A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a "backdoor" into the system for the hacker's use; alter log files; attack other machines on the network; and alter existing system tools to escape detection.
The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are available for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.
Rootkits have become more common and their sources more surprising. In late October of 2005, security expert Mark Russinovich of Sysinternals discovered that he had a rootkit on his own computer that had been installed as part of the digital rights management (DRM) component on a Sony audio CD. Experts worry that the practice may be more widespread than the public suspects and that attackers could exploit existing rootkits. "This creates opportunities for virus writers," said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. "These rootkits can be exploited by any malware, and when it's used this way, it's harder for firms like ours to distinguish the malicious from the legitimate."
Below are five questions about rootkits that have been answered by Windows security threat expert Kevin Beaver.
What are rootkit threats and how can I identify them in Windows?
Rootkits are applications hackers install (or social engineer you into installing) in order to obtain control of the computer and basically do anything they want to on it. Rootkits have their roots (pun intended) in UNIX but are becoming more popular in Windows with rootkits such as FU and the AFX Windows Rootkit 2003. The programs tie into the OS, allowing hackers to modify system environment variables, hide malicious code in commonly used system programs, hide system processes and more. There are a few basic ways to identify them:
- Use anti-spyware tools such as PestPatrol and SpyBot to detect the files loaded onto the system.
- Manually run MD5 hashes on system files and compare them to known good ones.
- Use host-based IDS software such as Tripwire to detect file changes.
- Use personal firewall software application protection to detect malicious network communications going out of the computer.
- Use a network analyzer and inspect protocols used, and even the packets entering or leaving the host for malicious behavior.
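As an added example (not code from the original article or from Kevin Beaver), the second and third methods above in Python: record a baseline of digests for a tree of files, then re-check it and report modified, missing and new files. The answer names MD5; this block defaults to SHA-256 because MD5 collisions are practical, so a replaced file can be made to keep a known-good MD5. The sample "system32" directory and its tampering are constructed inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under root (as a relative path) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root, baseline, algorithm="sha256"):
    """Compare the live tree with a saved baseline.

    Returns {'modified': [...], 'missing': [...], 'new': [...]}; an entry in
    'modified' is a file whose contents changed since the baseline was taken.
    """
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo():
    # Constructed sample: a fake system directory with two tools. After the
    # baseline is taken, one tool is altered, one is deleted and a new file
    # appears, the three changes an integrity check is meant to surface.
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "netstat.exe").write_bytes(b"original netstat")
        (sys32 / "tasklist.exe").write_bytes(b"original tasklist")
        baseline = build_baseline(sys32)          # known-good snapshot
        (sys32 / "netstat.exe").write_bytes(b"altered netstat")
        (sys32 / "tasklist.exe").unlink()
        (sys32 / "drv.sys").write_bytes(b"unexpected driver")
        return check_integrity(sys32, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a clean install or trusted media and stored off the host, since a rootkit that can alter system files can also alter a baseline kept beside them.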
How can I check my system for rootkits? Is there a good tool I can use? Do they leave any signs, like running processes?
For additional information, check out this rootkit detection IT checklist.
As I understand, rootkits work by intercepting system calls and replacing them with their own, so they will be able to hide files and registry entries. The tool RootkitRevealer works by scanning the registry and the file system, then it compares the two to see if there is any mismatch, which might indicate the presence of rootkits. If rootkits can modify Windows API calls to hide files and registry entries, does that mean RootkitRevealer will not work? There is no further explanation for the tools on the Sysinternals site. Could you tell me a little more about how this tool works?
Based on how I understand it, RootkitRevealer can detect registry modifications at the native API level (i.e., not the Windows level). However, it's technically possible for a rootkit to fly under the radar of RootkitRevealer at the file system and registry levels although there are no known occurrences (yet). Mark Russinovich of Sysinternals (the creators of RootkitRevealer) wrote a detailed article about this in the June 2005 issue of Windows IT Pro if you're interested in more details.
Click here for the article. (NOTE: It's for subscribers only.)
I read through Kurt Dillard's "Prevention Guide: Detecting and removing rootkits in Windows." On one of my PCs, I found rootkits with Sysinternals RootkitRevealer. I found no other rootkits on any other PCs even though an extensive number of software packages are installed. By doing a file search for date and time, I determined these were installed during the installation of Pinnacle Studio 9. Pinnacle tech support said these are not spyware and are needed for Studio to work. However, they are not removed during uninstall and I am not confident that Pinnacle understood my questions, nor rootkits, nor gave a reliable evaluation. I need a second opinion.
Based on what I've seen, it's actually very common for many Windows applications to leave junk in the registry such as this. I'm not a developer, but I can't imagine why it would be considered good practice to clog up someone's registry with entries that are no longer needed. I would recommend running another rootkit remover or process explorer such as UnHackMe, Process Explorer or Vision to see if anything looks malicious. Otherwise, back up your registry and delete those entries if you're uncomfortable with them, or contact Pinnacle and ask to speak to a level 2 support person who can help you with those entries.
After scanning with Sysinternals RootkitRevealer, how do you remove the possible threats it located? There are no options to do that. Do you just go to the located threat's path and delete the registry entry, or should you use a spyware removal tool?
Fortunately, I haven't had the need to remove a rootkit discovered by RootkitRevealer. Mark Russinovich of Sysinternals (the creators of RootkitRevealer) wrote a detailed article about how it works in the June 2005 issue of Windows IT Pro if you're interested in more details. Click here for the article. (NOTE: It's for subscribers only.) If that doesn't help, I'd contact the authors directly.
This was first published in May 2006