Many computer users have heard of rootkits. Still many more have not. They have been around for a long time and are mostly known to people familiar with Unix or Linux Operating Systems. Originally, rootkits were designed to perform program functions for the benefit of the program user. Later on, rootkits became a tool used by hackers to carry out their own intents. In recent times, they have been used maliciously and beginning in December 2004 we saw the start of rootkits designed for malicious use against Windows Operating Systems emerge in large numbers. This is when rootkits suddenly moved into the spotlight. They finally were written in large numbers and for use against Windows, the system that runs 90% of the worlds’ computers. In this article, I hope to increase your knowledge in this area, tell you what a rootkit is, how it works, and why it can be so dangerous. This is not a paper designed to make you fearful. Quite the contrary – remember that with knowledge comes ability and power, power to accomplish things.
Definition:
A rootkit is a program or set of programs used by an intruder to both hide their presence on a computer system and allow future access to that same system. A rootkit will usually either manipulate the data set the operating system relies on, or alter the execution flow of the operating system.
It is important you realize that rootkits are designed to be very stealth, meaning they are difficult to find or detect by normal means. Many rootkits have been so well written that their presence can go undetected for years. They are written by experienced individuals with an advanced level of programming knowledge far above that of the average virus or malware writer. A rootkit is not an exploit. It is what an attacker uses after an initial exploit to allow future undetected access to a compromised computer.
It is also important not to confuse a rootkit with a virus, or a worm. The main difference is in propagation and stealth. Like a rootkit, a virus also alters software components of a system. A virus, however, is designed to do damage and possibly provide additional service(s) to the attacker. This usually alerts the user right away that something is wrong, and gives away its existence. A worm is usually designed to scan for vulnerabilities and take advantage of them, as well as spread to other computers connected to a network, thereby doing the same damage to them. Again, this alters computer behavior significantly enough to alert the user to its existence and that there is something wrong. A rootkit, on the other hand, is designed to maintain its own integrity, and remain hidden from the user in order to allow the attacker to use the compromised computer for a long period of time for his or her own nefarious means.
A well written and executed rootkit can easily remain hidden and operate literally for years without giving away its presence to the user, or even a systems administrator or other IT professional. This has already happened many times, especially in companies that maintain large networked systems, and continues today even while you are reading this paper.
Functions:
A rootkit is designed to hide logins, processes, files, and logs, and may include software to intercept data from terminals, network connections, and the keyboard. They are often considered as Trojan horses and indeed may even contain Trojans and backdoors as part of the rootkit.
Types:
There are three basic types of rootkits - library, application and kernel. There are also two subtypes - memory based, and persistent, but more on that later.
Library level rootkits will most commonly patch, hook or replace system calls with versions that hide information so the rootkit is not visible by normal means. That is to say you won’t be able to find the files with a normal file search, or by going to the task manager to check what applications are running.
Before discussing the next two, it is important to remember that current versions of Windows were designed with security and stability in mind. Some readers may scoff at this statement in light of the vulnerabilities reported in Windows operating systems, but it is true. No operating system is designed from the beginning with protection from malicious intruders subverting the system in mind. The kernel is protected from user applications while still allowing functionality. Windows currently supports two modes of execution: user mode and kernel mode. Applications will run under user mode, which is unprivileged, thus protecting the kernel.
Application level rootkits usually operate by replacing normal application binaries with Trojan style fakes, or modifying program behavior through the use of hooks, patches, or other injected code. Your first alert to the possible existence of a rootkit hiding in an application is abnormal or different behavior of one of your application programs. The key here is to know your software and pay attention to how in normally runs.
Kernel level rootkits usually add additional code, or replace a section of kernel code with modified code in order to hide the existence of the rootkit, as well as any backdoor(s) that have been added as a way in for the attacker. Remember that kernel mode execution is a mode of execution by a processor that grants access to all system memory and all the processors instructions. Windows will tag specific sections of memory specifying which mode is required to access that section of memory, but it does not protect memory in kernel mode from other threads that are also running in kernel mode. This is what makes kernel level rootkitsrootkits usually do not alter the operation of the computer in a significantly enough fashion to alert the user to their existence. This level of rootkit is virtually impossible to detect without the use of specialized software.
