Tech Off Thread

3 posts


Rootkits on x64 Vista: Are they feasible?

  • TimP

    I've noticed my desktop icons seem to be refreshing a lot more than I remember in the past and any suspicious behavior always triggers paranoid malware fears in my mind, but that's beside the point. I was thinking about the rootkit "epidemic" and was wondering if they're still a legitimate risk on x64 Vista.

    As far as I understand, rootkits that effectively hide their presence (i.e. not showing up in the process list, registry, file system, etc.) require a kernel mode component to intercept queries for information that could reveal them and return a modified result with themselves omitted.

    With x64 Vista closing the door on unsigned kernel drivers, is it still possible to have a truly stealthy rootkit (obviously moot if the rootkit is signed)?

    Have there been any stories of Vista rootkits in the wild?

  • stevo_

    I wouldn't expect you are infected with a rootkit.. and what the rootkit does, it tries to fool the host OS into believing it's talking directly to the hardware, whereas it's actually talking to the rootkit, which is acting as 'proxy'.

    The rootkit then has the ability to 'abuse' whatever data it feels necessary coming from the kernel..

  • figuerres

    TimP wrote:

    I've noticed my desktop icons seem to be refreshing a lot more than I remember in the past and any suspicious behavior always triggers paranoid malware fears in my mind, but that's beside the point. I was thinking about the rootkit "epidemic" and was wondering if they're still a legitimate risk on x64 Vista.

    As far as I understand, rootkits that effectively hide their presence (i.e. not showing up in the process list, registry, file system, etc.) require a kernel mode component to intercept queries for information that could reveal them and return a modified result with themselves omitted.

    With x64 Vista closing the door on unsigned kernel drivers, is it still possible to have a truly stealthy rootkit (obviously moot if the rootkit is signed)?

    Have there been any stories of Vista rootkits in the wild?

    While I have not been spending time on this subject I will say:

    Yes, they are still "possible".

    Just that the methods used by the cracker will have to be altered to fit the new OS.

    I am not so sure that the "signed driver" bit even has much to do with a rootkit --- other than as a way in the door.

    As for your desktop, well... find out what you changed recently.
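The thread turns on whether the x64 driver-signing requirement keeps unsigned code out of the kernel, so the check a defender would actually run is to enumerate the loaded kernel drivers and verify each image's Authenticode signature. The following PowerShell is an added example, not code from the thread or its participants; it assumes an elevated prompt on a Windows host with the standard Win32_SystemDriver WMI class and Get-AuthenticodeSignature cmdlet available, and the helper names Resolve-DriverPath and Get-DriverSignatureReport are the example's own.

```powershell
# Added example (not from the thread): list running kernel-mode drivers and
# check the Authenticode signature on each image. Assumes an elevated prompt
# and PowerShell 2.0 or later (Get-WmiObject, Get-AuthenticodeSignature).

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver reports image paths in several NT-style forms;
    # normalize them to ordinary Win32 paths before touching the file.
    $p = $RawPath
    if ($p -match '^\\\?\?\\(.*)$')       { $p = $matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\')  { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    $drivers = Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        if (-not $d.PathName) {
            New-Object PSObject -Property @{ Name=$d.Name; Path=''; Status='NoPath'; Signer='' }
            continue
        }
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path $path)) {
            # A running driver whose image cannot be seen on disk deserves a closer look.
            New-Object PSObject -Property @{ Name=$d.Name; Path=$path; Status='ImageNotFound'; Signer='' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Status values include Valid, NotSigned, HashMismatch and UnknownError.
        New-Object PSObject -Property @{ Name=$d.Name; Path=$path; Status=$sig.Status; Signer=$signer }
    }
}

# Anything without a valid signature sorts to the top of the table.
Get-DriverSignatureReport |
    Sort-Object @{Expression={ $_.Status -eq 'Valid' }}, Name |
    Format-Table Name, Status, Signer, Path -AutoSize
```

Two caveats: many inbox Microsoft drivers are catalog-signed rather than carrying an embedded signature, so on older hosts a NotSigned result means "verify against the catalog" rather than "unsigned"; and, as TimP's post notes, a resident kernel-mode rootkit can intercept exactly the queries this script relies on, so treat the result as one view to be cross-checked (for example from offline boot media) rather than as proof of a clean system.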
