Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit Scanners & Prevention


  • Please log in to reply
2 replies to this topic

#1 smak451

smak451

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:11:27 PM

Posted 15 July 2010 - 11:37 PM

Since these things can be so damn hard to find are there any recommended rootkit tools/scanners to use for regular checkups as part of ongoing system maintenance/prevention?

There are heuristic based scanners like BotHunter, any thoughts on these? Also, does anyone have any stats as to the form these take? For example, how common are "firmware" rootkits that seek to evade a clean install through imprinting on the BIOS? What are best practices for early detection of these pests? Thanks for any advice, -- S

BC AdBot (Login to Remove)

 


#2 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:08:27 PM

Posted 16 July 2010 - 02:36 AM

Unlike other malware tools like antivirus scanners, rootkit scanners are not recommended as part of your regularly scheduled maintenance schedule. The reason being that rootkit scanners do not differentiate between what is good and what is bad. They only report what is found. Even on a completely clean system there will be a number of things that exhibit rootkit-like behavior, many of them being critical core components of the operating system itself. It takes an analysis of the scan results by someone trained in rootkit detection or with advanced knowledge of the internal structures of the operating system in question to determine if a particular scan result is malicious, benign, or system critical. Running a rootkit scanner without knowing how to tell the difference between these is a waste of time at best, and terminally dangerous to the operating system at worst.

Firmware-based malware is extremely rare. This is due to several impediments that prevent a malware author from spreading such threats on any major scale. The first barrier is the potential victim's operating system itself since it generally interdicts direct access to hardware by userland programs. This is the easiest barrier to overcome, but it's still a barrier. The second barrier is the real kicker: PC hardware is extremely diverse. If a malware author were to write something to infect a particular model DVD drive, for example, it would be very unlikely that the same malware would be able to infect a different model DVD drive even from the same manufacturer. So the number of potential victims would be limited only to those computers which have that specific model of hardware, whereas malware authors want to infect the largest possible number of computers they can. A malware author could write some malware for widest infection or for infecting a particular device, but not both.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,093 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:27 PM

Posted 16 July 2010 - 06:30 AM

There are many free anti-rootkit (ARK) tools but some require a certain level of expertise and investigative ability to use so they are intended for advanced users or to be used under the guidance of an expert. Arks are powerful tools and using them incorrectly could lead to disastrous problems with your operating system. Most of the more effective ARK tools should only be utilized by advanced users as they generate logs which must be interpreted and investigated before taking any removal action.

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernal/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both Legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

Some files are locked by the operating system or running programs during use for protection, so scanners cannot access them. When the scanner finds such a file, it makes a note and then just skips to the next one. API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer.

In most cases further investigation is required after the initial ARK scan to analyze and identify the files which were detected so they can be removed during a subsequent scan (or with other specialized tools) if found to be malicious.

These are a few of the easier ARKS for novice users:Malwarebytes Anti-Malware uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users