Categories:
There are two basic categories that modern rootkits in the wild can be divided into: those that are designed to hook, and those that are designed to use DKOM. These will be explained below. Hacker defender is one of the more popular rootkits that works by hooking. It hides processes, services, files, directory keys and ports. FU is a popular rootkit that is designed to use DKOM. Fu can hide processes and device drivers and elevate privileges and groups of any Windows process.
Hooks (or hooking) –
In the above section, we mentioned a hook. A hook, or hooking, is a method used by a rootkit to alter the normal execution path of the operating system. Modern operating systems are designed to be flexible, extendable and backward compatible. If they weren’t, you would have to replace all your applications software with newer versions every time you got a newer computer or newer operating system. This is why if you upgraded to, let’s say, Windows XP, your other software still runs with Windows XP as it did with your older operating system.
By using a hook, a rootkit can alter the information that the original operating system function would have returned, using it for the rootkits’ own designs as programmed by the attacker.
Some of the more common areas a rootkit will hook are: execution paths, import address tables, system service descriptor tables, and layered filter drivers.
DKOM –
DKOM stands for Direct Kernel Object Manipulation. Rootkits designed to use DKOM rely on creation of kernel objects by the operating system, which are normally used by the system for auditing normal operation. By modifying these objects sufficiently, the rootkit can trick the operating system into thinking a particular operation or process was performed by a normal function of the program. This will prevent the system from logging an incorrect operation, and a system alert, thus allowing the rootkit to remain hidden from normal detection means. Since all kernel process objects are linked, the rootkit unlinks the process it performed from itself, and links it to a normal process function of the operating system. The system is tricked, and thinks the operation was performed as a legitimate function of the program.
Rootkit Subtypes –
As we hinted at earlier in the section on rootkit types, there are two subtype categories – memory-bases and persistent. The main difference is that a memory-based rootkit only resides in memory and it will not survive a computer re-boot.
Memory-based -
An attacker that wants to perform a quick, one-time, in-and-out procedure of some sort, remain undetected, and then leave un-noticed without intending to return, usually uses memory-based rootkits. These types of attacks are usually used as information gathering missions by an attacker that has already discovered when a machine is normally turned on or running. These kinds of rootkits are extremely stealth and virtually impossible to detect due to the short life-span nature of their existence. These rootkits can also be reserved for use only against server machines that are left running for long periods of time, and by an attacker that wants to remain completely undiscovered and untraceable. A computer scan catching one of these rootkits would result more from sheer luck than by design.
Persistent:
Persistent rootkits, on the other hand, are designed to easily survive a system re-boot. In order to survive a re-boot, this kind of rootkit must have some means of permanently storing its code on the victims’ machine, usually on the hard drive. It must also use some form of a hook in the system boot sequence so it will be loaded from disk into memory each time the machine starts so it can begin execution again.
Hiding a rootkits existence:
As we discussed above, a memory-based rootkit is virtually impossible to detect. But, what about the persistent form of rootkit and how does it hide? These kinds of rootkits survive a system re-boot, and remain on the machine for very long time periods, perhaps even years.
In order to hide its existence and remain undetected, a rootkit must be able to conceal the presence of its own executable code. Some do this better than others. The rootkit must also be able to hide the memory-based modifications in the operating system (hooks or DKOM). The rootkit must also be able to hide its code on long-term storage in the system and conceal the permanent hook in the system boot sequence it uses to load itself when the system starts. For these reasons, successful rootkits are designed to often reside at least partially in the boot sector of the hard drive. The main reason for this is to avoid detection from most modern anti-virus scans. Many anti-virus programs are not fully functional until the system boots up, after which the boot sector cannot be properly scanned for vulnerabilities because the system is running. There are a few programs that include boot sector scans before the system boots up, and I recommend you check for this functionality before purchasing an anti-virus product. They do not slow the boot process very much, and the added protection offered is well worth the extra time it takes for the machine to be ready to go.
