Ramblings on information technology... Programming, Security, IT Architecture, and Integration by Aaron Bush.
"Any fool can know. The point is to understand."
Friday, August 10, 2007
AFX RootKit (2003 & 2005)
Continuing my studying for my GCIH, I will move on to the next rootkit: AFX RootKit (2003 & 2005). My review of this little gem will not be as detailed as the one for the adore-ng rootkit, as I do not have a separate Windows system to trash in a full test. What I will note are the details of the rootkit that are already posted in many places.
The rootkit hides the following:
Files & Folders
The installer copies itself to the system directory and extracts two DLL files from its resources, saving them as "iexplore.dll" and "explorer.dll". The first DLL is loaded into "explorer.exe", which then installs the hooks contained in "explorer.dll". The included ReadMe.txt has detailed instructions on how to install the rootkit.
Detection of the rootkit can be accomplished by checking for the presence of iexplore.dll and/or explorer.dll in the system directory.
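As an added example (not code from the original post or from the rootkit's author), here is a small Python check for the two indicator file names named above. The one practical wrinkle it accounts for follows from the post itself: since the rootkit hides files and folders on the infected host, a listing taken through the live system's own file APIs may not show the DLLs, so the scan is written to run against the System32 directory of an offline copy (a mounted image or a drive attached to a clean machine). The sample directory tree it builds for the demonstration is constructed and contains no real rootkit content.

```python
import hashlib
import os
import tempfile

# Indicator file names taken from the post; AFX drops them into the
# Windows system directory (e.g. C:\Windows\System32).
INDICATOR_NAMES = ("iexplore.dll", "explorer.dll")


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_system_dir(system_dir):
    """Return {indicator_name: sha256} for indicator files found in system_dir.

    system_dir should be the System32 directory of an OFFLINE copy of the
    suspect volume: the rootkit hooks file and folder enumeration on the
    running host, so os.listdir() on the live %SystemRoot%\\System32 may be
    lied to. Returns an empty dict when the directory does not exist.
    """
    findings = {}
    try:
        entries = os.listdir(system_dir)
    except FileNotFoundError:
        return findings
    # NTFS file names are case-insensitive, so compare in lower case.
    by_lower = {e.lower(): e for e in entries}
    for name in INDICATOR_NAMES:
        if name in by_lower:
            path = os.path.join(system_dir, by_lower[name])
            findings[name] = sha256_of(path)
    return findings


def build_sample(root):
    """Construct a fake offline System32 tree for the demo (constructed data,
    not real rootkit files). Returns the System32 path."""
    sysdir = os.path.join(root, "Windows", "System32")
    os.makedirs(sysdir, exist_ok=True)
    # One benign name plus the two indicators, one in mixed case.
    for name in ("kernel32.dll", "Explorer.DLL", "iexplore.dll"):
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(b"constructed sample content for " + name.encode())
    return sysdir


def demo():
    """Build the constructed tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return scan_system_dir(build_sample(root))


if __name__ == "__main__":
    for name, digest in sorted(demo().items()):
        print(f"indicator present: {name} sha256={digest}")
```

Against a real image, point `scan_system_dir()` at the mounted volume's `Windows\System32` (for example `E:\Windows\System32` on an analysis machine). The hashes are recorded so the recovered DLLs can be compared across hosts or submitted for further analysis.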