Muggings...

Articles and Information
by Members for Members

Rootkits Revisited

by Nancy Cottrell

We first brought rootkits to your attention when Sony started using them to circumvent music copyright infringement.

Since then, virus writers have begun adding rootkit functionality as a component of commonplace malware such as MyDoom and Bagle. Rootkit technology is designed to hide the presence of malware on infected systems. Originally the technology appeared only as a component of more sophisticated and exotic forms of malware. Now the technology has moved into the mainstream, anti-virus firm F-Secure reports.

For example, Bagle-GE incorporates rootkit features designed to hide the processes and registry keys of another Trojan of the same family, Bagle-GF. The development has raised particular concerns because of strong links between Bagle and the operations of numerous botnets, networks of compromised Windows PCs that are often used to either distribute spam or attack other systems.

"There appear to be bugs in these new Bagles. But if the Bagle authors have seriously decided to turn their attention to upgrading their malware suite with rootkits, then this first step appears to be a dangerous one and one worth keeping an eye on," F-Secure's techies comment in a posting on the firm's weblog.

Gurong-A is a new worm based on MyDoom code - possibly created by a copycat author with access to leaked copies of MyDoom's source code - that also features rootkit (stealth) technology designed to help malware avoid detection by conventional anti-virus scanners.

The latest types of malware are so potent that organisations should forget about trying to cleanse infected systems, a top Microsoft security officer has advised. Mike Danseglio, a program manager in Microsoft's security group, said firms should think about establishing a process for backup and recovery rather than relying on anti-virus tools as a way of recovering from malware infection.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Danseglio told a security conference in Florida.

Now that rootkits are becoming more commonplace, Danseglio argued that such tactics make it too difficult to ensure that infected systems have been fully repaired. He cited the example of an unnamed US government agency that found itself trying to fix 2,000 infected machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio said, eWeek reports.

Even though anti-virus technology is improving, Danseglio conceded that traditional approaches are failing in the face of more sophisticated malware and highly motivated, profit-driven virus writers. The threat has moved on from network worms towards Trojans and other forms of malware that are harder to detect. "Detection is difficult, and remediation is often impossible," he said.

Danseglio's candid admission of the inadequacies of anti-virus technologies in cleansing infected systems is surprising given Microsoft's recent entry into the anti-virus market, to say nothing of the fact that Windows PCs remain the principal malware battleground.

However, Danseglio laid the blame for the majority of malware infections on human stupidity in the face of social engineering attacks rather than on the security shortcomings of Windows, as highlighted by an unpatched Internet Explorer flaw that has become the focus of exploitation by hackers over recent days.

Detecting Rootkits
There currently is no protection or detection software available for Windows 98 users of which I am aware. However, I am including information and links to four rootkit detectors for 32-bit NTFS Windows 2000, XP and 2003 server machines.

For more information on rootkits and to download Sysinternals' free RootkitRevealer, visit here.

You can also download F-Secure's BlackLight. Currently beta software, it will be available for free use until May 1st.

Microsoft's Malicious Software Removal Tool is also designed to detect Rootkits.

If you use Internet Explorer, you can run an online scan by Microsoft.

IceSword, a free Chinese utility, is arguably the biggest gun in the rootkit detection war (original download site for the English version: http://xfocus.net/tools/200509/IceSword_en1.12.rar). It's not really an automated rootkit detector in the manner of BlackLight but rather a suite of tools that allow a skilled user to detect the presence of a rootkit. These tools include a process viewer, a startup analyzer, a port enumerator and more. They will reveal the presence of rootkits and the products they are stealthing, but it's up to you to do the identification. In the hands of a skilled user, it's an amazing tool. You can download an English version.
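All of the detectors above work on the same principle: take the same inventory of the system two ways (what the normal Windows API reports versus a lower-level walk of kernel structures or the registry hive) and flag whatever appears in only one view, since that is what a rootkit is filtering out. The script below is an added example, not code from the article or from any of the tools named; the two snapshots it compares are constructed sample data, so it runs anywhere and only shows the comparison logic, and the identification of what it flags is still up to you.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str        # "process" or "run-key"
    name: str
    seen_in: str     # "low-level only" or "api only"


def cross_view_diff(kind, api_view, low_level_view):
    """Return items present in exactly one of the two views.

    An item the low-level view has but the Windows API does not is the
    classic stealthing signature. The reverse case is rarer (a process
    that exited between the two snapshots) but still worth a look.
    """
    api, low = set(api_view), set(low_level_view)
    hidden = [Finding(kind, n, "low-level only") for n in sorted(low - api)]
    extra = [Finding(kind, n, "api only") for n in sorted(api - low)]
    return hidden + extra


def hunt(api_procs, raw_procs, api_run_keys, raw_run_keys):
    """Run the diff over both inventories and return all findings."""
    return (cross_view_diff("process", api_procs, raw_procs)
            + cross_view_diff("run-key", api_run_keys, raw_run_keys))


# Constructed sample snapshots (not real captures): the API view is what a
# hooked Task Manager or regedit would show; the raw view is what a detector
# gets by walking kernel structures or reading the hive file directly.
API_PROCESSES = ["System", "csrss.exe", "explorer.exe", "svchost.exe"]
RAW_PROCESSES = API_PROCESSES + ["sample_stealth.exe"]
API_RUN_KEYS = ["ctfmon", "SoundMan"]
RAW_RUN_KEYS = ["ctfmon", "SoundMan", "sample_loader"]


def report(findings):
    """Human-readable lines; identifying each item is the operator's job."""
    if not findings:
        return ["no discrepancies between views"]
    return [f"{f.kind:8} {f.name:22} {f.seen_in}" for f in findings]


if __name__ == "__main__":
    for line in report(hunt(API_PROCESSES, RAW_PROCESSES,
                            API_RUN_KEYS, RAW_RUN_KEYS)):
        print(line)
```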

Removing Rootkits
Removing rootkits presents two quite separate problems. The first is the removal of the rootkit itself. The second is the removal of the malware that the rootkit was stealthing.

Because rootkits work by changing the Windows operating system itself, it may not be possible to remove the rootkit without causing Windows to become unstable or non-functioning.

Removing the malware hidden by the rootkit presents the normal problems of removing any malware. However, you won't be able to do this until the rootkit is removed, at which point the whole system may become unstable to the point that the malware cannot be completely removed.

Restoring your drive from a drive image is another possibility, provided you are sure the image was created before the rootkit infection and that your imaging program restores the boot sector on your disk.

Avoiding Rootkit Infection
The rules for avoiding rootkit infection are for the most part the same as for avoiding any malware infection; however, there are some special considerations:

Because rootkits meddle with the operating system itself they require full Administrator rights to install. Hence infection can be avoided by running Windows from an account with lesser privileges.

A more practical approach is to use security tools like Process Guard (http://www.diamondcs.com.au/processguard/) and Anti Hook (http://www.infoprocess.com.au/AntiHook.php) that have the capacity to prevent programs from installing global hooks. Most (but not all) rootkits rely on establishing global hooks for their stealthing. If this can be prevented then the rootkit cannot function. And it's not only a question of stopping hooks; both these programs have other features to prevent rootkits installing such as preventing process injection.

Process Guard is a $29.95 shareware product while Anti Hook is free. Process Guard is easier to use and provides a wider spectrum of defenses against attacks. However Anti Hook certainly has some impressive features and has the advantage of being free for personal use.

Not all users will need the level of protection afforded by these products but high risk users such as P2P users, users of cracked software and those who regularly download and install programs should regard them as mandatory.
