional tool that allows you to boot to a known good or trusted environment may prove useful as it may suggest some appropriate remediation measures.

Under such circumstances,

1. The Standalone System Sweeper tool (part of the Microsoft Diagnostics and Recovery Toolset (DaRT)
2. Windows Defender Offline may be useful.

For more information, you can download the PDF report from Microsoft Download Center.

Related posts

• Sidee Looga Fogaadaa Khayaanada Khiyaamada iyo Weerarada?

• Waa maxay Gelitaanka Fog ee Trojan? Kahortagga, Ogaanshaha & Ka saarida

• Ka saar fayraska USB Flash Drive adoo isticmaalaya Command Prompt ama Faylka Dufcada

• Rogue Security Software ama Scareware: Sida loo hubiyo, looga hortago, looga saaro?

• Waa maxay Win32:BogEnt iyo sida loo saaro?

• Sida loo uninstall ama ka saaro Driver Tonic ka Windows 10

• Waa maxay FileRepMalware? Ma ka saartaa?

• Sida looga saaro Chromium Virus ka Windows 11/10

• Sida loo isticmaalo Malwarebytes Anti-Malware si meesha looga saaro Malware

• Sida loo hubiyo in faylku xaasid yahay iyo in kale Windows 11/10

• Sida loo hubiyo Registry for malware gudaha Windows 11/10

• Cryptojacking khatarta macdanta birawsarka cusub ee aad u baahan tahay inaad wax ka ogaato

• Weerarada Nuglaanta Afduubka DLL, Kahortagga & Ogaanshaha

• Spyware-ka ugu Fiican iyo Software ka saarida Malware

• Waa maxay weerarka Backdoor? Macnaha, Tusaalooyinka, Qeexitaannada

• Waa maxay IDP.Generic iyo Sidee si badbaado leh looga saaraa Windows?

• Hagaaji raadinta khaladka dhacay markii la wado chrome Malware Scanner

• Afduubka Browser-ka iyo Aaladaha Ciribtirka Af-duubaha Biraawsarkaaga

• Soo-gudbinta Malware: Halkee loo gudbiyaa faylasha malware-ka Microsoft iyo kuwa kale?

• Barnaamijyada ama Codsiyada aan la rabin ee suurtogalka ah; Iska ilaali inaad ku rakibto PUP/PUA