Rootkits have been around for many years on a wide variety of platforms. NT Rootkit, the first known Windows rootkit, was published in 1999 by Greg Hoglund, founder of www.rootkit.com. Since then many more capable rootkits have been developed.
One of the most frequently encountered is Hacker Defender, created by an Eastern European who calls himself Holy Father. The latest free version was published early in 2004 and, more recently, premium and customized versions of this malware became available for a fee.
While support personnel at various organizations have struggled to find and eradicate rootkits for years, this class of malware was not getting much attention in the IT trade press until this year. On Feb. 17, Bruce Schneier, founder and CTO of Counterpane Internet Security Inc., published an article in his blog about a paper by Microsoft Research. It described how Strider Ghostbuster can be used to detect persistent rootkits. That same day, my colleague Mike Danseglio, program manager in Microsoft's Security Solutions group, and I presented a talk at the RSA Conference on rootkits in Windows. Our session generated a surprising amount of interest in the press. Combine that interest with Schneier's blog and many people suddenly sat up and paid attention to the potential damage rootkits pose to Windows networks.
Within a week Bryce Cogswell and Mark Russinovich, founders of the freeware site Sysinternals, released the first version of their rootkit detection tool, Rootkit Revealer. By comparing high-level and low-level scans of several object types, the tool could identify a wide variety of persistent rootkits and malware behaving like rootkits.
Kurt Dillard, Program Manager, Microsoft
A Holy Father fan then posted instructions on how to modify the configuration file for Hacker Defender so its files would no longer be hidden from Rootkit Revealer or be tagged as potentially dangerous by the detection tool. Russinovich and Cogswell quickly responded by publishing an updated version of Rootkit Revealer that could defeat the simple countermeasure.
Other vendors released detection and removal tools soon afterwards. For example, the April version of Microsoft's Malicious Software Removal Tool added rootkit detection and removal to its capabilities. The battle of wits and wills was truly joined when Holy Father himself posted an entry in his blog bragging that he had new versions of Hacker Defender that could defeat Rootkit Revealer and many other antimalware tools. He dubbed these the Silver and Gold editions and declared that they would be available only for 300 and 450 Euros (approximately $360 and $540) respectively. He claims that the Gold version will evade almost all known malware detection technologies. (What is it unable to evade? Icesword is a promising tool developed in China, currently not available in English. More on Icesword in a future tip.)
Rootkit Revealer version 1.55 was released on July 12. How it detects software that tries to hide itself is relatively straightforward: It compares the results of scanning the registry and file system at the highest level and the lowest level. APIs included with Windows provide a high-level view that is filtered by stealthy rootkits. In the low-level scan, Rootkit Revealer examines raw data directly from each storage volume and registry hive. To overcome some of the countermeasures implemented by Holy Father and other rootkit authors, the latest version creates a randomly named copy of itself that runs as a Windows service. This approach is effective, but Russinovich and Cogswell acknowledge, "It is theoretically possible for a rootkit to hide from Rootkit Revealer. However, this would require a level of sophistication not seen in rootkits to date."
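To make the cross-view comparison described above concrete, here is an added example (not the article's code and not Sysinternals' implementation) that diffs an API-level listing against a raw-level listing of the same files and registry keys. The listings are constructed samples; the assumptions are that both views arrive as path strings and that an entry seen only in the API view is most likely something that changed between the two passes rather than a rootkit.

```python
"""Cross-view discrepancy check of the kind Rootkit Revealer performs.

The high-level view is what the regular Windows APIs return (a rootkit can
filter it); the low-level view is parsed from the raw volume or hive.
Present only in the raw view = hiding candidate. Present only in the API
view = usually an object that changed between the two passes, the main
source of benign discrepancies in cross-view tools.
"""


def normalize(path: str) -> str:
    # Windows names are case-insensitive; canonicalise both views alike
    # or a mere case difference would show up as a false discrepancy.
    return path.replace("/", "\\").rstrip("\\").lower()


def parent(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def cross_view_diff(api_view, raw_view):
    """Return {'hidden_from_api': [...], 'missing_from_raw': [...]}.
    A hidden directory or key hides its whole subtree, so only the
    top-most hidden entry of each subtree is reported."""
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    hidden = raw - api
    return {
        "hidden_from_api": sorted(p for p in hidden if parent(p) not in hidden),
        "missing_from_raw": sorted(api - raw),
    }


# Constructed sample listings, not real scan output. The temp file was
# created after the raw pass (noise); the directory, its two files and the
# service key are filtered out of the API view (hiding candidates).
API_VIEW = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\Tcpip.sys",
    r"C:\Windows\Temp\~tmp0001.tmp",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
]
RAW_VIEW = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\hiddendir",
    r"C:\Windows\System32\hiddendir\svc.exe",
    r"C:\Windows\System32\hiddendir\svc.ini",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\HiddenSvc",
]
```

Running `cross_view_diff(API_VIEW, RAW_VIEW)` reports the hidden directory and the hidden service key as candidates and the temp file as a benign mismatch; the case difference in `Tcpip.sys` produces no discrepancy.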
Holy Father promises that a new version of his rootkit will be finished in August but, like Hacker Defender Gold, it will not be available for free. I would like to get my hands on the latest versions of that malware so I could examine it for myself and see how it performs against the latest automated tools. I would also like to investigate whether any of the manual approaches are effective when dealing with Holy Father's best rootkit. On the other hand, I'm not inclined to support the creation of such destructive malware by sending its author cold, hard cash.
About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.