Detection:
Let me say at the beginning of this section that rootkit detection is still a work in progress. There are currently a number of methods in use, some of which we will discuss here. As of this writing, all of them have their particular strengths and weaknesses, and none of them have been proven to be completely effective or foolproof.
Rootkits have become very sophisticated over the past two years, and we continue to see new ones spawned almost every month. As the writing skills of rootkit programmers improve, detection becomes more difficult all the time.
Signature based detection –
Signature based detection is currently the most common detection method, and it can work to a fair degree against rootkits programmed with publicly available code available on the Internet. Programs with this scanning capability are usually from anti-virus software vendors who have included the capability in their products only recently. They work the same way that they scan for viruses, worms and trojans. They look for a specific or known fingerprint unique to the threat located in the computer. This form of detection is helpful against publicly available rootkit code, but is useless against more advanced rootkits for which a signature does not exist. These include rootkits that hook virtual memory that are capable of controlling the memory threads of the scanning program.
Heuristic detection –
Heuristic detection is the next step upwards in detection. Instead of looking for a particular fingerprint, heuristic detection instead looks for deviations from normal system patterns and behavior. This gives the ability to find new and previously unidentified rootkits. This technology is currently emerging and not readily available yet, and uses various heuristics to identify a rootkit based on the execution path hooks it uses. Current examples of this form of technology are VICE and Patchfinder. At this time, they only work with Microsoft .NET Framework installed on the computer, and they are not foolproof either. They can be subverted by some rootkits, and still others will remain undetected. One of the problems is trying to determine which hooks are malicious, and which hooks are legitimate and part of the normal operating system (false positives can be the result).
Profiling –
Another method of detection currently being developed is profiling, or more specifically, profiling the runtime execution path. The only tool currently known to this writer with this technology is a very promising proof of concept tool called Patchfinder. It is discussed and made available on a Website called invisiblethings.org run by rootkit expert Joanna Rutkowska. It is built on the observation that a rootkit adds code to a given execution path, and operates by counting instructions. The technique can still result in false positives, and is vulnerable to rootkits that have the ability to realize they are being traced. Nonetheless, I believe the technology has excellent merit and I hope development continues and is able to eliminate the problems encountered so far.
Cross View –
Cross view based detection techniques are both very new and very promising. The detection software works by enumerating data within the system such as files, processes and Registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the system’s common APIs (Application Program Interface). A difference between the two results can indicate something hidden. This technology is still being developed and improved to eliminate false positives when the program runs. Current examples of this developing technology are Rootkit Revealer from Sysinternals, Klister by Joanna Rutowsksa, BlackLight by F-Secure, and Strider Ghostbuster from Microsoft.
Integrity –
Integrity based detection is an alternative to either signature based detection or heuristic detection, and works by comparing a snapshot of the filesystem or memory with a known trusted baseline. Differences between the two are taken as an indicator of malicious activity. Examples of this are Tripwire from Sourceforge, and System Virginity Verifier by Joanna Rutowska. Tripwire was effective against early rootkit designs, but virtually useless against the modern rootkit. System Virginity Verifier, on the other hand, is, to me, very promising as it also checks the integrity of data structures and uses advanced heuristics to help deal with false positives stemming from normal system hook operation.
Hardware detection:
Join me in keeping high hopes for this one. It could be absolutely great!
This technology is very new and was born as a project at the University of Maryland. A new company, Komoku of College Park, Md. is currently the owner of this technology. With funding (at around $2.5million) coming from government contracts, specifically DARPA (Defense Advanced Research Projects Agency), the Department of Homeland Security, and the U.S. Navy, they have developed a proprietary, high-assurance PCI card based detection system called Copilot. The PCI card has its own processor and memory allowing it to remain independent of the system it is installed into. It also has its own network interface allowing communications to an outside administrative department or team. The prototype PCI card solution is currently not publicly available and is more than likely pretty pricey at this time, but represents a formidable foe to rootkits. Personally, I have high hopes that the governmental agencies involved will allow mass production after the prototype is finalized so the benefits of this new technology will become both available and affordable to the general computer user like you and me.
