DeepMonitor - Detect Hidden Process and Rootkit
section: download, for your questions: KezNews forum, 4.6.2008
A rootkit is a computer security threat designed to modify the core software components of the system, inserting code that attempts to hide the “infection” and provides some additional feature or service to the attacker.
Some advanced trojans also have the capability to hide themselves using rootkit techniques. One example is Bifrost, which is able to unhook kernel-mode hooks in order to bypass more firewalls.
Nowadays many security suites, such as Kaspersky Internet Security and Norton Internet Security, are able to detect and defend against rootkits. If you are like me and don’t like installing and using bloated security suites, you can try this very small and simple yet powerful hidden process detector. It claims to detect most rootkit technologies!
DeepMonitor is a hidden process detector, for Windows XP SP2 only, that defeats most rootkit technologies. It can also detect some hidden injected module techniques. Although it is very good at detecting hidden processes, this tool can’t tell you whether a normal running process that is visible in Windows Task Manager is dangerous or not. Take svch0st.exe as an example. By looking at the filename, it is obviously a virus or spyware, because the letter O has been replaced by the number zero (0). If you run DeepMonitor, it will also show svch0st.exe, but it will not warn you, because it is not a hidden process.
One technique that many trojan authors use to defeat traditional security measures is to co-opt other applications to do their dirty work. For example, a trojan can take control of privileged applications, such as Internet Explorer or Firefox, and carry out all of its malicious activity through them. All of the attacks then appear to come from Internet Explorer or Firefox, not from the actual trojan.
One of the trojans that does this is Bifrost. This trojan injects code into the explorer.exe process, which then spawns a non-visible Internet Explorer (iexplore.exe) or Firefox (firefox.exe) process. The trojan then injects extra code into iexplore.exe (not as an extra DLL; it writes the malicious code directly into the memory space of iexplore.exe). This extra code then causes iexplore.exe to act as a backdoor into the computer, from which an attacker has complete visibility of the file system and registry.
I tried infecting my own computer with Bifrost while DeepMonitor was monitoring my system. DeepMonitor detected a hidden process and showed a warning through a tray balloon notification.
When I launched DeepMonitor from the Windows tray bar, it showed firefox.exe in red, which is a hidden process. The blue ones are legitimate processes. I can double-click on a process for more information or kill the process. When I checked Windows Task Manager, firefox.exe also appeared in the list, but I wouldn’t know whether it had been tampered with or not.
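As an added example (not DeepMonitor’s own code, whose internals are not published on this page), the following Python script shows the two checks the article contrasts: a cross-view comparison that flags a process, such as the hidden firefox.exe, present in a lower-level enumeration but missing from the user-mode list, and name and path checks that would catch a visible look-alike such as svch0st.exe, which a hidden-process detector alone does not flag. The process snapshots are constructed sample data, and the cross-view approach is assumed as one typical hidden-process detection method, not as a description of how DeepMonitor works.

```python
# Constructed sample data (not from the article): what a Task Manager-style,
# user-mode enumeration reports versus what a lower-level enumeration reports.
USER_VIEW = {  # pid -> (image name, image path)
    1234: ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    2048: ("svch0st.exe", r"C:\Users\demo\AppData\Local\Temp\svch0st.exe"),
    3100: ("explorer.exe", r"C:\Windows\explorer.exe"),
    4096: ("svchost.exe", r"C:\Users\demo\AppData\Local\Temp\svchost.exe"),
}
KERNEL_VIEW = dict(USER_VIEW)
# Present in the low-level view but missing from the user-mode one, like the
# hidden firefox.exe the article describes.
KERNEL_VIEW[3377] = ("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe")

# System image names and the directory they are expected to run from (assumed).
KNOWN_SYSTEM = {"svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}

def hidden_processes(user_view, kernel_view):
    """Cross-view check: PIDs the low-level view sees but the user-mode view does not."""
    return {pid: info for pid, info in kernel_view.items() if pid not in user_view}

def lookalike(name):
    """True when the name matches a system name only after undoing digit-for-letter
    swaps (0 for o, 1 for l), e.g. svch0st.exe -> svchost.exe."""
    normalized = name.lower().translate(str.maketrans("01", "ol"))
    return normalized in KNOWN_SYSTEM and normalized != name.lower()

def wrong_location(name, path):
    """True when a genuine system name runs from outside its expected directory."""
    expected = KNOWN_SYSTEM.get(name.lower())
    return expected is not None and not path.lower().startswith(expected + "\\")

def scan(user_view, kernel_view):
    """Return sorted (pid, name, reason) findings. The hidden-process check is the
    rootkit signal; the other two catch what that check alone cannot flag."""
    findings = []
    for pid, (name, _path) in hidden_processes(user_view, kernel_view).items():
        findings.append((pid, name, "hidden from user-mode enumeration"))
    for pid, (name, path) in user_view.items():
        if lookalike(name):
            findings.append((pid, name, "name imitates a system process"))
        elif wrong_location(name, path):
            findings.append((pid, name, "system process name from unexpected path"))
    return sorted(findings)

if __name__ == "__main__":
    for pid, name, reason in scan(USER_VIEW, KERNEL_VIEW):
        print(f"PID {pid:>5}  {name:<13} {reason}")
```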
Download:
DeepMonitor (link 1)
DeepMonitor (link 2)
Comments(8)
what?? no vista version... ick
vista is so good and so secure all third party protections are obsolete
not compatible with vista n xp mce sp3. sorry
quote: vista is so good and so secure all third party protections are obsolete, unquote
bulls.hit! vista can be infected as fast as xp can! what a stupid remark. out of the box vista is just as vulnerable as any other os until one adds anti virus and anti spyware protection, get real!
i think he was being sarcastic
vista s u c k s anyway.
so it will be worth downloading
most r.a.t. hidden rootkits makers are a couple of steps ahead of deepmonitor - i suspect it will only pickup script kiddies stuff and m$ spyware.
Where is it for vista?
By Ru4Sure on 05.06.2008 - 02:06