RootKit Detection Treasure Trove !

Hey this is such a great read so many avenues of interest to keep us occupied for a very long time.We've been looking for info like this for a time now and all those links and detailed research it led us to was mind blowing.Too much to take in all at once but we intend to go through it all piece by piece.

Keep up the good work my man and thanks ever so much for all of this it must have taken an age to do but was worth it we can tell you.

Charles Z

 

If you want to block rootkits from even getting into your computer in the first place, get processguard today. Prevention is better than cure!
www.diamondcs.com.au

 

Some of those links look somewhat suspicious to me, and being the cautious guy that I am, how do we know some of them are not rootkits themselves or contain a rootkit of some kind?

I guess I'm saying I don't think I would want to download something unless I'm absolutely sure I'm not downloading a rootkit. I'm sure they all scan for and find rootkits, but what else could they be doing or installing?

True, they look somewhat safe, but how do we really know what's in these programs? Maybe I'm just paranoid here, but the people who make these tools would probably also know how to slip a rootkit in with the rootkit detector, so all along you think your getting just a detector, but in reality there's a little surprise in the package.

I do trust sysinternals free detector, but that's about it for me. I just don't really trust many of these other free rootkit detectors and think people should be cautious when downloading this type of free software. Maybe someone could convince me otherwise, but I doubt it.

I would like to have as many detectors as possible too, knowing how serious a problem rootkits could become, but I won't download any of them because I just don't trust those sources.

 

Hi,

***Mr cautious

The rootkit's paranoia is a little bit legitimate.
Because there's no radical solution for detection (known/unknown), and neither for prevention.

But we have more chance to be infected by a worm/virus/trojan (specially P2P user) than by an advanced rootkit.
But Mr cautious, i think you're already infected like many of us by the Perfect Rootkit: Windows itself (advpack.dll...).

For anything else (trusted source or not), i'll not try to convince you.

***Spanner

Great idea to summarize rootkit's tools on one good post.

***To complement the subject:

*Detection tools:

-RootkitRevealer,

-Unhackme: http://greatis.com/unhackme/

*RKScan (against Knark and Adore) for Linux:

http://www.hsc.fr/ressources/outils/rkscan/index.html.en

*Solutions with bootable CD Rom:

-Microsoft Strider GhostBuster: http://research.microsoft.com/rootkit/

Important: GhostBuster is not available.It still a project.

-Alternative: BartPE: available but limited:

http://www.nu2.nu/pebuilder/

A little summary: http://www.pcmag.com/article2/0,1759,1747874,00.asp

For Linux (but there's a possibility to use them on Windows):

-Knoppix: http://www.knoppix.net/

-Helix: http://www.e-fense.com/helix/index2.html

*Emergency solution from Winternals:

http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp?pid=erd

*Others emergency solutions: Erase the hard drive, reformat, re-install Windows...

*Tracker, a little tool to fin any change .diificult to find (see on broadband forums)

*more tools and informations on the 2 or 3 rootkit's threads.

Regards

 

Just had a quick look at the "hacking exposed" site. Now maybe I am missing something here and if i am, i apologise, but dont the contents there amount to a detailed hackers guide?

jock

 

Thanks for that Spanner. I had already read the foreword, but was still concerned over the fact that the info could be used for the very purpose it was meant to defeat, however, after a nights sleep and a good look at the site, i can appreciate your viewpoint.
It is true of course that in oreder to effectively counter a threat, one has to understand that threat, and i accept that i had lost sight of that . I suppose that it will always be a judgement call as to whether to publish this sort of info in order to strengthen your own defences, and given that the scummers already have extensive reources of their own, in balance i can see the value of it.

Jock

ps
in fact, it wouldnt hurt me to know more about how these sh..s go about their trade so that i can be more informed in countering them....

 

Hi Spanner intheWorks,

Thanks for the effort you have put into this. Much appreciated .

Nick

 

@spanner

well done thread - next to robert hensing's blog my most important information source...

keep up the great work!

 

Nice reading, many thanks.

