
Detection Example: DSE vs AFX Rootkit
Description: AFX is a rootkit written by an author known as 'Aphex'. Being purely a user-mode rootkit, it uses no kernel-mode driver, so to achieve stealth it has to modify every other running process, which it does by patching the code at the start of important API functions.
This allows it to hide processes, handles, modules, files & folders, registry keys & values, services, TCP & UDP sockets, and system tray icons.
Detection: The easiest way to spot AFX is simply to look in the Process List tool, where its process is plainly visible, along with the fact that it is hidden:

Now let's look at the code modifications that AFX makes:

We can see that it hooks 16 functions in 4 different modules. It does this in every process.
The reason the hooks are reported as "jumps to <unknown>" is that AFX allocates new memory inside the process and places its code there, as opposed to loading a DLL, so the jump target does not belong to any loaded module.
AFX creates a hidden thread in every process, and also hides two of its own threads:
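The following is an added example, not Diamond CS code, showing how the "jumps to <unknown>" classification above can be derived: decode the first instruction at each function entry point, resolve its target, and report which loaded module (if any) owns it. Module bases, entry addresses and prologue bytes are constructed for the example.

```python
# Added example (not Diamond CS's code). Classifies x86-32 entry-point hooks
# and attributes the jump target to a loaded module, or to "<unknown>" when the
# target lies in memory no module backs (the AFX case: code in allocated memory).
import struct
from dataclasses import dataclass

@dataclass
class Module:
    name: str
    base: int
    size: int
    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def owner_of(addr: int, modules) -> str:
    """Name of the module containing addr, or '<unknown>' if none does."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return "<unknown>"

def classify_entry(entry: int, code: bytes, modules) -> dict:
    """Decode the first instruction at a function entry; report any control transfer."""
    if len(code) >= 5 and code[0] == 0xE9:                        # JMP rel32
        kind, target = "jmp rel32", (entry + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    elif len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32; RET
        kind, target = "push/ret", struct.unpack_from("<I", code, 1)[0]
    elif len(code) >= 5 and code[0] == 0xE8:                      # CALL rel32
        kind, target = "call rel32", (entry + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    else:
        return {"kind": "clean", "target": None, "owner": None}
    return {"kind": kind, "target": target, "owner": owner_of(target, modules)}

def scan_exports(exports, modules):
    """exports: (module, function, entry address, bytes at entry). One finding per hook."""
    findings = []
    for mod, func, entry, code in exports:
        c = classify_entry(entry, code, modules)
        if c["kind"] != "clean":
            findings.append((mod, func, c["kind"], c["owner"]))
    return findings

# Constructed sample process: two system modules and three exported entry points.
MODULES = [Module("ntdll.dll", 0x7C900000, 0x000B0000),
           Module("kernel32.dll", 0x7C800000, 0x000F0000)]
HOOK_TARGET = 0x00A10000  # constructed: private allocation, inside no module
def _jmp_to(entry, target): return b"\xE9" + struct.pack("<i", target - (entry + 5))
SAMPLE = [
    ("ntdll.dll", "NtQuerySystemInformation", 0x7C90D7FE, _jmp_to(0x7C90D7FE, HOOK_TARGET)),
    ("kernel32.dll", "FindFirstFileW", 0x7C813B7C, b"\x68" + struct.pack("<I", 0x7C950000) + b"\xC3"),
    ("kernel32.dll", "CreateFileW", 0x7C810800, b"\x8B\xFF\x55\x8B\xEC"),  # untouched hot-patch prologue
]

if __name__ == "__main__":
    for mod, func, kind, owner in scan_exports(SAMPLE, MODULES):
        print(f"{mod}!{func}: {kind} -> {owner}")
```

A real scanner reads the first bytes of each export from the live process and builds the module list from its loaded-module table; the classification logic is the same.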

And last but not least we can see it running as a hidden service:

Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.