http://www.securityfocus.com/infocus/1850?ref=rss
In 2005, the bar has been raised in the arena of malicious software. This has never before been more evident than in the recent deployments of Windows rootkit technology within some of the latest viruses, worms, spyware, adware, and more. It has become increasingly important to understand what this threat is and what can be done to detect malicious use.
The first of this three-part series will discuss what a rootkit is and what makes them so dangerous. We’ll start by looking at various modes of execution and the ways they talk to the kernel: hooking tables, using layered filter drivers, and dealing directly with Windows kernel objects. The second article will address the latest Windows rootkit approach that uses virtual memory hooking to provide a high degree of stealth. Then the third and final article will discuss various methods of rootkit detection and countermeasures for security professionals.