Six Rootkit Detectors To Protect Your PC

An anonymous reader writes "InformationWeek has a review of 6 rootkit detectors.This issue became big last year when Sony released some music CDs which came with a rootkit that silently burrowed into PCs. This review looks at how you can block rootkits and protect your machine using F-Secure Backlight, IceSword, RKDetector, RootkitBuster, RootkitRevealer, and Rookit Unhooker."

Print version.

[antdude]

Click here [informationweek.com] to going to next pages. :)

On debian/ubuntu

[delirium of disorder]

apt-get install chkrootkit [chkrootkit.org] rkhunter [rootkit.nl]

Summarized: The free one is the best!

[tgbrittai]

Ironically enough, it was one of the independent tools -- Rootkit Unhooker -- that turned out to be the best.

It's interesting that programmers working outside of a corporate environment produce such amazing products. Hmmm... I wonder what's up with that?

I am the author of AFX Windows Rootkit 2003

[Afecks]

Hey, thanks for the mention in the article but that is a really old version you've used to test! The last version I've released publicly is AFX Windows Rootkit 2005, it's open source and can be found on http://www.rootkit.com/ [rootkit.com] the other more recent versions I've sold privately.

Now on the subject of rootkit detection. Most of these use the method based on Microsoft's Strider: GhostBuster. Which uses a low-level method to gather seemingly clean system information then gathers the same information using a high-level method. The idea is that rootkits will have only hooked the high-level methods so there should be a difference in results. Whatever is listed in the low-level results and not listed in the high-level results is displayed as "hidden information". Effectively they are using the rootkit's own hiding functions against itself to detect it. If the rootkit doesn't hide itself to avoid detection it's still made itself visible.

The problem is that you put yourself in an arms race with who can hook system information at the lowest level. Luckily since we (the sysadmin) have access to the hardware and presumably the attacker does not, a hardware method of gathering system information would be the best. You can bet money that we are going to be seeing hardware level rootkit detectors sooner or later.

The final problem is that a backdoor can be hidden without using these rootkit methods. By hooking incoming socket connections we can make a hidden backdoor that creates no new processes, threads, files, registry keys or any other permanent data. I and others have released POC code already. Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean everytime.

Re:how to secure your computer

[madsheep]

LOL is this a serious post? Most rootkits out there are designed to work on *nix based operating systems. True rootkits are far more common on for these flavors of OS over that of Windows. I am not sure if this is a reference to Ubuntu being secure. Maybe you could have recommended visting a site that houses a BSD flavor..won't bother pointing out one for that useless debate. Choosing Ubuntu is not going to protect you from rootkits in anyway.

Re:Security solutions

[Anonymous Coward]

When it's not being exploited [sans.org]

Re:Wow....

[jomama717]

If a native app [microsoft.com] can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot. This works for user mode and kernel mode rootkits, but if there's a BIOS rootkit you're pretty much screwed. See my previous post [slashdot.org], Norton AntiVirus 2007 operates in this way.

Re:Wow....

[EvanED]

If a native app can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot...

There's no fundamental reason why they couldn't intercept the I/O requests from your native app and return false but consistent data there.

It's just very difficult to do, which is why rootkits try to skirt detection based on the Strider: Ghostbuster method (do a low-level scan of the on-disk filesystem data structures, compare to the results from the FindNextFile API; do a low-level parse of the registry hives, compare to the registry APIs; etc.) by UNHIDING the hidden/changed data from the rootkit detector rather than hiding from the low-level scans.

If you're running on an infected system, you can't be guaranteed to find anything.

Re:I am the author of AFX Windows Rootkit 2003

[Afecks]

My old site is down because I've moved away from this kind of stuff in the past. The only surviving mirror I can find is here. [opensc.ws] Basically you're just hooking accept() Winsock API in all processes and then any listening service is a potential backdoor. This is a simple user-mode method. Someone could write a more specific version for a particular service such as IIS that hooks deeper into the code that receives network data.

Re:I am the author of AFX Windows Rootkit 2003

[Afecks]

The simple answer is, yes.

The complicated answer is, for a little while. The reason is that there are rootkits being developed that are designed to store itself in your video card. The idea is that after the hard drive is reformatted the video card will load this rootkit back into the kernel. Right now it's highly unlikely.

Re:Correction, and possible next step in arms race

[Anonymous Coward]

Of course modern OSes do not use the BIOS any more... plus Windows has HAL (hardware Abstraction Layer) and Ctrl+Alt+Del login to protect against this.

Re:Blue Pill

[Cheesey]

Apparently one of them attempts to. From TFA:

The single most intriguing feature is the "Virtual Machine Detector," which uses the time elapsed between two low-level CPU instructions to determine if the operating system is running directly on the PC or in a virtual machine.

There are actually a few other ways to detect if you are running inside a VM, e.g. use of a non-priviledged instruction that reveals information about memory mappings (here [codeproject.com]). However, there is still an arms race: the rootkit programmer might attempt to detect these tricks and defeat them.

on rootkit detection, MD5 etc.

[Anonymous Coward]

Someone said we could MD5 Windows binaries... Of course we can, though MD5 is so broken in this 21st century that you'd better use SHA-1 ;)

Another dude said "but my rootkit detect attempt to MD5 and returns the correst sum". Kind of, it s even better than that for the best of the breed: they recognize themselves in *any* attempt to read the file and replace their code (that they recognized) with the code that the file is supposed to contain at that place. What I mean is: you don't specifically decide to defeat a cryptographic checksum or an anti-virus or or or... But you fake the infos coming from every single attempt to read the file.

Of course the real "game over for rootkits" comes when you unplug the drive, plug it to a known good system (for example, say, an OpenBSD system that has *never* been hooked to the Internet) and then compare every file with their previous version. Altered userinit.exe? Game over rootkit. Altered winlogon? Game over rootkit. It works the same for Unix systems (for which, btw, there exist many more rootkits, though not as successfull in spreading). Which is why projects like honeynet are so succesfull at catching malware "in the wild". And with projects such as Honeynet being so successful, rootkit writers sometimes decide to write rootkit that don't install to the disk and that don't install if they detect they're running on an emulated/virtualized system. Which means the rootkit will only live for as long as the computer is turned on. And then it will need to re-infect the machine using the same exploit if the machine reboots. Which is also a pain in the arse for rootkit writers: the vulnerability may very well have been patched meanwhile (think auto-update) or exploited by someone else, etc.

Note that you can always detect suspicious trafic using a passive sniffer too (think shomiti tap or one-way ethernet cable... or "software" passive sniffer).

There's no such thing as an "undetectable rootkit". No matter if it tries to hide in the BIOS (Sun machine have been having protection again BIOS write since ever btw), which is incredibly hard (the BIOS code being so small), no matter if it tries to hide in some GFX card's chipset (wtf? someone wrote there s work on that... I can only see it happen on broken-by-design GFX card and it is certainly not common practice), no matter if it tries to install as an hypervisor on VT-enabled systems...

There's always gonna be a way to detect a rootkit, wether you're on Windows or Unix systems, wether you and rootkit authors like it or not. I'm not arguing, I'm not discussing: I'm stating facts.

Re:What I'd like...

[Afecks]

Actually I've written an article describing how to do what you speak of. The only piece of the puzzle you left out is that you need to scan the system from inside Windows first. Then boot into Linux and scan the hard drive from there so you can compare the results.

The article can be found here here. [rootkit.com]