Friday, August 10, 2007

AFX RootKit (2003 & 2005)

Continuing my studying for my GCIH, I will move on to the next rootkit: AFX RootKit (2003 & 2005). My review of this little gem will not be as detailed as the adore-ng rootkit, as I do not have a separate Windows system to trash as a full test. What I will note are the details of the rootkit that are already posted in many places.

The rootkit hides the following:
  1. Processes
  2. Handles
  3. Modules
  4. Files & Folders
  5. Registry Values
  6. Services
  7. TCP/UDP Sockets
  8. Systray Icons
The installer copies itself to the system directory and extracts two DLL files from its resources. It saves the files as "iexplore.exe" and "explorer.exe". The first DLL is loaded into "explorer.exe", which then installs the hooks contained in "explorer.dll". The included ReadMe.txt has detailed instructions on how to install the rootkit.

Detection of the rootkit can be accomplished by the presence of iexplore.dll and/or explorer.dll.
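As an added example (not part of the original post or of the rootkit's own ReadMe), the following PowerShell script turns the two indicators above into a repeatable check: it looks for iexplore.dll and explorer.dll in the system directory, records size, hash and signature status for triage, and then asks whether any running explorer.exe has those modules loaded, which matches the install sequence described earlier. The `-SystemDir` parameter and the object field names are my own choices. Because the rootkit hooks file, module and process enumeration, the file check is only trustworthy when run from a clean boot (for example WinPE) or against a mounted image whose system directory is passed in; the module check is for live systems only and can itself be blinded by an active rootkit.

```powershell
# Added example, not from the original post: check for the AFX RootKit
# artefacts the post names (iexplore.dll and explorer.dll) and report any
# explorer.exe process that has loaded them.
param(
    # Directory to inspect; defaults to the live system directory.
    # Pass a mounted image's System32 path to check an offline disk.
    [string]$SystemDir = [Environment]::SystemDirectory
)

$indicators = @('iexplore.dll', 'explorer.dll')
$hits = @()

# Check 1: are the indicator files present in the system directory?
foreach ($name in $indicators) {
    $path = Join-Path $SystemDir $name
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        $hits += [pscustomobject]@{
            Indicator = $name
            Path      = $path
            Size      = $file.Length
            Modified  = $file.LastWriteTimeUtc
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
    }
}

if ($hits) {
    Write-Warning "AFX RootKit indicator file(s) found in $SystemDir"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No AFX RootKit indicator files found in $SystemDir"
}

# Check 2 (live systems only): has any explorer.exe loaded a module by
# either name? A running rootkit may hide this, so absence proves nothing.
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $proc.Modules |
        Where-Object { $indicators -contains $_.ModuleName.ToLower() } |
        ForEach-Object {
            Write-Warning ("explorer.exe PID {0} has loaded {1} from {2}" -f `
                $proc.Id, $_.ModuleName, $_.FileName)
        }
}
```

Run it as an administrator so that `Get-Process` can read the module list of every explorer.exe instance; when checking a mounted image, only the first check applies, and the recorded hash is what you would compare against other hosts or submit for further analysis.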

-ab
