AntiOnline Spotlight: Rootkits Lie in Wait
By Enterprise IT Planet Staff
September 29, 2005
Virus and spyware coders are not amused.
They are finding that security vendors are keeping pace and firing off timely signatures, sometimes mere hours after a new bug surfaces. They also have to contend with a populace that's growing somewhat smarter about security coupled with a certain software behemoth that has taken to releasing updated malware cleaners nearly every Patch Tuesday.
Rootkits leave the backdoor wide open, granting an attacker full control over your PC including the ability to capture every last keystroke.
Tough times for virus writers indeed.
So some are starting to turn to rootkits, sneaky code that puts viruses and spyware to shame.
Rootkits differ from most malware in some fundamental ways. However, what really has security professionals on edge is that they are virtually undetectable. Moreover, if history is any guide, the rootkits of today can morph into tomorrow's spyware.
Unlike viruses with their meager bag of tricks, rootkits carry some pretty nasty capabilities, not the least of which can include total "ownership" over a system.
And you can forget about running a virus scan (although some vendors are on the lookout). Rootkits come in many flavors but most don't play by the same rules as regular malware, so you can give up on looking for suspect entries under the processes tab to hunt down the particularly troublesome ones.
Lately, security sites have been buzzing about the upswing in rootkits. Is this a precursor to a wave of dangerous new threats?
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
This Week's Spotlight Threads:
New security threats: be afraid, be very afraid.
Initial investigation of suspected compromised Windows system
An unsolved case raises the specter of a possible rootkit. sec_ware gives us a run-down of what the culprit may look like...
Just to remember: In general, one classifies two levels of rootkits: user-land and kernel-land rootkits. If you download tools, as provided in the excellent links by catch, you will defeat user-land rootkits - as you already know. But the links also provide you with detailed information, such as the detection of the AFX rootkit, and further reading material.
Anyway, your question seems to be: What can I do if the machine is compromised with a kernel-land rootkit? Although there are a couple of rootkit revealers out there (e.g. RootkitRevealer, modGreper, Strider, and check rootkit.com for Klister, Patchfinder2 and VICE) it is, in principle, possible to even hide from these detectors. And to complicate things, false positives often occur. However, most of the above detectors will identify standard rootkits used, such as Vanquish and HackerDefender.
What options are left?
One possibility is to compare MD5 hashes of system files on the compromised machine (a tool is given in catch's first link) with MD5 hashes of trustworthy system files. Tedious work.
Another possibility (unfortunately you will be in a passive state) is to capture and analyze the traffic from and to the compromised machine, using an external "sniffer". Port-scanning is not a final means to reveal possible "active" ports (portknocking-like approaches).
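The hash-comparison option sec_ware describes, written out as an added example (this is not code from the thread, from catch's links, or from any tool named above). It builds a manifest of file hashes for a known-good tree, builds another for the suspect tree, and reports what changed. The file names and contents in `demo()` are constructed sample data; the hash defaults to MD5 to match the post, but the `algorithm` parameter accepts any `hashlib` name and SHA-256 is the better choice today because MD5 collisions are practical.

```python
"""Baseline hash comparison of system files (added example, not from the original post)."""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="md5", chunk_size=65536):
    """Hash one file in chunks so large system files need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, algorithm="md5"):
    """Map every file under `root` (path relative to root, '/' separated) to its hash."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algorithm)
    return manifest


def compare_manifests(trusted, suspect):
    """Report files whose hash differs, files the suspect tree lacks, and
    files present in the suspect tree that the trusted baseline never had."""
    return {
        "modified": sorted(p for p in trusted if p in suspect and suspect[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in suspect),
        "unexpected": sorted(p for p in suspect if p not in trusted),
    }


def _write_tree(root, files):
    """Write a dict of relative path -> bytes under `root` (test scaffolding)."""
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo(algorithm="md5"):
    """Constructed sample: a 'trusted' tree (e.g. from clean install media) and a
    'suspect' tree where one driver was swapped, one binary removed, one driver added."""
    trusted_files = {
        "system32/ntoskrnl.exe": b"constructed clean kernel image",
        "system32/drivers/tcpip.sys": b"constructed clean driver",
        "system32/cmd.exe": b"constructed clean shell",
    }
    suspect_files = {
        "system32/ntoskrnl.exe": b"constructed clean kernel image",
        "system32/drivers/tcpip.sys": b"constructed TAMPERED driver",
        "system32/drivers/hidden.sys": b"constructed unknown driver",
    }
    with tempfile.TemporaryDirectory() as trusted_root, tempfile.TemporaryDirectory() as suspect_root:
        _write_tree(trusted_root, trusted_files)
        _write_tree(suspect_root, suspect_files)
        return compare_manifests(build_manifest(trusted_root, algorithm),
                                 build_manifest(suspect_root, algorithm))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

For the comparison to mean anything the suspect manifest must be built with the suspect operating system not running: boot from clean media and hash the mounted disk, or pull the drive. As the post notes, a kernel-land rootkit can hide from detectors, and that includes filtering the file listing and file contents that a hashing tool run on the live system receives.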
This older post from The Duck alerts the community to the growing threat with this snippet from SNPX.com:
"In particular, some newer rootkits are able to intercept queries or 'system calls' that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools."