Linux tools for finding Windows rootkits

Discussion in 'all things UNIX' started by Gullible Jones, Jan 19, 2013.

Thread Status:
Not open for further replies.
  1. Just out of curiosity...

    Say you've got a Windows computer which may or may not have a rootkit. You have a Linux rescue CD, but it doesn't come with any heavy-duty AV scanners; likewise, you don't have any Windows-based rescue media, and all the ARK tools you've thrown at the installed OS have turned up nothing.

    What can be done, with Linux CLI tools alone, to establish the presence (or probable lack thereof) of a Windows rootkit?

    I'm thinking

    - At a bare minimum, 'find' could be used to look for recently modified driver files in strange places.

    - For bootkits, one could dump the MBR and compare it to a known good MBR.

    Any other ideas?
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi

    There are enough good Windows solutions for that purpose...
    Linux tools are not necessary, and in some cases not interesting for Windows rootkit detection.
    Memory analysis is an accurate and reliable method to detect Windows or Linux rootkits, and in this case the Volatility framework is a must:
    http://code.google.com/p/volatility/
    It has some helpful plugins and is integrated in some forensic LiveCDs (like Orion http://sourceforge.net/projects/orionlivecd/ ), but requires a solid background in Windows and memory architecture.

    rgds
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I am considering two directions here:
    1. A registry viewer in Linux to detect suspect keys (in the Tools section there are some suggestions: http://www.forensicswiki.org/wiki/Windows_Registry).
    2. Obtaining a list of hashes for clean Windows files and checking them in Linux.
     
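The two checks the thread converges on (comparing driver files on the mounted Windows volume against a list of known-good hashes, and comparing the dumped MBR against a known-good copy) as one added shell example; it is not code from any poster. The directory layout, the manifest file and the sample drivers are assumptions constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: integrity checks a Linux rescue shell can
# run against a mounted (read-only) Windows volume and the disk's first sector.
# All paths and the hash manifest are assumptions; a real manifest is produced
# with sha256sum on a known-clean install of the same Windows build.
set -eu

# List every *.sys file under $1 whose SHA-256 is missing from or differs from
# the manifest $2 (lines of "<sha256>  <relative path>", as sha256sum writes).
# Output: one "UNLISTED <path>" or "MODIFIED <path>" line per finding.
check_drivers() {
    dir=$1; manifest=$2
    (cd "$dir" && find . -type f -name '*.sys' | sort | while read -r f; do
        rel=${f#./}
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        known=$(awk -v p="$rel" '$2 == p { print $1 }' "$manifest")
        if [ -z "$known" ]; then echo "UNLISTED $rel"
        elif [ "$sum" != "$known" ]; then echo "MODIFIED $rel"; fi
    done)
}

# Compare the first 512 bytes of disk/image $1 with a 512-byte known-good MBR
# image $2 (e.g. dumped from the same machine when it was clean). The boot
# code in bytes 0-445 is what a bootkit rewrites; the partition table and
# 0x55AA signature follow, so any difference in the sector is reported.
check_mbr() {
    if dd if="$1" bs=512 count=1 2>/dev/null | cmp -s - "$2"
    then echo "MBR-OK"; else echo "MBR-CHANGED"; fi
}

# Constructed sample data so the example runs offline: two clean drivers in the
# manifest, one of them then tampered with, one dropped-in driver that the
# manifest never listed, and an MBR image with one byte of boot code altered.
demo() {
    t=$(mktemp -d); d="$t/win/Windows/System32/drivers"
    mkdir -p "$d"
    printf 'clean driver' > "$d/disk.sys"
    printf 'clean driver' > "$d/ntfs.sys"
    (cd "$d" && sha256sum disk.sys ntfs.sys) > "$t/good.txt"
    printf 'patched' > "$d/ntfs.sys"
    printf 'dropped' > "$d/evil.sys"
    head -c 512 /dev/zero > "$t/mbr_good.bin"
    cp "$t/mbr_good.bin" "$t/mbr_disk.bin"
    printf 'X' | dd of="$t/mbr_disk.bin" bs=1 seek=10 conv=notrunc 2>/dev/null
    check_drivers "$d" "$t/good.txt"
    check_mbr "$t/mbr_disk.bin" "$t/mbr_good.bin"
    rm -rf "$t"
}
demo
```

On a real rescue CD the volume is mounted read-only and the manifest comes from a clean machine of the same build; an unlisted driver is only a lead, since legitimate third-party drivers will also be absent from a Microsoft-only manifest.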