Spyware Warrior

[suzi]

Since rootkits are in the news recently, and a lot of people don't know much, if anything, about rootkits, I thought I'd post some info and a list of rootkit detection apps.

Basic Information

[BillB]

Great consolidated reference, Suzi - Thanks.

[hornet777]

I'll second that on both counts, suzi.

[BillB]

Here is Slashdot.org's list of affected Sony/BMG disks.

[Nick]

Updated link on Sony Rootkit from The sysinternal main blog page to the 1st blog post on it

Added disclaimer to Computer Associates removal of rootkit. According to Mark R all of the AV companies that remove the XCP rootkit don't actually remove it but only decloak the Aries.sys driver. the method of removal is not recommended by him.

[Munch]

Found this while digging. It's an excellent article and a must read for anyone interested in rootkits, it also compliments Suzi's article nicely.
It talks alot about how rootkits work, how not all rootkits are bad, how new ones are hiding, some of the tools available today and how they work against rootkits. I found it particularly interesting at the end of the article it discusses how new ones are attaching themselves to video memory. Never thought I would have to throw away a video card because it was infected with something.

The article is entitled "Why rootkits mean you must nuke your machine" from ZDNetUK Here is the article.
_________________
Munch

[suzi]

I've stated a series on rootkits at Spyware Confidential blog.

http://blogs.zdnet.com/Spyware/?p=706

Munch, I wrote some comments there about the article you refer to. I agree that its a good article but there's one thing I really disagree with in there.

You'll have to read my blog at ZDNet to see more...

Edit to add: This is good reading about the ZDNet article too.

http://sunbeltblog.blogspot.com/2005/11/rootkits-are-not-acceptable-under-any.html
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[Munch]

I read your blog entry Suzi, as well as the article on Sunbelt and yes I do agree that if a rootkit is disclosed then by definition it really isn't a rootkit at all. I wasn't trying to downgrade the seriousness of the situation, but merely pointing out that the article on ZDNet.uk shows yet another opinion from a slightly obscure point of view. I think I might have been misunderstood. This is why in my post I said it compliments your article nicely (I meant your ZDNet blog entry) It does go a little more into depth on a rootkit which is why I posted it for people wanting to learn more, that was all.
Sorry for the confusion.

_________________
Munch

[suzi]

No problem, I probably wasn't clear on my last post. I think the ZDNet article is excellent, too, and has some great info.

But I still highly disagree with the thought that "a rookit isn't a rootkit if disclosed". The fact that it's disclosed doesn't change the the risk factors associated with it. I honestly can't think of a situation where the use of a rootkit would be acceptable even if disclosed. It brings up a lot if issues - what about consent? Do we want to de-sensitize users to the implications of using a rootkit?

I think this is a great topic for more discussion and I'd like to know what others think.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[Munch]

I agree no rootkit is acceptable, however I also think that catching Sony in the act was by chance, how many other companies have done something similiar that we don't know about? And what is stopping others or our own government from using the same technology to monitor us, if they haven't already.
Any government officials reading that last comment pay no attention to it and disregard it

Crap, now I have to do a scan for rootkits.
_________________
Munch

[FBJ]

Thank you suzi for making this fine resource. I still haven't read it all - you know, one link leads to another etc.

Can I suggest you add RootKitty to the list of tools. Strider Ghostbuster is mentioned in one of your links (http://research.microsoft.com/rootkit/) and especially the technic of comparing scans from inside and outside the box is explained and highlighted as the way ahead. Rootkitty is part of UBCD4Win and using this you are able to do exactly the same - do a windows scan from inside the box, do a PE-scan from outside the box and compare the two. Rootkitty only scans for files (not registry) since the author finds that deleting the files will bring the rest out in the open but still it does a good job. Rootkitty is a work in progress as I understand it - version is 1.x.

http://www.ubcd4win.com
http://tinyurl.com/93frf (the rootkitty forum)

I realize that it's somewhat cumbersome to build a UBCD4Win and that it's doesn't provide a one-click solution from inside Windows, but it seems to be a relevant technic.

Cheers

[suzi]

Blogged here:

http://blogs.zdnet.com/Spyware/?p=717

Hint - it's a trick question.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[suzi]

Another blog post on rootkits:

http://blogs.zdnet.com/Spyware/index.php?p=725
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[physics223]

Now Sony's rootkit is evil. Not only is it insidious, it also can't be uninstalled the easy way. To go this far to prevent piracy? To use subterfuge to protect its money?

Damn. This HAS gone too far.

