Dr.Web: removing rootkits from a smartphone. Kaspersky TDSSKiller, the rootkit removal program from Kaspersky Lab

The origin of the term "rootkit" goes back to the UNIX family of operating systems. In English, "rootkit" consists of two words: root, the superuser (the equivalent of the Administrator in Windows), and kit, a set of software. Together they denote a set of software that allows an attacker to get "privileged" access to the system, naturally without the consent of that administrator. The first rootkits appeared in the early 1990s and for a long time were a feature exclusively of UNIX systems, but good ideas, as you know, spread, and the end of the 20th century was marked by the mass appearance of malicious programs of this kind running under Windows.

Who uses rootkits and why

The main function a rootkit performs is to provide remote access to the system. In other words, rootkits give their creators almost unlimited power over the computers of users who suspect nothing. Once embedded in the system, such malicious programs can easily intercept and modify low-level API functions, which lets them hide their presence on the computer very effectively from both the user and antivirus software.

It cannot be said that a rootkit is exclusively a malicious program. In essence, the overwhelming majority of software copy-protection tools (as well as the means of circumventing that protection) are rootkits. Take, for example, the notorious case in which the Japanese corporation Sony embedded a utility of this kind in its licensed audio discs.

How rootkits are distributed

The most popular distribution method is via instant messaging programs. Once on a computer, the rootkit sends messages with malicious attachments to every address in the contact list. A more modern approach is to embed malicious code in PDF files; to activate it, the victim only has to open the file.

What kinds of rootkits are there

There are several types of rootkits, which differ in the degree of their impact on the system and in how hard they are to detect. The simplest is the rootkit that operates at the user level (user mode). It runs on the computer with administrator rights, which lets it successfully hide its presence by passing off its own actions as the work of system services and applications. Although it is quite difficult to get rid of (the malicious program creates copies of the files it needs on the hard disk partitions and starts automatically with every system start), this is the only type that antivirus and anti-spyware programs are able to detect.

The second type is rootkits operating at the kernel level (kernel mode). Realizing that a malicious program operating at the user level can be detected, developers created a rootkit capable of intercepting functions at the level of the operating system kernel. One sign of its presence on a computer is instability of the operating system.

Hybrid rootkit. This type of malware combines the ease of use and stability of user-mode rootkits with the stealth of kernel-level ones. The mix turned out to be very successful and is currently in wide use.

Firmware-modifying rootkit. Its distinguishing feature is the ability to write itself into firmware. Even if an antivirus program detects and removes the rootkit, after a reboot it is able to return to the system again.

What are the symptoms of a rootkit infection

As mentioned, detecting their presence in the system is extremely difficult, but there are some signs that suggest infection:

  • The computer does not respond to mouse and keyboard actions.
  • Operating system settings change without the user's involvement; this is one of the ways a rootkit hides its actions.
  • Network access is unstable because of significantly increased Internet traffic.

It is worth noting that a properly working rootkit is quite capable of preventing all of these symptoms except the last one, and even that only when the computer acts as a spam relay or takes part in DDoS attacks (the traffic volume sometimes grows so much that it cannot be hidden).

Detection. Unfortunately, most modern antiviruses will not react to the appearance of a rootkit, because its main goal is to hide itself and everything connected with it. Almost all so-called copy-protection tools, as well as CD and DVD drive emulator programs, are also rootkits. Special programs are required to detect and delete rootkits.

Step 2

Sophos Anti-Rootkit utility. This is a small program for finding and destroying rootkits that works on all versions of Windows starting with XP. You can download the program from the official site. Working with it is very simple: select the objects to scan and click the Start Scan button. After the scan, select the objects found and click Clean Up Checked Items to remove them.

Step 3

RootkitBuster. This is another free tool for destroying rootkits. No installation is required: unpack the archive and run the file RootkitBuster.exe. You can download it from here. To start scanning, click Scan Now. The utility scans all files, registry branches, drivers and the MBR. If rootkits are found, the program displays a list of them; select the objects and click Delete Selected Items.

Step 4

Signs of infection. So, how do you know whether your computer is infected with rootkits? Most signs are similar to those of a virus: data being sent without your command, hangs, something launching without authorization, and so on. The difference is that, unlike rootkits, viruses are detected by an antivirus. If the symptoms of a virus appear and the antivirus finds nothing, the likelihood of a rootkit infection is high. Install a firewall; if it notifies you about an attempt by any program to access the Internet (nothing except the browser and antivirus has any business there), block it.

  • Update the antivirus and the OS on time.
  • Install a firewall, such as Comodo.
  • Connect only trusted flash drives to the PC.
  • While the anti-rootkit scanner runs, temporarily turn off the antivirus, the firewall and the Internet.
  • Do not let outsiders use your PC!

Until recently, attackers wrote only viruses, which protective programs caught and neutralized without any trouble. It was enough to install and properly configure an antivirus system, regularly update its databases ... and live in peace.

Today, Internet attackers operate on a far larger scale! They are no longer satisfied with "merely" infecting hundreds of thousands of computers, or even with a pandemic of a new virus. They seek to gain control over a multitude of PCs and use them for their dark deeds. From millions of infected systems they build huge networks managed over the Internet. Using the gigantic computing power of such "zombie networks", one can, for example, carry out mass spam mailings and organize hacker attacks of unprecedented power. A new, particularly dangerous type of malicious program is very often used as an auxiliary tool for such purposes: the rootkit.

What are rootkits?

Rootkits not only hide themselves, but also hide other malware that has penetrated the system. The purpose of the disguise is to take over someone else's computer unnoticed by antiviruses and other protective programs. Rootkits such as Hacker Defender have highly sophisticated tricks in stock. Bypassing the firewall, this disguised "pest" opens secret loopholes to the Internet that allow hackers to manage the infected computer. Through the "back door" created by the rootkit, one can obtain confidential data (for example, passwords) or introduce other malicious programs into the system. Rootkits are still few in number. Unfortunately, however, "constructors" have been created for them (as for viruses), with which even inexperienced hooligans can build "disguised pests" (see the insert on page ??) and use them as they see fit. Most antivirus programs recognize such malicious "software" while it is inactive (say, "dormant" as a document attached to an e-mail). But one double-click on the seemingly innocuous file, and the rootkit is activated and "burrows" into the innermost depths of the system. After that, only special applications are able to find it and neutralize it. ComputerBild tested 8 programs whose task is to recognize and remove rootkits. All test participants are on the DVD attached to this issue of the magazine.

The Trojan's journey

The rootkit sneaks into the computer to use it for criminal purposes. It may arrive attached to an e-mail, for example as an invoice in PDF format. If you click on the supposed invoice, the invisible pest is activated.

The rootkit then burrows deep into the Windows operating system and alters one of the library files (*.dll). The sequence of commands that governs the correct operation of programs thereby falls under the control of the pest.

"Seizure of power". The rootkit remains unnoticed and calmly downloads other malicious "software" from the Internet. The new pests are disguised by the rootkit. Now the computer can be used for various fraudulent actions, for example for spam mailings.

How do rootkits disguise themselves?

Antivirus programs usually recognize malicious "software" by signatures, characteristic chains of code in the body of the virus. These are a kind of "distinguishing marks" by which a "pest" can be identified and destroyed. Makers of protective programs regularly publish updates with the latest detected signatures. In addition, antiviruses recognize "pests" by certain features of their behavior; this method is called "heuristic analysis". If, for example, a certain program is about to delete all the MP3 files stored on the hard disk, it is most likely a virus whose work must be blocked and which must be destroyed.

To deceive antivirus programs, rootkits manipulate the processes by which computer applications exchange data. From these data flows they delete information about themselves and other pests. The antivirus receives false information and believes that "all is quiet in Baghdad".

Some rootkits (the so-called "user-mode rootkits") intercept the data flows between programs (for example, between Windows and the antivirus) and manipulate them as they see fit.

Other rootkits (called "kernel-mode rootkits") "sit" deeper, between individual Windows components or even in the system registry, and from there send false data from

How do rootkits spread?

  • Sometimes rootkits arrive in e-mail attachments, disguised as documents of various formats (for example, PDF). In reality such an "imaginary document" is an executable file. Whoever tries to open it activates the rootkit.
  • Another distribution path is websites that have been tampered with by hackers. An unsuspecting user simply opens the web page, and the rootkit lands on his computer. This is possible because of "holes" in the browsers' security.

"Homemade" rootkits

Thousands of computers infected with rootkits form huge "zombie networks" used to send spam behind the backs of unsuspecting users. Until recently, it was believed that such schemes were available only to experienced professional programmers. However, the situation may change in the near future. So-called toolkits for building hidden pests are increasingly found on the Internet, for example the quite popular Pinch. With this "software", even an inexperienced user can create an "invisible pest" ... Its basis is the Pinch Builder Trojan, which can be equipped with a variety of malicious functions through the Pinch software interface. According to information published on the website of the antivirus maker Panda Software, the Pinch Builder Trojan can:

  • steal browser passwords, in particular from Mozilla and Opera, and send them to Internet fraudsters; thanks to access to special areas of Windows, it is also able to extract Internet Explorer and Outlook passwords;
  • read data entered from the keyboard (in particular passwords) and transmit it to the Internet;
  • hide its malicious functions: the program skillfully shields Trojan processes from detection by antivirus "software".

Andreas Marx, an expert at the AV-Test antivirus test laboratory, which regularly conducts tests for ComputerBild, confirms: "Kits for creating Trojans are already being sold on special websites for a few hundred euros. If a wide wave of such homemade 'pests' spreads across the Internet, rootkits will become a real disaster for users."

How to get rid of rootkits?

Install the Gmer program that won our test. It reliably detects rootkits and hidden "pests" of other types, and can also remove most of them. The remaining rootkits can be "finished off" with the AVG Anti-Rootkit utility. After deleting the "pests", check the system with a conventional antivirus, for example the one from the Kaspersky Internet Security package.

Summary of test results

Our test of 8 anti-rootkit programs showed that there is a reliable remedy against these cunning pests. True, to get rid of the uninvited guests you will have to send several "hunters" in search of rootkits at once.

Rootkit detection

During testing, it turned out that not all the "rootkit hunters" were able to expose the disguised "pests". Only three programs managed to detect all active rootkits: the test winner Gmer 1.0, AVG Anti-Rootkit and Rootkit Unhooker. Anyone who uses these applications can be confident that his computer will not fall prey to an invasion of "invisible pests". In addition, Gmer was the only program able to find all the rootkits in alternate data streams.

Rootkit removal

Things were no better when it came to removing the malicious "software". Although Gmer found all the rootkits, it was able to destroy only 63% of them, along with 87% of the other dangerous programs disguised "for company". The pests hidden in alternate data streams fared even worse: not one of them remained on the hard disks of the test computers. This brought the program victory. The runner-up, however, removed a share of active rootkits almost a quarter higher (86.67%). In the unlikely event that test winner Gmer cannot remove all the pests from the hard disk, AVG Anti-Rootkit will finish the job.

Too complicated to operate

That detecting hidden malicious "software" is serious business is evident from how complicated the programs are to operate. The interface of all the applications in the test is in English, and incomprehensible messages can confuse even an experienced user ...

Outcome

To our delight, the test winner, Gmer 1.0, and the runner-up, AVG Anti-Rootkit, found all 30 rootkits "hidden" on the test computers and regularly reported other hidden hazards. Gmer, moreover, recognized all the "disguised pests" hidden in alternate data streams (this is exactly what brought it first place in the overall standings). Both Gmer and AVG Anti-Rootkit remove most of the "pests" they find, but still not all ... the maximum effect is achieved by using these two programs together. All the other anti-rootkit programs received a "bad" rating.

The variety of computer viruses keeps growing, and attackers keep coming up with new ways to harm users and profit themselves. A few years ago, the top priority of virus creators was to hack the user's computer, then notify the user of it and demand money. Now it is far more interesting for virus creators to bring a user's computer under their control so as to use it later, for example for sending spam, mining and other activities. The tool-virus used to "capture" users' computers is the rootkit.

What are rootkits

Rootkits are malicious programs that penetrate the computer in various ways. For example, a rootkit can reach the computer with a program downloaded from the Internet, or with a file attached to a letter. By activating the rootkit on the computer, the user actually gives intruders access to his PC. After activation, the rootkit makes changes to the registry and the Windows libraries, opening up the ability for its "master" to control this computer.

Please note: ordinary mass-market antiviruses are able to "catch" a rootkit at the stage of downloading it from the Internet. But once it has made changes to how the system works, they no longer see that the virus has struck the computer and cannot solve the problem.

Through a rootkit, hackers can obtain all the information they need from the computer. This may be confidential data (logins, passwords, correspondence, bank card details, etc.). In addition, through rootkits hackers can control the computer and perform various actions, including fraudulent ones.

Example: a rootkit landed on a user's computer. After some time, the Internet provider disconnected him from the network, citing "mass flooding". As it turned out, the user's computer was sending broadcast data packets over the network to all network users at a rate of several thousand per minute (whereas in normal mode a user sends 10-15 such packets).

There are countless examples of how hackers can use rootkits on a user's computer. Accordingly, these viruses are extremely dangerous, and you should not let your computer become infected with them.

Please note: sometimes rootkits enter the computer completely legally, together with one of the programs downloaded from the Internet. Users rarely read license agreements, and in them the program's creators may state that a rootkit will be installed along with their application.

How to tell that there is a rootkit on the computer

From the point of view of detection, a rootkit is an extremely unpleasant virus. Not all antivirus programs see it, especially after it has embedded itself in the system, and there are practically no explicit signs that it has "settled" on the computer. Among the signs that may indicate the presence of a rootkit on the computer, it is worth highlighting:

  • Mass sending of data over the network when all applications that interact with the Internet are deactivated. Unlike many "ordinary" viruses, rootkits often mask this factor, since many of them work in "manual" mode. That is, the mass forwarding of data may happen not constantly but only at certain moments, which makes it extremely difficult to "catch" in the act.
  • The computer slowing down. Depending on what actions the rootkit's owner performs with the victim's computer, the load on the hardware varies. If, for no apparent reason, a computer (especially a low-powered one) has begun to slow down on its own, and this is hard to link to the activity of any running applications, a rootkit that has got in may be to blame.
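The ISP example above (several thousand broadcast packets a minute against a normal 10-15) and the first symptom (bursts that come and go, so a spot check finds nothing) can be turned into a simple check on a packet log. The Python below is an added example, not code from any of the sources this page draws on: it builds a constructed capture summary, counts broadcast packets per source and minute, flags minutes above ten times the normal rate, and shows how normal the flooding host looks the rest of the time.

```python
from collections import Counter
from datetime import datetime

NORMAL_PER_MINUTE = 15   # upper end of the normal broadcast rate quoted in the text

def build_sample():
    """Constructed capture summary (not a real capture). One line per packet:
    '<ISO timestamp> <src> <dst> <proto> <bytes>'. Minutes 12:00-12:19 are
    quiet (12 packets each); 12:20 carries a burst of 3000 from the same host,
    which is the intermittent pattern the text describes."""
    host, bcast = "192.168.1.23", "192.168.1.255"
    lines = []
    for minute in range(20):
        for sec in range(0, 60, 5):
            lines.append(f"2024-01-01T12:{minute:02d}:{sec:02d} {host} {bcast} UDP 60")
    for i in range(3000):
        lines.append(f"2024-01-01T12:20:{i % 60:02d} {host} {bcast} UDP 60")
    # A second, healthy host in the burst minute, for comparison.
    for sec in range(0, 60, 10):
        lines.append(f"2024-01-01T12:20:{sec:02d} 192.168.1.50 {bcast} UDP 60")
    return lines

def is_broadcast(dst):
    # Limited broadcast or a /24 directed broadcast (assumed subnet layout).
    return dst == "255.255.255.255" or dst.endswith(".255")

def broadcast_per_minute(lines):
    """Count broadcast packets per (source, minute) bucket."""
    buckets = Counter()
    for line in lines:
        ts, src, dst, _proto, _size = line.split()
        if is_broadcast(dst):
            minute = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")
            buckets[(src, minute)] += 1
    return buckets

def flag_bursts(lines, factor=10):
    """Flag every (source, minute) above factor x the normal rate.
    Per-minute bucketing matters: a rootkit that floods only now and then
    looks normal in most minutes, so a spot check or a long average misses it."""
    limit = NORMAL_PER_MINUTE * factor
    return sorted((src, m, n) for (src, m), n in broadcast_per_minute(lines).items()
                  if n > limit)

def quiet_fraction(lines, src):
    """Share of this source's active minutes that look normal (<= NORMAL_PER_MINUTE)."""
    counts = [n for (s, _m), n in broadcast_per_minute(lines).items() if s == src]
    if not counts:
        return 1.0
    return sum(1 for n in counts if n <= NORMAL_PER_MINUTE) / len(counts)

if __name__ == "__main__":
    sample = build_sample()
    for src, minute, n in flag_bursts(sample):
        print(f"{minute} {src}: {n} broadcast packets (normal <= {NORMAL_PER_MINUTE})")
    print("host .23 looks normal in", round(quiet_fraction(sample, "192.168.1.23"), 2),
          "of its active minutes")
```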

How to remove rootkits

The best tool is an antivirus rescue disk. Many large companies specializing in fighting viruses offer their own antivirus disks. Windows Defender Offline and Kaspersky Rescue Disk cope well with removing rootkits.

Antivirus disks should be chosen for fighting rootkits because, when the antivirus disk is booted, viruses cannot interfere with the system check in any way. This is because antivirus disks work when Windows itself is not running, and so neither are the programs tied to it, including viruses and rootkits.

As you know, there are several basic types of malicious programs. Many users do not distinguish between them, lumping them together under the common name "viruses". As a result, the necessary protection software is either not installed or used incorrectly. Naturally, this approach may jeopardize the security of the system.

Concept and history of rootkits

About 20 years ago, rootkits were created as a kind of add-on to other types of malicious programs: "spyware" and viruses. Their main goal was only to hide such software from the user and the user's protection.

The first such programs appeared in the UNIX era. Today, their activity is mainly related to Windows. Over time, rootkits have changed and today include the full range of functions inherent in malicious programs. With their help, almost any action can be carried out on the victim's device:

  • collect information: passwords, bank data;
  • track behavior on the network;
  • install and delete programs, etc.

That is, in essence, they allow the victim's computer to be driven remotely. Rootkits are now an independent type of malicious software in their own right.

One of their main features, and at the same time one of the threats, is that such pest programs are usually not recognized by standard antiviruses or firewalls. A search often turns up nothing. Therefore, once they have penetrated system files or memory, they can remain unnoticed for many years, harming the device and its owner.

Such applications are specifically created so as to hide from the searches conducted by defender programs. Moreover, some of them are able to disable antiviruses and other security tools. Their arsenal may include various tools:

  • a bot for DDoS attacks;
  • a password "thief";
  • a card scanner;
  • a keyboard "spy" and others.

Controlling someone else's computer is made possible by the backdoor function. Through it the connection is made and the necessary modules are installed. After that, the hacker can do almost anything with the device.

Types of rootkits

Rootkits can be divided into two main categories:

  1. User level: they have rights on the computer on a par with other applications. They interfere with other processes and use their memory. This is the most common kind.
  2. Kernel level: they penetrate the system and get almost unlimited access to any process. They are noticeably rarer, apparently because they are harder to create. They are harder to detect and remove.

Examples of widespread ones:

  • Alureon;
  • TDSS;
  • Necurs.

Besides the main ones, there are rarer forms: bootkits. They modify the bootloader and seize control without waiting for the operating system to start. With the growing importance of smartphones, in the past few years rootkits running on Android have also appeared.

Infection methods

The methods of penetration are no different from those of other classes: viruses, worms, Trojans:

  • visiting unreliable sites ("weak points" in the browser);
  • through other devices; sometimes attackers deliberately leave flash drives in busy places;
  • suspicious files sent by mail, and others.

Detection and fighting them

The question is how to remove rootkits. The difficulties of the fight begin with detection. A search with ordinary means will not give a result. The arsenal of rootkits includes various methods of disguise: hiding files, registry keys, etc. As a rule, special programs are needed to search for the pests. Some of them are designed to detect and remove only one specific type of rootkit, others many types, including unknown ones. The first group includes, for example, TDSSKiller (Kaspersky). The search is usually done using:

  • signature analysis;
  • behavioral analysis;
  • narrowly targeted methods.
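One of the most common narrowly targeted methods, and the answer to the masking described earlier (a user-mode rootkit deleting its own entries from the data flow between Windows and the antivirus), is the cross-view comparison: the same list of objects is taken once through the high-level API a rootkit can hook and once through a lower-level path it usually does not, and anything present in only one view is suspicious. The Python below is an added example and not code from Gmer, TDSSKiller or any other tool named here; it runs the comparison over constructed process and file listings, and on Linux (an assumed environment, not exercised by the demo) can also collect a live pair of views by comparing a readdir of /proc with a brute-force stat of every pid.

```python
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str    # "process" or "file"
    ident: str   # pid or file name
    hint: str    # why the entry is suspicious

def cross_view(api_view, raw_view, kind):
    """Compare two enumerations of the same objects.

    api_view: what the hookable high-level API reported (task manager, dir listing).
    raw_view: what a lower-level path reported (pid brute force, raw directory data).
    Entries only in raw_view are the classic sign of hiding; entries only in
    api_view are reported too, since a persistent mismatch in either direction
    deserves a look (a process that exited between the two passes is benign noise).
    A kernel-mode rootkit hooking below both paths can fool this check, which is
    why the text also recommends scanning from a rescue disk with Windows not running.
    """
    api, raw = set(api_view), set(raw_view)
    findings = [Finding(kind, i, "present in raw view only (possible hiding)")
                for i in sorted(raw - api)]
    findings += [Finding(kind, i, "present in API view only (race or fake entry)")
                 for i in sorted(api - raw)]
    return findings

def proc_views_linux(pid_max=None):
    """Live collection on Linux (assumed environment). The readdir view of /proc
    is what ps and task managers rely on; stat-ing every possible pid bypasses a
    hooked readdir. Returns (api_view, raw_view) as sets of pid strings."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    api_view = {name for name in os.listdir("/proc") if name.isdigit()}
    raw_view = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}")
            raw_view.add(str(pid))
        except FileNotFoundError:
            pass
        except PermissionError:      # exists but not ours to inspect: still a live pid
            raw_view.add(str(pid))
    return api_view, raw_view

# Constructed sample views (not captured from a real machine). Pid 1337 and
# hidden_driver.sys appear only in the raw views, as a hiding rootkit would leave them.
API_PROCS = ["1", "412", "730", "1021"]
RAW_PROCS = ["1", "412", "730", "1021", "1337"]
API_FILES = ["svchost.exe", "explorer.exe"]
RAW_FILES = ["svchost.exe", "explorer.exe", "hidden_driver.sys"]

def demo_findings():
    """Run both comparisons over the constructed views."""
    return (cross_view(API_PROCS, RAW_PROCS, "process")
            + cross_view(API_FILES, RAW_FILES, "file"))

if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.kind:8} {f.ident:20} {f.hint}")
```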

Deleting them is also not easy. Often the process involves several stages. As a result, deletion usually affects many files. If system resources are damaged too badly, sometimes the operating system has to be reinstalled. For simpler cases, the standard disinfection procedure in Kaspersky Internet Security, for example, is quite suitable. To disable the regular rootkit search in Kaspersky Lab products, it is usually enough to open the settings and remove the corresponding tick in the Performance menu item, although this is not recommended.

The TDSSKiller application

One of the programs that can find rootkits is the TDSSKiller utility. It is released by the famous Kaspersky Lab, so there is no reason to doubt it. As the name suggests, its check is aimed at finding one of the common types of rootkits, TDSS. You can check your computer with it free of charge; to do so, it is enough to find it on the official website.

The program does not require installation; after downloading, it can be run immediately. Before starting work, you will have to accept the terms of use. After that, the scan parameters can be changed with the corresponding command. If there are no additional wishes, leave everything at the defaults and click the button in the same window to start the check.

Next, you need to wait a little while the program checks the specified system elements. If dangerous applications are detected, the option to disinfect them is offered. A computer reboot is optional for their removal.

There are other effective anti-rootkit programs. The main thing is not to forget to use them. When choosing an antivirus, it is advisable to pay attention right away to whether it can fight this type of application. Unfortunately, most standard defender programs either lack such a function or it is not effective enough. In that case, it is advisable to replace the antivirus or use a specialized removal program. Only in this way can you protect yourself from the unwanted consequences caused by rootkits.