Rootkit Detection and Removal

Dealing with the threat of trojan rootkits

Rootkits are not themselves malware programs. Rather rootkits are programs that hide the presence of malware programs.

They do this using a variety of clever tricks to manipulate Windows itself, the effect of which is that you cannot see the malware product on your computer using normal Windows programs.

For example, you will not be able to see any of the malware files in Windows Explorer or any other common file viewer.

Nor will you be able to see any of the malware processes by using Task Manager or most other process viewers.

Similarly there will be no visible malware entries in the Windows Startup folder or other startup locations. Even a HijackThis log will show nothing.

In other words, the malware infection is totally stealthed from your view and the view of most of your security software products.

Because of this stealthing your security software may report that your PC is totally clean from infection when in fact you are infected.

In the past rootkits have been mostly used by hackers to hide trojans. Increasingly however there are being used to hide spyware or mass circulation viruses and worms. That’s bad news for users as they are far more likely to encounter these infections than hacker trojans .  

Detecting the presence of rootkits and the products they are stealthing is not easy  Certainly most anti-virus and anti-spyware scanners can’t detect them though a few are just now starting to add features to help with detection. What is needed is a specialist rootkit detector.

Rootkit Detection

If a uninfected copy of the test system is available as a reference rootkits can detected  by doing a file-by-file comparison while working from the uninfected copy. Here the infected system is treated just as data so the cloaking effect of the rootkit is not in play. In this situation, the rootkit and its payload can be easily discovered. The infected page can be checked at 192.168.1.1 or 192.168.l.l

However this is a situation that would be rarely encountered in practice as almost no one has a reference copy of their system. Quite separately, systems are not static anyway; legitimate changes are constantly taking place within a system and such changes make simple file comparisons difficult.

So in real-life rootkit detectors have to work from within the potentially infected system. Detecting rootkits in this situation is really tough but there are several different techniques that can potentially be employed and new ones are being developed. None however, are perfect.

To make matters worse,  rootkit developers are aware of these techniques and are constantly developing their products to evade new detection methods. In effect it’s become a cat-and-mouse game between the bad guys and the goodies.

What that means is there is currently no such thing as a perfect rootkit detector. The good news is that it also means there is probably no such thing as a perfect rootkit either.

This situation means that users should not lock into the idea that one particular rootkit detector is “the best.” Indeed I suggest you adopt the practice of using several detectors. You should also ensure that you regularly update your detectors as the current cat-and-mouse game means that products are constantly evolving.

Rootkit Detectors (RKDs)

There are over a dozen RKDs available but most are difficult to use or are targeted to detecting specific rootkits. The following four programs seem to be the best  for general use. I suggest you use all three.  Between them will detect the  majority of current rootkits. I have added a fifth program called IceSword but it’s really only suitable for experienced users.

These programs are all free and require Windows 2000 systems and later. They all require Administrator user rights to run.

I wish I could offer alternatives for Window 9x users but there are simply no comparable products available.

BlackLight from F-Secure

This is a free beta that’s F-Secure will incorporate into its commercial security products at a future date though they have pledged BlackLight will remain free until March 2006. The program is currently being updated around once a month by hotstarforpc.com.

F-Secure does not give much information how the program functions other than to say it “works by examining the system at a deep level. This enables BlackLight to detect objects that are hidden from the user and security software.”  BlackLight will detect hidden files, folders and processes but not hidden registry keys.

BlackLight is currently the easiest RKD to use. It requires no installation and it  scans very quickly – less than a minute on my test PC.

It also offers a removal option for any rootkits detected by renaming the files involved.  Before using this option I suggest you read the section on rootkit removal below. 

BlackLight requires Windows 2000 or later (32 bit only) and the download is 611KB.

RootkitRevealer from Sysinternals.

This free utility compares users mode information to kernel mode and reports differences that exist in the Windows Registry and file system .

Like BlackLight it requires no installation, just double click the .exe file. To start a scan select File/Scan. It took about 20 minutes to scan my test PC.