[fcukdat]

IMO Once a Pc is suspected or confimed as having RK(s) installed then the only way to ever guarantee the PC's integrity again is to reformatt&reinstall.
Since it has been shown that even finding these nasty little cloaks and removing them runs the risk of borking your 'puter

IMO best way to deal with RK's is not to let them install in the first place inorder to have to deal with them and their potential payloads.Here are 2 softwares that are both very capable of stopping them dead in their tracks before they go live if used properly

BoClean>>>
http://www.nsclean.com/boclean.html

Process Guard>>>
http://www.diamondcs.com.au/processguard/
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[fcukdat]

With reguards to the sony BMG RK only and its uninstallation etc i've found this excellent writeup(Blogg entry) by the Lavasoft employee who wrote their "Aries" RK removal tool>>>
http://www.lavasoft.de/wordpress/?p=57

The researcher highlights the problem ahead when the malware authors start properly coding their RK's etc and also the risks involved when removing RK's
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[Oldfrog]

A good set of articles on rootkits.

Windows rootkits of 2005, part one
This three-part article series looks at Windows rootkits indepth. Part one discusses what a rootkit is and what makes them so dangerous, by looking at various modes of execution and how they talk to the Windows kernel.
By: James Butler, Sherri Sparks 2005-11-04
http://www.securityfocus.com/infocus/1850


Windows rootkits of 2005, part two
This three-part article series looks at Windows rootkits indepth. Part two focuses on the latest cutting edge rootkit technologies that are used to hide malicious code from security scanners.
By: James Butler, Sherri Sparks 2005-11-17
http://www.securityfocus.com/infocus/1851


Windows rootkits of 2005, part three
The third and final article in this series explores five different rootkit detection techniques used to discover Windows rootkit deployments. Additionally, nine different tools designed for administrators are discussed.
By: James Butler, Sherri Sparks 2006-01-05
http://www.securityfocus.com/infocus/1854

[Moore]

A few more links

Rootkit evasiveness: malware's best friend, Windows' worst enemy :
http://www.agnitum.com/news/securityinsight/issues/july2006

What are user-mode vs. kernel-mode rootkits:
http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1086469,00.html

http://www.antirootkit.com/

Bit more info in last post here :
http://www.spywarewarrior.com/viewtopic.php?t=10027
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |

[suzi]

CastleCops has a rootkit forum with a lot of information.

http://www.castlecops.com/f233-Rootkit_Revelations.html
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

[fcukdat]

Rootkits for the bigginer article @CC

http://wiki.castlecops.com/Rooting_Out_the_Dangers:_Rootkit_Removal_for_Beginners

Now there's a contradiction in terms although the science is somewhat simplified in the article.

I'm still standing by the theory that if a RK is suspected then the system needs reinstalling to undo all possible issue's.

Its apparent that all the anti RK softwares are oin the same boat as the definition based vendors in the sense that everytime a new flavour(family) of rootkits are spawned there having to rewrite their software routines and release upgraded software inorder to keep up with emerging threats.

The best possible way to deal with rootkits is not to let them install in the first place(proactive prevention) as opposed to relying on software to undo damage once the rootkit has embedded on the 'puter.
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[kao321]

According to Mcafee Siteadvisor, The website you download IceSwords at has downloads that have adware or something in them.

Here is a description:

http://www.siteadvisor.com/sites/xfocus.net?ref=safesearch&aff_id=0&suite=false

I'm not sure if this is true, but Spywarewarrior Staff should check it out.

[suzi]

kao321,

I believe this comment on the page is correct:

[EASTER]

Nice informative heads up. Stealth programmers are pressing students to invent more methods yet to be passed around be it for study or confiscated from the web by the less scrupilous who take them and make a mix of malware they want to conceal for web/program releases.
_________________
*******************


THE FORCE IS VERY STRONG IN THIS FAMILY!

[nx42qr7]

The alarming nature that a rootkit conjures is not entirely mis-leading.There is a very capable explanation and presentation broadcast dated for October 13,2005-Series Entitled- Security Now! Episode: #9-"Rootkits" Speakers: Steve Gibson & Leo Laporte Source File: http://media.GRC.com/sn/SN-009.mp3 File Archive: http://www.GRC.com/securitynow.htm. This information was not only informative it allowed for the need to know that much more If any are interested there is a book entitled "Subverting the Windows Kernal-"Rootkits" by Greg Hoglund and James Butler published by Addison Wesley.A mild idea from chapter 3,The Hardware Connection- "One Ring to rule them all,One ring to find them,One ring to bring them all and in the darkness bind them."-The Fellowship of the Ring, J.R.R. Tolkien