how to scan for Root kits?

Discussion in 'Trojan Defence Suite' started by BABY_DID_A_bOOM_BOOM, Mar 28, 2003.

Thread Status:
Not open for further replies.
  1. If a rootkit was installed on my system and I am unable to access my SafeMode, how will I go about scanning for it? Does TDS-3 come with DOS Shell ability? Or a low level loading? Since once Windows loads it's too late.

    Thank You
     
  2. Jooske, Registered Member (joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    How about using exec protection disabling the thing to execute at all and stopping it in its traces?
     
  3. Babby thingy, Guest

    Yes that would solve one of the problems but what if the rootkit loads before TDS-3? Also what if rootkit got installed before TDS-3 did? Some rootkits can redirect requests to that specific file thus appearing as if the file never existed. For example if you try to scan for subseven 2.2 and a rootkit is installed with that given trojan defined then it is possible that any scan made to find subseven 2.2 will come out clean since the data will go from user level to rootkit to os.
    I don't know, just a thought.
    It would be nice if one could scan the system before actually loading windows.
     
  4. Andreas1, Security Expert (joined Jan 29, 2003; 367 posts; Mainz (Ger))

    Can you scan from a session booted from some other place? I don't think a DOS boot disk will do (although NOD, for example, has a DOS scanner that should be possible to put on a (set of) boot disks as well - and it uses the same sig. database as the win version), but maybe you can scan over a network or maybe even take your hdd out of the pc case and build it into another PC that boots from its own hdd and has tds available... (There are people who always have two installations of the same OS in one system just for that purpose (one backup boot system) - I had when I had NT4)

    Andreas
     
  5. Pilli, Registered Member (joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Hi, if you check the primary list, you will find that TDS3 has many root kit detection entries. (Help, Primary list)
    So I think that TDS will detect even one that redirects by its signature + heuristics will catch new variations. Sub-seven detection is probably better in TDS than any other scanner.
    So exec protection will still catch it & if you do regular scans with the latest updates there should not be a problem.
     
  6. Jooske, Registered Member (joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Andreas, Pilli, would this mean scanning with online scanners would help as well?
    I understood from some discussions in the private TDS forum the rootkits are transported and activated mainly via trojans, is that correct?
    So those trojans would be stopped in their traces in the first place already with the exec protection.
    Are they not remotely controlled in most cases, so we would see unexplained netstat connections and with Port Explorer or the TDS > Network > Port listen function be able to see what kind of packets would be involved?

    Can imagine the question with a possible infection before TDS was installed because of the hiding functions of the rootkits. In the discussions mentioned is spoken about several tests which are still possible to detect them.
    I think others and the DCS team can explain much better what we can do with TDS-3 exactly for cleaning out such former infections.
    Very good reasons to look forward to the TDS-4 families and other new DCS tools in near future too!
     
  7. spy1, Registered Member (joined Dec 29, 2002; 3,139 posts; Clover, SC)

    Isn't this where (if TDS isn't already installed) you d/l TDS, re-name the exe before installing and install it to a non-standard directory? Pete
     
  8. Dan Perez, Guest

    Hey Baby :)

    What OS are you running?

    If it is NT/2K/XP then I think Andreas' suggestion of a parallel install is the best option.

    A good means (though not perfect) of combatting against the rootkits would be to regularly run MD5 or SHA1 hashes on critical system files and compare later runs against your earlier baselines to see what gets changed. (This is the basic principle behind the Tripwire product. Tripwire is an expensive commercial product but I know there are some less expensive or free products that would provide the hash collection/comparison functionality.) This is rather pointless in this instance as you have a suspicion that there is a rootkit present but no previous baselines of md5 hashes to test against.

    You might want to consider adopting the hash compare routine once you get things settled.

    Dan
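
The hash-and-compare routine described in the post above, as an added example that is not part of the original thread or of any product named in it. It uses SHA-256 in place of MD5/SHA1, and the file names in `demo()` are constructed sample data standing in for system files.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(old, new):
    """Return sorted lists of modified, added and removed relative paths."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed


def demo():
    """Constructed sample tree standing in for a system directory."""
    samples = (("kernel32.dll", b"original"), ("ntdll.dll", b"stable"), ("old.sys", b"x"))
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = build_baseline(root)
        # Simulate changes between two runs: one file replaced, one removed, one new.
        with open(os.path.join(root, "kernel32.dll"), "wb") as fh:
            fh.write(b"patched")
        os.remove(os.path.join(root, "old.sys"))
        with open(os.path.join(root, "new.sys"), "wb") as fh:
            fh.write(b"y")
        return compare(before, build_baseline(root))
```

Because a rootkit can redirect file reads, as post 3 points out, the comparison is only meaningful when the disk is read from a trusted boot or a second system, with the baseline kept off the machine being checked.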
     
  9. Gavin - DiamondCS, Former DCS Moderator (joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)

    Rootkits are a fundamental problem of any OS, and we hope by TDS-4 we can have some super strong protection. It's just another thing delaying TDS-4 release, we want to do some serious research on the matter.

    Scanning from another system is possible, plugging the hard drive in so it's not booted from, Safe Mode, but hopefully there will be better options soon :)
     
  10. Gavin - DiamondCS, Former DCS Moderator (joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)

    We're researching other means of detecting rootkits, and while you will have to wait for TDS-4, the results are already promising. I'm working on and anticipating:

    - generic rootkit detection, it seems possible
    - rootkit blocking, a way of immunising your system when TDS installs
    - rootkit disabling, similar to above, once you reboot the rootkit doesn't work anymore :)
    - rootkit removal, proper detection after either of the above, perhaps more detection possibilities too :)

    Lots to research, so I can't promise everything will work out yet :)
     
  11. spy1, Registered Member (joined Dec 29, 2002; 3,139 posts; Clover, SC)

    Glad that hammering on the subject and continually providing new links about the subject in the private DCS forum led to all the brainstorms! :) Pete
     