Library of Congress Control Number: 2006926390
ISBN: 978-0-471-91710-6
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1B/RS/QR/QX/IN

About the Authors

Nancy Altholz (MSCS, MVP): Nancy is a Microsoft Most Valuable Professional in Windows Security. She holds a master's degree in Computer Science and an undergraduate degree in Biology and Medical Technology. She is a Security Expert, Rootkit Expert and Forum Lead, and Wiki Malware Removal Sysop at the CastleCops Security Forum, and has also volunteered at other online security forums. As Wiki Malware Removal Sysop, she oversees and authors many of the procedures that assist site visitors and staff in system disinfection and malware prevention. As a Security Expert and Rootkit Expert, she helps computer users with a variety of Windows computer security issues, including malware removal. Nancy coauthored the Winternals Defragmentation, Recovery, and Administration Field Guide for Syngress Publishing, which was released in June 2006. She has recently been asked to write the foreword for a book by Mingyan Sun and Jianlei Shao (developers of the DarkSpy Anti-rootkit program) on advanced rootkit detection techniques. She was formerly employed by Medelec, Vickers' Medical and Scientific Division, as a Software Engineer in New Product Development. Nancy's interest in malware and rootkits evolved as a natural extension of her interest in medicine and computers, due to the many parallels between computer infection and human infection. Besides the obvious similarities in naming conventions, both require a lot of detective work to arrive at the correct diagnosis and enact a cure. Nancy enjoys investigating the malware life cycle and all the factors and techniques that contribute to it; in short, she likes solving the puzzle and, of course, helping people along the way. Nancy lives with her family in Briarcliff Manor, NY.
Larry Stevenson: Larry has worked as a security consultant for over fifteen years. He has a broad education, including continuing studies in computer security, history, and fine arts. Larry works as an expert, volunteer moderator, and staff writer at CastleCops, providing assistance and written articles to all users. In 2005, he wrote weekly articles on computer security topics for the Windows Security Checklist series. He helped develop and co-wrote the CastleCops Malware Removal and Prevention procedure. For these published efforts he was given the MVP Award: Microsoft Most Valuable Professional in Windows Security, 2006. Currently a co-founder with Nancy Altholz of the CastleCops Rootkit Revelations forums, he continues to develop ways for users to obtain assistance and information from rootkit experts. A Canadian citizen, he is currently employed at a multi-function, government-owned facility which includes private residences for people with special needs, a senior citizens' care home, a daycare center, offices, a cafeteria, and a public-access theater.

We would especially like to thank Paul and Robin Laudanski for their extraordinary contributions to computer security in general and the generous ongoing support they extended during the writing of Rootkits For Dummies. We give thanks to all the people on the Wiley team for their expertise and patience, including Melody Layne, Rebecca Huehls, Laura Moss, Barry Childs-Helton, James Russell, and Technical Editor Lawrence Abrams (BleepingComputer) for the outstanding job he did.
We offer heartfelt gratitude to the Advisors and Rootkit Research Team at CastleCops, every one an expert in their field: Media Advisor Mahesh Satyanarayana (swatkat), Firefox Advisor Abdul-Rahman Elshafei (AbuIbrahim), Firewall Advisor Allen C Weil (PCBruiser), IE7 Advisor Bill Bright, and our Rootkit Research Team, including Don Hoover (Hoov), James Burke (Dragan Glas), Anil Kulkarni (wng_z3r0), David Gruno (wawadave), and Michael Sall (mrrockford). We would like to acknowledge Wayne Langlois, Executive Director and Senior Researcher at Diamond CS in Australia, for devoting his time, knowledge, and expertise to the "Tracking a RAT" section in Chapter 9. We'd like to thank Przemyslaw Gmerek, developer of the GMER Anti-rootkit program, for freely sharing his rootkit expertise and allowing us to distribute the GMER Anti-rootkit program on the Rootkits For Dummies CD. We'd like to thank Mingyan Sun, codeveloper (along with Jianlei Shao) of the DarkSpy Anti-rootkit program, for freely sharing his in-depth technical knowledge of rootkit methodology and for giving us permission to distribute the DarkSpy program on the Rootkits For Dummies CD. We would like to recognize and extend a special thanks to Mahesh Satyanarayana for sharing his exceptional technical expertise, and so much more, during the development of Rootkits For Dummies.

Nancy would also like to thank her family and friends for their patience and understanding during the course of writing Rootkits For Dummies.

We give special thanks to Forensics Advisor Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE), who provided valuable insights to our network and forensics sections, and who also helped get this book up and running by providing much-needed hardware. Dave has worked in the Information Technology Security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com and lead litigation support technician for Secure Discovery Solutions, LLC. As a recognized security expert and former Florida Certified Law Enforcement Officer, he specializes in litigation support, computer forensic investigations, incident response, and intrusion analysis.
