Attack Method: Rootkit Infection
Description: Rootkits are a special class of trojan. Particularly insidious by nature, rootkits modify parts of the operating system itself (such as Windows kernel API functions) to alter how the operating system behaves. For example, a rootkit may patch the functions that enumerate processes so that its own process is never listed. Kernel-mode Windows rootkits such as "fu", "Hacker Defender", "He4Hook", "NT Rootkit" and others all obtain their low-level capabilities through kernel-mode device drivers (.sys files), which must be installed by a 'dropper' trojan before the rootkit can go stealth.
SOLUTION: DiamondCS Process Guard easily prevents kernel rootkits from being able to install their drivers. This essentially neutralises them by preventing them from being able to 'go kernel-mode'.
Case Example:
The 'fu' rootkit, like most Windows rootkits, comes with two components: the dropper (fu.exe) and the driver (msdirectx.sys). Running fu.exe on its own prompts us with usage information. So, with Process Guard's protection active, we run "fu -ph <process ID>" to try to use fu to hide a process. As the screenshot shows, it fails with the error "Unable to Load Driver" because Process Guard has blocked the driver from loading.
If we then look in the Process Guard window, we can see that the block was logged.
The rootkit infection has been prevented. Had the infection succeeded, Windows Explorer would no longer show the trojan file as existing: the rootkit alters file enumeration results so that you, and MANY scanners (all usermode scanners), cannot see the rootkit file at all!
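The page's point is that a kernel rootkit cannot go stealth until its dropper gets a .sys driver installed, so the driver-load step is where a defender can look. The following is an added example, not DiamondCS code or Process Guard's own logic: it runs a simple detector over constructed driver-load and service-install records (a key=value format and field names assumed for this example; the component names fu.exe and msdirectx.sys come from the page, the paths and timestamps are made up) and flags kernel drivers that are unsigned or that load from outside the system driver directories.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records for this example (not real log output): one
# key=value record per line, loosely modelled on a driver-load audit trail.
SAMPLE_LOG = r'''
ts=2008-03-01T10:00:01 event=driver_load image="C:\Windows\System32\drivers\ntfs.sys" signed=true publisher="Microsoft Windows"
ts=2008-03-01T10:02:14 event=driver_load image="C:\Documents and Settings\user\Local Settings\Temp\msdirectx.sys" signed=false publisher=""
ts=2008-03-01T10:02:15 event=service_install name=msdirectx type=kernel_driver image="C:\Documents and Settings\user\Local Settings\Temp\msdirectx.sys"
ts=2008-03-01T10:05:00 event=driver_load image="C:\Windows\System32\drivers\tcpip.sys" signed=true publisher="Microsoft Windows"
'''

# key=value where the value is either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Directories a legitimate driver image is expected to live under (assumed).
TRUSTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse each non-empty line into a dict of its key=value fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            # findall yields (key, quoted_value, unquoted_value); one of the two values is ''.
            records.append({k: (u or q) for k, q, u in FIELD_RE.findall(line)})
    return records


def suspicious_reasons(rec: Dict[str, str]) -> List[str]:
    """Reasons a record looks like a dropper installing a rootkit driver (empty if none)."""
    is_driver = rec.get("event") == "driver_load" or (
        rec.get("event") == "service_install" and rec.get("type") == "kernel_driver")
    if not is_driver:
        return []
    reasons = []
    if not rec.get("image", "").lower().startswith(TRUSTED_DIRS):
        reasons.append("driver image outside the system driver directories")
    if rec.get("event") == "driver_load" and rec.get("signed", "").lower() != "true":
        reasons.append("unsigned kernel driver")
    return reasons


def find_suspicious(text: str) -> List[Tuple[str, str, List[str]]]:
    """(timestamp, image path, reasons) for every record that trips a rule."""
    hits = []
    for rec in parse_records(text):
        reasons = suspicious_reasons(rec)
        if reasons:
            hits.append((rec.get("ts", "?"), rec.get("image", "?"), reasons))
    return hits


if __name__ == "__main__":
    for ts, image, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts}  {image}\n    " + "; ".join(reasons))
```

Both msdirectx.sys records are flagged while the two Microsoft drivers pass, which is the same decision point Process Guard enforces: stop the driver and the rootkit never reaches kernel mode.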
Related websites:
Bookshop Special: Rootkits: Subverting the Windows Kernel
ITNews: "Stealthy" worms, trojans seen tripling in number
EWeek.com: UConn Finds Rootkit in Hacked Server
EWeek.com: Spyware Danger Meets Rootkit Stealth
EWeek.com: Rootkits Spawn New Malware
PC World: Microsoft warns of new security threat
Microsoft: The Strider GhostBuster Project
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.