WINDOWS ROOTKITS COUNTERMEASURES Part 3: Windows Rootkits Detection

Published by Kareldjag

 

If we consider the IDS mantra ("that which cannot be detected should be prevented; that which cannot be prevented should be detected"), both prevention and detection countermeasures must be applied.

A rootkit, much more than most other malware, is a sign of intrusion.

And behind a rootkit there is often an intruder: the user, the security manager or the network manager then has proof that the system has been broken into.

When a rootkit is detected on a system it is often too late, because it is difficult to know exactly what has been done.

By looking at what kind of files have been hidden (keylogger, backdoor, sniffer, etc.) we can only infer whether the attacker's intentions were theft, spying or something else.

Consequently the user should focus on rootkit prevention, by applying best practices and deploying a strong line of defense.

The goal is to prevent:

- the attacker from gaining access to the system (not always possible);

- the rootkit from being installed.

 

There are many security products designed to prevent and detect the rootkit threat.

The web is not only a wild business world, and fortunately some of them are available for free.

Therefore we will only give a short overview of the paid ones (how they work) after presenting the free rootkit detection and prevention tools.

 

WINDOWS ROOTKITS DETECTION:

 

Many free tools are available for detecting signs of a rootkit's presence, but unfortunately we cannot be exhaustive (a list can be found at the end of this section).

Some of these tools require a minimum of skill and should be used cautiously to limit false positives and erroneous results.

For a rootkit detection it is strongly recommended:

- to run the tool from external media (floppy disk, CD-ROM, USB key) when possible (most often the case);

- to run only the necessary system services and processes: it is therefore advisable to reboot in diagnostic startup mode (original boot.ini) for the analysis (Start > Run, "msconfig").

 

 

***ICESWORD:

 

IceSword 1.12 is a Chinese tool designed by Pjf.

It is a simple executable which loads a kernel driver (IsPubDrv.sys).

It can be considered an advanced task manager with the ability to enumerate hidden files.

IceSword lists processes, services, open/listening ports, kernel drivers, System Service Descriptor Table entries, BHOs, message hooks, registry keys and files.

If a rootkit hides its service from the Service Control Manager (by hooking specific APIs like EnumServicesStatus, EnumServiceGroup, etc.), IceSword retrieves the clean, unhooked versions of those APIs from advapi32.dll, and the difference between the two views is consequently easily detected as suspicious.

This tool is easy to use and does not require advanced knowledge.

 

How to detect signs of a rootkit's presence with IceSword:

- first check processes and Win32 services: if hidden executables and services are detected, they are marked and shown in red.

Example with HackerDefender:

- then we can inspect:

* the registry;

* kernel drivers (kernel modules);

* folders like Prefetch.

IceSword has the ability to stop the rootkit (service, process) and to remove its registry entries.

But it is more appropriate to apply radical solutions (reformatting the hard drive and reinstalling a clean backup of the system), especially if the user does not know how the rootkit got onto the host.

 

 

***F-Secure BlackLight:

 

F-Secure has been involved in stealth malware detection since 2004 (more info in their Black Hat paper "Hide'n'Seek: anatomy of stealth malware").

With Kaspersky Labs and AVZ, it is one of the rare antivirus publishers that take the rootkit danger seriously, and not only with signature-based detection.

BlackLight is an executable which can be run from external media.

Its only purpose is to find hidden files (*.exe, *.sys, etc.), which can be a symptom of rootkit infection.

In this example I have hidden (with the rootkit itself) an ICMP backdoor (much more interesting than the HackerDefender one), two keyloggers, a BIOS reader, a packet sniffer and spoofer, and an antivirus killer (antivirusdisable, from Trustware): this is an example of what an attacker can hide for spying purposes.

BlackLight detects the 53 hidden items:

BlackLight is just a detector: it does not provide options or features for removing or stopping a rootkit.

Renaming the hidden files is not a solution in itself, because it only prevents the files from being hidden after the next reboot (all files are then visible on the hard drive, and the rootkit service is seen and listed by the Service Control Manager).

This tool, very simple and easy to use, is consequently more intended for beginners and ordinary users.
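The cross-view comparison that IceSword (clean advapi32 code versus the hooked API) and BlackLight (hidden files) rely on can be shown on a small scale. The following Python script is an added illustration written for this page, not code from either tool: the service and directory inventories in it are constructed samples, and the enumeration step that would produce them on a live host (hypothetical `scm_view()` / `registry_view()` helpers) is assumed rather than implemented.

```python
"""Cross-view diff: the detection principle behind IceSword and BlackLight,
as an added illustration (not code from either tool).

A user-mode rootkit such as HackerDefender filters the answers of the APIs
everyone asks (the Service Control Manager through advapi32, directory
listing APIs). It cannot easily filter a second, lower-level view taken
another way: reading the Services registry key directly, walking the file
system structures on disk, or (IceSword's trick) running the unhooked copy
of the API code. Flag whatever only the low-level view contains.

Every list below is a constructed sample; on a real host the two views would
come from actual enumeration (hypothetical scm_view() / registry_view()).
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class Service:
    name: str          # key name under HKLM\SYSTEM\CurrentControlSet\Services
    image_path: str
    start_type: str


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int


def cross_view_diff(high_level: Iterable[T], low_level: Iterable[T],
                    key: Callable[[T], str]) -> Tuple[List[T], List[T]]:
    """Return (hidden, phantom): items only the low-level view has, and items
    only the high-level view has. Keys are case-folded because Windows service
    names and paths are case-insensitive."""
    high = {key(x).casefold(): x for x in high_level}
    low = {key(x).casefold(): x for x in low_level}
    hidden = [low[k] for k in low if k not in high]
    phantom = [high[k] for k in high if k not in low]
    return hidden, phantom


def report(label: str, hidden: list, phantom: list, describe: Callable) -> List[str]:
    lines = []
    for item in hidden:
        lines.append(f"[HIDDEN {label}] {describe(item)}  (in raw view, absent from API view)")
    for item in phantom:
        lines.append(f"[PHANTOM {label}] {describe(item)}  (reported by API, not in raw view)")
    return lines


# --- constructed sample data (not captured from a real machine) -------------
SCM_VIEW = [  # what a hooked EnumServicesStatus call would return
    Service("Eventlog", r"C:\WINDOWS\system32\services.exe", "auto"),
    Service("Dhcp", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "auto"),
]
REGISTRY_VIEW = SCM_VIEW + [  # a raw walk of the Services key sees one more
    Service("SampleHiddenSvc", r"C:\WINDOWS\system32\sample_hidden.exe", "auto"),
]
API_DIR_LISTING = [FileEntry(r"C:\WINDOWS\system32\kernel32.dll", 989696)]
RAW_DIR_LISTING = API_DIR_LISTING + [
    FileEntry(r"C:\WINDOWS\system32\sample_hidden.exe", 70144),
    FileEntry(r"C:\WINDOWS\system32\sample_hidden.ini", 3841),
]


def scan() -> List[str]:
    """Run both comparisons and return the findings as report lines."""
    hidden_svcs, phantom_svcs = cross_view_diff(SCM_VIEW, REGISTRY_VIEW, key=lambda s: s.name)
    hidden_files, phantom_files = cross_view_diff(API_DIR_LISTING, RAW_DIR_LISTING, key=lambda f: f.path)
    return (report("SERVICE", hidden_svcs, phantom_svcs, lambda s: f"{s.name} -> {s.image_path}")
            + report("FILE", hidden_files, phantom_files, lambda f: f"{f.path} ({f.size} bytes)"))


if __name__ == "__main__":
    for line in scan():
        print(line)
```

The comparison only works when the two views really are independent: if both are obtained through the same hooked code, nothing differs and nothing is flagged. That is why these tools load their own driver to get the low-level view, and why the page recommends running them from external media or in diagnostic startup mode.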

 

***RootkitRevealer:

 

This anti-rootkit from Sysinternals (coded by Bryce Cogswell and Mark Russinovich) is the best known.

It is an executable which loads its own kernel service/driver and scans the system for everything that is hidden.

It has the ability to scan Alternate Data Streams, an interesting hiding place for rootkits.

Unfortunately it is just a detector, but a really effective one.

It detects, for instance, files and folders hidden by legitimate software such as Hide Folders XP:

 

 

Here is an example with HackerDefender:


 

 

***RKDETECTOR:

 

This Spanish detector has existed for two years, but the old version (0.6) does not detect HackerDefender.

Andreas Tarasco Acuna, the author and developer, has recently (14/11/2005) released version 2.0, which is a beta.

RKDetector is free for personal use, but with limited features.

A paid version is available for more advanced rootkit investigation, analysis and removal.

But the free version is already enough: the user/administrator can scan for hidden files, registry keys and ADS, and can also recover deleted files.

As this beta seems to suffer from some bugs, examples and screenshots will be added here later.

 

***SYSTEM VIRGINITY VERIFIER:

Joanna Rutkowska has provided interesting papers and tools about rootkits on her site (invisiblethings.org) for a few years and is a well-known contributor to the official rootkit web site.

SYSTEM VIRGINITY VERIFIER, or SVV, is very interesting because it checks the system for malicious hooking and also checks the integrity of the code sections of modules directly in memory.

After the verification, SVV notifies the user with five levels of infection or seriousness:

- level 0: 100% virgin (not expected to occur in the wild);

- level 1: seems OK;

- level 2: innocent hooking detected;

- level 3: very suspicious, but may be a false positive;

- level 4: compromised.

The final verdict uses a color code from blue to deep red.

Resource: the SVV PowerPoint presentation (available at invisiblethings.org).

It is important to note that many programs can interfere with the verdict: antivirus products such as Kaspersky, desktop intrusion prevention systems which operate at a low level like AntiHook, ProcessGuard, and so on.

SVV in action:

After rebooting the PC in diagnostic startup mode, SVV gives its first verdict:

 

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>svv check /m
module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: single byte modification
  file   :c3
  memory :90
  verdict = 1

 0x804dc032  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x804dc04a   1 byte(s):  exclusion filter: single byte modification
  file   :c3
  memory :00
  verdict = 1

 0x804df16a   1 byte(s):  exclusion filter: single byte modification
  file   :05
  memory :06
  verdict = 1

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 1
    0 - BLUE
--> 1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
    5 - DEEPRED
Nothing suspected was detected.

 

Level 1/Green: this is good news for a start.

Now let's hook some Windows APIs and look at the new verdict:

 

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>svv check /m
ntoskrnl.exe         (804d7000 - 806ebf80)... module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: single byte modification
  file   :c3
  memory :90
  verdict = 1

 0x804dc032  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x804dc04a   1 byte(s):  exclusion filter: single byte modification
  file   :c3
  memory :00
  verdict = 1

 0x804df16a   1 byte(s):  exclusion filter: single byte modification
  file   :05
  memory :06
  verdict = 1

 0x804e72c4 [ExAllocatePoolWithQuotaTag()+0]   6 byte(s):   JMPing code (jmp to: 0xbab1dbfc)
  address 0xbab1dbfc is inside TRACE.SYS module [0xbab1a000-0xbab26000]
  target module path: \??\C:\DOCUMENTS AND SETTINGS\MICHEL\MES DOCUMENTS\KAPIMON2\TRACE.SYS
  file   :8b ff 55 8b ec 51
  memory :ff 25 fc db b1 ba
  verdict = 2

 0x804eb321 [ExAllocatePoolWithTagPriority()+0]   6 byte(s):   JMPing code (jmp to: 0xbab1dba4)
  address 0xbab1dba4 is inside TRACE.SYS module [0xbab1a000-0xbab26000]
  target module path: \??\C:\DOCUMENTS AND SETTINGS\MICHEL\MES DOCUMENTS\KAPIMON2\TRACE.SYS
  file   :8b ff 55 8b ec 53
  memory :ff 25 a4 db b1 ba
  verdict = 2

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 2
    0 - BLUE
    1 - GREEN
--> 2 - YELLOW
    3 - ORANGE
    4 - RED
    5 - DEEPRED
Nothing suspected was detected.

 

Now if we launch the installation of our rootkit example:

SVV detects malicious modifications and corruptions in some modules.

There is no doubt that the integrity of some system functions has been altered.

And the hooking of APIs such as EnumServicesStatusEx, EnumServiceGroup or NtDeviceIoControl is in most cases a symptom that "something" is trying to hide a service/driver from the system.
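To make verdicts like the ones above easier to read, here is an added Python example, not part of SVV (whose source is not on this page), that parses the text `svv check /m` prints, decodes the jump target from the in-memory bytes the way one reads it by hand (`ff 25 imm32` is `jmp dword ptr [imm32]`; the `e9 rel32` relative form is handled as well, which goes beyond what the runs on this page show), resolves which loaded module owns that address, and computes the overall level as the maximum per-entry verdict. That "level = max verdict" rule matches every run on this page but is an assumption about SVV's logic, not its documented behaviour. The embedded sample is the ntoskrnl.exe section of the second run, with the console's line wrapping undone.

```python
"""Parser for the output of `svv check /m` (added example, not SVV's own code).
Sample input: the ntoskrnl.exe section of the second run shown on this page,
with the console's 80-column wrapping undone. The "level = max verdict" rule is
an assumption consistent with the runs on this page, not SVV's documented logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_OUTPUT = r"""module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: single byte modification
  file   :c3
  memory :90
  verdict = 1

 0x804dc032  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x804e72c4 [ExAllocatePoolWithQuotaTag()+0]   6 byte(s):   JMPing code (jmp to: 0xbab1dbfc)
  address 0xbab1dbfc is inside TRACE.SYS module [0xbab1a000-0xbab26000]
  target module path: \??\C:\DOCUMENTS AND SETTINGS\MICHEL\MES DOCUMENTS\KAPIMON2\TRACE.SYS
  file   :8b ff 55 8b ec 51
  memory :ff 25 fc db b1 ba
  verdict = 2
module ntoskrnl.exe: end of details
"""


@dataclass
class ModuleRange:
    name: str
    start: int
    end: int

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass
class Modification:
    address: int              # where memory differs from the file on disk
    function: Optional[str]   # "Name()+offset" when SVV could symbolise it
    size: int
    description: str          # SVV's label: exclusion filter, JMPing code, ...
    file_bytes: bytes = b""
    memory_bytes: bytes = b""
    verdict: int = 0
    target_module: Optional[str] = None


MODULE_RE = re.compile(r"^module (\S+) \[(0x[0-9a-f]+) - (0x[0-9a-f]+)\]:", re.I)
ENTRY_RE = re.compile(r"^\s*(0x[0-9a-f]+)(?:\s+\[([^\]]+)\])?\s+(\d+) byte\(s\):\s*(.*)$", re.I)
INSIDE_RE = re.compile(r"is inside (\S+) module \[(0x[0-9a-f]+)-(0x[0-9a-f]+)\]", re.I)


def parse_svv_output(text: str) -> Tuple[List[ModuleRange], List[Modification]]:
    """Collect module ranges and per-address modifications from SVV's text."""
    modules: List[ModuleRange] = []
    mods: List[Modification] = []
    current: Optional[Modification] = None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append(ModuleRange(m[1], int(m[2], 16), int(m[3], 16)))
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = Modification(int(m[1], 16), m[2], int(m[3]), m[4].strip())
            mods.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        m = INSIDE_RE.search(s)
        if m:  # SVV already attributed the jump target to a loaded module
            modules.append(ModuleRange(m[1], int(m[2], 16), int(m[3], 16)))
            current.target_module = m[1]
        elif s.startswith("file"):
            current.file_bytes = bytes.fromhex(s.split(":", 1)[1])
        elif s.startswith("memory"):
            current.memory_bytes = bytes.fromhex(s.split(":", 1)[1])
        elif s.startswith("verdict"):
            current.verdict = int(s.split("=", 1)[1])
    return modules, mods


def decode_jmp_target(code: bytes, at: int) -> Optional[int]:
    """Address a patched prologue transfers control through, or None.
    ff 25 imm32 -> jmp dword ptr [imm32]; the pointer slot at imm32 is what
                   SVV prints as "jmp to" and attributes to a module.
    e9 rel32    -> relative jmp; target = next instruction + rel32."""
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return int.from_bytes(code[2:6], "little")
    if len(code) >= 5 and code[0] == 0xE9:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return (at + 5 + rel) & 0xFFFFFFFF
    return None


def owner_module(addr: int, modules: List[ModuleRange]) -> Optional[str]:
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def infection_level(mods: List[Modification]) -> int:
    # Assumption (consistent with every run on this page): the system level
    # is the worst individual verdict.
    return max((m.verdict for m in mods), default=0)


def summarize(text: str) -> List[str]:
    modules, mods = parse_svv_output(text)
    lines = []
    for m in mods:
        where = m.function or f"0x{m.address:08x}"
        target = decode_jmp_target(m.memory_bytes, m.address)
        if target is not None:
            owner = owner_module(target, modules) or "unknown module"
            lines.append(f"verdict {m.verdict}: {where} redirected via 0x{target:08x} ({owner})")
        else:
            lines.append(f"verdict {m.verdict}: {where}, {m.size} byte(s), {m.description}")
    lines.append(f"SYSTEM INFECTION LEVEL: {infection_level(mods)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_OUTPUT)))
```

The useful part for triage is the owner lookup: a prologue redirected into a module you installed yourself (here the author's own TRACE.SYS from the KAPIMON test) is the "innocent hooking" of verdict 2, while the same pattern pointing into a module with no known origin is what deserves the deep-red reading.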

 

If we try to fix the modifications made by the rootkit:

 

C:\WINDOWS\system32>svv fix
ntdll.dll            (7c910000 - 7c9c7000)... suspected! (verdict = 5).
kernel32.dll         (7c800000 - 7c904000)... suspected! (verdict = 5).
WS2_32.dll           (719f0000 - 71a07000)... suspected! (verdict = 5).
ADVAPI32.dll         (77da0000 - 77e4c000)... suspected! (verdict = 5).

SYSTEM INFECTION LEVEL: 5
    0 - BLUE
    1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!
current verdict level: 5
target verdict level : 2
WARNING: DISINFECTION process can crash your system!
You are doing it ON YOUR OWN RISK!!!
Are you sure (yes/no)?
yes
---> fixing kernel & current process modules
fixing module ntdll.dll... fixed.
fixing module kernel32.dll... fixed.
fixing module WS2_32.dll... fixed.
fixing module ADVAPI32.dll... fixed.
---> fixing foreign processes' modules
fixing module ntdll.dll...
ERROR (code = 0x3e6): Fixing module ntdll.dll

 

We check again for the integrity:

 

C:\WINDOWS\system32>svv check /m
module ntoskrnl.exe [0x804d7000 - 0x806ebf80]:
 0x804db4f0 [RtlPrefetchMemoryNonTemporal()+0]   1 byte(s):  exclusion filter: single byte modification
  file   :c3
  memory :90
  verdict = 1

 0x804dc032  18 byte(s):  exclusion filter: KeFlushCurrentTb()
  file   :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
  memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
  verdict = 1

 0x804dc04a   1 byte(s):  exclusion filter: single byte modification
  file   :c3
  memory :00
  verdict = 1

 0x804df16a   1 byte(s):  exclusion filter: single byte modification
  file   :05
  memory :06
  verdict = 1

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 1
    0 - BLUE
--> 1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
    5 - DEEPRED
Nothing suspected was detected.

 

It is important to know that this option (svv fix) does not stop or remove HackerDefender from the system: SVV just restores the integrity of the altered functions, and consequently everything that was hidden appears clearly on the hard drive: the rootkit files, and the service, which Windows now sees with a simple command ("sc query" or "net start") or in the management console (mmc.exe).

Therefore it is advisable to stop the service first and then remove it from the registry (we will show how later).

***Resplendence Rootkit Hook Analyzer:

This tool is mostly a hooking detector, but unfortunately not useful for most users because it requires knowledge and know-how about kernel hooking.

As a detector it is not as effective as the tools listed above.

A screenshot against HackerDefender (not detected) can be seen here.

***FRISK:

 

Frisk is an open source analysis tool coded by an engineer from George Washington University.

It is designed more for servers, but can be used on Windows home user systems.

Frisk can be useful for an automatic host analysis as a first step towards a more exhaustive forensic analysis (deep packet inspection, etc.).

This tool searches for:

For rootkit detection it is based on RKDetector 0.62, which is bypassed by the recent public version of HxDef (and therefore does not detect it).

 

***VICE:

 

After the Virginity verifier of Joanna Rutkowska, here is the VICE detector of James Butler and Greg Hoglund.

This tool is an executable which requires the Microsoft .NET Framework.

The purpose of VICE is to detect all hooking which occurs in the system.

And as pointed out by Joanna Rutkowska in her SVV paper, VICE can be bypassed, especially because it uses APIs to read processes: since the APIs cannot be assumed to be clean on an infected system, the results might be disturbed by false positives.

VICE scans the system for user-land and kernel-land hooks, but does not provide a simple verdict which would be easy to understand for most users.

Therefore this tool can only be helpful for advanced users and mostly developers.

 

 


***Drivers utilities:

 

Device Tree: a freeware from OSR which enumerates all installed devices/drivers, even hidden ones.

Easy to use, Device Tree is highly recommended for taking regular snapshots of the system after each software installation or system update (the list can be printed).

Drivers: this command line tool just queries the system for installed drivers:

Drvloader: another command line utility, but more exhaustive than Drivers:

 

 

***COMMAND LINE UTILITIES:

There are many command line utilities designed to detect hidden processes, drivers or services.

We can cite:

KHS (Kill Hidden Service), FHS (Find Hidden Service), modGREPER or KprocCheck.


WINDOWS ROOTKITS DETECTION SECTION 2

Published in LINE DEFENSE
