3 OBSERVING ROOTKIT INFECTIONS


How do we check whether a potentially infected system harbors a rootkit? After all, the whole purpose of a rootkit is to prevent administrators from examining the true state of a system, so finding evidence of the infection can be a battle of wits—or, rather, a contest to understand the system’s internal structures. Analysts must initially distrust any information they obtain from an infected system and strive to find deeper sources of evidence that are trustworthy even in a compromised state.

We know from the TDL3 and Festi rootkit examples that approaches for detecting rootkits that depend on checking the kernel ...
