Re: Integration and Tatoos

First, in both of your posts, I am not sure what you mean by "If it integrates itself, you can check the integration points and spot it." -- "it" being the malware.

IMHO, we could agree that a rootkit which installs a kernel-mode driver to conceal its processes and files has "integrated" itself into the computer system. The concept and its implications were discussed by Mark Russinovich in his comments about Rootkit Revealer on the old Sysinternals web site, which is now Microsoft Sysinternals on their TechNet site.

Rootkit Revealer attempts to discover whether a kernel-mode rootkit driver is active by comparing a "high level" datastream to a "low level" datastream, which could reveal differences if the driver only hooks one stream (usually the high one).

Are there other "integration points" that you have in mind?

Note: the Windows Vista/7 PatchGuard feature will not allow a kernel-mode driver to be installed on a 64-bit Intel system.

Second: "USB storage devices that are seen as removable (as opposed to fixed, or spoofing as optical type via U3) will have no Recycle Bin, so if you see one, it's prolly a baddie."

In my experience so far, whether a removable USB HDD has a "Recycle Bin" depends upon the Properties chosen for the user's desktop Recycle Bin. When I first attached the 320 GB USB Maxtor One Touch 4 HDD to the computer, my desktop Recycle Bin "contained" (by default) any files which I deleted from it, as well as files which I deleted from the primary internal HDD. The USB Maxtor had a RECYCLER root directory, though, where the file data was actually stored.

However, I've since used the desktop Recycle Bin's Properties to specify that no files which are deleted from the USB Maxtor HDD are to be stored in its Recycle Bin. So, now the USB Maxtor HDD does not contain a RECYCLER root directory. Any file that I delete from that HDD is "gone forever" unless I use a file-recovery utility before it is overwritten by another file.

How do you search the system for a hidden Desktop? Or determine the CLSID of a "fake" Recycle Bin? And I've never found a way to "scrub" the 10 MB that Windows leaves at the end of the last partition of every HDD. Which is not to say that there are no tools for doing any of these things (today), just that I haven't found them.

By the way, it always appeared to me that the rootkit was most likely to be "active" while there was a connection to the Internet. Dunno whether it ever actually found anything on the HDD that was worth sending to another computer.

And the fact that malware tends to leave traces which scanners do not remove is one sound reason to nuke and re-image the HDD after backing up the current data. Even so, I would beware of the possibility of an infected "data file", since a .PDF can contain JavaScript which Adobe Reader (among others) will execute unless that feature is disabled.
Posted by Ocie3
Updated - 12th Jun 2010
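The post's closing point, that a .PDF "data file" can carry JavaScript that the reader executes, is something a defender can check for before restoring backed-up documents onto a re-imaged machine. The following is an added example, not code from the post or from any Sysinternals tool: it scans PDF bytes for the name objects that introduce active content (/JavaScript, /JS, /OpenAction, /AA, /Launch), after normalising the PDF `#xx` name escapes that are sometimes used to hide those names from naive string matching. The two sample PDFs and all function names are constructed for this example.

```python
import re

# Constructed sample: a minimal PDF whose /OpenAction runs JavaScript.
# The /JavaScript name is written as /#4AavaScript (#4A == 'J') to show
# why names must be normalised before matching.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /#4AavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no active-content names.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects whose presence signals script or launch behaviour.
INDICATORS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# A name runs from '/' up to whitespace or a PDF delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")

def normalise_name(raw: bytes) -> str:
    # PDF names may encode any byte as #xx; decode so /#4AavaScript == /JavaScript.
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")

def scan_pdf_bytes(data: bytes) -> dict:
    # Count each indicator name; names are compared whole, so /JS != /JSfoo.
    counts = {name: 0 for name in INDICATORS}
    for match in NAME_RE.finditer(data):
        name = normalise_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def has_active_content(data: bytes) -> bool:
    # Treat script or launch actions as active content; /OpenAction and /AA
    # alone are only triggers and are reported but not flagged on their own.
    counts = scan_pdf_bytes(data)
    return any(counts[n] > 0 for n in ("/JavaScript", "/JS", "/Launch"))
```

This plain-text scan only sees names stored uncompressed; objects inside FlateDecode'd object streams are invisible to it, so a clean result means "no indicator found", not "no JavaScript present".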