rootkits

Dear all
I am trying to get my mind round Rootkits.
I think i know what they are.Thanks to Wikipedia.
What i really want to know is.
Are the blocked by a firewall,such as Comodo or by an Anti-Virus such as AVG or CAVS
I have tried running Rootkit Revealer but have not yet learnt to interpret the results.
I don’t think for one moment that i have a Rootkit problem.I just wanted to learn all about them,having read about the Sony debacle.
If anybody has a view,please let me know.
Regards

Can I move this to “learn all about security/HIPS” section?

I’m not sure if HIPS prevents this.
If it doesn’t, Comodo has a new tool to develop… :wink:

Please do,if you think appropiate

I would also like to know… ;D
I haven’t done much research about rootkits…

Thanks,we shall see very shortly i suspect

I have moved Rambo’s question here, because I don’t think that a firewall or AV can do anything about rootkit’s, but I’m not sure.
Read the first post.

Can HIPS do anything about them?

Good! ;D

Maybe it’s getting rid of them that’s hard…

I have searched the helpfile in NOD, but couldn’t find any info…
I can look at the website.

I found this very interesting article on a Microsoft Site.Serious thought is required.

Rootkits: The Obscure Hacker Attack
Published: October 6, 2005
By Mike Danseglio and Tony Bailey

See other Security Tip of the Month columns

A rootkit is a special type of malware (malicious software). Rootkits are special because you don’t know what they’re doing. Rootkits are nearly undetectable and they’re almost impossible to remove. Although detection tools are proliferating, malware developers are constantly finding new ways to cover their tracks.

A rootkit’s purpose is to hide itself and other software from view. This is done to prevent a user from identifying and potentially removing an attacker’s software. A rootkit can hide almost any software, including file servers, keyloggers, botnets, and remailers. Many rootkits can even hide large collections of files and thus enable an attacker to store many files on your computer invisibly.

Rootkits do not infect computers by themselves like viruses or worms do. Instead, an attacker identifies an existing vulnerability in a target system. Vulnerabilities may include an open network port, an unpatched system, or a system with a weak administrator password. After gaining access to a vulnerable system, the attacker can install a rootkit manually. This type of stealthy directed attack does not usually trigger automated network security controls such as intrusion detection systems.

Identifying rootkits can be difficult. There are several software packages that detect rootkits. These software packages fall into two categories: signature-based and behavior-based detectors. Signature-based detectors, such as most virus scanners, look for specific binary files that are known to be rootkits. Behavior-based detectors attempt to identify rootkits by looking for hidden elements, which is the primary behavior of rootkits. One popular behavior-based rootkit detector is Rootkit Revealer.

Once you’ve identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they’ve been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

Preventing rootkits from getting onto your system is the best strategy you can use. This is done with the same defense-in-depth strategy that you should use to prevent all malware from attacking your computer. Elements of defense-in-depth include virus scanners, regular software updates, a firewall on the host and the network, and a strong password strategy.

For more information on rootkits, see the excellent webcast Rootkits in Windows.

In addition, the Microsoft Solutions for Security and Compliance (MSSC) team has produced the Antivirus Defense-in-Depth Guide, which provides an easy-to-understand overview of different types of malware, including information about the risks they pose. The guide also discusses malware characteristics, means of replication, and payloads.

You can also find other MSSC guidance on the TechNet Web site.

Rootkit Revealer is great at finding rootkits on your pc but does not help with removal. F-secure Blacklight, I think, can help with removal and detection. The free trial of the latter products is available until April but after this will be bundled with their new security suite.

:SMLR

IceSword is a rootkit tool as well…

Comodo should make one… :wink:

Thanks.
This is where it gets interesting
Regards

IceSword seems to be generally recognized as one of the best at detection, and also has removal capabilities.

Then you have others such as GMER, and as already mentioned, RKR. RKR is nice because it has some very detailed instructions available from Sysinternals (now a part of Microsoft Technet), discussing the various types of results that are returned. Here’s the big problem - even on a clean system you can get a lot of false positives, so it is not recommended to try to remove things that show up on a scan, unless you absolutely know what you’re doing (and I think there’s very few that do, when it comes to rootkits!).

I think this is where a HIPS type of program comes in, to prevent them in the first place.

Melih has stated that the HIPS being developed for inclusion with CFP will stop rootkits. I’m guessing that they’re building off of the ABA currently in CFP, combined with a safelist of apps (based on some of his comments).

The most recent FULL (paid) version of CyberHawk by Novatix has a rootkit scanner (I don’t know if it’s supposed to stop before infection, or find & remove).

