Windows Rootkit Analysis Report
- 243 pages
- November 2008
This report focuses on Windows rootkits and their effects on computer systems. We also suggest that combining deployment of a rootkit with a bot makes for a very stealthy piece of malicious software.
We have used various monitoring tools on each of the rootkits and have included most, but not all, of the monitor logs due to space constraints. However, if a log is needed for perusal, it is available. Some of the rootkits we investigated contained readme files which were, for the most part, quite informative and actually substantiated some of our monitoring log findings. For the rootkits that contained readme files, we have either included them within the document or provided a link to them.
At the beginning of this report we have included clean monitoring logs from two different tools that we employed on the rootkits. We have other clean logs but did not include them for the sake of space. As with the rootkit logs, these clean logs will be available if needed.
Most of the rootkits that we studied had executable files included in their collection of files and folders. Our monitoring process took place after executing these files. In the group of eleven rootkits that we were given there were two rootkits that did not contain executable files (AK922 and NTRootkit); at the time of this report’s submission we do not have monitoring logs for these, but we are working toward that goal.
It is our hope that the logs included in this report will give an understanding of how each rootkit affects the computer system. Further, we would like to think that it will help in the efforts to create a new software tool which might discover and eradicate these computer irritants more efficiently and consistently than what is available at the present time.