Six Rootkit Detectors To Protect Your PC
An anonymous reader writes "InformationWeek has a review of 6 rootkit detectors. This issue became big last year when Sony released some music CDs which came with a rootkit that silently burrowed into PCs. This review looks at how you can block rootkits and protect your machine using F-Secure Backlight, IceSword, RKDetector, RootkitBuster, RootkitRevealer, and Rootkit Unhooker."
Print version. (Score:5, Informative)
On debian/ubuntu (Score:5, Informative)
Summarized: The free one is the best! (Score:5, Informative)
It's interesting that programmers working outside of a corporate environment produce such amazing products. Hmmm... I wonder what's up with that?
I am the author of AFX Windows Rootkit 2003 (Score:5, Informative)
Now on the subject of rootkit detection. Most of these use the method based on Microsoft's Strider GhostBuster, which uses a low-level method to gather seemingly clean system information, then gathers the same information using a high-level method. The idea is that rootkits will have only hooked the high-level methods, so there should be a difference in results. Whatever is listed in the low-level results and not listed in the high-level results is displayed as "hidden information". Effectively they are using the rootkit's own hiding functions against itself to detect it. If the rootkit doesn't hide itself to avoid detection, it's still made itself visible.
The problem is that you put yourself in an arms race with who can hook system information at the lowest level. Luckily since we (the sysadmin) have access to the hardware and presumably the attacker does not, a hardware method of gathering system information would be the best. You can bet money that we are going to be seeing hardware level rootkit detectors sooner or later.
The final problem is that a backdoor can be hidden without using these rootkit methods. By hooking incoming socket connections we can make a hidden backdoor that creates no new processes, threads, files, registry keys or any other permanent data. I and others have released POC code already. Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean every time.
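The cross-view technique the post describes, as an added example that is not code from the post, the article or any of the reviewed tools. The real detectors take the low-level view from raw NTFS or registry-hive parsing and the high-level view from the documented Win32 API (FindNextFile, RegEnumKey); here the low-level view is a real os.walk() over a temporary directory, and the high-level view is a constructed stand-in for a hooked API that silently drops names carrying the `$sys$` prefix (the prefix the Sony XCP rootkit hid). The `HIDDEN_PREFIX` constant, the `hooked_api_view` function and the sample tree are assumptions made for the demo.

```python
"""Cross-view rootkit detection (Strider GhostBuster style), added example."""
import os
import tempfile
from dataclasses import dataclass, field

HIDDEN_PREFIX = "$sys$"   # constructed: what the simulated hook hides


@dataclass
class CrossViewResult:
    hidden: list = field(default_factory=list)    # seen low-level, absent from API view
    phantom: list = field(default_factory=list)   # reported by API, absent low-level


def low_level_view(root):
    """Stand-in for the raw on-disk scan: a plain os.walk with no filtering."""
    names = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            names.add(os.path.relpath(os.path.join(dirpath, name), root))
    return names


def hooked_api_view(root):
    """Constructed stand-in for a hooked FindNextFile: the same walk, but any
    entry whose name starts with HIDDEN_PREFIX is dropped, as a hook would do."""
    return {p for p in low_level_view(root)
            if not os.path.basename(p).startswith(HIDDEN_PREFIX)}


def cross_view_diff(low, high):
    """Entries the low-level scan sees but the API does not are the 'hidden
    information'. Entries only the API reports ('phantom') deserve a look too:
    a hook fabricating data, or a race between the two enumerations."""
    return CrossViewResult(hidden=sorted(low - high), phantom=sorted(high - low))


def basenames(paths):
    """File names only, sorted, so results compare the same on any OS."""
    return sorted(os.path.basename(p) for p in paths)


def scan(root):
    return cross_view_diff(low_level_view(root), hooked_api_view(root))


def demo():
    """Constructed tree with two entries the simulated hook hides; returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "system32"))
        for rel in ("Windows/system32/userinit.exe",
                    "Windows/system32/$sys$drv.sys",
                    "$sys$loader.exe"):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"constructed sample content")
        return scan(root)


if __name__ == "__main__":
    result = demo()
    for entry in result.hidden:
        print("hidden from API view:", entry)
    for entry in result.phantom:
        print("reported only by API view:", entry)
```

The diff itself is a set difference; what makes the technique work is that the two views come from genuinely different code paths, so a hook on one path leaves a residue in the other. As the post's last paragraph notes, a backdoor that never creates a file, key or process leaves nothing for either view to disagree about.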
Re:how to secure your computer (Score:2, Informative)
Re:Security solutions (Score:2, Informative)
Re:Wow.... (Score:2, Informative)
Re:Wow.... (Score:3, Informative)
There's no fundamental reason why they couldn't intercept the I/O requests from your native app and return false but consistent data there.
It's just very difficult to do, which is why rootkits try to skirt detection based on the Strider: Ghostbuster method (do a low-level scan of the on-disk filesystem data structures, compare to the results from the FindNextFile API; do a low-level parse of the registry hives, compare to the registry APIs; etc.) by UNHIDING the hidden/changed data from the rootkit detector rather than hiding from the low-level scans.
If you're running on an infected system, you can't be guaranteed to find anything.
Re:I am the author of AFX Windows Rootkit 2003 (Score:4, Informative)
Re:I am the author of AFX Windows Rootkit 2003 (Score:5, Informative)
The complicated answer is, for a little while. The reason is that there are rootkits being developed that are designed to store themselves in your video card. The idea is that after the hard drive is reformatted the video card will load this rootkit back into the kernel. Right now it's highly unlikely.
Re:Correction, and possible next step in arms race (Score:1, Informative)
Re:Blue Pill (Score:3, Informative)
There are actually a few other ways to detect if you are running inside a VM, e.g. use of a non-privileged instruction that reveals information about memory mappings (here [codeproject.com]). However, there is still an arms race: the rootkit programmer might attempt to detect these tricks and defeat them.
on rootkit detection, MD5 etc. (Score:2, Informative)
Another dude said "but my rootkit detect attempt to MD5 and returns the correct sum". Kind of, it's even better than that for the best of the breed: they recognize themselves in *any* attempt to read the file and replace their code (that they recognized) with the code that the file is supposed to contain at that place. What I mean is: you don't specifically decide to defeat a cryptographic checksum or an anti-virus or or or... But you fake the info coming from every single attempt to read the file.
Of course the real "game over for rootkits" comes when you unplug the drive, plug it into a known good system (for example, say, an OpenBSD system that has *never* been hooked to the Internet) and then compare every file with its previous version. Altered userinit.exe? Game over rootkit. Altered winlogon? Game over rootkit. It works the same for Unix systems (for which, btw, there exist many more rootkits, though not as successful in spreading). Which is why projects like honeynet are so successful at catching malware "in the wild". And with projects such as Honeynet being so successful, rootkit writers sometimes decide to write rootkits that don't install to the disk and that don't install if they detect they're running on an emulated/virtualized system. Which means the rootkit will only live for as long as the computer is turned on. And then it will need to re-infect the machine using the same exploit if the machine reboots. Which is also a pain in the arse for rootkit writers: the vulnerability may very well have been patched meanwhile (think auto-update) or exploited by someone else, etc.
Note that you can always detect suspicious traffic using a passive sniffer too (think shomiti tap or one-way ethernet cable... or "software" passive sniffer).
There's no such thing as an "undetectable rootkit". No matter if it tries to hide in the BIOS (Sun machines have had protection against BIOS writes forever, btw), which is incredibly hard (the BIOS code being so small), no matter if it tries to hide in some GFX card's chipset (wtf? someone wrote there's work on that... I can only see it happen on broken-by-design GFX cards and it is certainly not common practice), no matter if it tries to install as a hypervisor on VT-enabled systems...
There's always gonna be a way to detect a rootkit, whether you're on Windows or Unix systems, whether you and rootkit authors like it or not. I'm not arguing, I'm not discussing: I'm stating facts.
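The offline comparison the post above calls "game over for rootkits", as an added example that is not the poster's code or the article's. It is meant to run on the known-good host against the suspect volume mounted read-only: a manifest of SHA-256 digests is built from a clean baseline of the same build, stored, and later diffed against a fresh walk of the mounted disk, so a patched userinit.exe or winlogon.exe shows up as "altered". Nothing on the suspect OS executes, which is why its hooks cannot substitute the expected bytes as described in the first paragraph. SHA-256 is used rather than the MD5 the post mentions; the directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Offline integrity check of a mounted suspect volume, added example."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks so large binaries do not fill memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path relative to root (POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target is hashed under its own real path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Added and missing paths, plus paths whose digest changed ('altered')."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "missing": sorted(base_keys - cur_keys),
        "altered": sorted(p for p in base_keys & cur_keys
                          if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Store the baseline off the suspect disk, e.g. on the clean host."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tree, tamper with it, re-check offline."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        sys32 = os.path.join(root, "Windows", "system32")
        os.makedirs(sys32)
        for name in ("userinit.exe", "winlogon.exe", "explorer.exe"):
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(b"clean " + name.encode())
        manifest_path = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), manifest_path)

        # Simulated tampering: patch one binary, remove another, drop in a new file.
        with open(os.path.join(sys32, "userinit.exe"), "ab") as f:
            f.write(b" + patched")
        os.remove(os.path.join(sys32, "explorer.exe"))
        with open(os.path.join(sys32, "extra.sys"), "wb") as f:
            f.write(b"constructed new file")

        return compare_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The baseline must come from somewhere the suspect machine never touched (a clean install of the same build, or a manifest taken before the machine went online) and be stored off that disk; a manifest that lived on the infected volume could have been rewritten along with the binaries. The same script covers the post's Unix case unchanged, since it only walks a mount point.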
Re:What I'd like... (Score:3, Informative)
The article can be found here. [rootkit.com]