Detecting Rootkits

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
There are several methods to detect rootkits, all of which can be circumvented if the rootkit itself is aware of the trick. Patched memory can be detected by reading the call tables or functions and checking their values. Instructions can be counted during runtime and compared with a baseline. Any sort of behavior changes can, in theory, be detected. The key weakness is when the code that performs this sort of check lives on the same machine that performs the check. An interesting trick to detect a rootkit is discussed in Phrack Magazine, Issue 59, Article 10, "Execution Path Analysis: Finding Kernel Based Rootkits" by Jan K. Rutkowski. A tool to detect rootkits in the Solaris kernel can be downloaded from http://www.immunitysec.com.

The ultimate end to most software exploits involves the installation of a rootkit. Rootkits provide a way for attackers to return at will to machines that they "own". Thus rootkits, like the one we discuss in this chapter, are extremely powerful. Ultimately, rootkits can be used to control every aspect of a machine. They do this by installing themselves deep in the heart of a system.

Rootkits may be run locally or they may arrive via some other vector like a worm or a virus. Like other kinds of malicious code, rootkits thrive on using hooks, trampolines, and patches to get their work done.

Excerpt from: "Exploiting Software, How to Break Code"
 

Ramblin

Level 3
May 14, 2011
1,014
Zou, nice articles about rootkits.

Using Sandboxie prevents the installation of rootkits, as SBIE does not allow the installation of drivers. If a program running in a sandbox tries to install a rootkit, Sandboxie issues message 2103.

http://www.sandboxie.com/index.php?SBIE2103

If anyone who's not using Sandboxie would like to be worry free about rootkits, the solution is easy: install Sandboxie.

Bo
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
I like what you said. In light of that, as far as what I have read, the most stealthy, thus dangerous rootkits are a result of direct injected kernel binary (executable malicious code) being spread across several drivers, not just one (which tends to cause BSOD and other obvious symptoms of infection). "Trampoline" exploits (multiple buffer overrun address attempts corresponding within the same "backdoor attack" to map the trampoline or buff address pathway) help to make that possible. Ultimately patching Ring 0 (Kernel) (runtime patching in conjunction with low-level hardware manipulation) can help a clandestine hacker completely disguise a rootkit to the point of making it all but impossible to detect even with the help of a computer forensics expert via reverse engineering.

Yes my friend; Sandboxie is very, very good in light of this knowledge. It is also why I have chosen a radically tweaked behavior blocker in Threatfire.

I believe that we will always have a lot of on-demand scanners out there, but eventually I think we will see sandboxes evolve with only HIDS, HIPS, or behavior blockers as real-time security. I don't think "real-time AV signatures" are going to cut it much longer for defense purposes. There are simply too many government hackers and private sector hackers out there injecting malicious code.

http://classes.soe.ucsc.edu/cmps223/Spring09/Pincus%2004.pdf
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
What is patched memory? I can't find a definition online.

Modified data that is stored in memory when software executes, to manipulate said software. It is what advanced gamers do when they want to make their gaming software more "user friendly".
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

The different types of rootkits are:

1. Persistent Rootkits
2. Memory-Based Rootkits
3. User-mode Rootkits
4. Kernel-mode Rootkits

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.


Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.



User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.



Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.




The latest rootkits that have infected most users are Trojan.ZeroAccess, or Global Root, or Siref.

This one is infecting in 2 ways nowadays:
1. Infecting c:\WINDOWS\system32\services.exe
2. Infecting c:\WINDOWS\system32\services.exe and the boot sector of the computer.

If it is infecting c:\WINDOWS\system32\services.exe only, then we can fix it manually by replacing c:\WINDOWS\system32\services.exe with a good one from a reinstallation CD or from backup files.

If it is the 2nd case then we need the help of a boot fix tool.

We can identify its presence in our computer by trying to reset the WINSOCK.

In the Command Prompt type NETSH WINSOCK RESET and hit Enter.

If we get the message
"Successfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset."
then we are safe from this infection.

If we get any error message with
"Successfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset."
then there is some problem in our computer.
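The kernel-mode hiding described above (unlinking a process from the kernel's active-process list) and the cross-view check a scanner uses against it, as an added Python simulation that is not code from this post or from any tool named in the thread. The process objects, PIDs and names are constructed, and the doubly linked list here stands in for the kernel's real process list.

```python
"""Cross-view detection of a process hidden by list unlinking (DKOM).

A list walk (what Task Manager-style tools see) is compared with a scan of
every process object still present in memory (what a memory scanner sees).
"""
from dataclasses import dataclass, field


@dataclass
class Process:
    pid: int
    name: str
    flink: "Process | None" = field(default=None, repr=False)
    blink: "Process | None" = field(default=None, repr=False)


def build_active_list(procs):
    """Link the objects into a circular doubly linked list; returns the head."""
    for a, b in zip(procs, procs[1:] + procs[:1]):
        a.flink, b.blink = b, a
    return procs[0]


def unlink(proc):
    """Splice one node out of the list without freeing the object. The object
    (and the running process it stands for) still exists; only the list view
    no longer reaches it. Do not unlink the head node in this simulation."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink


def walk_list(head, limit=10_000):
    """List view: follow flink pointers from the head until the list wraps."""
    seen, cur = [], head
    while cur is not None and len(seen) < limit:
        seen.append(cur.pid)
        cur = cur.flink
        if cur is head:
            break
    return seen


def scan_pool(pool):
    """Scan view: pick out every process object, linked or not. The isinstance
    test stands in for a scanner matching object signatures in raw memory."""
    return sorted(p.pid for p in pool if isinstance(p, Process))


def find_hidden(head, pool):
    """Cross-view: PIDs the scan finds that the list walk never reached."""
    listed = set(walk_list(head))
    return [pid for pid in scan_pool(pool) if pid not in listed]


def demo():
    # Constructed sample: four simulated process objects, one then hidden.
    procs = [Process(4, "System"), Process(412, "smss.exe"),
             Process(1337, "hidden.exe"), Process(2000, "explorer.exe")]
    head = build_active_list(procs)
    unlink(procs[2])  # pid 1337 disappears from the list walk only
    return walk_list(head), find_hidden(head, procs + ["not a process"])


if __name__ == "__main__":
    listed, hidden = demo()
    print("list walk sees:", listed, "hidden per cross-view:", hidden)
```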
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
To kill ZeroAccess use e.g. RogueKiller by Tigzy; scan too with XueTr, PowerTool, etc. anti-rootkits on demand.
 

MalwareVirus

Level 1
Oct 6, 2012
770
Prorootect said:
To kill ZeroAccess use eg RogueKiller by Tigzy,
Whenever I try to execute RogueKiller, antivirus (Kaspersky, Webroot) shows it's a threat and blocks it. I know it is safe, but why does the antivirus show it's a threat?
 

Deleted member 178

Some repair/cleaning tools, especially removers, are coded like malware or manipulate system areas that are usually infected by them.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
"We can identify its presence in our computer by trying to reset the WINSOCK."

I wondered what that tool was for. I have WINSOCK Fix, or some such thing on my USB Stick Kit.

Good stuff up above.

EDIT: "To kill ZeroAccess use eg RogueKiller by Tigzy"

Got a link for the latest version of that anyone?

I have blown that off until I just now saw that it is supposed to kill Rootkit Zero Access.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
"Are threatfire works with EAM ?
Thanx"

I would assume that actions related to an EAM are very noisy, especially when it is time to extract intel from the host machine. While Threatfire seems to fail to completely shut down around 6% of the malicious behaviors on two reviews I have seen, I would be shocked if it did not throw a fit in that kind of environment. While a behavior blocker might not stop everything, it would definitely let you know something is VERY WRONG in an EAM environment on your PC that you were not initially aware of.

I am getting ready to try Online Armor, minus the firewall, for HIPS. Biozfear is eventually doing a review to show how to set it up. This program looks to be very promising.
 

icorino

New Member
Verified
Nov 18, 2012
16
Malware is busy with their anti-rootkit program, looks promising...

http://malwaretips.com/Thread-Malwarebytes-Anti-Rootkit-BETA-Released
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
The most painful type of vector for rootkits are those affecting the MBR (Master Boot Record), since it's pretty vital for the everyday booting of the operating system, and the removal process isn't easy as it could pose damage too.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
jamescv7 said:
The most painful type of vector for rootkits are those affecting the MBR (Master Boot Record), since it's pretty vital for the everyday booting of the operating system, and the removal process isn't easy as it could pose damage too.


MBR infection is fine; we can remove it using TDSSKiller, ComboFix, the recovery console or a Windows bootable CD. If the rootkit is infecting the kernel then it will be very difficult to remove.
 

Gnosis

Level 5
Thread author
Apr 26, 2011
2,779
https://encrypted.google.com/#hl=en&output=search&sclient=psy-ab&q=malicious+binary+in+memory&oq=malicious+binary+in+memory&gs_l=hp.3..33i29i30.957.7218.0.7382.30.23.4.3.3.1.373.3569.3j16j3j1.23.0...0.0...1c.1.8.psy-ab.brJLmTmj0ZU&pbx=1&bav=on.2,or.r_qf.&bvm=bv.44770516,d.aWM&fp=22880450af22a6af&biw=1024&bih=671


Open the first (top) link and use Foxit or Adobe to view the text. It should help answer your question per memory patching.
 
