Deeply Hidden, and Heavily Protected, Malware
Some malware, besides making it impossible for you to interrupt its processes, will make it impossible for you to even locate on your computer. This is called rootkit protection.
Any program that lists ("enumerates") objects on your computer, for instance,
- Process Explorer - lists processes and services running.
- Windows Explorer - lists files and folders in mass storage.
each of these programs depends upon system functions to tell it what is on your computer. None of these programs gets its list straight from system inventories, they ask system functions for a copy of those lists. Why is this relevant? Because, like any copy, things can be omitted when copying.
If your computer is infected by malware that's using rootkit protection, the system functions that enumerate processes and services, or those that enumerate files and folders, may have been customised. When Process Explorer asks for a list of processes, or Windows Explorer asks for a list of folders in storage, the list returned by the system may be filtered by the rootkit function.
Knowing what folders and processes are related to the protected malware, the rootkit function will simply not list those items. If "C:\Malware" contains the program library for the malware that has infected your computer, "C:\Malware" simply won't be listed by Windows Explorer. You can't delete what you can't see.
That's the bad news. Now the good news.
Any file, folder, process, or service, that isn't enumerated by a system function, is quite likely malware. There are several special programs, distributed by security experts, that enumerate system objects by bypassing the rootkit functions. They compare the results with a normal enumeration, calling the standard (and possibly rootkitted) system functions. If there are objects in the former list, that are not in the latter list, those objects are quite possibly rootkit protected malware.
Two of these special programs are
- F-Secure Blacklight.
- SysInternals RootkitRevealer.
That's the good news. Now for the bad news, again. Many experts believe, that if Blacklight, RootkitRevealer, or a similar program, identify unknown system objects, your computer is probably compromised beyond reliablity. In this case, the only option is to nuke and pave.
>> Top