By being able to remain independent of the computer’s processor and memory it is installed in, this PCI card can scan and monitor all processes, memory, files and activity in the computer at the hardware level, looking for any modifications or abnormal behavior, thus making any rootkit design an easy target to find. According to the project designers, instead of looking directly for the rootkit, it looks instead for the side effects of the rootkits activities. Coupled with a software-monitoring and cleanup component that is also being partnered (by guess who – Symantec), it could actually be capable of putting and end to the rootkit threat on any machine it is installed in.
Komoku also plans to release a low-assurance software-only clone of this technology called Gamma sometime this summer – I can hardly wait to see it. Komoku is currently partnered with Symantec to handle disinfection, cleanup and restoration after a rootkit or other sophisticated malware is found. Symantec’s Live State product combined with Copilot and Gamma can restore the system to its original operating state as if nothing had ever happened.
I see some really exciting, commercial software offerings becoming available for us in the hopefully not too distant future, and I really hope the Copilot PCI card becomes a reality for us as well.
Rootkit Removal:
For the time being, rootkit removal is rather subjective. There is a large body of opinion that believes it to impractical. The majority seems to recommend copying and saving your data files, wiping the hard drive clean, and re-installing everything from scratch. The feeling is this will take less time than trying to remove the rootkit and restore the system. If it was a truly severe case, and sensitive data and material were at stake, I would tend to agree.
For the average user, however, I would recommend running the Malicious Software Removal Tool from Microsoft, scanning with Windows Defender, and trying a scan with the latest version of SpySweeper from WebRoot. All have some degree of rootkit detection and removal capability built in that I have had good success with in the past. I have also cleaned up and removed some boot sector rootkits with AVG Pro from Grisoft, another product I like a lot. A number of other constituents I am in contact with also have reported good success with BlackLight from F-Secure. BlackLight will be rolled into another F-Secure product this summer as part of a security software suite, but it is still free until June 1, 2006, after which it stops working. One thing to keep in mind – BlackLight is currently a Beta program, and you assume all responsibility for its use. If using it breaks your system, it’s your problem. Final release of the integrated product from F-Secure this summer will come with support.
Prevention:
On final thing to remember – a rootkit alters the operating system, and thus needs administrator privilege to install (not that you can expect a warning that it is about to install, and you certainly will not see a Windows Installer screen). You can greatly reduce your exposure to this threat in the first place if you remember to not go on-line with an account on your computer that has administrator privilege. Use a limited account when connecting to the Internet. If you absolutely must be on-line as an administrator for certain programs to work, you might want to look into a protection program like Process Guard (shareware, $29.95) that has the capacity to prevent programs from installing global hooks and performing process injection. If you are a high-risk user, such as a P2P user, and must be on-line as an administrator, then you should definitely consider such a program as mandatory and a must have.
Another possible program to look into is called AntiHook. Of the two, I can only honestly recommend Process Guard for the high-risk user. AntiHook is freeware and is a less powerful program, but it offers good, solid protection for the average home user. Please note that AntiHook is only for home use, and currently (AntiHook v 2.5) does not work properly with Windows XP Home edition. New versions AntiHook 2.6 and AntiHook 3.0 are due out in a few weeks and promise to fix this issue. Both programs (Process Guard and AntiHook) feature real-time kernel mode protection. If you are a home user that downloads a lot and installs downloaded programs, I really would recommend you use one of the two programs.
Either of these programs will be noisy at first as they go through a learning curve of the software on your system, much like what you see with pop-up warnings after installing a new firewall. Don’t despair though as things will settle down soon when the program learns your particular system. You can also minimize this if you use AntiHook by initially running it in fingerprint mode for the first few days while it learns. Before doing this, however, you might want to first scan your system if it has been on-line for a while to be sure it is clean in the first place.