The program has an option to scan NTFS alternate data streams for hidden code. This option is normally off as it can generate a lot of false positives particularly for those who use products like Kaspersky AV V5 that legitimately store data in these data streams. Experienced users however may want to play with this setting.

RootkitRevealer will not remove rootkits. The authors suggest users conduct a Google search on how to remove any detected malware or re-format the drive and re-install Windows.

Malicious Software Removal Tool from Microsoft

This program is not a dedicated RKD but rather was designed to detect and remove several major virus and worm families. It does however have the capacity to detect the Hacker Defender rootkit and detection of other rootkits may be added at a future date. The program is updated monthly and distributed via the Microsoft and Windows Update services.

If you receive the program through the update service it will run automatically once it is installed.  You will only know that it has run if a malware product is detected on your PC

I can see the logic in this but personally I like to run the program more often That’s not a problem as Microsoft provide an online scan using the latest Removal Tool.

You can access the online scan here but note that you need Internet Explorer as the web page uses ActiveX controls.

The latest version of the program can also be downloaded from here.

Scanning took around one minute on my test PC. The only indication you get the program is working is the hard disk activity light but at the end of the scan you are presented with a list of malware that is scanned for and a statement for each whether they are present or not.

Rootkit Hook Analyzer

The folks over at Resplendence are currently offering Rootkit Hook Analyzer as a free beta of what will eventually become a commercial product.

As the name implies it identifies any active kernel hooks in your system. Now some kernel hooks may be established by legitimate programs so you need to be very careful interpreting the results. Also some rootkits don’t employ kernel
hooks so it won’t catch these. These reservations aside, it is a useful tool.

The program  runs on Windows XP, 2000 and 2003 Server with the exception of the 64 bit editions and the download is 993KB.

IceSword  (Suitable for experienced users only)

This free Chinese utility is arguably the biggest gun in the rootkit detection war.

It’s not really an automated rootkit detector in the manner of BlackLight but rather is a suite of tools that allow a skilled user to detect the presence of a rootkit.

These tools include a process viewer, a startup analyzer,  a port enumerator and more.  These tools will reveal the presence of rootkits and the products they are stealthing but it’s up to you to do the identification. In the hands of an skilled user, its an amazing tool.

The program was originally only documented in Chinese but an English version has now appeared.  The Chinese download site is very slow but David Wasson has provided a local mirror.   (565KB)

Removing Rootkits

Removing rootkits presents two quite separate problems. The first is the removal of the rootkit itself. The second is the removal of the malware that the rootkit was stealthing.

Because rootkits work by changing the Windows operating itself, it may not be possible to remove the rootkit without causing Windows to become unstable or non-functioning.

Removing the malware hidden by the rootkit presents the normal problems of removing any malware. However you won’t be able to do this until the rootkit is removed  at which point the whole system may become unstable to the point that the malware can not be completely removed.

Restoring your drive from a drive image is another possibility providing you are sure the image was created before the rootkit infection and that your imaging program restores the boot sector on your disk.

Avoiding Rootkit Infection

The rules to avoid rootkit infection are for the most part the same as avoiding any malware infection however there are some special considerations:

Because rootkits meddle with the operating system itself they require full Administrator rights to install. Hence infection can be avoided by running Windows from an account with lesser privileges.

This is however not always practical. I can’t operate my PC efficiently with less than Administrator rights and many folks will be in the same boat.

A more practical approach is to use security tools like Process Guard and Anti Hook that have the capacity to prevent programs from installing global hooks. Most (but not all) rootkits rely on establishing global hooks for their stealthing. If this can be prevented then the rootkit cannot function. And it’s not only a question of stopping hooks; both these programs have other features to prevent rootkits installing such as preventing process injection.

Process Guard is a $29.95 shareware product while Anti Hook is free.  Of the two I prefer Process Guard. It’s easier to use and provides a wider spectrum of defenses against attacks. However Anti Hook certainly has some impressive features and has the advantage of being free for personal use.

Not all users will need the level of protection afforded by these products but high risk users such as P2P users, users of cracked software and those who regularly download and install programs should regard them as mandatory.

This entry was posted in Guide, Rootkits. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *