Old threats, new target: The upcoming windows rootkit wars
“Root kits are old hat in the UNIX and Linux world, but are rarely found on hacked Windows hosts. ‘They're a scary thing,’ says Marc Maiffret, chief hacking officer at California-based security software-maker eEye. ‘In Unix that's been going on for ages, but the backdoors for Windows NT have always been trivial. I've always wondered why this isn't happening.’” The above quote was taken from an article written by Kevin Poulsen for securityfocus.com. His article illustrates the upcoming threat for Windows users. The article also gives a detailed explanation of kernel-mode Windows rootkits.
Included in his article was a link that directed me to CNET Asian. There I was able to download Hacker Defender (a working Windows rootkit) onto a Windows XP Pro test machine. The install process was flawless: when I executed the kit's executable, no dialog box opened and nothing happened. In fact, I was sure it was broken. I later ran the client program and connected to the test machine on a normal service port (135). In doing so, I was immediately granted full access to the entire test machine. Unfortunately, Windows rootkits aren't intended to be uninstalled, so I was forced to boot my XP CD and complete a repair installation. After I scanned the install files with a fully updated version of Norton Anti-Virus, I found nothing. As for other anti-virus software detecting these new kits, I am unsure. I am sure, however, that this type of trojan can be made to work inside almost any type of firewall, because it's not port dependent. Because the kit runs at kernel level, it can intercept a client connection from any open port (1-65000) so long as the client delivers the proper key.
Protection drivers that prevent the installation of these kits are being developed; however, I've yet to hear of any working successfully and permanently. For further information regarding Windows rootkits, please visit Rootkit.com.