One final point. If you install either of these programs, please do not fool yourself into thinking that you are now totally safe from all rootkits. Although the vast majority of rootkits use hooking, remember that we also discussed advanced rootkits that use DKOM. Although there are few of them in existence so far, they are still out there, and I’m sure more will be coming.
Definition:
A rootkit is a program or set of programs used by an intruder to both hide their presence on a computer system and allow future access to that same system. A rootkit will usually either manipulate the data set the operating system relies on, or alter the execution flow of the operating system.
It is important you realize that rootkits are designed to be very stealth, meaning they are difficult to find or detect by normal means. Many rootkits have been so well written that their presence can go undetected for years. They are written by experienced individuals with an advanced level of programming knowledge far above that of the average virus or malware writer. A rootkit is not an exploit. It is what an attacker uses after an initial exploit to allow future undetected access to a compromised computer.
It is also important not to confuse a rootkit with a virus, or a worm. The main difference is in propagation and stealth. Like a rootkit, a virus also alters software components of a system. A virus, however, is designed to do damage and possibly provide additional service(s) to the attacker. This usually alerts the user right away that something is wrong, and gives away its existence. A worm is usually designed to scan for vulnerabilities and take advantage of them, as well as spread to other computers connected to a network, thereby doing the same damage to them. Again, this alters computer behavior significantly enough to alert the user to its existence and that there is something wrong. A rootkit, on the other hand, is designed to maintain its own integrity, and remain hidden from the user in order to allow the attacker to use the compromised computer for a long period of time for his or her own nefarious means.
A well written and executed rootkit can easily remain hidden and operate literally for years without giving away its presence to the user, or even a systems administrator or other IT professional. This has already happened many times, especially in companies that maintain large networked systems, and continues today even while you are reading this paper.
Functions:
A rootkit is designed to hide logins, processes, files, and logs, and may include software to intercept data from terminals, network connections, and the keyboard. They are often considered as Trojan horses and indeed may even contain Trojans and backdoors as part of the rootkit.
Types:
There are three basic types of rootkits - library, application and kernel. There are also two subtypes - memory based, and persistent, but more on that later.
Library level rootkits will most commonly patch, hook or replace system calls with versions that hide information so the rootkit is not visible by normal means. That is to say you won’t be able to find the files with a normal file search, or by going to the task manager to check what applications are running.
Before discussing the next two, it is important to remember that current versions of Windows were designed with security and stability in mind. Some readers may scoff at this statement in light of the vulnerabilities reported in Windows operating systems, but it is true. No operating system is designed from the beginning with protection from malicious intruders subverting the system in mind. The kernel is protected from user applications while still allowing functionality. Windows currently supports two modes of execution: user mode and kernel mode. Applications will run under user mode, which is unprivileged, thus protecting the kernel.
Application level rootkits usually operate by replacing normal application binaries with Trojan style fakes, or modifying program behavior through the use of hooks, patches, or other injected code. Your first alert to the possible existence of a rootkit hiding in an application is abnormal or different behavior of one of your application programs. The key here is to know your software and pay attention to how in normally runs.
Kernel level rootkits usually add additional code, or replace a section of kernel code with modified code in order to hide the existence of the rootkit, as well as any backdoor(s) that have been added as a way in for the attacker. Remember that kernel mode execution is a mode of execution by a processor that grants access to all system memory and all the processors instructions. Windows will tag specific sections of memory specifying which mode is required to access that section of memory, but it does not protect memory in kernel mode from other threads that are also running in kernel mode. This is what makes kernel level rootkitsrootkits usually do not alter the operation of the computer in a significantly enough fashion to alert the user to their existence. This level of rootkit is virtually impossible to detect without the use of specialized software.
