Manually detecting rootkits

Sometimes tools come up short. When they do it is just you against the hacker. Find out what techniques to use to manually track down rootkits in this article from Microsoft program manager Kurt Dillard.

Detecting stealthy malware requires time, patience, perseverance and expertise. Even with plenty of each of those

traits, you might still overlook backdoors left by an attacker who has compromised your computer. With that in mind, the only reliable way to regain control of a compromised system is to reinstall the operating system and applications from known good media. Nevertheless, there is growing demand from systems administrators for tools and methods to find and remove rootkits and other types of hidden malware.

The simplest tool available today is Microsoft's Malicious Software Removal Tool (MSRT), which reliably eradicates a variety of common rootkits and other types of malicious software active on the Internet. Updates are published monthly, but malware authors are looking for ways to counter the MSRT and some of their latest efforts are able to evade it.

There are several approaches to manual detection: finding mistakes made by the malware's author, comparing the filtered view of the file system with an unfiltered view, and comparing the filtered view of the Registry with an unfiltered one. The freely available rootkit Hacker Defender has a serious flaw: When launched, the Service Control Manager (SCM) writes two events to the system event log:

  1. Event ID 7035 with the description "The HXD Service 100 was successfully sent a start control."
  2. Event ID 7036 with the description "The HXD Service 100 entered the running state."

I mentioned in previous articles in this series that the author of Hacker Defender offers advanced versions of his rootkit for sale, and presumably he has corrected this deficiency. Although it's interesting to find this sort of error, it's not a reliable way to track down unwelcome software on your computer.

File system comparisons are fairly straightforward:

  1. Run "dir /s /b /ah" and "dir /s /b /a-h" on the system drive from inside the suspect operating system.
  2. Save the results.
  3. Boot into a clean CD (such as WinPE).
  4. Run "dir /s /b /ah" and "dir /s /b /a-h" on the system drive of the suspect computer.
  5. Save the results.
  6. Launch WinDiff from the CD, compare the two sets of results to detect file-hiding malware (i.e., invisible inside, but visible from outside).
  7. There will be some false positives -- for example, legitimate temporary files from the operating system and applications will show up.

Examining the Registry is a bit more complex:

  1. Run regedit.exe from inside the suspect operating system.
  2. Export HK_Local_Machine\Software and HK_Local_Machine\System hives in text file format.
  3. Boot into a clean CD (such as WinPE).
  4. Run regedit.exe.
  5. Create a new key such as HK_Local_Machine\Temp
  6. Load the Registry hives named Software and System from the suspect operating system. The default location will be c:\windows\system32\config\software and c:\windows\system32\config\system.
  7. Export these Registry hives in text file format. (The Registry hives are stored in binary format and Steps 6 and 7 convert the files to text.)
  8. Launch WinDiff from the CD, and compare the two sets of results to detect file-hiding malware (i.e., invisible inside, but visible from outside).
  9. Once again, there will probably be some false positives.

Although it can be effective, manually examining the Registry and file system is very time consuming and requires a thorough understanding of which objects are probably legitimate temporary ones and which should be considered suspect. A couple of independent software vendors have recently published tools to automate scanning. SysInternals' RootkitRevealer looks for API discrepancies between high-level and low-level views of the Registry and file system. Detailed instructions for using Rootkit Revealer are provided at SysInternals' Web site and in the program's online help.

A trial version of BlackLight, good through Oct. 1, 2005, is also available. F-Secure Corp. announced plans to integrate its functionality into the F-Secure Internet Security 2006 suite soon. BlackLight is a wizard-based tool that walks you through a system scan. Suspect files can be renamed and, with a bit of luck, when the system reboots, they will not execute again. Full instructions at F-Secure.

Several other tools come from less well-known sources:

  • VICE is a tool for finding applications that are hooking APIs and operating system objects.
  • Patchfinder2 is designed to detect compromises of the kernel and system libraries.
  • Klister reads internal kernel data structures to see if malware is trying to hide processes and threads.

Finally, there is IceSword, a very promising tool that it is only available in Chinese. It was originally published at Xfocus but at the time of this writing the site is unavailable. Version 1.12 is available for download here.

There's very little information about IceSword that's published in English. It appears to be very comprehensive. Although the user interface is in Chinese, the scan results are in English and may be decipherable to you if you understand the details of Windows objects such as process, services, drivers, Browser Helper Objects and API hooks. For example, it displays the process and service that Hacker Defender tries to hide. You can also use IceSword to browse through the Registry and file system and see objects that Hacker Defender filters from built-in operating system utilities.

This article has presented several approaches to manual and automated detection of malware that hides itself. Unfortunately, none of these methods is foolproof and each requires time and a great deal of technical expertise on the Windows platform.

Things evolve quickly in this area of computer security, and undoubtedly we will see significant improvements in the tools available to combat this frustrating breed of malware. Unfortunately, rootkit creators will continue to look for ways to bypass each of the detection tools. This cat-and-mouse game seems likely to continue for years to come.

About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including Windows Server 2003 Security Guide and Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. He has also co-authored two books on computer software and operating systems.


More information from SearchWindowsSecurity.com

  • Security Clinic: Rooting out a rootkit
  • Q&A:Getting a handle on rootkits
  • Article: How does a hacker install a rootkit


  • This was first published in September 2005

    Dig deeper on Network intrusion detection and prevention and malware removal

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchVirtualDesktop

    SearchWindowsServer

    SearchExchange

    Close