
How can rootkits be detected


13 replies to this topic

#1 rp88

rp88

  • Members
  • 2,983 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:11 AM

Posted 23 March 2015 - 02:38 PM

I just wanted to ask, how can scanning for rootkits and other malware that digs deep into systems, and for example loads before the operating system (sort of "under" it), be done? Which tools are generally used and what are the principles that let this type of infection be detected? What are the usual symptoms of such attack types and how can these be distinguished from other causes? If malware exists at this deep a level in a machine what are the signs of it being there? Thanks
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:11 AM

Posted 23 March 2015 - 04:02 PM

Moved to more appropriate forum.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 RolandJS

RolandJS

  • Members
  • 4,517 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:12:11 AM

Posted 23 March 2015 - 04:06 PM

Quietman7, rootkits are unwanted-utilities that embed themselves right into Windows prime, correct?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:06:11 AM

Posted 23 March 2015 - 04:17 PM

From Wikipedia's article on rootkits...

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.



#5 quietman7


Posted 23 March 2015 - 04:36 PM

Rootkits are powerful stealth system-monitoring programs that are almost impossible to detect. Rootkits are not a malware infection in and of themselves but are used by backdoor Trojans, Botnets and IRCBots to conceal their presence in order to prevent detection of the attacker's software and make removal more difficult. Rootkits can effectively hide their presence by intercepting and modifying low-level application programming interface (API) functions and can hide the presence of processes, folders, files and registry keys.

Not all rootkits/hidden components are malicious. Legitimate programs can use rootkits for legitimate reasons. Most ARK tools check for rootkit-like behavior which is not always indicative of a malware infection. It is normal for a Firewall, some anti-virus and anti-malware software, CD Emulators, virtual machines, sandboxes and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

When used for malicious reasons, a rootkit takes active measures to obscure its presence (hide itself from view) within the host system through subversion or evasion of standard operating system security tools and APIs used for diagnosis, scanning, and monitoring. Rootkits are able to do this by modifying the behavior of an operating system's core parts through loading code into other processes, the installation or modification of drivers, or kernel modules. Rootkits hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Hooking is one of the techniques used by a rootkit to alter the normal execution path of the operating system. Rootkit hooks are basically installed modules which intercept the principal system services that all programs and the OS rely on. By using a hook, a rootkit can alter the information that the original OS function would have returned. There are many tables in an OS that can be hooked by a rootkit and those hooks are undetectable unless you know exactly what you're looking for.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Anti-rootkit (ARK) scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden components may be detected when performing a scan to check for the presence of rootkits and you should not be alarmed if any hidden entries created by legitimate programs are detected. In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. Rootkits can be especially dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and other machines on the network. Rootkits can result in browser search redirects to malicious web pages, the downloading of additional malware, and the ability to receive commands from attackers. Some rootkits can disable anti-virus and security tools in order to prevent detection and even thwart attempts to terminate them.

To learn more about Rootkits, please refer to:

I am a firm believer that if you're unsure how to use a particular security tool (ARK tool) or interpret any logs it generates, then you probably should not be using it. Folks often panic when they see log results they do not understand. Some security tools are intended for advanced users, those who are knowledgeable of the Windows registry or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Some security tools will show everything they find that is a possible problem but you need to know what to remove and what not to remove. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.

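The service-table check described in post #5, as an added example that is not part of the original post or any ARK tool's code: it resolves each table entry to the loaded module that owns the address and lists every entry not handled by ntoskrnl.exe, without judging whether it is benign. The module list, addresses and the driver name `examplehips.sys` are constructed for illustration.

```python
import bisect

def owner_of(address, modules):
    """Return the module whose [base, base+size) range contains address, else None.

    `modules` must be sorted by base address.
    """
    starts = [base for base, _size, _name in modules]
    i = bisect.bisect_right(starts, address) - 1
    if i >= 0:
        base, size, name = modules[i]
        if address < base + size:
            return name
    return None

def audit_service_table(table, modules, kernel="ntoskrnl.exe"):
    """List (index, service, owner) for every entry not served by the kernel image.

    Like an ARK scanner, this only reports: a security driver and a rootkit
    both show up here, and telling them apart needs further analysis.
    """
    modules = sorted(modules)
    findings = []
    for index, (service, address) in enumerate(table):
        owner = owner_of(address, modules)
        if owner != kernel:
            findings.append((index, service, owner or "<no loaded module>"))
    return findings

# Constructed 32-bit layout: (base, size, name). Not taken from a real system.
MODULES = [
    (0x80400000, 0x00200000, "ntoskrnl.exe"),
    (0xF7A00000, 0x00010000, "examplehips.sys"),   # hypothetical security driver
]
# Constructed service table: (service name, handler address).
SERVICE_TABLE = [
    ("NtCreateFile",         0x80456780),   # inside ntoskrnl.exe
    ("NtOpenProcess",        0xF7A01200),   # redirected into the security driver
    ("NtQueryDirectoryFile", 0x8189A000),   # points at memory no module owns
    ("NtEnumerateKey",       0x80512340),   # inside ntoskrnl.exe
]

if __name__ == "__main__":
    for index, service, owner in audit_service_table(SERVICE_TABLE, MODULES):
        print(f"entry {index}: {service} -> {owner}")
```
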
#6 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:01:11 AM

Posted 24 March 2015 - 01:30 AM

I am a firm believer that if you're unsure how to use a particular security tool (ARK tool) or interpret any logs it generates, then you probably should not be using it. Folks often panic when they see log results they do not understand. Some security tools are intended for advanced users, those who are knowledgeable of the Windows registry or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Some security tools will show everything they find that is a possible problem but you need to know what to remove and what not to remove. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.

 

 

+1. Which is why I don't (use ARK scanners) and leave it to the experts trained in such if I suspect as much (rootkit).

Knock wood, I haven't had to since 2009.



#7 RolandJS


Posted 24 March 2015 - 09:31 AM

I've noticed several security packages such as Avast, Avira, Malwarebytes, just to name 3 of many, can scan for rootkits.  I let them scan and report -- however I let nothing get deleted until informed to do so by a security tech such as found here in BC.



#8 quietman7


Posted 24 March 2015 - 11:04 AM

These are a few of the easier ARKS for novice users:

-- Note: Malwarebytes Anti-Malware uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well. Both of these scanners are easy enough for any novice to safely use.

 

 



#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 AM

Posted 24 March 2015 - 02:13 PM

This is one method to detect a rootkit:

 

The rootkit detector wants to detect files hidden by the rootkit.

1) the detector enumerates all files and folders via the Windows API.

2) the detector enumerates all files and folders by accessing the filesystem on the disk directly and parsing the data structures

3) the detector compares the lists produced in steps 1 and 2

 

If files are found with step 2 and not step 1, then it is assumed they are hidden by a rootkit.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
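The three-step comparison from post #9, as an added example that is not part of the original post: to stay self-contained it parses a constructed FAT-style directory (32-byte entries) as the raw on-disk view, where a detector on an NTFS volume would parse the MFT instead. `RAW_DIR` and `API_VIEW` are constructed sample data; `API_VIEW` stands in for the listing obtained through the Windows API.

```python
ENTRY_SIZE = 32
ATTR_VOLUME_ID = 0x08   # also set in long-file-name entries (attribute 0x0F)

def make_entry(name, ext="", attr=0x20, deleted=False):
    """Build one constructed 32-byte FAT directory entry (sample data only)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    raw += bytes([attr]) + bytes(20)
    return (b"\xE5" + raw[1:]) if deleted else raw

def parse_raw_directory(blob):
    """Step 2: read names straight from the on-disk structure, bypassing the OS."""
    names = set()
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = blob[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:            # end-of-directory marker: stop here
            break
        if entry[0] == 0xE5:            # deleted entry, rightly absent from the API view
            continue
        if entry[11] & ATTR_VOLUME_ID:  # volume label or long-name helper, not a file
            continue
        base = entry[0:8].decode("ascii").rstrip()
        ext = entry[8:11].decode("ascii").rstrip()
        names.add(f"{base}.{ext}" if ext else base)
    return names

def cross_view_diff(api_names, raw_names):
    """Step 3: compare both views. Returns (hidden, api_only), each sorted."""
    api = {n.upper() for n in api_names}
    return sorted(raw_names - api), sorted(api - raw_names)

# Constructed raw directory: label, two normal files, one file the API omits,
# one deleted file, the end marker, then stale bytes that must be ignored.
RAW_DIR = b"".join([
    make_entry("MYDISK", attr=0x08),
    make_entry("BOOT", "INI"),
    make_entry("NOTES", "TXT"),
    make_entry("DRV32", "SYS"),
    make_entry("OLD", "TMP", deleted=True),
    bytes(ENTRY_SIZE),
    make_entry("STALE", "DAT"),
])
# Constructed stand-in for step 1 (what a filtered API listing returned).
API_VIEW = ["boot.ini", "notes.txt"]

if __name__ == "__main__":
    hidden, api_only = cross_view_diff(API_VIEW, parse_raw_directory(RAW_DIR))
    print("on disk but not reported by the API:", hidden)
    print("reported by the API but not on disk:", api_only)
```

A file created or deleted between the two enumerations also shows up as a difference, so a detector built this way re-checks a finding before reporting it.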


#10 rp88


Posted 24 March 2015 - 03:31 PM

Thanks for all this detailed information. One of my questions still doesn't seem to be answered though, what are the main symptoms? Strange random changes in files on the machine? Anomalous high processor or RAM or hard drive usage? Slow boot and shut-down times? Or are only the active hacking and malware tools used later visible in any normal way, the rootkits themselves without deep and advanced scanning for hidden files? Are rootkits the ones which can survive a Windows reinstall, restore, reimage, reset or refresh?

#11 Didier Stevens


Posted 24 March 2015 - 03:35 PM

If the rootkit is well designed, there will be no symptoms.




#12 quietman7


Posted 24 March 2015 - 03:58 PM

Are rootkits the ones which can survive a windows reinstall, restore, reimage, reset or refresh?

Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive a reformat and reinfect a clean disk. This type of malware exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS. Further, it is very rare.

#13 RolandJS


Posted 24 March 2015 - 04:12 PM

quietman7, do you remember the earlier days in which MBR and/or FirstSector [Sector 0] was modified by malware or virus?  Sounds like early forerunners of rootkit-like behavior.


Edited by RolandJS, 24 March 2015 - 04:24 PM.


#14 quietman7


Posted 24 March 2015 - 04:21 PM

Mebroot was one of the first...a Trojan horse that overwrites the Master Boot Record of the hard disk with its own code and stores a copy of the original master boot record at another sector (62) while using rootkit techniques to hide itself. Typically a bootkit alters the MBR of the system drive to ensure persistent execution of malicious code. In some cases a bootkit will also try to avoid detection by hiding its own code in the MBR. TDL4/MaxSS creates a hidden partition by modifying a free partition table entry in the MBR partition table at the end of the bootable hard drive. Rather than overwriting the Windows MBR code as its predecessor did, this variant leaves the original MBR code fully intact and gains a foothold onto the system by creating a new, hidden partition where it stashes its malicious file system.

I have several links to articles about these infections in the Glossary of Malware Related Terms.

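A baseline check for the two MBR changes described in post #14 (replaced boot code, and a free partition table entry being filled in), as an added example that is not part of the original post: it parses a 512-byte MBR sector and compares it with a trusted copy saved earlier. The three sample sectors and the helper `build_mbr` are constructed for the demo and contain no real boot code.

```python
import hashlib
import struct

# One 16-byte partition entry: status, CHS start (skipped), type,
# CHS end (skipped), start LBA, sector count. Four entries begin at offset 446.
ENTRY_FMT = "<B3xB3xII"

def build_mbr(boot_code, entries):
    """Build a constructed 512-byte MBR for the demo (sample data, not a real disk)."""
    sector = bytearray(512)
    sector[:440] = boot_code.ljust(440, b"\x00")[:440]
    for slot, fields in entries.items():
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * slot, *fields)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

def parse_mbr(sector):
    """Return (sha256 of the 440-byte boot code area, list of 4 partition entries)."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    entries = [struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i) for i in range(4)]
    return hashlib.sha256(sector[:440]).hexdigest(), entries

def compare_to_baseline(baseline, current):
    """Report differences between a trusted MBR copy and the sector read now."""
    base_hash, base_entries = parse_mbr(baseline)
    cur_hash, cur_entries = parse_mbr(current)
    findings = []
    if cur_hash != base_hash:
        findings.append(("boot_code_changed", None))
    for slot, (old, new) in enumerate(zip(base_entries, cur_entries)):
        if old == new:
            continue
        was_empty = old[1] == 0 and old[3] == 0   # type 0 and zero sectors
        findings.append(("entry_added" if was_empty else "entry_modified", slot))
    return findings

# Constructed samples: (status, type, start LBA, sector count) per slot.
DATA_PART = (0x80, 0x07, 2048, 1_000_000)
BASELINE = build_mbr(b"\xAA" * 64, {0: DATA_PART})
CODE_REPLACED = build_mbr(b"\xBB" * 64, {0: DATA_PART})
ENTRY_ADDED = build_mbr(b"\xAA" * 64, {0: DATA_PART, 1: (0x00, 0x17, 1_002_048, 4096)})

if __name__ == "__main__":
    for label, sector in [("clean", BASELINE), ("code replaced", CODE_REPLACED),
                          ("entry added", ENTRY_ADDED)]:
        print(label, compare_to_baseline(BASELINE, sector))
```

Because the post notes that such malware uses rootkit techniques to hide itself, the sector being checked should be read with the disk offline (for example from a separately booted system), not from inside the running Windows installation.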