Categories:
There are two basic categories that modern rootkits in the wild can be divided into: those that are designed to hook, and those that are designed to use DKOM. These will be explained below. Hacker defender is one of the more popular rootkits that works by hooking. It hides processes, services, files, directory keys and ports. FU is a popular rootkit that is designed to use DKOM. Fu can hide processes and device drivers and elevate privileges and groups of any Windows process.
Hooks (or hooking) –
In the above section, we mentioned a hook. A hook, or hooking, is a method used by a rootkit to alter the normal execution path of the operating system. Modern operating systems are designed to be flexible, extendable and backward compatible. If they weren’t, you would have to replace all your applications software with newer versions every time you got a newer computer or newer operating system. This is why if you upgraded to, let’s say, Windows XP, your other software still runs with Windows XP as it did with your older operating system.
By using a hook, a rootkit can alter the information that the original operating system function would have returned, using it for the rootkits’ own designs as programmed by the attacker.
Some of the more common areas a rootkit will hook are: execution paths, import address tables, system service descriptor tables, and layered filter drivers.
DKOM –
DKOM stands for Direct Kernel Object Manipulation. Rootkits designed to use DKOM rely on creation of kernel objects by the operating system, which are normally used by the system for auditing normal operation. By modifying these objects sufficiently, the rootkit can trick the operating system into thinking a particular operation or process was performed by a normal function of the program. This will prevent the system from logging an incorrect operation, and a system alert, thus allowing the rootkit to remain hidden from normal detection means. Since all kernel process objects are linked, the rootkit unlinks the process it performed from itself, and links it to a normal process function of the operating system. The system is tricked, and thinks the operation was performed as a legitimate function of the program.
Rootkit Subtypes –
As we hinted at earlier in the section on rootkit types, there are two subtype categories – memory-bases and persistent. The main difference is that a memory-based rootkit only resides in memory and it will not survive a computer re-boot.
Memory-based -
An attacker that wants to perform a quick, one-time, in-and-out procedure of some sort, remain undetected, and then leave un-noticed without intending to return, usually uses memory-based rootkits. These types of attacks are usually used as information gathering missions by an attacker that has already discovered when a machine is normally turned on or running. These kinds of rootkits are extremely stealth and virtually impossible to detect due to the short life-span nature of their existence. These rootkits can also be reserved for use only against server machines that are left running for long periods of time, and by an attacker that wants to remain completely undiscovered and untraceable. A computer scan catching one of these rootkits would result more from sheer luck than by design.
Persistent:
Persistent rootkits, on the other hand, are designed to easily survive a system re-boot. In order to survive a re-boot, this kind of rootkit must have some means of permanently storing its code on the victims’ machine, usually on the hard drive. It must also use some form of a hook in the system boot sequence so it will be loaded from disk into memory each time the machine starts so it can begin execution again.
Hiding a rootkits existence:
As we discussed above, a memory-based rootkit is virtually impossible to detect. But, what about the persistent form of rootkit and how does it hide? These kinds of rootkits survive a system re-boot, and remain on the machine for very long time periods, perhaps even years.
In order to hide its existence and remain undetected, a rootkit must be able to conceal the presence of its own executable code. Some do this better than others. The rootkit must also be able to hide the memory-based modifications in the operating system (hooks or DKOM). The rootkit must also be able to hide its code on long-term storage in the system and conceal the permanent hook in the system boot sequence it uses to load itself when the system starts. For these reasons, successful rootkits are designed to often reside at least partially in the boot sector of the hard drive. The main reason for this is to avoid detection from most modern anti-virus scans. Many anti-virus programs are not fully functional until the system boots up, after which the boot sector cannot be properly scanned for vulnerabilities because the system is running. There are a few programs that include boot sector scans before the system boots up, and I recommend you check for this functionality before purchasing an anti-virus product. They do not slow the boot process very much, and the added protection offered is well worth the extra time it takes for the machine to be ready to go.
Detection:
Let me say at the beginning of this section that rootkit detection is still a work in progress. There are currently a number of methods in use, some of which we will discuss here. As of this writing, all of them have their particular strengths and weaknesses, and none of them have been proven to be completely effective or foolproof.
