Excellent site for beginners and review:

http://www.webs4u.co.nz/hints/hints.html

 

 

ROOTKITS

What are they?

· Software tools intended to “conceal running processes, files or system data, thereby helping an intruder to maintain access to a system whilst avoiding detection.”
· Not malware themselves, but programs that cleverly and deeply hide the presence of malware programs
· An anti-malware program may report your PC to be clean
· Files not seen with the usual Windows programs, e.g. Windows Explorer (WE), Task Manager, Startup folder
· Received lots of publicity in 2005 when Sony copy-protection software on some CDs installed a rootkit on Windows computers; Symantec also involved
· Originated with Unix tools to hide intruder traces, thus allowing “rooting”

 

How are they used?

· In the past by hackers to hide Trojans; now to hide spyware or mass-circulation viruses/worms
· May take over your PC in a surreptitious manner
· May work with worms, sniffers, keyloggers, DoS (Denial of Service), email spam, or tools that harvest user names and log-in information for sites that require them

 

What are the various types?

· 1. Persistent Rootkits: A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

 

· 2. Memory-Based Rootkits: Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

 

· 3. User-mode Rootkits: There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results containing entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

  The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration.

 

· 4. Kernel-mode Rootkits: Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
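The “compare two enumerations” idea behind both of the last two points (scanners that compare a Windows API listing with a native API listing, and the reason a process unlinked from the kernel's list vanishes from Task Manager) as an added example, not code from these notes or from any of the tools named here. It simulates both cases with constructed data: hooked_directory_listing, linked_list_process_view, HIDE_MARKER and the sample file names and PIDs are assumptions of the example, not Windows internals.

```python
# Added example, not from the original notes: a simulation of "cross-view"
# rootkit detection, i.e. comparing a higher-level (hookable) enumeration with a
# lower-level one and treating anything only the lower view reports as hidden.
# Nothing here touches Windows; the hooked API and the kernel process list are
# stand-ins built from constructed data so the script runs anywhere.

from dataclasses import dataclass


@dataclass(frozen=True)
class CrossViewResult:
    """Outcome of comparing two enumerations of the same namespace."""
    hidden: frozenset    # in the low-level view but missing from the high-level view
    phantom: frozenset   # in the high-level view only (usually churn between the two scans)

    def suspicious(self) -> bool:
        return bool(self.hidden)


def cross_view_diff(high_level, low_level) -> CrossViewResult:
    """Core of the technique: whatever the lower-level view reports that the
    higher-level (hookable) view does not is a candidate hidden object."""
    high, low = frozenset(high_level), frozenset(low_level)
    return CrossViewResult(hidden=low - high, phantom=high - low)


# --- Simulated user-mode hook on directory enumeration -----------------------
HIDE_MARKER = "hide_me_"   # constructed marker; stands in for whatever a hook matches on


def hooked_directory_listing(raw_entries):
    """Stand-in for a FindFirstFile/FindNextFile hook: the filtered result is
    what Explorer or cmd.exe would see."""
    return [name for name in raw_entries if not name.startswith(HIDE_MARKER)]


def scan_directory(raw_entries):
    """High-level view = hooked listing; low-level view = raw directory contents
    (what a native API or on-disk read returns while only the Win32 layer is hooked)."""
    return cross_view_diff(hooked_directory_listing(raw_entries), raw_entries)


# --- Simulated kernel-mode unlinking from the active process list ------------
def linked_list_process_view(pid_table, unlinked_pids):
    """Stand-in for Task Manager / Process Explorer, which rely on the kernel's
    active-process list: an entry unlinked from that list is never reached."""
    return [pid for pid in pid_table if pid not in unlinked_pids]


def scan_processes(pid_table, unlinked_pids):
    """Low-level view = a PID table that does not depend on the linked list
    (constructed here; a real scanner would need an independent source)."""
    return cross_view_diff(linked_list_process_view(pid_table, unlinked_pids), pid_table)


def report(label, result: CrossViewResult) -> str:
    """Human-readable summary; 'discrepancy' is the RootkitRevealer-style verdict."""
    lines = [f"[{label}] hidden={sorted(result.hidden)} phantom={sorted(result.phantom)}"]
    if result.suspicious():
        lines.append(f"[{label}] discrepancy: entries exist but are not enumerated")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample data.
    files = ["notepad.exe", "readme.txt", "hide_me_driver.sys", "hide_me_config.dat"]
    pids = [4, 120, 3088, 4412]
    print(report("files", scan_directory(files)))
    print(report("processes", scan_processes(pids, {3088})))
```

Two things the simulation makes visible. First, the diff only finds something when the two views come from different layers: the notes' point about sophisticated rootkits hooking the native API as well is exactly the case where both views are filtered and the hidden set comes back empty, which is why the notes suggest using several detectors rather than one. Second, the phantom set is not evidence of a rootkit: anything created or deleted between the two enumerations lands there, so a scanner's discrepancy list needs to be read with that in mind.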

 

 

How do we diagnose the presence of Rootkits?

· Not easy!
· Most AV and anti-spyware scanners are worthless for this, although some are now adding this feature
· Need a special detector
· Many are being developed and improved, but they are still difficult to use and non-specific
· Good idea to use several
· This one looks promising: RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
· Other examples: BlackLight from F-Secure (free); RootkitRevealer (free); Rootkit Hook Analyzer (beta and free); IceSword (free, Chinese, experienced users only)
· Malicious Software Removal Tool from MS:
  · not dedicated to rootkit detection (RKD)
  · distributed via MS and Windows Update services

 

What is the therapy?

· Two-pronged, i.e. removal of the rootkit (RK) and then the malware
· Extremely difficult to remove even with a positive diagnosis
· Many feel that formatting and re-installing the OS would be the best approach
· Restoring a backup clone is possible only if the backup was done prior to the infestation

 

What prophylaxis should I use?

· Same as for avoiding malware infections in general, i.e. use several layers of protection
· Run Windows from an account with fewer privileges than Administrator (not always practical)
· Use security tools that prevent global hooking, e.g. Process Guard ($29.95), Anti Hook (free); not practical for all users, i.e. only for P2P users and crackers, those that download and install programs “frequently”
· The best advice: “an ounce of protection…”!