Free rootkit detector from Sysinternals

There is a new free program from Sysinternals for detecting rootkits called RootkitRevealer. I thought some of you may find it useful. http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

 

I ran the scanner and it turned up 78 things labled either "Access is denied" or "Hidden from Windows API". I guess it's an interesting concept but the program fails really bad as far as help, It tells you nothing about what to do if these things show up in a scan and how you can tell if one is a real rootkit. The main problem after you run it is the question Now What?

 

The example SysInternals gave had found 42 discrepancies, you found 78. Well I've just tried this thing and for me it found over 62,000 discrepancies!!!!!

Just trying to read through that lot would take all day - what a TURKEY!

 

Do you have KAV 5.0? That screws this application up because it shows all files hidden from windows API because of the ADS that KAV uses (unless you decline to use IStreams).

 

Sounds like maybe it's time to format, Topper. Maybe it's a PITA for some, but it's a start. When doing that kind of scan, I would want to know everything that's hidden, anyway.

I think it should be kept in mind that SysInternals primarily makes tools for techs, programmers, and people that are otherwise interested in the internal workings of the system. You can download all of SysInternal's tools, but none of them will do you much good if you don't know what they do.

That said, what you would mainly be looking for are executable files and drivers. If anything turns up, you would want to Google it.. of course I'm sure you could post here at Wilders if anything was found that you are worried about. If you find out that you have a rootkit on your system, however, you would really want to consider reformatting and installing something like ProcessGuard (in that order), at the very least you would want to get some professional advice.

For those that want something a little easier, there is always UnHackMe from Greatis Software.. it performs a similar function, but only in very specific areas.

I, for one, am very happy to have such a tool made freely available from a company like SysInternals. They make some great tools, and this is no exception.

 

Mele: That would make sense

 

While hunting for new rootkit detection tools a few days ago, I wondered when Sysinternals would get involved. Glad they did.

On one system (with KAV previously installed), RootkitRevealer found about 677 discrepancies. That's after running Streams for the first time about a month ago. One my other system, no KAV on a recent XP install, 42 discrepancies.

Nick

 

230 for me, now what? Unhackme found nothing in one second?

 

The main thing to look out for, IMHO, would be Registry entries marked "Hidden from Windows API." [EDIT: Also, of course, you would want to definitely watch out for any actual EXEs marked as Hidden from Windows.] I'm not sure how some of you are getting massive quantities of discrepancies. I only had 29, with 15 of those very likely being just NTFS metadata entries "Hidden from Windows API." and 14 of them being registry entries where "Access is denied." (7 in each of ControlSet001 and ControlSet002).

I'm wondering if some of you are attempting to do lots of other things on your machines while you performed the scan. You must remember the way this thing works... it scans your harddrive twice, once with raw drive scan and once with Windows API calls. It then compares the two. So, if you are doing things in between scans like -- moving files, renaming files, browsing the web and adding/replace entries in your web cache, using some utility that adds/deletes/modifies registry entries, etc. -- then these will show up as discrepancies. I did a test second scan and renamed a file in the middle of the process, and you will generate two entries as a result; one that says "Hidden from Windows API." and one that says "Visible in Windows API but not in MFT or directory index." If you are seeing a bunch of the latter entries saying "Visible in Windows API but not in MFT or directory index" then you are probably getting a lot of false positives from some sort of in-between file activity since a real Rootkit would unlikely add things to be visible from the Windows API.

By the way, a normally created alternate data stream (ADS) does not seem to show up as a discrepancy. Before my second scan, I also created a simple test file with an ADS, and it did not appear in my output list. So, I'm not sure that is the full explanation. Perhaps KAV does something else to the files?

Personally, I think this is a great tool, and I'm really glad we have the guys at Sysinternals around to help us out! Their utilities are some of my all time favorites and are often some of the first tools I grab on a new computer (Process Explorer, Autoruns, TCPView, Filemon, etc). They also write an extremely informative book!

 

something is not right with this. I tried again, now I have:

http://img152.exs.cx/img152/5256/root8ql.jpg

**edit - yeah, i have a lot going on right now - perhaps this should be run in safe mode?

 

It doesn't have to be run in safe mode necessarily, just as Admin with nothing else going on. Think of it sort of like a defrag utility... shut down every other active application, start it, and walk away. Also turn off any resident utilities which might cause signifcant background activity (disk drive indexers, schedulers, etc.). I left my AV, NOD32, and firewall, ZA, on without any problems... but, theoretically I suppose, some AVs might intercept Windows API filesystem calls in a way that messes this scanner up? Yeah... ok.... maybe safe mode isn't such a bad idea after all.

 

found 35 with winpatrol, LNS, NOD32, and BoClean running.

 

Hi,

First of all, thanks for the link Wolfpack.

This Sysinternals tool seems more useful than RKdetect which use binaries comparisons.
Well known rootkits are not a problem because many AV (Kav/McAfee...) or AT(TDS/PestPatrol...) can detect them.

The problem is only for new and unknown rootkits.

Each rootkit has his own way to work and to corrupt a system.
Therefore, there's not one manner to detect them with 100% result.
We just have to prevent them and to audit our system with various tools and manners.

Against advanced malwares like rootkits and worms, a system without a strong integrirty protection ( other than the Windows one which is easily bypassed) is quite a mistake.

The problem in that case is often the price : one of the most efficient of integrity protection (for small enterprise) cost 199 dollars/Euros) : Data Sentinel:

http://www.ionx.co.uk/html/products/data_sentinel/index.php

But i'm always waiting for the Microsoft tool. ..