Rootkits have become very sophisticated over the past two years, and we continue to see new ones spawned almost every month. As the writing skills of rootkit programmers improve, detection becomes more difficult all the time.
Signature based detection –
Signature based detection is currently the most common detection method, and it can work to a fair degree against rootkits programmed with publicly available code available on the Internet. Programs with this scanning capability are usually from anti-virus software vendors who have included the capability in their products only recently. They work the same way that they scan for viruses, worms and trojans. They look for a specific or known fingerprint unique to the threat located in the computer. This form of detection is helpful against publicly available rootkit code, but is useless against more advanced rootkits for which a signature does not exist. These include rootkits that hook virtual memory that are capable of controlling the memory threads of the scanning program.
Heuristic detection –
Heuristic detection is the next step upwards in detection. Instead of looking for a particular fingerprint, heuristic detection instead looks for deviations from normal system patterns and behavior. This gives the ability to find new and previously unidentified rootkits. This technology is currently emerging and not readily available yet, and uses various heuristics to identify a rootkit based on the execution path hooks it uses. Current examples of this form of technology are VICE and Patchfinder. At this time, they only work with Microsoft .NET Framework installed on the computer, and they are not foolproof either. They can be subverted by some rootkits, and still others will remain undetected. One of the problems is trying to determine which hooks are malicious, and which hooks are legitimate and part of the normal operating system (false positives can be the result).
Profiling –
Another method of detection currently being developed is profiling, or more specifically, profiling the runtime execution path. The only tool currently known to this writer with this technology is a very promising proof of concept tool called Patchfinder. It is discussed and made available on a Website called invisiblethings.org run by rootkit expert Joanna Rutkowska. It is built on the observation that a rootkit adds code to a given execution path, and operates by counting instructions. The technique can still result in false positives, and is vulnerable to rootkits that have the ability to realize they are being traced. Nonetheless, I believe the technology has excellent merit and I hope development continues and is able to eliminate the problems encountered so far.
Cross View –
Cross view based detection techniques are both very new and very promising. The detection software works by enumerating data within the system such as files, processes and Registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the system’s common APIs (Application Program Interface). A difference between the two results can indicate something hidden. This technology is still being developed and improved to eliminate false positives when the program runs. Current examples of this developing technology are Rootkit Revealer from Sysinternals, Klister by Joanna Rutowsksa, BlackLight by F-Secure, and Strider Ghostbuster from Microsoft.
Integrity –
Integrity based detection is an alternative to either signature based detection or heuristic detection, and works by comparing a snapshot of the filesystem or memory with a known trusted baseline. Differences between the two are taken as an indicator of malicious activity. Examples of this are Tripwire from Sourceforge, and System Virginity Verifier by Joanna Rutowska. Tripwire was effective against early rootkit designs, but virtually useless against the modern rootkit. System Virginity Verifier, on the other hand, is, to me, very promising as it also checks the integrity of data structures and uses advanced heuristics to help deal with false positives stemming from normal system hook operation.
Hardware detection:
Join me in keeping high hopes for this one. It could be absolutely great!
This technology is very new and was born as a project at the University of Maryland. A new company, Komoku of College Park, Md. is currently the owner of this technology. With funding (at around $2.5million) coming from government contracts, specifically DARPA (Defense Advanced Research Projects Agency), the Department of Homeland Security, and the U.S. Navy, they have developed a proprietary, high-assurance PCI card based detection system called Copilot. The PCI card has its own processor and memory allowing it to remain independent of the system it is installed into. It also has its own network interface allowing communications to an outside administrative department or team. The prototype PCI card solution is currently not publicly available and is more than likely pretty pricey at this time, but represents a formidable foe to rootkits. Personally, I have high hopes that the governmental agencies involved will allow mass production after the prototype is finalized so the benefits of this new technology will become both available and affordable to the general computer user like you and me.