 

i think if you want to find out if you have a rootkit on your PC you can ask a friend to use their PC to look on your computer as the process is only hidden on the target computer.

 

Ice, So, do you use that remote desktop thing or .....? Can you give more detail? Do they have to be the same as far as well, guess it would have to be same program, what else?

 

hi, Marja when a rootkit is installed it is only hidden from the computer it is installed on, so any other computer can connect to the infected PC and probably have a look in Task Manager and see the rootkit there.

one of the first things a hacker will do is try and work out the topography (Star, Tree, Bus, Ring) of the network they have accessed. so, i'm not sure, but i'd guess that that would mean there's a chance anyone of the computers could have rootkits on them, and again, i'd guess that would mean the PCs on that network wouldn't be able to see rootkits installed on the other PCs. so to check for a rootkit it would be best to use a PC that isn't apart of that network - a friend's.

i have my remote desktop disabled, i think it is disabled by default now with SP2

 

Unfortunately all these posts where people are like 'just connect to the possibly rootkit'd machine from a clean remote machine and then scan the <filesystem/registry/running processes> and you'll see any hidden <files/registry entries/processes> are dead wrong.

This may work TODAY - but it is not a long term solution.
How do you think the clean remote machine is getting the file / registry / process information from the rootkit'd machine? It's making API calls across the network - the API calls are run on the rootkit'd machine.

It's only a matter of time before the miscreants shut the door on this approach and 'fix the glitch' (Office Space).

Don't get me wrong - it's a good idea, and it works against kits like Hacker Defender - but it should not be relied upon as the ultimate solution becuase it's not.

The best approach I've seen is the method that MSR came up with and used by their Ghostbuster tools (which sadly aren't released yet) in which they dump the registry / file system while the machine is online and then they boot off a boot CD and mount the file system and registry and dump them again while the suspect system is offline. Then they diff the two sets of output looking for things that show up offline that didn't show up online. This IMHO is a great way to detect persistent rootkits - but even it can be defeated in a variety of ways. In fact any solution can be defeated - there is no bullet proof way of detecting rootkits.

 

I saw several file integrity checkers mentioned.
I would like to add those:
- NIS File Check (no longer maintained; see archived forum)
- File Change Alarm (no longer maintained; see archived forum)
- FileChecker from Javacool
- Inspector in KAV Pers Pro (more or less like ADinf32)
- Alfa File Monitor and Alfa File Protector (very expensive)

A useful tool : RegDefend from Jason

A useful tool for comparing files, registry, etc, might be Beyond Compare

Useful tools might be PortExplorer from DiamondCS and AtelierWeb Ports Traffic Analyzer

 

iceni60,

you said:
"...so any other computer can connect to the infected PC and probably have a look in Task Manager..."

Could you elaborate on that one? I don't see any functionality within TM (I'm currently on XP Pro) that would allow me to run it remotely against another system that I'm connected to.

And to the (in)famous Robert van Hensing,

I agree with your comments, but for the nounce, accessing and checking the system remotely *does* work. So, why not put that in our toolkit for now, and keep working on other methods?

I think that important thing to point out (as you did) is that GhostBuster, while great in concept, is not yet available. Also, it requires taking the system down, which is something that cannot always be done.

I, for one, would like to see (and be involved in) efforts to come up with Windows incident response solutions, in general.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 

Hi,

***iceni60

One of the most important target of the rootkit's client\hacker is to hide processes and therefore you can be sure that you'll not be able to see any suspect process on the TM or process tool .

If a computer is suspected to be infected, one of the possible solution is to shutdown the system and to analyze the hard drive from a CLEAN machine/computer (or to boot up with CD rom solutions).

***Rootkits are more frequent in Solaris/Unix/Linux systems than in Windows.
The same IDS/IPS rule can also be applied to prevent rootkit:

"That which can not be detected should be prevented, that which can't be prevented should be detected".

