Wednesday, July 12, 2006

Windows Rootkit Detectors

In doing the prep-work for my post on software based firewalls, I made a list of other system security layers that needed to be considered.

One of those areas was rootkits.

At the most basic level, a rootkit is executable code that attempts to hide running processes, files or system data from detection. There are many ways it can do this, but the end result is that rootkits are very hard to find and can make an infected system look clean and safe even to traditional anti-virus and anti-malware software.

Wikipedia: Rootkit is a good place to start for getting the general concepts down.

Episode #9 of Security Now featured a very good discussion between Leo Laporte and Steve Gibson.

Detection on Windows systems:

Two products that I know of that are very good in detecting the presence of rootkits on a PC are Sysinternals RootkitRevealer and F-Secure's BlackLight.

You don't run these applications in an ongoing state, but I do recommend running them every couple of weeks just to keep an eye on things.

However, just because they find something doesn't mean that file or registry key is a rootkit. Many Windows system files and keys are legitimate. It just takes time to understand, and the more you understand what is going on with your system normally, the easier it is to spot something as "out-of-place".

Give the Sysinternals link a good read. It has very helpful and clear information for interpreting the results, hosts a RootkitRevealer forum, and has additional reference links at the bottom of the page.
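The cross-view comparison that scanners like RootkitRevealer rely on, as an added illustration in Python (not the post's or Sysinternals' own code; the two views and the baseline entries are constructed sample data):

```python
# Cross-view discrepancy check in the spirit of RootkitRevealer (added
# illustration, not Sysinternals' code). A rootkit filtering the Windows API
# view of a directory or key cannot also filter what a scanner reads directly
# from the raw volume or hive, so raw-only entries are candidates for review.
from dataclasses import dataclass, field

def normalize(path: str) -> str:
    # Windows paths and registry keys are case-insensitive and may mix separators.
    return path.replace("/", "\\").rstrip("\\").lower()

@dataclass
class Discrepancies:
    hidden_from_api: list = field(default_factory=list)   # raw view only: review
    missing_from_raw: list = field(default_factory=list)  # API view only
    suppressed: list = field(default_factory=list)        # matched the baseline

def cross_view(api_view, raw_view, baseline=()):
    """Compare API-reported entries with raw-read entries.

    baseline holds discrepancies recorded from an earlier clean scan of this
    machine (keys the API legitimately refuses to list); they are reported
    separately rather than silently dropped.
    """
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    known = {normalize(p) for p in baseline}
    result = Discrepancies()
    for entry in sorted(raw - api):
        (result.suppressed if entry in known else result.hidden_from_api).append(entry)
    for entry in sorted(api - raw):
        (result.suppressed if entry in known else result.missing_from_raw).append(entry)
    return result

# Constructed sample views, not real scan output.
API_VIEW = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
]
RAW_VIEW = [
    r"c:/windows/system32/drivers/NTFS.SYS",          # same file, different case
    r"C:\Windows\System32\drivers\sample_hidden.sys",  # only the raw read sees it
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SECURITY\Policy\Secrets",                   # known API-hidden key
]
BASELINE = [r"HKLM\SECURITY\Policy\Secrets"]

if __name__ == "__main__":
    d = cross_view(API_VIEW, RAW_VIEW, BASELINE)
    print("review:", d.hidden_from_api)
    print("known legitimate:", d.suppressed)
```

On a real system the two views would come from the Windows API and a direct read of the volume or hive; a hit still has to be interpreted against what you know is normal for that machine.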

Suggested Response to a "real" Rootkit on your system:

I have only come across a handful of systems harboring a true rootkit. While not impossible to remove, they certainly can be challenging to remove successfully. I say that because they can often hook deeply into the registry and system files. If not removed cleanly and entirely, they can leave a dead, non-booting system or come back to life and reload again.

My personal advice would be to err on the side of caution and boot the system with a Live CD, or pull the drive and attach it to a second system as a slave drive, then copy the critical user files/folders off for safekeeping. Then I would securely wipe the compromised drive using DBAN and reinstall the system fresh and clean. That is the one way you can be sure you don't still have the rootkit sitting on your system.

Overkill? Maybe. Secure? You bet; as long as the system install disks you are using haven't been compromised.

Coming soon--process monitoring solutions, sandboxing techniques, and virtual machines.

UPDATE (7-16): Some additional rootkit detecting applications I have just come across:

GMER - Free - helpful in analyzing rootkit-like malware. Follow the link for more screen shots and to download a copy.

DarkSpy - Free - I haven't tried this one out.

RKDetector - Free - Really nice and improved GUI now, compared to the older command-line version I used to depend on. RKDetector is released in two independent "modules": the FILESYSTEM Module and the "IAT Analysis Module". Download and play with both applications.

Found via the ISC-SANS Behavioral Analysis of Rootkit Malware diary post.

Stay Tuned,
--Claus
