Sunday, January 21, 2007

Rootkit Storm and Solutions

It wasn't really my intent to go back and revisit all these security post lists. That's just how it seems to have turned out. That's OK. Software gets developed and updated. Lists grow. New and better versions get released....

So this time, I'm re-visiting my original anti-rootkit post: Windows Rootkit Detectors

To summarize: "...a rootkit is executable code that attempts to evade detection of running processes, files or system data. There are many ways it can do this, but the end result is that they are very hard to find and can make an infected system look clean and safe even to traditional anti-virus and anti-malware software." More here: Wikipedia : Rootkit

At the time of my original post, there were just a handful of anti-rootkit tools available to the public. I just offered five.

Now most major anti-virus/security software vendors have released anti-rootkit tools, though some are still in beta.

The Threat

How seriously concerned should the average user be? Well...if you practice "safe surfing" by staying away from risky websites, keeping your operating system patched, and scanning all files downloaded or received in email with an up-to-date anti-virus program, you should be mostly OK. I say mostly because a system can still be compromised by a rootkit even when you play by the rules.

Certain individuals would like nothing better than to get a home broadband user's system infected with a rootkit. Not so much to steal your personal information--though that's always a potential target--but to install trojan services that let them use the system for attacks on other, larger systems, for spam-bot rental services, or even for hosting their hidden/illegal files. Any of these could turn a home or corporate user's system into a great big pile of steaming cow-dung for the user and for everyone those services hit. Bummer!

SANS-ISC recently reported that Europe has been pounded lately by emails carrying variants of a virus/trojan loader file: European Storm Video E-Mail. While bad, it doesn't sound too serious...but!

heiseSecurity in Germany expands the story with more details, much more disconcerting: "Storm worm" sloshes through the internet. What the trojan appears to do is download additional files from the internet, and "...according to GDATA, one action it takes is to install the rootkit Win32.agent.dh." Different anti-virus companies use different names for it.

Over at the Anti Rootkit blog: New Storm-Worm Rootkit creating Botnets Steo does some more research on just how this rootkit does its deed. Interesting.

Rootkit writers aren't happy about the attention. Just this week they worked to get the GMER anti-rootkit mirrors shut down with a massive DDoS attack. As soon as new mirrors for the files went up, they were attacked too. More information: GMER Anti Rootkit & People Power, and Martijnc's blog post: DDoS attack

The battle for PC security rages on.

The Response

There are a number of ways to look for a rootkit on your system.

The first is to download and run several of these rootkit detection tools on the live system. They are written to look for hidden files and for masked, running or injected processes, typically by comparing what the normal Windows API reports against what a lower-level path reports and flagging the differences. It's a cat-and-mouse game, and some tools and methods are more effective than others. Just as hard as the security programmers work to detect these rootkits, the developers on the other side work to make them harder to detect.

A second technique is to download several of these tools onto a USB drive, boot the suspect machine from a "LiveCD" such as BartPE or Linux, and run the appropriate tools against the "dead" system's drive(s). This can be a much more effective approach. Since the infected system isn't booted, its drives are just "static" data files that aren't being executed. They could be, but that's the point...to not run or launch anything on the potentially compromised system, so the rootkit's hooks are never loaded and its files can be found and removed while "dormant". The caveat is that detectors which work by spotting hidden processes or API hooks have nothing to compare when the system is offline; an offline scan is a file and signature scan of the dormant disk. Using a Linux LiveCD to scan a Windows system disk is safer still, as the likelihood of cross-contamination is almost non-existent.
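The live-versus-raw comparison described above, as an added example that is not code from the original post or from any of the tools it lists. It shows the cross-view technique on Linux, where it can be run without a Windows box: the readdir() listing of /proc is the "API view" that a rootkit typically filters, and probing every PID with kill(pid, 0) is the independent "raw view"; anything that answers the probe but never appears in the listing has been hidden. Windows live-system detectors apply the same idea with different views (the Windows API versus raw file-system and registry-hive parsing). The function names, the separate pure-Python comparison step and the PID window used by the self-check are my own choices, not anything taken from the tools on the page.

```python
"""Cross-view detection of hidden processes (added example).

Added illustration, not code from the original post or from any listed tool.
The API view is the readdir() listing of /proc; the raw view is a kill(pid, 0)
probe of every PID in a range. A PID that answers the probe but is absent from
the listing has been hidden from readdir().
"""
import os
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class CrossViewResult:
    hidden: frozenset  # in the raw view, missing from the API view
    ghost: frozenset   # in the API view only; almost always a race


def cross_view_diff(api_view: Iterable, raw_view: Iterable) -> CrossViewResult:
    """Pure comparison step; works for PIDs, file names or registry keys."""
    api, raw = frozenset(api_view), frozenset(raw_view)
    return CrossViewResult(hidden=raw - api, ghost=api - raw)


def proc_listing() -> set:
    """API view: the PIDs the /proc directory listing admits to."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid: int) -> bool:
    """Raw-view probe. kill(pid, 0) delivers no signal: ESRCH means no such
    process, EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pid_probe(lo: int, hi: int) -> set:
    """Raw view: every PID in [lo, hi] that answers the probe."""
    return {pid for pid in range(lo, hi + 1) if pid_exists(pid)}


def scan_processes(lo: int = 1, hi: Optional[int] = None) -> CrossViewResult:
    """Diff the two views over [lo, hi], then re-verify each candidate so a
    process that started or exited between the two enumerations is not
    reported. A confirmed hit still answers kill() and is still unlisted.
    Caveat: with /proc mounted hidepid=1/2, other users' processes are
    legitimately unlisted for non-root, so run this as root there."""
    if hi is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            hi = int(fh.read())
    api = {p for p in proc_listing() if lo <= p <= hi}
    first = cross_view_diff(api, pid_probe(lo, hi))
    listing_again = proc_listing()
    confirmed = frozenset(
        p for p in first.hidden if pid_exists(p) and p not in listing_again
    )
    return CrossViewResult(hidden=confirmed, ghost=first.ghost)


def self_check(window: int = 2000) -> bool:
    """Sanity check: this process must appear in both views and must not be
    flagged. Only a window around our own PID is probed so the check stays
    fast even where pid_max is 4194304 (window size is my own choice)."""
    me = os.getpid()
    result = scan_processes(max(1, me - window), me + window)
    return me in proc_listing() and pid_exists(me) and me not in result.hidden


if __name__ == "__main__":
    res = scan_processes()
    print("hidden PIDs:", sorted(res.hidden) or "none")
    print("ghost PIDs (races):", sorted(res.ghost) or "none")
```

The re-verification pass is what keeps a short-lived process that started or exited between the two enumerations from being reported; a confirmed hit is one that still exists and is still missing from the listing on the second look. Entries that show up only in the API view ("ghosts") are reported separately because they are nearly always the same race in the other direction, not evidence of a rootkit.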

If a rootkit is found you have two options: 1) use one of the detection/removal tools to--hopefully!--remove it, or 2) recover your critical data files to another drive or media, do a full wipe of the infected system, and reinstall it fresh.

Speaking as a halfway competent computer geek, I personally would feel more comfortable going with option two, because otherwise I would always have a shadow of doubt about the system's integrity. Nor would I have the patience to pick through a manual removal process if the tools failed to remove it.

Rootkit Detector Tool List

InformationWeek recently posted an excellent article titled Review: Six Rootkit Detectors Protect Your System. I was familiar with some of them, and had come across a few more on my own that didn't make the author's cut. But that got me noticing the increase in the number of tools now at our disposal. With some more careful searching, I've ended up collecting quite a list. Almost all are offered as freeware or trialware.

I have only used a handful of these tools and keep only a few on my USB system administrator's stick. So far I haven't found a rootkit on my systems (here or at work), so I can't speak to their effectiveness at removal. Also, because of how these tools work and where they look, it is quite possible that removing a real rootkit, or a file listed in error (one that wasn't actually malicious), can cause your Windows system to fail, not boot, or BSOD to the point that you will be recovering files off the dead OS drive and then reinstalling your system.

You've been warned!

  • F-Secure BlackLight - Restrictive wizard interface, but easy to use for the uninitiated.

  • IceSword 1.20 - Developed in China but nicely translated into English. Busy interface, but updated often. Has some advanced tools, like the ability to "reboot and monitor" the boot process.

  • RKDetector 2.0 - Two tools in one: 1) scans for hidden files on drives, 2) scans for hidden processes and hooks. Takes a bit of work to run the scans, and can't do a global system scan with both at once.

  • Trend Micro RootkitBuster 1.6 - Runs scans in five system areas and exports a nice log file. You can then opt to remove the detected items.

  • RootkitRevealer 1.71 - From the Sysinternals team. Easy to use, but it often turns up documented false positives: it reports every discrepancy between the Windows API view and its own raw scan of the file system and registry hives, so legitimate files and keys that change during a scan show up too. It only identifies suspicious items; you are on your own to delete them with other methods and applications. Better for system checking and monitoring than for protection and removal in and of itself.

  • Rootkit Unhooker 3.0A - Russian software team project. Does a self-test to make sure it hasn't itself been tampered with; that's a good feature. Provides lots of detail and the ability to do focused scans or a global element scan. Also provides multiple methods to address/remove the located processes and files.

  • McAfee Rootkit Detective Beta - "McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system." Nice interface.

  • Sophos Anti-Rootkit - "Sophos Anti-Rootkit provides an extra layer of detection, by safely and reliably detecting and removing any rootkit that might already have secreted itself onto your system." Note: Registration required for download from the vendor's site. The utility itself is free.

  • GMER - The tool that's got everyone in a fuss! Scans for hidden processes, services, files, registry keys, drivers, and hooks. Also allows some system function monitoring. Highly regarded by the anti-rootkit professionals. More screenshots (while the site is up).

  • Advanced Rootkit Detector for Windows (rkdetector) - This command-line scanner was one of the very first rootkit detectors I became familiar with. I don't think it has been updated since its original release (back in 2004). The website is in Spanish, but the application worked just fine for me. I can't say it can handle the newest rootkit attack methods, but just for posterity I'm offering it here.

More follow, as discovered on Antirootkit.com's incredible website. They've done a bang-up job of finding and detailing all of these. Please check out their site for more information as well as screenshots, reviews and evaluation ratings. These guys (and gals?) are doing great work and deserve full credit for locating this wide selection of tools.

Note: Some products here are betas and may no longer be available, or may stop working after a certain date. Others are trialware/crippleware. In these cases I have chosen to include them anyway so you can keep an eye on possible future development or releases.

  • Gromozon, Rustock, Haxdor related removal tools - Specialized and targeted rootkit removal tool list via Antirootkit.com

  • Aries Sony Rootkit Remover - Tool to remove the Sony/BMG DRM CD protection software.

  • Archon Scanner - More of a process, injection and hooking scanner, but with other specialties as well. The current version was a beta and has expired; the developers promise a new one sometime.

  • AVG Anti-Rootkit - Beta product. Doesn't seem to be offered anywhere but Antirootkit.com.

  • Avira Rootkit Detection - Beta product, disabled after 1-4-07. See Antirootkit.com's page for the file.

  • DarkSpy - Chinese-developed tool. Supports process, kernel-mode, file and registry scans (the registry scan is disabled in the test version) and hidden-port detection. Screenshot via Antirootkit.com.

  • Helios - Alpha-level program right now. Behavior-based rather than signature-based detection. Interesting interface and approach. Worth looking at, but remember it is alpha/beta level... The developers also offer videos of their tool in action.

  • HiddenFinder - trialware - Shows hidden processes and drivers on a system and then lets you kill the desired process.

  • HookExplorer - Tiny little application. Displays import address table (IAT) hijacks and "detour-style" (inline) hooks. Lots of information in the tiny display!

  • OS X Rootkit Hunter - Mac OS X 10.4 product. I don't support Apple systems, but there you are. Screenshot page by the developer. (I didn't think Macs got sick like this!)

  • chkrootkit - Linux rootkit scanner

  • Panda Anti-Rootkit - beta software. Looks at hidden drivers, processes, modules, files, registry items, hooks. Not a lot of user options...scan, clean, and view results.

  • Process Master - trialware - API comparison tool.

  • RootKit Hook Analyzer - Reports on any system hooks and modules and displays findings.

  • Rootkit Hunter - Linux rootkit scanner.

  • RootKitShark - trialware - Command-line scanner. Unmasks located files and prevents them from executing at boot. They can then be removed manually by the user or with other security tools.

  • WinShark - trialware - GUI-based version that incorporates RootKitShark (above) among other features. Allows process and user monitoring of systems (an intrusion detection system). Detection is enabled in the trial version, but the rootkit elimination feature is only in the fully licensed version.

  • RootKit Uncover - beta - Appears to be a hidden process and file scanner. See Antirootkit.com's page for an overview. Bitdefender doesn't have any information on their site for it.

  • SEEM - Multi-purpose system reporting tool with an interesting interface. Includes a rootkit scanner among its features. The website (translated from French) has quite a bit of good information on rootkits and how they apply to the program. Download page (kind of hard to find, in French). Get the English version unless you know French.

  • System Virginity Verifier - Tool developed by Joanna Rutkowska to validate system integrity by checking important Windows system components targeted by hidden malware. She also provides links to some related PowerPoint presentations.

  • Unhackme - trialware - limited to 10 runs until a license is purchased and entered. Comes in Standard, "Roaming" and "Professional" editions. The University of Minnesota's Safe Computing page documents a rootkit removal tutorial with Unhackme.

  • Zeppoo - Linux rootkit scanner. Screenshot page. Blog page.

Additional Resources

See you in the skies...
Claus

2 comments:

H. Carvey said...

Great blog, and excellent blog entry.

Harlan

Anonymous said...

Hi Claus,

Thanks for including our title, Rootkits For Dummies in your blog. We appreciate it. You've written an excellent article too. Ever been to CastleCops? Our book was developed by the Staff there.

All the best,

Larry Stevenson