By being able to remain independent of the computer’s processor and memory it is installed in, this PCI card can scan and monitor all processes, memory, files and activity in the computer at the hardware level, looking for any modifications or abnormal behavior, thus making any rootkit design an easy target to find. According to the project designers, instead of looking directly for the rootkit, it looks instead for the side effects of the rootkits activities. Coupled with a software-monitoring and cleanup component that is also being partnered (by guess who – Symantec), it could actually be capable of putting and end to the rootkit threat on any machine it is installed in.
Komoku also plans to release a low-assurance software-only clone of this technology called Gamma sometime this summer – I can hardly wait to see it. Komoku is currently partnered with Symantec to handle disinfection, cleanup and restoration after a rootkit or other sophisticated malware is found. Symantec’s Live State product combined with Copilot and Gamma can restore the system to its original operating state as if nothing had ever happened.
I see some really exciting, commercial software offerings becoming available for us in the hopefully not too distant future, and I really hope the Copilot PCI card becomes a reality for us as well.
Rootkit Removal:
For the time being, rootkit removal is rather subjective. There is a large body of opinion that believes it to impractical. The majority seems to recommend copying and saving your data files, wiping the hard drive clean, and re-installing everything from scratch. The feeling is this will take less time than trying to remove the rootkit and restore the system. If it was a truly severe case, and sensitive data and material were at stake, I would tend to agree.
For the average user, however, I would recommend running the Malicious Software Removal Tool from Microsoft, scanning with Windows Defender, and trying a scan with the latest version of SpySweeper from WebRoot. All have some degree of rootkit detection and removal capability built in that I have had good success with in the past. I have also cleaned up and removed some boot sector rootkits with AVG Pro from Grisoft, another product I like a lot. A number of other constituents I am in contact with also have reported good success with BlackLight from F-Secure. BlackLight will be rolled into another F-Secure product this summer as part of a security software suite, but it is still free until June 1, 2006, after which it stops working. One thing to keep in mind – BlackLight is currently a Beta program, and you assume all responsibility for its use. If using it breaks your system, it’s your problem. Final release of the integrated product from F-Secure this summer will come with support.
Prevention:
On final thing to remember – a rootkit alters the operating system, and thus needs administrator privilege to install (not that you can expect a warning that it is about to install, and you certainly will not see a Windows Installer screen). You can greatly reduce your exposure to this threat in the first place if you remember to not go on-line with an account on your computer that has administrator privilege. Use a limited account when connecting to the Internet. If you absolutely must be on-line as an administrator for certain programs to work, you might want to look into a protection program like Process Guard (shareware, $29.95) that has the capacity to prevent programs from installing global hooks and performing process injection. If you are a high-risk user, such as a P2P user, and must be on-line as an administrator, then you should definitely consider such a program as mandatory and a must have.
Another possible program to look into is called AntiHook. Of the two, I can only honestly recommend Process Guard for the high-risk user. AntiHook is freeware and is a less powerful program, but it offers good, solid protection for the average home user. Please note that AntiHook is only for home use, and currently (AntiHook v 2.5) does not work properly with Windows XP Home edition. New versions AntiHook 2.6 and AntiHook 3.0 are due out in a few weeks and promise to fix this issue. Both programs (Process Guard and AntiHook) feature real-time kernel mode protection. If you are a home user that downloads a lot and installs downloaded programs, I really would recommend you use one of the two programs.
Either of these programs will be noisy at first as they go through a learning curve of the software on your system, much like what you see with pop-up warnings after installing a new firewall. Don’t despair though as things will settle down soon when the program learns your particular system. You can also minimize this if you use AntiHook by initially running it in fingerprint mode for the first few days while it learns. Before doing this, however, you might want to first scan your system if it has been on-line for a while to be sure it is clean in the first place.
One final point. If you install either of these programs, please do not fool yourself into thinking that you are now totally safe from all rootkits. Although the vast majority of rootkits use hooking, remember that we also discussed advanced rootkits that use DKOM. Although there are few of them in existence so far, they are still out there, and I’m sure more will be coming.
No comments:
Post a Comment