Top RootKit Prevention, Detection and Removal Software 2008!

What is a RootKit?

At the core of the term “rootkit” are two words: “root” and “kit”. Root refers to the all-powerful superuser account on Unix and Linux systems (the counterpart of Administrator on Windows), and kit refers to a set of programs or utilities that allow someone to maintain root-level access to a computer. One other aspect of a rootkit, beyond maintaining root-level access, is that its presence should be undetectable. A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system without the computer’s user knowing about it. This means that the owner of the rootkit is capable of executing files and changing system configuration on the target machine, as well as reading log files or monitoring activity to covertly spy on the user.

Many experts have theorized that rootkits will soon be thought of as equally troublesome as viruses and spyware, if they aren’t already. Rootkits have become more common and their sources more surprising. In late October 2005, security expert Mark Russinovich of Sysinternals discovered that he had a rootkit on his own computer that had been installed as part of the digital rights management (DRM) component on a Sony audio CD. Experts worry that the practice may be more widespread than the public suspects and that attackers could exploit existing programs like the Sony rootkit. “This creates opportunities for virus writers,” said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. “These rootkits can be exploited by any malware, and when it’s used this way, it’s harder for firms like ours to distinguish the malicious from the legitimate.”

Is A Rootkit Malware?

That may be debatable. There are legitimate uses for rootkits by law enforcement, or even by parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their children’s or employees’ computer systems. Products such as eBlaster or Spector Pro are essentially rootkits which allow for such monitoring. However, most of the media attention given to rootkits is aimed at malicious or illegal rootkits used by attackers or spies to infiltrate and monitor systems. But while a rootkit might be installed on a system through a virus or Trojan of some sort, the rootkit itself is not really malware: it is the concealment layer, and the program it hides (a backdoor, keylogger or bot) is what does the damage. Almost all spyware scanners do not detect rootkits!

Is there a rootkit problem?

First, you need to determine if there is a problem. To determine whether there is truly a rootkit operating behind the scenes, use a system process analyzer such as Sysinternals’ Process Explorer or, better yet, a network analyzer. By using these tools, you’ll likely be surprised to find what programs are doing and what’s going in and out of your network adapter. Bear in mind that Process Explorer asks the same Windows APIs that a rootkit hooks, so a process the rootkit hides will not appear there; a packet capture taken from another machine (on a hub, mirror port or gateway) shows the rootkit’s traffic whether or not the infected host admits to it. You may also discover that you simply have an over-taxed system running with too little memory or a severely fragmented hard drive. With that in mind, I recommend checking your system configuration and defragmenting your drive(s). Remember, though, that it’s better to be safe than sorry, so run a rootkit scan as well.

Rootkit detection

Rootkit technologies are rapidly cropping up in a variety of places, including commercial security products and seemingly benign third-party application extensions. Finding and removing rootkit installations is not an exact science. Rootkits can be installed on a computer in many ways, and no single tool (and no combination of tools) can correctly identify all rootkits and rootkit-like behavior.

  1. Search your system memory. Monitor all ingress points for a process as it is invoked, keeping track of imported library calls (from DLLs) that may be hooked or redirected to other functions, device drivers being loaded, and so on. The drawback to this approach is that it is tedious, time-consuming and cannot account for every avenue by which a rootkit can be introduced into the system.
  2. Seek the truth: expose API dishonesty. One good rootkit detection application for Windows is RootkitRevealer by Windows security analysts Bryce Cogswell and Mark Russinovich. This tiny (190 KB) binary examines file system locations and registry hives twice, once through the Windows API and once by reading the raw registry hives, the Master File Table and the directory indexes directly, and reports anything that appears in one view but not the other, since that is exactly the discrepancy a rootkit hiding files or keys from the API produces. In addition, Jamie Butler, co-author of the highly recommended book Rootkits: Subverting the Windows Kernel, has created a tool called VICE, which systematically hunts down hooks in APIs, call tables and function pointers. RootkitRevealer may take a while to complete because it performs an exhaustive search: first it dumps the registry hives, then it examines the C: directory tree, and finally it analyzes the entire C: volume. Expect a few benign discrepancies even on a clean system (for example, files created or deleted between the two passes); a discrepancy that persists across two scans is the one to investigate.
  3. Keep abreast of the latest antivirus and malware protection software from leading antivirus and security vendors. Sysinternals and F-Secure offer standalone rootkit detection tools (RootkitRevealer and BlackLight, respectively). Even Microsoft has implemented rootkit detection features in its own Malicious Software Removal Tool.
  4. Update your firewall protection. Remember, for concealment to be worthwhile to an attacker, it is vital that they can get back into a machine once it has been compromised. Although firewalls do nothing to mitigate application-level risks, they pose a significant challenge to attackers when they prohibit re-entry into a victim machine. Note that a backdoor which connects outbound to the attacker (a “reverse” connection) passes straight through a firewall that only blocks inbound connections, so restrict outbound traffic as well and look for connections you cannot explain.
  5. If possible, harden your workstation or server against attack. This proactive step prevents an attacker from installing a rootkit in the first place. The National Security Agency publishes guidelines for hardening Windows environments, which are a great jumping-off point for educating yourself on preventive actions against system intrusion.
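As an added example of the cross-view technique behind RootkitRevealer (step 2 above), here is a small comparison engine in Python. It is not RootkitRevealer’s code, and it runs offline: the two “views”, the paths and the data in it are constructed sample input that stand in for what the Windows API returns and what a raw parse of the registry hives or MFT shows (the rk.sys driver and its service key are invented for the sample). The same idea, with process IDs in place of paths, is how hidden processes are found by comparing the task list against a scan of kernel memory.

```python
"""Cross-view discrepancy detection (added example, not RootkitRevealer's code).

Two listings of the same namespace are compared: the "API view" is what the
Windows API returned, the "raw view" is what a direct parse of the registry
hives or the NTFS Master File Table showed. A rootkit that hooks the API can
remove entries from the first view but not the second, so every difference is
a lead. The listings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    path: str
    description: str


def diff_views(api_view, raw_view):
    """Return sorted Findings for every discrepancy between the two views.

    Each view maps a path (file or registry key/value) to its data, or to
    None when data is not tracked for that entry.
    """
    findings = []
    for path, raw_data in raw_view.items():
        name = path.rsplit("\\", 1)[-1]
        if "\x00" in name:
            # Win32 registry APIs treat names as NUL-terminated strings, so a
            # key or value whose name embeds a NUL is unreachable through them
            # even without any hooking. Native (Nt*) APIs and raw hive parsing
            # see it fine.
            findings.append(Finding(path, "Key name contains embedded nulls"))
        elif path not in api_view:
            findings.append(Finding(path, "Hidden from Windows API"))
        elif None not in (raw_data, api_view[path]) and raw_data != api_view[path]:
            findings.append(Finding(path, "Data mismatch between Windows API and raw hive data"))
    for path in api_view:
        if path not in raw_view:
            # Typically a file created or deleted between the two passes, or
            # a virtualised/redirected view; still worth listing.
            findings.append(Finding(path, "Visible in Windows API but not in directory index or MFT"))
    return sorted(findings)


def persistent_findings(first_scan, second_scan):
    """Drop race-condition noise: keep only discrepancies present in both scans."""
    return sorted(set(first_scan) & set(second_scan))


# --- constructed sample views ------------------------------------------------
_TMP = r"C:\Users\alice\AppData\Local\Temp\tmp1234.tmp"        # transient file
_IMAGEPATH = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ImagePath"

API_VIEW_PASS1 = {
    r"C:\Windows\System32\drivers\ntfs.sys": b"MZ",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip": "Start=1",
    _IMAGEPATH: r"system32\drivers\tcpip.sys",
    _TMP: None,
}
API_VIEW_PASS2 = {k: v for k, v in API_VIEW_PASS1.items() if k != _TMP}  # tmp file gone

RAW_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys": b"MZ",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip": "Start=1",
    _IMAGEPATH: r"system32\drivers\rk.sys",                      # API lies about the value
    r"C:\Windows\System32\drivers\rk.sys": b"MZ",                 # driver hidden from API
    r"HKLM\SYSTEM\CurrentControlSet\Services\rk": "Start=1",     # its service key, hidden
    "HKLM\\SOFTWARE\\Foo\x00bar": "x",                            # embedded-NUL key name
}


def scan_sample():
    """Two passes over the sample views, as a user re-running the scanner would."""
    return persistent_findings(diff_views(API_VIEW_PASS1, RAW_VIEW),
                               diff_views(API_VIEW_PASS2, RAW_VIEW))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.description:60} {f.path!r}")
```

The first pass reports five discrepancies, one of which is the temporary file that simply vanished between the API listing and the raw read; the second pass no longer sees it, so `persistent_findings` leaves the four that actually describe the hidden driver, its service key, the lied-about ImagePath value and the NUL-named key.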

Rootkit removal

Rootkits are relatively easy to install on victim hosts. To get a rootkit onto a machine, a determined attacker can do anything from exploiting a Windows vulnerability to cracking a password or even obtaining physical access to the system. They can also use a phishing-style attack, conning a user into running an executable file sent as an email attachment or reached via a hyperlink distributed by email or instant messaging. Once they’re in place, as you’re likely to find out, rootkits aren’t so easy to find or get rid of.

The rootkit threat is not as widespread as viruses and spyware. Given this fact, and the lack of a truly effective rootkit prevention solution, removing rootkits is largely a reactive process.


Top RootKit Detectors and Removers 2008:

Gmer GMER scans for hidden processes, services, drivers, files and registry keys, and additionally checks for hooks in the SSDT, IDT and driver IRP handlers and for inline code modifications in kernel modules. It is an excellent piece of software and has a very nice user interface, which makes it easy for non-technical people to use.

IceSword IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn’t a “click-here-to-delete-rootkits” product but a sophisticated discovery tool that can protect against sinister rootkits if used before they infect a machine. Hacker Defender is a strong rootkit, and the Gold and Silver Hacker Defender packages are more potent. Many anti-rootkit programs, such as RootkitRevealer and BlackLight, can’t detect Hacker Defender. (Such statements can be found on the web site of the author of Hacker Defender.) I haven’t got the Gold and Silver packages. But on the author’s home page, it is stated that Hacker Defender cannot evade IceSword. And IceSword is continually improving.
Regarding the public version of HxDef, IceSword can detect all the hidden stuff, such as files, registry keys, processes, services and so on. My techniques can detect such a rootkit and quarantine and clean it. In addition, a tool called Ishelp in IceSword version 1.22 is also very helpful in detecting rootkits.

Panda Anti-RootKit Panda Anti-Rootkit shows hidden system resources, identifying known and unknown rootkits. It analyzes hidden drivers, processes, modules, files and registry entries, SDT modifications, EAT hooks, modifications to the IDT, non-standard INT 2E and SYSENTER targets, and IRP hooks. Unlike other anti-rootkit utilities which merely “reveal” hidden objects, Panda Anti-Rootkit positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.

Sophos anti rootkit Sophos Anti-Rootkit is a tool for removing rootkits and cleaning up any malicious files. Rootkits are programs designed to conceal the presence of an application on a computer by hiding processes, files, configuration information, network traffic or other observable information from a user. Sophos Anti-Rootkit runs on Windows NT/2000/XP/2003 computers. For system requirements details, see the Sophos Anti-Rootkit user manual. Both Windows graphical user interface (GUI) and command-line versions are available.

Sophos AntiRootkit can find the following Rootkits:

AFX Rootkit
Dice Rootkit
Generic compressed rootkit driver
Hacker Defender
Haxdoor backdoor Trojan
PCClient Backdoor
Port stealthing Rootkit
Process stealthing Rootkit
Rustock Rootkit
Settec Alpha-DISC copy protection
Vanquish Rootkit
XCP2 Copy Protection

Avg anti rootkit AVG Anti-Rootkit is a powerful tool with state-of-the-art technology for detection and removal of rootkits. Rootkits are used to hide the presence of a malicious object like a trojan or keylogger on your computer. If a threat uses rootkit technology to hide itself, it is very hard to find the malware on your PC. AVG Anti-Rootkit gives you the power to find and delete the rootkit and to uncover the threat the rootkit is hiding. AVG Anti-Rootkit is available in English only.

Features:
- Powerful cleaning due to advanced cleaning driver
- Easy to use interface
- Fast and efficient detection (even for NTFS-ADS objects)
- Special interface for visually impaired people

DarkSpy DarkSpy is a new rootkit detection tool from China. It is coded by two people, CardMagic and wowocock, and supports some new features that make detection more effective.

DarkSpy 1.0.5 new features:

Enhanced process/driver module detection.
Fixed some problems working with other security software (Kaspersky, etc.).
Enhanced forced process termination.
Support for multi-CPU and Hyper-Threading systems.
Registry functionality added.
Help document added.

DarkSpy consists of five parts:
1. Process:
Detects hidden processes (even those hidden with FUTo, which unlinks the process from the kernel’s handle table)
Force-kills processes (even IceSword)

2. Kernel Module:
Detects hidden kernel modules (even those hidden with FUTo)

3. File:
Detects hidden files
Force-copies files
Force-deletes files

4. Registry: not provided in the test version.

5. Port: detects hidden ports

RootKitUnhooker Microsoft has just gained one of the best anti-rootkit teams on the planet: EP_X0FF and the development team of Rootkit Unhooker have joined Microsoft. They are currently making plans to ship off to Wittenberg in Germany (where Martin Luther is buried), where the Rootkit Unhooker team will finish work on their, up to now, secret project called Secured Eye (SEye): “…in two words, this project is a mix of software/hardware related to distributed calculations and virtualization technologies based on Vanderpool / Pacifica extensions. Not a Blue Pill. To be more correct, some parts of SEye can be used as a pill for any kind of Blue Pill variations.”

Public version features:
SSDT Hooks Detection and Restoring
Shadow SSDT Hooks Detection and Restoring
Hidden Processes Detection/Terminating/Dumping
Hidden Drivers Detection and Dumping
Hidden Files Detection/Copying/Deleting
Code hooks Detection and Restoring
Report generation
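VICE, GMER, Panda Anti-Rootkit and Rootkit Unhooker all perform the same two checks under different names: does each entry in a call table (SSDT, shadow SSDT, IDT, the SYSENTER target, an export table) still point into the module that should own it, and does a function’s first instruction stay inside its own module? The Python below is an added example of that logic, not code from any of those tools. It runs over constructed addresses, module ranges and prologue bytes standing in for what the tools read out of kernel memory on a 32-bit Windows system; the module names, addresses and the rk.sys driver are invented for the sample.

```python
"""Call-table and inline-hook checks (added example; not code from VICE, GMER,
Panda or Rootkit Unhooker). All addresses, module ranges and prologue bytes
are constructed 32-bit sample data; a real tool reads them from kernel memory.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def owner(addr, modules):
    """Module whose image range contains addr, or None (unbacked memory)."""
    return next((m for m in modules if m.contains(addr)), None)


def check_pointer_table(table, expected_owner, modules):
    """Flag entries of a dispatch table (SSDT, IDT, SYSENTER target, EAT...)
    that point outside the module expected to own them.
    Returns [(entry, target, module_name_or_'unknown'), ...]."""
    hooked = []
    for entry, target in table.items():
        mod = owner(target, modules)
        if mod is None or mod.name != expected_owner:
            hooked.append((entry, target, mod.name if mod else "unknown"))
    return hooked


def inline_hook_target(func_addr, prologue):
    """If the function's first instruction is a control transfer, return its
    destination; None otherwise. Handles the three trampolines hook engines
    commonly write on x86: jmp rel32, push imm32/ret, mov eax,imm32/jmp eax."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                               # jmp rel32
        rel = struct.unpack("<i", prologue[1:5])[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:       # push imm32 ; ret
        return struct.unpack("<I", prologue[1:5])[0]
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":  # mov eax,imm32 ; jmp eax
        return struct.unpack("<I", prologue[1:5])[0]
    return None


def check_inline_hooks(functions, modules):
    """functions: {name: (address, first_bytes)}. A jump that stays inside the
    function's own module is normal (hot-patch thunks, forwarders); a jump
    that leaves it is reported."""
    hooked = []
    for name, (addr, prologue) in functions.items():
        target = inline_hook_target(addr, prologue)
        if target is None:
            continue
        home, dest = owner(addr, modules), owner(target, modules)
        if home is None or dest is None or dest.name != home.name:
            hooked.append((name, target, dest.name if dest else "unknown"))
    return hooked


# --- constructed sample data -------------------------------------------------
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("win32k.sys", 0xBF800000, 0x1C0000),
    Module("rk.sys", 0xF8A3C000, 0x4000),           # the (invented) rootkit driver
]

SSDT = {                                            # service name -> handler address
    "NtQuerySystemInformation": 0x8056D0A0,
    "NtQueryDirectoryFile": 0xF8A3D120,             # redirected into rk.sys
    "NtOpenProcess": 0x80573A10,
    "NtCreateFile": 0x90000000,                     # points at no loaded module at all
}
DISPATCH = {"IDT[0x2E]": 0x804DE6F1, "IA32_SYSENTER_EIP": 0xF8A3E000}


def _jmp_rel32(src, dst):
    """Encode 'jmp rel32' at src landing on dst (used to build sample prologues)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


FUNCTIONS = {
    "NtQuerySystemInformation": (0x8056D0A0, _jmp_rel32(0x8056D0A0, 0xF8A3D500)),       # hooked
    "NtOpenProcess": (0x80573A10, b"\x8b\xff\x55\x8b\xec"),          # mov edi,edi; push ebp; mov ebp,esp
    "NtClose": (0x805BC5A0, _jmp_rel32(0x805BC5A0, 0x805BC600)),     # intra-module thunk, benign
    "NtEnumerateKey": (0x805A1000, b"\x68" + struct.pack("<I", 0xF8A3D900) + b"\xc3"),  # hooked
}


if __name__ == "__main__":
    for label, hits in (("SSDT", check_pointer_table(SSDT, "ntoskrnl.exe", MODULES)),
                        ("dispatch", check_pointer_table(DISPATCH, "ntoskrnl.exe", MODULES)),
                        ("inline", check_inline_hooks(FUNCTIONS, MODULES))):
        for entry, target, mod in hits:
            print(f"[{label}] {entry} -> {target:#010x} ({mod})")
```

Two design points carry over to the real tools. A pointer that lands in memory backed by no loaded module (NtCreateFile above) is at least as suspicious as one landing in an unknown driver, because rootkits often live in memory allocated at runtime rather than in a module that shows up in any list. And an initial jump is only reported when it leaves the home module; flagging every `jmp` would drown the result in the hot-patch thunks that Microsoft binaries legitimately begin with.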

Sysinternals RootKitRevealer RootkitRevealer is an advanced patent-pending rootkit detection utility. It runs on Windows NT 4 and higher, and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at http://www.rootkit.com/, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like FU that don’t attempt to hide their files or registry keys).

PREVENTION OF ROOTKITS

Defensewall HIPS DefenseWall HIPS (Host Intrusion Prevention System) is the simplest and easiest way to protect yourself from malicious software (spyware, adware, keyloggers, rootkits, etc.) when you surf the Internet. Using next-generation proactive protection technologies, sandboxing and virtualization, DefenseWall HIPS helps you achieve a maximum level of protection against malicious software while not demanding any special knowledge or ongoing online signature updates.

Process Guard ProcessGuard is a powerful program that increases the security of your computer by preventing processes from being able to attack each other (for example by injecting code into or terminating one another). Its vendor describes it as a must-have program for all Windows users and as the only program available that can prevent infection by all known rootkit trojans.

Other helpful links

http://www.antirootkit.com/software/index.htm

http://www.antirootkit.com/rootkit-list.htm

http://www.techsupportalert.com/best_46_free_utilities.htm#7

http://www.rootkit.com/index.php

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
