Detection and Removal of Rootkits!
Today viruses and spyware are widespread on the internet and the problem is only getting worse daily! Not only do we have to worry about viruses, spyware, trojans, malware and spam, but also about rootkits and keyloggers stealing your personal information or, worse, your BANK account details. Below are some great tips on how to detect and remove rootkits. A rootkit is a set of tools or a program that is designed to hide activity on a computer (legitimate or otherwise). A rootkit in itself is not malicious – many antivirus programs and some games (for example, nProtect GameGuard) use rootkit-like technology to hide or protect themselves. A rootkit can keep itself, other files, registry keys and network connections hidden from detection, and this is why they are so dangerous.
How do I know if I have a rootkit?
- Run a system scan using several rootkit detectors, and send the logs to an expert for analysis. Some good resources are the forums at Sysinternals here, and the GeeksToGo forums here. If you are unsure if something is a rootkit, DO NOT DELETE IT!
Where Rootkits Hide:
- The SSDT (System Service Descriptor Table) is a kernel table that stores the addresses of the system service functions used by Windows. Whenever a system call is made, Windows looks in this table to find the address of the function that handles it. However, a lot of rootkits and some legitimate software hook this table, redirecting these requests to their own code. This type of hooking can be used to hide just about anything on Windows.
- System services are programs that start whenever Windows does. Most rootkits are started as a system service. Some rootkits attempt to hide these services so that a user cannot see them.
- See this post for more information about rootkits, where they hide, and more.
Scanning and Removal:
Gmer is a hidden service, hidden registry and hidden file system scanner and remover with many features. It is an excellent piece of software with a very nice user interface, which makes it very easy for non-technical people to use. Also from Gmer is the Master Boot Record (MBR) detection tool for Sinowal/Mebroot and other botnet variants: a very severe infection that is highly undetectable by most signature-based virus detectors on the market today! Read more here: F-Secure primer.
- Download http://www2.gmer.net/mbr/mbr.exe
- Turn off your antivirus and disconnect from the internet.
- Double-click mbr.exe.
- A report will be generated: mbr.log
- If the machine is infected, the message "MBR rootkit code detected" will appear in the report.
- In the Start Menu > Run, type (adjust the path to wherever you saved mbr.exe; "Bureau" is the Desktop folder on a French-language Windows install):
"%userprofile%\Bureau\mbr" -f
- In mbr.log this line should then appear: "the original MBR restored successfully!"
- You can post the report on the forum to get some help.
- Run mbr.exe again to check that the infection is no longer present; the new report should no longer find a rootkit.
Example report from an uninfected machine:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn’t a “click-here-to-delete-rootkits” product but a sophisticated discovery tool that can protect against sinister rootkits if used before they infect a machine. Hacker Defender is a strong rootkit, and the Gold and Silver Hacker Defender packages are more potent. Many antirootkit programs, such as Rootkit Revealer and BlackLight, can’t detect Hacker Defender and others although updates are happening all the time. (Such statements can be found on the Web site of the author of Hacker Defender.) I haven’t got the Gold and Silver packages. But on the author’s home page, it is stated that Hacker Defender cannot evade IceSword. And IceSword is continually improving.
Sysinternals RootkitRevealer is an advanced patent-pending rootkit detection utility. It runs on Windows NT 4 and higher, and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at Rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like FU that don't attempt to hide their files or registry keys).
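The "discrepancy" approach used by RootkitRevealer (and by Gmer's hidden file and registry scans) is cross-view detection: list the same objects once through the normal Windows API, which a rootkit can filter, and once by reading the raw NTFS structures or registry hive directly, then compare. The script below is an added example, not RootkitRevealer's code, and works on constructed listings; the file, driver and service names in it are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str    # "hidden", "api-only" or "mismatch"
    path: str
    detail: str


def cross_view_diff(api_view: dict, raw_view: dict) -> list:
    """Compare a high-level view (what the Windows API returned) with a raw
    view (what a direct read of the NTFS structures / registry hive returned).
    Both map an object path to a fingerprint string (hash, size, value data).
    Raw-only entries are the suspicious ones: the API answered "not there"
    for an object that exists on disk, the signature of hooking/filtering.
    API-only entries are usually objects that changed between the two scans
    and are reported separately so they are not mistaken for hiding."""
    findings = []
    for path in sorted(raw_view.keys() - api_view.keys()):
        findings.append(Discrepancy("hidden", path, "present in raw view, absent from API view"))
    for path in sorted(api_view.keys() - raw_view.keys()):
        findings.append(Discrepancy("api-only", path, "visible to API, absent from raw view (likely changed between scans)"))
    for path in sorted(api_view.keys() & raw_view.keys()):
        if api_view[path] != raw_view[path]:
            findings.append(Discrepancy("mismatch", path, f"API {api_view[path]!r} vs raw {raw_view[path]!r}"))
    return findings


def hidden_objects(api_view: dict, raw_view: dict) -> list:
    """Just the paths that something appears to be hiding from the API."""
    return [d.path for d in cross_view_diff(api_view, raw_view) if d.kind == "hidden"]


# Constructed sample listings (not real scanner output); all names are invented.
API_VIEW = {
    r"C:\Windows\System32\drivers\ndis.sys": "sha1:aaaa",
    r"C:\Windows\System32\drivers\netbt.sys": "sha1:dddd",
    r"C:\Windows\Temp\tmp1.tmp": "size:512",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon": "Start=2",
}
RAW_VIEW = {
    r"C:\Windows\System32\drivers\ndis.sys": "sha1:aaaa",
    r"C:\Windows\System32\drivers\netbt.sys": "sha1:eeee",
    r"C:\Windows\System32\drivers\hidden_example.sys": "sha1:cccc",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon": "Start=2",
    r"HKLM\SYSTEM\CurrentControlSet\Services\HiddenExampleSvc": "Start=2",
}

if __name__ == "__main__":
    for d in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"[{d.kind:>8}] {d.path}: {d.detail}")
```

As with the real tools, a "hidden" finding is a lead to investigate, not proof on its own: legitimate software that hides itself (the antivirus and game protection mentioned above) produces the same discrepancy.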
Prevention of Rootkits:
DefenseWall HIPS (Host Intrusion Prevention System) is the simplest and easiest way to protect yourself from malicious software (spyware, adware, keyloggers, rootkits, etc.) when you surf the Internet! Using the next generation proactive protection technologies, sandboxing and virtualization, DefenseWall HIPS helps you achieve a maximum level of protection against malicious software, while not demanding any special knowledge or ongoing online signature updates. Threatfire is another good one.
ProcessGuard is a powerful cutting-edge program that greatly increases the security of your computer by preventing processes from being able to attack each other. It is considered by experts to be a must-have program for all users of Windows, and is the only program available that can prevent the infection of all known rootkit trojans.
One of the best sites that I have found on the web that has all rootkit information in one place is Antirootkit.com. I would also recommend Wilders Security forum for information on all security software and how-to's with any problems or questions you may have. Wilders Security Forum is very informative and a lot of the Wilders fans list their security setups after their posts. Some are very paranoid setups, so depending on what you do on the internet and where you go will be a factor in choosing your security solutions.
Web of Trust plugin – for your browser, to keep you safe from untrustworthy sites, malware drive-by downloads and other nasties.
McAfee Site advisor – Like Web of Trust this is software to block untrustworthy sites.
AVG LinkScanner – AVG's new link scanner analyzes every website behind every link you click or type into your internet browser.
One other site that comes to mind is Matousec's proactive security software grading system. It was founded by David Matoušek in March 2006 with a small group of young people, mostly university students, who were interested in the Internet, security and other computer-related topics. The group's focus was on security-related projects and providing specific services to software vendors. Matousec rates security products like firewalls, antivirus software and other security suites using a custom set of leak tests and autoruns that are also available for download on the Matousec site.
This post was meant to be a short primer on rootkits. I hope it was informative; I tried to keep it short and simple, for there is a huge amount of information on rootkits on the web.
The very BEST post I’ve seen on the web on security software to protect your computer is at wilders security forums on this post.