ProcessGuard by DiamondCS is an entire behavior analysis program (like CFP’s current ABA, and a lot more), for the FULL (paid) version, at least. The free version protects from Execution, Reading, Modification/Injection and Termination, which is quite a bit; the full version is supposed to do that plus Block New/Changed Programs, Protect Physical Memory, Block Global Hooks, Block Unwanted Drivers/Services, Block Registry DLL Injection, Secure Message Handling, and have an Interface (GUI) Lock. They have a very good explanation of what it does and why, and provide a very in-depth level of control over what applications are “protected,” how they’re protected, so that the user can undo decisions that are made. The downside: Just like with CFP’s ABA, the user is required to respond to the prompt to allow or deny. Since many safe applications do at times violate these rules, there will be alerts on safe applications (but the popup only shows the executable/component/etc, and doesn’t necessarily refer to the application question); on the plus side, their log entries do show what the application is, so it’s easy to go back and make changes.

From what I understand, that article is dead-on about the difficulties of dealing with rootkits. It seems that the best thing to do is not just a reformat, but a secure wipe of the drive, to over-write all sectors so as to make sure you’re not leaving anything behind (even a full format does not do this).

LM

Just to report
I have run Blacklight
Scan takes about 15 minutes.
All very simple,but do be advised this is still a Beta but it does have the F Secure name behind it.
The Result 0000000 Nothing Found .
I am not really surprised.
Thanks to All for your help and guidance.
Best Regards
Philip

A full format removes access to the information; in other words, there are no reference points left, so Windows won’t run. However, the information still exists. This is the same as if you delete a file; it still exists until those sectors are over-written.

That’s why it is possible to restore deleted files, and where forensic tools come into play to examine HD contents even if it’s been formatted or physically damaged in some way. Data can still be recovered.

In the case of a rootkit, they are apparently able to “survive” in this fashion until they are overwritten. Since data is not written in such a way that you know that old information/rootkits have been overwritten, the only viable solution is to use a utility that will do a secure wipe of the HD, then reformat and reinstall the OS.

What happens with the secure wipe is that the software will do multiple passes of the HD. Each pass writes to each sector of the drive in a different way, so that the old data is not only erased, but overwritten, thus ensuring that it cannot remain.

Most cleaners (like ccleaner, etc) have an option to enable secure deletion, usually referencing DOD specs, and 3 or 7 passes. This rewrites the sectors while the system is active, but only those sectors. The HD wipe occurs outside of the system, and completely removes & overwrites all data. Thus, you can have confidence that the rootkit is gone.

LM

Thank’s Littls Mac for the info.

I’ve used IceSword now, and it didn’t find anything.
I have scanned/used Gmer as well… there are a lot of files that you don’t know that they exist, until you use tools like these… 88)

I still think that Comodo should make a tool for rootkits… ;D

It’s only what I’ve read from the “experts.” I do not know it first-hand, but then, I’m no expert! ;D On the other hand, if I thought I had one, I’d want to make absolutely sure I got rid of it; I wouldn’t take any chances of survival. There are free apps available to create a bootable CD and run the secure wipe utility from there; if you’re going to do a full format anyway…

From what I’ve read, rootkits have a way of avoiding removal by applications even as strong/thorough as IceSword, but creating a sort of “virtual” environment where they hide while IS is scanning. Given the reputation of IS for detection & removal of rootkits, I would consider it unlikely that nod32 (as good of an AV as it is) would be very successful in that way… Unless it is supposed to stop the rootkit before it starts… That’s not a slam on nod32, just that definition-based AVs don’t seem to be very effective against rootkits, even if they say they are. Just the nature of the it…

LM

Most AVs have a heuristic aspect; without it they’d be complete toast, no doubt! However, if that worked, there’d be no rootkits, would there… :wink: Back to the “nothing’s 100%” thing.

My understanding is that with a rootkit, there would not be anything for you to notice. No system errors, no slowdowns, nothing for AV to warn you about. An antispyware might notice a dll change or a global hook, but apparently that’s not very likely. A firewall won’t even know it’s getting out, as it appears to be a legitimate part of the system.

Kinda scary, yes. Some keyloggers also embed themselves in the kernel as well (rather than a global hook), and act just like a rootkit, evading capture, and sending all your keystrokes (and even screenshots, in some cases) back to their source. How do you know it’s there? Well, if you have a HIPS it might alert you (then again, it might not); from there, you have to try to track it down, and that is the really hard part (from my perspective), as it seems you have a snowballs chance in a fire of finding it unless you’re a very high-level tech.

LM

PS: As to how much I know… well, look at the tagline in my signature… ;D

LM

The more one learns and gets into all this security talk (:NRD), the more one might become paranoid. Let’s not forget about that (:TNG). Sure, 100% protection doesn’t exist, but as long as my computer is still perfectly useable in my eyes, that’s all that matters. Isn’t this what the average user thinks? I don’t know.

You’re probably right there - if it works, there’s nothing wrong, LOL. If only that were true all the time… Then there are the people that when something goes wrong, they blame everything BUT the actual problem (which is, they’ve got malware and don’t even know it…).

Paranoia is the only answer! It’s all a conspiracy, and the machines are taking over the world! (:KWL)