I'm agree with Fanj that integrity protection is important.
But only a very strong one, like Veracity (Rocksoft), Data Sentinel (Ionx) or Tripwire.
Integrity utilities (Integrated on AVs or the Windows one) can be bypassed (see the Phrack's article:" bypassing integrity checking systems").

In all case, there's some little things that any user can do for prevention:

*Hard Windows (services, registry, rights and privileges, patches),
*remove all programs that the user does not use any more,
*Install a strong line defense and still as aware as possible...


More information:

https://www.wilderssecurity.com/showthread.php?t=68531

https://www.wilderssecurity.com/showthread.php?t=67742

Well...2005 seems to be the Rootkit's year...

regards

kareldjag

 

Or: DeepFreeze - http://www.faronics.com/html/deepfreeze.asp
Nothing written to the HD survives a reboot.

The problem with anti__ (fill in the blank) programs is that they are reactive, not proactive. That is, they can only react to known code. Once an anti- tool or program is released, it is hacked and then needs to be updated. The latest victim is sysinternal's rootkitreveal. It's a constant battle with no clear solution. If you read between the lines, it's become a war game.

One newsletter refers to "Keeping up with an accelerating arms race."

On another forum: "So the war between the miscreants and the first responders / incident responders is just that - it's a war with casualties... and it is complete with an arms race in the form of stealthing (miscreants) and detection (incident responders) technologies. They hack and hide - we try to find them and recover the servers."

You begin to wonder if the IR, Anti-virus, Anti-spyware industries really want a permanent solution. There would be no more game, very little business.

Consider this: If overnight all of the virus writers were eliminated, wouldn't the antivirus companies be forced to write their own?

Consider this: If everyone used one of the products mentioned above (and there are others) you would have in place a proactive rather than a reactive defense. What would result? Very little business for those industries. Is it really in their best interest to eliminate viruses and related malware? If so, why don't you see more focus on proactive prevention?

In businesses, if an Administrator has to call an IR team, that Administrator isn't doing her/his job. Any Administrator who does not bulletproof the system from such attacks with such products as above should be fired for being uninformed and incompetent.

In the home, the average user has no idea of what's going on behind the scenes of her/his computer, and could care less about the technical gobbledygook of explanations. All the average user wants is a comfortable and pleasant computing experience. Rather, the average user is forced to play the game by keeping constantly updated with the various anti- programs. For many the computing experience has become a constant nightmare, not knowing when the next attack will sneak by the defense, so-called, infect the system with unwanted pop-ups, trojans, or completely trash the computer, requiring the format/reinstall.

None of this has to be.

To quote nadirah again: Prevention IS better than cure!

 

Hi,

With the others rootkit's thread, it's surely one of the most exhaustive documentation about rootkits that we could find on the web .

*** "Prevention is better than cure"

This Hippocrate sentence is still legitimate for computer's security.
And it's difficult to contest Rmu's arguments.

PREVENTION is the future of security, specially against advanced threats like rootkits, worms, bots and network backdoors.

***Infection Prevention System : (Anti-Malwares with integrity checking features):

*Abtrusion Protector: http://www.abtrusion.com/

*Viguard: http://www.viguard.com/en/intro_en.php

*Integrity Master: http://www.stiller.com/

*Invircible: http://www.Invircible.com/

*Zorro Pc Protector (a french one): http://www.thierryaragon.com/zorro/

***Hard drive protection (like DeepFreeze):

*Shadow User Pro: http://www.shadowstor.com/products/ShadowUser/

*Drive Vaccine:

http://www.horizondatasys.com/product_page.html?page_id=1


Regards

 

A few other programs that can also auto revert your hard drive like DeepFreeze are

1. GoBack www.symantec.com/goback

2. RestoreIT www.farstone.com/home/ensite/products/rit.shtml

But one problem with any program like these is if you allow the rootkit to run, not knowing that is what you are doing, you will get infected. Same goes for programs like Process Guard. If the rootkit is packaged with some program that you trust, it could install and you wouldn't even be aware of it, even if you had both Deep Freeze and Process Guard running, so nothing is perfect.

