Offline rootkit detection.

I had a question about what a rootkit would look like to an offline system. The way I understand it, once a computer has a rootkit you really can't trust what you're seeing. However, what if you boot off of USB or CD? They should just be files sitting there like any other.
#2
Posted 24 May 2011 - 01:19 PM
Rootkits are powerful system-monitoring programs that are almost impossible to detect. Rootkits are not an infection in and of themselves. They are used by backdoor Trojans, Botnets, and IRCBots to conceal their presence. Thus a rootkit's purpose is to hide itself from view in order to prevent detection of an attacker's software and make removal more difficult. Rootkits are especially dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult.
There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with rootkits that can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces of it will be removed, as they may not find all the remnants.
There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Keep in mind that not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD emulators, sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. The SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.
API kernel hooks are not always bad, since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe, which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad; they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.
In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempting removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.
To learn more about Rootkits, please refer to:
- r00tkit Analysis
- Rootkits: almost invisible malware
- Windows Rootkit Overview: User Mode Rootkits/Kernel Mode Rootkits
- Rootkits and how to combat them
- Windows rootkits in 2005, Part 1 of 3
- Windows rootkits of 2005, Part 2 of 3
- Windows rootkits of 2005, Part 3 of 3
To learn more about the TDSS rootkit, please refer to:
- TDSS: Rootkit technologies from the beginning
- TDSS part 1
- TDSS part 2: Ifs and Bots
- Memory Forging Attempt by a Rootkit: TDL4 variants
- Bootkit: the challenge - TDL4 Rootkit
These are .pdf documents with more comprehensive information.
- TDL3: The Rootkit of All Evil?
- Backdoor.Tdss.565
- TDL3: Part I A detailed analysis of TDL rootkit 3rd generation
This post has been edited by quietman7: 24 May 2011 - 01:19 PM
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
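The post above describes ARK scanners reporting "hidden" entries that then need a human to classify. The following is an added example, not code from the thread or from any ARK product: it shows the cross-view idea behind that kind of report, comparing a file listing taken from the running (possibly rootkitted) system with a listing of the same volume taken after booting from rescue media. Both listings, the file contents behind the hashes, and the driver name zxfg.sys are constructed for the example; in practice each side would be a recursive walk of the volume with a SHA-256 per file.

```python
"""Cross-view comparison of a live file listing against an offline one.

Added example, not code from the forum thread or from any ARK tool. Both
listings below are constructed by hand: LIVE_VIEW stands for what the running
Windows reported, OFFLINE_VIEW for what the same volume shows when the disk is
mounted from a rescue CD/USB. A real run would build each dict by walking the
volume and hashing every file.
"""
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 hex digest of a file's bytes (content is constructed here)."""
    return hashlib.sha256(content).hexdigest()


# Constructed listings: path -> sha256 of file content.
LIVE_VIEW = {
    r"C:\Windows\System32\ntoskrnl.exe": digest(b"kernel-image"),
    r"C:\Windows\System32\drivers\atapi.sys": digest(b"clean-atapi"),
    r"C:\Windows\System32\svchost.exe": digest(b"svchost"),
    r"C:\pagefile.sys": digest(b"swap"),
}
OFFLINE_VIEW = {
    r"C:\Windows\System32\ntoskrnl.exe": digest(b"kernel-image"),
    r"C:\Windows\System32\drivers\atapi.sys": digest(b"patched-atapi"),  # bytes on disk differ
    r"C:\Windows\System32\svchost.exe": digest(b"svchost"),
    r"C:\Windows\System32\drivers\zxfg.sys": digest(b"unknown-driver"),  # only visible offline
    r"C:\pagefile.sys": digest(b"swap-on-disk"),
}
# Paths whose contents legitimately differ between views (in use while Windows runs).
VOLATILE = {r"C:\pagefile.sys", r"C:\hiberfil.sys"}


def cross_view_diff(live: dict, offline: dict, volatile=VOLATILE) -> dict:
    """Return paths hidden from the live view, paths whose on-disk bytes differ
    from what the live system served, and paths only the live view reported.
    Every entry still needs an analyst: 'hidden' is not the same as malicious."""
    hidden = sorted(p for p in offline if p not in live)
    differing = sorted(p for p in offline
                       if p in live and live[p] != offline[p] and p not in volatile)
    live_only = sorted(p for p in live if p not in offline)
    return {"hidden_from_live": hidden,
            "content_differs": differing,
            "live_only": live_only}


if __name__ == "__main__":
    for kind, paths in cross_view_diff(LIVE_VIEW, OFFLINE_VIEW).items():
        print(f"{kind}: {paths or '-'}")
```

A path that shows up only offline, or whose on-disk bytes differ from what the live system handed out, is exactly the kind of entry the post says must be examined before anything is deleted; the volatile set exists because swap and hibernation files differ between views on every machine.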
#3
Posted 24 May 2011 - 02:00 PM
A lot of good information there. However, it didn't really answer my question about offline systems. Is it easier to scan offline systems when looking for rootkits?
In addition, I am looking for a command-line scanner that could maybe be run remotely.
This post has been edited by Pockets: 24 May 2011 - 02:01 PM
#4
Posted 24 May 2011 - 02:20 PM
IMO it's not a matter of whether it's easier, but in some cases you may have to. For example, sometimes we need to see an offline dump of the computer's Master Boot Record (MBR) to check for a possible infected MBR. It depends on what you are dealing with, what you are finding/not finding and the reported symptoms. Rootkits are not something you can take a simplistic approach with; that's why tools and techniques to detect and combat them are constantly changing.
How to Perform an Offline Virus Scan with a bootable flash drive or rescue CD
Make an Anti Virus Bootable USB Thumb Drive
These are links to Anti-virus vendors that offer free LiveCD/Rescue CD utilities that are used to boot from in order to repair unbootable or damaged systems, rescue data, and scan the system for malware infections. Keep in mind there is no guarantee the repair will be successful and you may need to try more than one. Burn it as an image to a CD disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.
- Avira AntiVir Rescue System - Tutorial for Avira Rescue CD.
  If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Support Forum.
- Dr.Web LiveCD. Be sure to print out and follow the instructions provided in the User Manual.
- F-Secure Rescue CD - How to create F-Secure Rescue CD.
  Video: How to Remove Malware with F-Secure Rescue CD
  If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum.
- BitDefender LiveCD - Index of /rescue_cd
  If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum.
- Kaspersky RescueDisk - alternate download
  How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?
  How to record Kaspersky Rescue Disk 10 to a USB device and boot my computer from it?
- Panda SafeCD for Panda users consists of an ISO that you can either burn to a CD/DVD or create a more convenient Boot USB stick.
  If you encounter problems running SafeCD, you can get further assistance at the Panda Support Forum.
- AVG Rescue CD
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.
-- Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer’s BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:
This post has been edited by quietman7: 24 May 2011 - 03:05 PM
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
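quietman7 mentions taking an offline dump of the MBR to check for an infected boot record. The following is an added example, not code from the thread or from any of the rescue CDs listed above: it parses a raw 512-byte MBR sector, as you would capture it from a rescue environment with something like `dd if=/dev/sda bs=512 count=1 of=mbr.bin`, and flags the things a practitioner looks at first: the 0x55AA signature, whether the boot code still matches a known-good hash, how many partitions are marked bootable, whether partition extents make sense, and whether there is a large unpartitioned area after the last partition. The two MBR images, the disk size and the known-good hash are all constructed for the example; in practice the baseline hash would come from a dump taken while the machine was known to be clean, or from the standard boot code of the same OS version.

```python
"""Parse a raw 512-byte MBR dump taken from an offline disk and flag anomalies.

Added example, not part of the original forum thread. The MBR images below are
constructed by hand; the 'known-good' baseline hash is computed from one of
them, standing in for a hash you recorded when the disk was known to be clean.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"       # bytes 510..511
ENTRY_FMT = "<B3sB3sII"      # flag, CHS start, type, CHS end, start LBA, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (boot_flag, type, start_lba, sectors) tuples.
    Constructed test data only; CHS fields are zeroed, which real tools would populate."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, flag, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
                     for flag, ptype, start, count in partitions)
    return body + table.ljust(64, b"\x00") + BOOT_SIG


def parse_mbr(data: bytes) -> dict:
    """Split an MBR sector into boot code hash, used partition entries and signature check."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, _chs1, ptype, _chs2, start, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype != 0:                               # type 0 means the slot is unused
            entries.append({"index": i, "bootable": flag == 0x80,
                            "type": ptype, "start_lba": start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": entries,
            "signature_ok": data[510:512] == BOOT_SIG}


def check_mbr(data: bytes, baseline_sha256: str, disk_sectors: int) -> list:
    """Return human-readable findings. An empty list means these checks passed,
    not that the disk is clean; anything flagged still needs a human to look at it."""
    mbr = parse_mbr(data)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in mbr["partitions"]:
        end = p["start_lba"] + p["sectors"]
        if p["start_lba"] == 0 or p["sectors"] == 0 or end > disk_sectors:
            findings.append(f"partition {p['index']} has an out-of-range extent")
    if mbr["partitions"]:
        last_end = max(p["start_lba"] + p["sectors"] for p in mbr["partitions"])
        tail = disk_sectors - last_end
        if tail > 2048:                              # more than 1 MiB of unclaimed space
            findings.append(f"{tail} unpartitioned sectors after the last partition; inspect that space")
    return findings


# Constructed data: a 'clean' MBR whose boot code hash we record as the baseline,
# and a 'suspect' MBR with replaced boot code, a second bootable entry and a gap at the end.
DISK_SECTORS = 2_000_000
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                      [(0x80, 0x07, 2048, 1_997_952)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
SUSPECT_MBR = build_mbr(b"\xeb\x1e\x90" + b"\xcc" * 200,
                        [(0x80, 0x07, 2048, 1_900_000), (0x80, 0x1c, 1_902_048, 10_000)])

if __name__ == "__main__":
    print("clean  :", check_mbr(CLEAN_MBR, BASELINE, DISK_SECTORS) or ["no findings"])
    print("suspect:", check_mbr(SUSPECT_MBR, BASELINE, DISK_SECTORS))
```

To use it on a real dump, read the 512 bytes of mbr.bin and pass them to check_mbr together with the disk's sector count and your recorded baseline hash. The baseline comparison is the check that matters most: a boot-code hash that does not match is worth a closer look even when the partition table is tidy, and the unpartitioned-tail check only tells you where to look, not what is there.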