WINDOWS ROOTKIT DETECTION PART 2:
-Microsoft Removal Tool (MRT): it scans the system for the most prevalent malware.
HackerDefender is the only rootkit included in its database.
Even if MRT detects the rootkit easily, the removal is not thorough (only the service registry keys are removed).
-Microsoft Strider GhostBuster:
It's a rootkit detector working via APIs, from the Microsoft research team.
Unfortunately, Strider GhostBuster is not available yet.
***DETECTION by Desktop Intrusion Prevention System:
There are plenty of effective personal HIPS (HIPS for home users), but most of them are unfortunately paid products.
Many of them operate at a low level and are able to detect and block the installation of the kernel drivers used by rootkits.
In this case they can be classified in the Prevention list.
There is a desktop application firewall (All-Seeing Eye) which is quite efficient at detecting service/driver installation, without being able to block the event instantly.
That's why this free software can be considered a detector.
All-Seeing Eye warns the user about a kernel driver installation but can't block the rootkit from being installed.
Example with HxDef:
Example with FU:
***detecting a rootkit by packet and network analysis:
A rootkit which is not activated and does not communicate with the intruder is sterile and quite useless.
Consequently, by analysing the local host's communications, it's still possible to detect signs of the presence of backdoors, RATs, Trojans or keyloggers.
The backdoor is often the weak point of a rootkit, especially because even if it's not difficult to hide a connection from netstat or port viewers, it will be hard to resist a deep inspection and analysis.
Even with port redirectors, packet encryption, anti-sniffers and other tools, there will always be a way to detect suspect packets.
An advanced packet analyzer or sniffer is still the most interesting option for home users: Ethereal for instance is effective and open source; for a list of free sniffers, it's worth having a look at this network tools database.
Most of the time, the rootkit uses port 80 and the attacker expects that his suspicious data and illegitimate traffic will be mixed with the usual ones.
The more services and protocols are disabled, the simpler the analysis will be.
Well known examples of backdoor detection methods can be found here (quite old article) and here; a simple article about packet analysis is also available.
Once suspect packets and data are decoded, we can then trace the attacker [1] and even report the event to specialized security agencies (NHTCU in the UK, OCLCTIC in France, Cyberpol/Cybernetic Police in Russia and so on) [2].
An IDS can also be helpful, but how many home users have an IDS installed on their machines?
Another way to detect that a host has been compromised is a port scan from a remote clean machine.
A scanner such as NMAP is useful in this case, but vulnerability scanners such as Nessus, ATK or Retina are also very interesting for finding possible holes exploited by the attacker (especially if the user has installed a web server like Apache for instance).
If NMAP reports an open port that is not shown by netstat or by tools such as TCPView or ActivePorts, we can suppose that "something" (backdoor, RAT, keylogger, Trojan) is active and hidden.
Unfortunately, this forensic analysis method consumes a lot of time, and it's advisable to use a rootkit detector first.
In all cases this methodology requires familiarity with sniffers, protocols and packet analysis, and is consequently more appropriate for advanced users and network managers.
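The two checks described above (an open port that NMAP sees from a clean machine but that netstat on the host does not list, and the habit of hiding traffic on port 80), as an added Python example that is not part of the original article: the nmap and netstat output and the flow records are constructed, and the port-80 test (does the first payload of the connection look like HTTP?) is a simple heuristic chosen for this example, not a method the article describes.

```python
import re

# Constructed nmap output, as seen from a remote clean machine (assumed classic
# "PORT STATE SERVICE" table layout; not a real capture).
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
5555/tcp open  unknown
"""

# Constructed "netstat -an" output from the suspect host itself. The listener on
# 5555 is deliberately missing: that is what a hidden backdoor looks like.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        0.0.0.0:0              LISTENING
"""

NMAP_OPEN = re.compile(r"^(\d+)/tcp\s+open\b", re.M)
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)


def remote_open_tcp_ports(nmap_text):
    """TCP ports the scanner saw as open from the outside."""
    return {int(p) for p in NMAP_OPEN.findall(nmap_text)}


def local_listening_tcp_ports(netstat_text):
    """TCP ports the host's own netstat admits are listening."""
    return {int(p) for p in NETSTAT_LISTEN.findall(netstat_text)}


def hidden_ports(nmap_text, netstat_text):
    """Ports open on the wire but absent from the local view: hidden-listener candidates."""
    return sorted(remote_open_tcp_ports(nmap_text) - local_listening_tcp_ports(netstat_text))


# --- second check: traffic on port 80 that is not HTTP -----------------------

HTTP_REQUEST_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                         b"OPTIONS ", b"TRACE ", b"CONNECT ")


def looks_like_http(first_bytes):
    """True if the first bytes of a flow start with an HTTP method or an HTTP/ status line."""
    return first_bytes.startswith(HTTP_REQUEST_PREFIXES) or first_bytes.startswith(b"HTTP/")


# Constructed flow summaries: (src, dst, dst_port, first client payload bytes).
FLOWS = [
    ("192.168.1.10", "198.51.100.20", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n"),
    ("192.168.1.10", "203.0.113.7", 80, b"\x00\x13\x37\x01\xa5\x5a\x00\x00"),  # opaque binary on port 80
    ("192.168.1.10", "198.51.100.20", 443, b"\x16\x03\x01\x00\xc5"),  # TLS on 443 is expected
]


def non_http_on_port_80(flows):
    """Flows to port 80 whose payload does not look like HTTP: worth a closer look in the sniffer."""
    return [f for f in flows if f[2] == 80 and not looks_like_http(f[3])]


if __name__ == "__main__":
    print("open remotely but not listed locally:", hidden_ports(NMAP_OUTPUT, NETSTAT_OUTPUT))
    for flow in non_http_on_port_80(FLOWS):
        print("non-HTTP traffic to port 80:", flow[:3])
```

The first check is only as good as the two views it compares: a hooked netstat lies, which is exactly why the scan has to come from a separate, clean machine. The port-80 heuristic produces false positives for legitimate non-HTTP services on that port, so its output is a list of flows to inspect, not a verdict.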
***OUTSIDE-The-BOX ANALYSIS with CDROM:
This old method of checking the system's file integrity by booting from a CD-ROM such as BartPE or Knoppix does not offer many guarantees.
***Detecting a rootkit with another rootkit:
The FU rootkit has really interesting features (listing running processes, user accounts etc), and it can be used to detect another rootkit.
Like many rootkits, it has the ability to hide files, services and drivers:
Here's an example with a SQL injection attack tool (DataThief):
Once hidden, the tool is easily detected by F-Secure BlackLight and IceSword:
FU is one of the most interesting rootkits for training purposes.
But this detection solution is given for information only, and is not suited to people who are not familiar with rootkits.
Here we can see that HackerDefender is detected by the simple command "fu -pl":
***List of other free detectors:
Patchfinder, Klister (Joanna Rutkowska), RKDetect...
UnHackMe, from Greatis Software, is one of the most interesting anti-rootkit tools.
Easy to use, with simple options, it works at a low level with a kernel driver and scans for hidden registry keys in real time.
It has the ability to detect the most common Windows rootkits (HxDef, Vanquish, Afex2005) and some stealth keyloggers.
UnHackMe is updated often (about every 6 months) to follow the cat and mouse game between rootkits and detectors.
Its primary advantage is that it does not interfere with software installations (games, Windows updates etc) by blocking services and drivers.
Moreover, UnHackMe also has the ability to remove the rootkit easily (stop button).
In this case, it's a good choice for beginners, classical and P2P users who install software frequently and do not have specific skills about rootkits.
Greatis also provides a registry utility (RegRun) which detects rootkit registry entries.
But RegRun should rather be considered a prevention tool.
NB. UnHackMe kills the rootkit executable and stops the service, but does not remove all registry keys.
RootkitShark is an on-demand scanner: it detects hidden items in the registry:
It's a command line utility which saves the result as a text file:
09/11/2005 23:31:17 RootKitShark v3.27 (C) 2004-2005 Advances.Com, Inc.
09/11/2005 23:31:17 Checking usage mode
09/11/2005 23:31:17 FIX feature requested
09/11/2005 23:31:17 Trialware license; please visit http://www.advances.com/ to make a purchase
09/11/2005 23:31:17 -fix option not permitted for trialware version
09/11/2005 23:31:17 Scan started
09/11/2005 23:31:17 Backup privilege gained
09/11/2005 23:31:17 Dumping hive
09/11/2005 23:31:18 Hive HKCU dumped
09/11/2005 23:31:18 Registry analyzer connected, parsing started
09/11/2005 23:31:19 Parsing ended
09/11/2005 23:31:19 Dumping hive
09/11/2005 23:31:26 Hive HKLM\SOFTWARE dumped
09/11/2005 23:31:26 Registry analyzer connected, parsing started
09/11/2005 23:31:28 Parsing ended
09/11/2005 23:31:28 Dumping hive
09/11/2005 23:31:29 Hive HKLM\SYSTEM dumped
09/11/2005 23:31:29 Registry analyzer connected, parsing started
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HackerDefender100"
09/11/2005 23:31:30 SUSPICION (code 2) : "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal"
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\HackerDefender100"
09/11/2005 23:31:30 SUSPICION (code 2) : "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network"
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HACKERDEFENDER100"
09/11/2005 23:31:30 SUSPICION (code 2) : "HKLM\SYSTEM\ControlSet001\Enum\Root"
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HACKERDEFENDERDRV100"
09/11/2005 23:31:30 SUSPICION (code 2) : "HKLM\SYSTEM\ControlSet001\Enum\Root"
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Hardware Profiles
Only the registered version provides the ability to remove the registry keys that have been found.
So I can't confirm whether this option is effective or not.
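A small parser for the log format shown above, as an added Python example that is neither part of the article nor of the RootkitShark product. The log text is constructed from the quoted lines with the registry backslashes restored (an assumption about the original output, which lost them), the last line is left truncated as it is on the page, and the reading of the entries (a code 1 line names a specific key, and its leaf name is the service or driver name) is an inference from the output, not documented behaviour.

```python
import re
from collections import defaultdict

# Constructed from the RootkitShark lines quoted above (backslashes restored by
# assumption). The final line is intentionally truncated, as on the page.
SAMPLE_LOG = r"""
09/11/2005 23:31:17 RootKitShark v3.27 (C) 2004-2005 Advances.Com, Inc.
09/11/2005 23:31:17 Scan started
09/11/2005 23:31:29 Hive HKLM\SYSTEM dumped
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HackerDefender100"
09/11/2005 23:31:30 SUSPICION (code 2) : "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal"
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HACKERDEFENDER100"
09/11/2005 23:31:30 SUSPICION (code 2) : "HKLM\SYSTEM\ControlSet001\Enum\Root"
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_HACKERDEFENDERDRV100"
09/11/2005 23:31:30 SUSPICION (code 1) : "HKLM\SYSTEM\ControlSet001\Hardware Profiles
"""

# date, time, "SUSPICION (code N) : " and a fully quoted key; the closing quote
# is mandatory so a truncated line is skipped instead of yielding a bogus key.
SUSPICION = re.compile(
    r'^\S+ (?P<time>\S+) SUSPICION \(code (?P<code>\d+)\) : "(?P<key>[^"]+)"$'
)


def parse_suspicions(text):
    """Return the well-formed SUSPICION entries as dicts {time, code, key}.
    Status lines and the truncated entry are ignored."""
    findings = []
    for line in text.splitlines():
        m = SUSPICION.match(line)
        if m:
            findings.append({"time": m["time"], "code": int(m["code"]), "key": m["key"]})
    return findings


def group_by_parent(findings):
    """Group the code-1 keys under the registry key that contains them, so the
    SafeBoot entries and the Enum\\Root entries can be reviewed together."""
    grouped = defaultdict(list)
    for f in findings:
        if f["code"] == 1:
            parent, _, _ = f["key"].rpartition("\\")
            grouped[parent].append(f["key"])
    return dict(grouped)


def candidate_service_names(findings):
    """Derive service/driver names from the leaf key names. The Enum\\Root
    entries carry a LEGACY_ prefix and the SafeBoot entries do not, so the
    prefix is stripped and names are compared case-insensitively."""
    names = set()
    for f in findings:
        if f["code"] != 1:
            continue
        leaf = f["key"].rpartition("\\")[2]
        if leaf.upper().startswith("LEGACY_"):
            leaf = leaf[len("LEGACY_"):]
        names.add(leaf.lower())
    return sorted(names)


if __name__ == "__main__":
    found = parse_suspicions(SAMPLE_LOG)
    for parent, keys in group_by_parent(found).items():
        print(parent)
        for key in keys:
            print("   ", key.rpartition("\\")[2])
    print("service/driver names to look for:", candidate_service_names(found))
```

The names this yields are the ones the "sc stop" and "sc delete" commands in the removal section below expect, which is the practical use of the log: turning a list of registry hits into the handful of service names to stop, delete and then search for in the registry.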
RootkitShark is included in WinShark, which is a more exhaustive anti-rootkit detector because it scans the system in real time.
This is an enumerating tool (services, processes etc) and the publisher claims that it detects hidden items.
Unfortunately, WinShark is too expensive and is intended more for small businesses than for home users.
-Security Task Manager:
It's another enumerating tool which detects hidden processes and services/drivers.
Very easy to use as a simple but powerful task manager, this product is an interesting choice for beginners and classical users: if a suspect and hidden file is detected, the program gives an infection level:
It's a good alternative to IceSword for people who are not familiar with the English language (many languages are included).
IRPTrace is a tool intended for developers which monitors the I/O request packets (IRPs) sent to kernel mode drivers.
IRPTrace can detect that a new driver has been added, and can also track its behaviour for analysis purposes.
This is a powerful program which might crash the computer in imprudent hands.
Here's an example of a device/driver enumeration list:
***ProDiscover for Windows (by Techpathways):
This expensive ($495) software is mostly intended for professionals (system administrators, network managers, consultants and so on) and has been designed for forensic analysis.
It's a really powerful piece of software which has the ability to scan for hidden files even in ADS/metafiles, even if deleted, and can be used remotely for forensic analysis.
Here are some screenshots against HackerDefender, which is easily detected after 45 minutes (deep scan):
Screenshot 1, screenshot 2, screenshot 3, and screenshot 4.
***REMOVING A ROOTKIT:
Generally, removing a rootkit is not the best solution.
The Microsoft Removal Tool is interesting, even if its job is not done properly (it removes only the service registry keys).
A complete analysis of the system is often necessary to list the damage and the intruder's intentions.
And the most important question is "how did the rootkit get into the system?".
The administrator can suspect a security hole, an exploit, a vulnerability, a privilege escalation, social engineering with physical access and so on.
Killing or removing the rootkit will not close the door or revoke the access key to the system.
This solution can for instance be used if the user is sure that he has infected his system by running some files downloaded from P2P networks, or by clicking on an IRC link.
The most effective solution is to reformat the hard drive and reinstall a clean backup of the system.
And the administrator must be sure that this backup predates the intrusion...
Solutions exist for a clean installation, with BartPE for instance.
Removing a rootkit:
The first step is to stop the service:
And that means that the user knows the name of the service.
But a prudent and far-sighted attacker would certainly rename all rootkit files: a good choice is to use names similar to Windows ones for the service and driver; for instance NDISUIO.sys is not well known to most users, and is only used for wireless networking, which is easier to attack and to crack...
And we can choose a well known Windows process name such as "SVCHOST.EXE" or "SPOOLSV.EXE":
Or funnier:
But it could also be an enticing file from a P2P network like "beyonceXXX.exe" or "britneyspearsinbed.exe", or any other illegitimate file ("crack.exe").
That's why it's very important for the user to know exactly what is installed on his system and what exactly is running in his safe environment.
Stopping the service can be done in IceSword with a right click.
We can get the same result on the command line:
-"sc stop <name of rootkit service>": sc stop HackerDefender100
NB. Winservice (included in the image above) is a free tool which monitors services in real time (but does not detect hidden ones).
Disabling and removing the service from the registry:
-sc delete <name of the service>: sc delete HackerDefender100
-delsrv (delete service): delsrv HackerDefender100
-drvloader: drvloader -h HackerDefender100 (this command line is really effective: it stops the process and the service, and removes it from the registry):
And with FU:
NB. These command line tools are not all available in Windows, but they can be downloaded from some web sites.
Once the service is stopped, the rootkit files are not hidden anymore and appear clearly on the hard drive.
If the user has installed a file utility such as Locate32 (highly recommended) for instance, the new files will be detected.
Here's an example with FU:
And another one with HxDef:
Another result with Watcher:
It's also necessary to remove the driver, and this can be done in many ways:
-with Windows: for example "Start" > "Run" > "devmgmt.msc", then enable "Show hidden devices" in the "View" menu.
Here are the properties of the HxDef driver:
In the list, we click on "Non-Plug and Play Drivers" and search for the rootkit driver, which we uninstall with a right click (a reboot is necessary).
-with service/driver utilities:
Drvloader or EkinX (does not detect hidden services/drivers):
Then it's advisable to search for and remove all the registry entries made by the rootkit; this can be done with registry tools like RegCool:
***LIMITATIONS OF ROOTKIT DETECTION:
As said in our "Introduction to Rootkits", there is a cat and mouse game between rootkit writers and rootkit detectors.
This is mostly due to the complexity of Windows' meanders.
If public rootkits are often easily detected, it would not be the same for paid ones.
Holy Father (the author of HackerDefender) sells paid versions of his public rootkit which are designed to bypass antivirus and rootkit detectors.
And there's a price for each anti-detection feature.
More information can be found on the HxDef web site, or by taking a look at this article.
But it's difficult to confirm the evasion capabilities of these paid versions since I have never seen one of them in action: so it's scientifically and logically not possible to certify them as undetectable.
Even if Holy Father seems to be a serious guy and a talented coder.
In fact, there are probably more exploitable weaknesses in Windows than we could expect.
If we consider a paper like "Subverting the Service Control Manager", any developer could certainly try to write his own paid rootkit.
During my experiments, I had the intuition of the law of talion: he who has hooked must be hooked!
So I hooked the hooker (our example HxDef) and then launched some detectors for an analysis.
Result: the rootkit is not seen anymore by IceSword, nor by BlackLight; but it is detected as hidden by RootkitRevealer.
If we try to do the same thing with SERVICE.exe, the system warns about an imminent reboot with error 259 (hooking is not always a good idea!):
This example confirms that rootkit detection is limited and can be bypassed.
But the best known limitation concerns antivirus software:
There are paid rootkits and keyloggers which evade detection engines with unpackers like Morphine for instance: more "legitimate" info about the subject on the Greatis site and on Steven Hofmeyr's/Sana Security's blog (last article).
That's why antivirus software which detects rootkits via APIs or any other similar method is much more interesting than antivirus software which relies on signature detection.
If a regular inspection with rootkit detectors may be suited to risky hosts and systems, the key to avoiding these ghost Trojans is, and remains, prevention.
That's what we'll define in the next part.
1."Tracking the Attacker", by Steven Bassi.
2. A classical example of Network Intrusion Detection is available on this page.