Regards

 

Well if your a newbie and are having trouble with RootkitRevealer 1.0 because it's too hard to figure out, or you don't want to take the time to learn how to use it. I would suggest you get a copy of Security Task Manager http://www.neuber.com it is easy to use and very good at detecting rootkits as well as other malware like keyloggers and trojans. If you know how to read your computer clock, you should be able to handle this program. Good luck newbies, good luck!

 

Would not something like ProcessGurd be the best solution for this sort of thing?

 

For me it is definitely KAV that is causing the huge find of discrepancies; I now see that every entry is marked to KAV at the end. Also I get an error message. So Mele20's explanation seems right.

 

I'm sorry, but I'm pretty sure that this is wrong. System Task Manager is comparable to Sysinternals Process Explorer, not to RootkitRevealer. I think people need to understand what their tools are trying to do. STM and Process Explorer both enumerate running processes with standard API calls. The whole point of a rootkit is that it gets installed at the kernel mode driver level and can thereafter intercept the API calls for things like process enumeration and file enumeration. Once intercepted, the rootkit can filter itself out from the list of processes and/or files enumerated. It takes some tricky programming to do, and that is why most malware can be enumerated through utilities like STM and Process Explorer. But this is exactly what these advanced rootkits are designed to avoid.

RootkitRevealer, on the other hand, attempts to make use of raw driver commands to enumate files and directories in addition to the commonly used higher-level API calls. It is looking for things that don't match between the two, which can possibly indicate that some process is actively trying to hide certain things from apps that utilize the API calls. As Sysinternals points out, its not totally infallible since theoretically someone could intercept the raw driver command instructions as well, but according to the authors it would be a much more difficult process because the malware writers would need to know much more about the details of the filesystem and the registry hive structures and it would be a very complex programming job to try and intercept.

One thing about the ADS streams. As I seem to recall from reading some technical info on the NTFS filesystem, small data streams can actually be stored in the directory entry for the file in question... but larger data streams have to be allocated actual additional drive clusters. Perhaps that is why my test file did not show as a discrepancy? I only used a small secondary data stream of text. Perhaps KAV's additional streams are quite long? If so, that is just one more reason to really dislike KAV's approach utilizing ADS.

 

Hi,

Hé Spanner, let's keep a little bit sense of humour...



I'm not sure that the task manager from Neuer will be enough to detect a rootkit...
And i have a little pity for this Security Task Manager.
We're on a serious forum and i want only the best: take a look at Take Control of Windows, a dream for devs. and Programers but a nightmare for the wallet...

http://www.computersinmotion.com/product_tcwae.htm

***I forgot what is a rootkit...and if someone does not know what it is (like everybody exept TheGeek ):

http://www.infosecwriters.com/texts.php?op=display&id=156

http://en.wikipedia.org/wiki/Rootkit

***Why rootkits are difficult to prevent and to detect?

Because it's difficult to verify/check the System/OS when he's in use!
A system may be infected by a rootkit and all could be normal for the user.

The target/objective of a rootkit is to be as invisible as possible.
Consequently, each part and each legitimate component of the system can be used (ADS ,kernel, syscalls...).
As invisible as possible in order to hide a network bachdoor, files, connections, keyloggers...).

***How to prevent and detect them.

Usuals rootkits (HackerDefender, Vanquish etc) are often detected by some AV/AT or specialized tools (UnHachme, RootkitRevealer, RKDetect, or Chrootkit and RootkitHunter for Linux users).

Just quickly some possibilities:Registry protection (blocking and not monitoring which is not enough), Integrity protection (strong algorithm), process monitoring (ProcessExplorer, Filemon...), API calls monitoring (APIMonitor, APISpy), debug tools, restrict privileges and rights...

But the only solution is to reboot the system from a "virgin" and reliable (certified 100% clean) System/OS.

Here more information (from the Microsoft project):

http://windowsir.blogspot.com/2005/02/rootkit-detection-ms-way.html

http://www.schneier.com/blog/archives/2005/02/ghostbuster.html

***More info about rootkits :

*Why integrity Protection is important:

http://www.windowsnetworking.com/kb...ChangeDetectionIntegrityResourceRootkits.html

*Kernel level weakness: http://www.securityfocus.com/infocus/1811

*By a specialist: http://www.securityfocus.com/news/2879]

*A very interesting site by a pretty woman (see the photo ) with great papers and tools (Flister, Patchfinder):

http://invisiblethings.org/

*A recent and excellent pdf paper about a method used by advanced rootkits in order to be undetectable: Remote Windows Kernel Exploitation:

http://www.eeye.com/html/resources/whitepapers/research/index.html

Even if we're newbies on Wilders forum, we often try to be exhaustive .

***Some ADS tools for Alec:

*StreamExplorer: http://www.rekenwonder.com/streamexplorer.htm

*CrucialADS;: http://www.crucialsecurity.com/downloads.html

*ADSSpy(Merijn): http://www.bleepingcomputer.com/files/adsspy.php

Best Regards

kareldjag

 

Updated to 1.01. From the RSS feed:

"This update fixes a bug that results in a crash of RootkitRevealer on some systems.
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml"

Nick

 

Using: http://invisiblethings.org/tools/flister.txt - I clicked the exe and cmd popped up for a second - is that all? So it means, as far as this test goes, my pc is clean?

 

Hi lynchknot,

It has to be run from a command prompt. Go Start/Run, type cmd, and press Enter. If you have the executable in your path, just type flister and hit Enter to execute it. If you don't, you will have to navigate to its directory.

Nick

 

Thanks. What do you do if it starts with "C:\Documents and Settings\lynchknot>"
*edit - nevermind i moved it to DandS

here is result:

 

Just type cd c:\* where * would be the directory where flister.exe is located.

Nick

 

so it found nothing as well... thanks.

 

If it had, you would have seen something like this: FLISTER for Windows.

Nick