Getting Rid Of Windows Rootkits

Getting Rid Of Windows Rootkits



Windows rootkits like the popular open-source "Hacker Defender" are malicious applications which help an attacker to disguise trojans and other kinds of malware. Rootkits can be compared to a "cloak of invisibility": After a rootkit gets activated any files designated by the attacker will vanish. This will most likely include the rootkit itself and, for example, an additionally installed backdoor. An AV/AT scanner will be unable to detect the invisible files. A rootkit can also hide registry entries. In particular, it will hide its own autostart entries. Some rootkits can even cloak open ports on which a trojan server is listening ...

The following paper will show you how to detect and remove such nasties.


Background: The Art of Concealment -- API Hooking

An Application Programming Interface (API) is a set of definitions of the ways in which one piece of computer software communicates with another. It is a method of achieving abstraction, usually (but not necessarily) between lower-level and higher-level software. One of the primary purposes of an API is to provide a set of commonly-used functions. Programmers can then take advantage of the API by making use of its functionality, saving them the task of programming everything from scratch. APIs themselves are abstract: software which provides a certain API is often called the implementation of that API.

If let's say explorer.exe or an AV/AT scanner want to access a file they will communicate with the operating system via certain Windows API functions. A rootkit will try to prevent this. For example, Hacker Defender has "hooked" (intercepts) the following API functions ...

Kernel32.ReadFile
Ntdll.NtQuerySystemInformation
Ntdll.NtQueryDirectoryFile
Ntdll.NtVdmControl
Ntdll.NtResumeThread
Ntdll.NtEnumerateKey
Ntdll.NtEnumerateValueKey
Ntdll.NtReadVirtualMemory
Ntdll.NtQueryVolumeInformationFile
Ntdll.NtDeviceIoControlFile
Ntdll.NtLdrLoadDll
Ntdll.NtOpenProcess
Ntdll.NtCreateFile
Ntdll.NtLdrInitializeThunk
WS2_32.recv
WS2_32.WSARecv
Advapi32.EnumServiceGroupW
Advapi32.EnumServicesStatusExW
Advapi32.EnumServicesStatusExA
Advapi32.EnumServicesStatusA

In consequence, if explorer.exe or a virus scanner tries to communicate with the Windows Operating System Hacker Defender will "sit in between" and can decide whether it will grant access to certain files. The same applies if an application tries to read the registry etc. For further information regarding API hooking see http://www.codeproject.com/system/hooksys.asp .


1. RegdatXP 1.3

Heinz Ulbrich has developed a raw-mode registry viewer called RegdatXP which is not affected by the registry cloaking techniques currently employed by Windows rootkits. The latest version of RegdatXP allows you to search for cloaked registry entries in a comfortable manner. In the help file it says:

"Compare Selected Keys

...

By using Rootkit techniques an application can hide its registry keys from Regedit or other Registry editors, see for example the security forum www.wilderssecurity.com. RegdatXP can display such keys in backup files. When the Hiddens option is checked RegdatXP tries to detect such keys by the use of additional backup files having an “.hd” extension. "

The following screenshot demonstrates how it works ...

.

Since most rootkits require an autostart entry in order to get activated RegdatXP provides for an easy way to detect them. If any cloaked registry keys are found you should start your system from a boot CD like ERD Commander 2003, edit the registry and remove the hidden autostart entries. If you do not know how to do this you may ask for help in a security forum.



2. TaskInfo 2003

TaskInfo is a powerful utility featuring an advanced task monitor which informs you about all running processes and threads including ring0 VxD threads. Kernel driver rootkits like Hacker Defender will get detected despite their process cloaking capabilities. The following screenshot shows a Hacker Defender rootkit (and another hidden driver which is part of a security tool called Process Guard) running in memory.

Please note, however, that a rootkit driver is not bound to a specific name. Therefore, a system administrator must exactly know which drivers can be expected to run on a non-compromised system.


3. Rootkit Detector from 3W Design

RKDetector is a Spanish command-line utility which is specifically designed to detect Windows rootkits. RKDetector describes itself as "a diagnostic tool that provides information about hidden process and services hooked by an NT rootkit such as Hacker Defender. After hidden handles are identified, rootkit detector will try to kill those hidden tasks and rescan the service database in order to detect hidden services installed by hackers and hidden regkeys (Run, Runonce...)."


4. Winternals ERD Commander 2003

ERD Commander 2003 boots a dead or compromised system directly from an emergency CD into a Windows-like environment. You will have full access to the system's volumes, so you can diagnose and repair problems using tools located on the ERD Commander 2003 CD. Inter alia ERD Commander 2003 includes a registry editor and a driver & services manager. Any cloaking techniques used by a rootkit will become ineffective if you start your system from a boot CD.


5. DiamondCS Process Guard

DiamondCS Process Guard is a useful security tool that protects both system and security processes (as well as user-defined processes) from certain attacks by malicious processes, services, drivers, etc. Process Guard will warn you if a rootkit tries to install a kernel-mode driver or attempts to inject a malicious DLL into a windows process. Process Guard will also protect you from dynamically injected DLL trojans and so-called AV/AT & firewall killers. It should be noted, however, that Process Guard will generally not help you once you are infected with a rootkit. Therefore, it is mandatory to not allow the installation of a kernel mode driver unless you are confident that it relates to a harmless application.

See here for an example.



ntl, 24 February 2004