Offline rootkit detection.



#1 Pockets

Posted 24 May 2011 - 09:42 AM

I had a question about what a rootkit would look like to an offline system. The way I understand it, once a computer has a rootkit you really can't trust what you're seeing. However, what if you boot off of USB or CD? They should just be files sitting there like any other.


#2 quietman7
Global Moderator

Posted 24 May 2011 - 01:19 PM

Rootkits are powerful system-monitoring programs that are almost impossible to detect. Rootkits are not an infection in and of themselves. They are used by backdoor Trojans, Botnets, and IRCBots to conceal their presence. Thus a rootkit's purpose is to hide itself from view in order to prevent detection of an attacker's software and make removal more difficult. Rootkits are especially dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult.

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with rootkits that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces of it will be removed as they may not find all the remnants.

There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Keep in mind that not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD Emulators, sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempting removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

To learn more about Rootkits, please refer to:

To learn more about the TDSS rootkit, please refer to:

These are .pdf documents with more comprehensive information.

Edited by quietman7, 24 May 2011 - 01:19 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Pockets (Topic Starter)

Posted 24 May 2011 - 02:00 PM

A lot of good information there. However, it didn't really answer my question about offline systems. Is it easier to scan offline systems when looking for rootkits?

In addition, I am looking for a command line scanner that could maybe be run remotely.

Edited by Pockets, 24 May 2011 - 02:01 PM.


#4 quietman7
Global Moderator

Posted 24 May 2011 - 02:20 PM

IMO it's not a matter of whether it's easier, but in some cases you may have to. For example, sometimes we need to see an offline dump of the computer's Master Boot Record (MBR) to check for a possibly infected MBR. It depends on what you are dealing with, what you are finding/not finding and reported symptoms. Rootkits are not something you can take a simplistic approach with...that's why tools & techniques to detect and combat them are constantly changing.


How to Perform an Offline Virus Scan with a bootable flash drive or rescue CD
Make an Anti Virus Bootable USB Thumb Drive


These are links to Anti-virus vendors that offer free LiveCD/Rescue CD utilities that are used to boot from in order to repair unbootable or damaged systems, rescue data, and scan the system for malware infections. Keep in mind there is no guarantee the repair will be successful and you may need to try more than one. Burn it as an image to a CD disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

-- Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer's BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:

Edited by quietman7, 24 May 2011 - 03:05 PM.

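As an added illustration of the offline MBR check quietman7 mentions (example code written for this page, not from the thread or from any rescue tool it links): the script assumes a raw 512-byte dump of sector 0 taken while booted from rescue media, plus a SHA-256 of the boot code recorded earlier from a known-good image. The sample MBRs and the baseline hash below are constructed inline so it runs offline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot loader code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

def parse_partitions(mbr: bytes) -> list:
    """Decode the four MBR partition entries (little-endian layout)."""
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def check_mbr(mbr: bytes, known_good_sha256: str) -> dict:
    """Compare an offline MBR dump against a trusted baseline hash."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected MBR length {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):   # anything else is malformed
            findings.append(f"partition {p['index']} has bad status 0x{p['status']:02x}")
    if sum(p["status"] == 0x80 for p in parts) != 1:
        findings.append("expected exactly one active partition")
    return {"sha256": code_hash, "partitions": parts, "findings": findings}

# Constructed sample: a stand-in boot loader and one active NTFS (0x07) partition.
CLEAN_CODE = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 10).ljust(BOOT_CODE_LEN, b"\x00")
PART0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
CLEAN_MBR = CLEAN_CODE + PART0 + b"\x00" * 48 + BOOT_SIGNATURE
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_CODE).hexdigest()  # baseline from a trusted image
# Constructed "infected" copy: first boot-code bytes overwritten, partition table untouched.
TAMPERED_MBR = b"\xeb\x3c" + CLEAN_MBR[2:]

def demo() -> tuple:
    return check_mbr(CLEAN_MBR, KNOWN_GOOD_SHA256), check_mbr(TAMPERED_MBR, KNOWN_GOOD_SHA256)

if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result["findings"] or "no findings")
```

On a real system the baseline hash must come from media the suspect machine never touched; a hash-only check misses nothing in the 446 bytes but says nothing about later sectors a bootkit may chain to.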