 

This is true with DeepFreeze (I can't speak to Process Guard) - anything installed while in a thawed state will become permanent once the system is put back into a frozen state with Deep Freeze.

The prevention here is user awareness. At this point, it seems safe to install programs that you purchase from a reputable company on a unopened CD, or those downloaded/installed from a reputable company with a secure website. I know that there are examples where the above seeming safeguards have been thwarted, but they are very few.

Those who download/install programs from questionable sites take a risk.

Those who obtain pirated programs - well, there's no sympathy here.

 

Hi Karel,

As for file integrity checking:
It is not only the used HASH Algorithm but also the question how secure your integrity checker saves checksums, that might be important here.
Several years ago I wrote a little theoretical note on that last issue, but I think it is nowadays too old... (and too far off topic here).

Cheers, Jan.

 

Windows PE is always a good choice to take a look at the infected system - the difficult task is to find the normally hidden files.

One way to start is to look at the local registry -> most rootkits use normal hidden "run"-keys to launch.

sadly scripts like silent-runners (http://www.silentrunners.org) are not very useful running on WinPE...

 

Sorry that it's took so long - but work is quite busy this days...

WinPE is a pure Win32 - no NTVDM, WOW16, Posix,... - environment that starts from CD-ROM and need no HDD-Drive to run. It was originally itended for automated setup - hence the name Preinstallation Environment.

I've built my version for over 2 years now from scratch - and doing so I've learned more about the inner working of Windows than ever before. But if you don't have 2 years (-;

BartPE Builder - http://www.nu2.nu/

Bootable CD Forum with a huge BartPE and WinPE section - http://www.911cd.net/forums

 

Spanner: making the files on the hard drive read only does very little to prevent malware, neither now or in the future. As an example, people in the mid 1990s made the MS Word Normal.dot read-only to try to prevent Word macro viruses. We found that word macro viruses still spread just as fast. Word would be virus-free when it was shut down, but when re-opened, the user would open an infected document and immediately be re-infected, spreading viruses to other files and users. Technically speaking, the virus was not able to load persistently; and yet MS Word was still persistently infected 95% of the time it was running.

The other problem is that with current Windows implementation, you can't easily make the entire system read-only. Current and future implementations that do so [such as WinPE and BartPE] make it difficult for users to save their customizations, and even then there would usually need to be a user-writable folder somewhere for saving data files and customization files.

MS Strider Ghostbuster is a useful research project, but the media and a few experts wrongly made too much of its current state and demanded it be released immediately to the public. It is not ready for release, as it has a number of vulnerabilities. On the other hand, the main Strider Ghostbuster tool is just a batch file that runs the DIR command and uses something like FC to compare the results, you could do that yourself today. Such a technique does not detect ADS files, which is a big vulnerability. There are also some ways this technique can be evaded, including using the same trick Hacker Defender used against Sysinternals Rootkit Revealer.

I think it is ideal to have AV product suites start to integrate anomaly detection a la sysinternals rootkit revealer... because if Hacker Defender tries to trick a product like rootkit revealer by not hiding, then the signature-based scanner that is running in the same "context" would then easily pick it up. This further raises the bar for rootkits.

I would also like to see an on-access service similar to Guidance EnCase Enterprise edition that makes a file hash of any new executable that is run, before the executable is run, and sends new hashes to a central syslog-style server. The central server would then divide file hashes up into known good, known bad and unknown. I feel this would be a pretty reliable way of detecting viruses, adware, rootkits and forbidden apps in a central location, without causing the latency and administrative overhead of a preventative whitelist tool like SecureWave's SecureEXE, and without a rootkit being able to avoid detection as tools like Encase Enterprise could be vulnerable to.

 

How about this use of some or all of these for comparing dumped hives ect?
Maybe with shadowuser or deepfreeze even. You need to look over each ones abilities.
nother question. Can't you still change attribs in DOS windo to view all file info?


http://www.vmware.com/


http://honeypots.sourceforge.net/monitoring_vmware_honeypots.html


http://www.cenatek.com/product_ramdisk.cfm

Bruce