Rooting Out Rootkits
How to scan and detect stealth malware using RootkitRevealer.
November 7, 2005
One critical aspect of system building is staying on top of the latest security threats. Another is having the best detection tools available to keep those threats at bay. The last thing you need is to deliver an infected Windows system to a customer—or to become susceptible yourself to some new form of highly undetectable, "stealth," malware.
One of the newest threats in the wild—what security mavens mean by "loose on the net"—is called a "rootkit," or RK for short. While a rootkit by itself causes no damage, it attempts to hide the presence of other malware, such as key-logging Trojans, viruses, and worms.
A rootkit differs from a virus in that it doesn’t seek to reproduce itself. Still, some modern viruses incorporate rootkits into their code libraries, very often to take advantage of a rootkit’s ability to remain hidden and elude detection. Also, rootkits borrow a page from typical virus behavior, in that they may seek to avoid detection by taking over for one or more specific system component files—in essence, adding their own agenda to whatever purpose the original files they replace may have served.
Rootkits often include components to open back doors on systems. Often they do so by incorporating stealthy remote access software that opens a system to unwanted, uninvited outside operations, much as many pieces of spyware do. But here's another way that rootkits differ from most spyware and viruses: They hide everything that might reveal their presence and activity on a system, including logins, processes, files, and logs. So little or no evidence of a rootkit's presence is ever available.
Also, rootkits can insinuate themselves into an operating system's core components, so they run as part of the kernel with the same unlimited rights and privileges typically granted to such code. Though many rootkits also often include user mode components (necessary for any kind of user interaction or information display), it's their kernel capabilities combined with their profound stealth that makes them such a nasty species of malware.
The Trouble With Rootkits
What makes rootkits truly insidious is that typical anti-virus and anti-spyware packages have great difficulty identifying them. That's because a rootkit can establish itself as part of the Windows boot-up code, an area frequently unchecked by detection programs.
To make matters worse, there aren't any automated cleanup tools available—at least for now—that can remove a rootkit once it takes up residence on a PC. In fact, security experts Mark Russinovich and Bryce Cogswell, principals at Sysinternals Freeware and Winternals Software (and the creators of the RootkitRevealer utility I feature in this Recipe), both agree that once a rootkit is contracted, the only way to get rid of it is to wipe the hard disk and reinstall everything. Woe betide those who come down with a rootkit infection and don't have a recent backup to restore!
The only exception to this is the Sony rootkit that Russinovich discovered recently. It originates from Sony Music CDs as an undocumented part of their digital rights management (DRM) software. In response to widespread consumer outrage, Sony released this patch to permit users to remove this rootkit from their computers; it does so by uninstalling a driver named "MediaJam" that makes this stealth monitor work.
As this Recipe goes to press, none of the major security suites offer a rootkit detection tool. But at least one suite vendor does plan to include such a tool in its next planned release. F-Secure plans to include a rootkit-detection tool called BlackLight in its forthcoming Internet Security 2006 suite. A free beta version of this tool is available until January 1, 2006, at the BlackLight beta page.
I didn't cover the F-Secure tool for this TechBuilder Recipe because in my opinion, Sysinternals' RootkitRevealer makes a better choice for system builder security toolkits. That's not only because it's free and because Windows kernel gurus Russinovich and Cogswell wrote and recommend it. It's also because the pair's Sysinternals RootkitRevealer page offers the download, up-to-date information, and a populated forum.
One caveat: When deploying RootkitRevealer, remember to research any anomalies the utility finds before concluding that a system has a rootkit running. As I explain later in this Recipe, false positives—or apparent anomalies that are benign rather than overt signs of rootkit presence—are fairly common when using the RootkitRevealer tool.
Ingredients
Here's all you'll need on hand before starting this Recipe:
A working PC running 32-bit Windows (Windows NT or newer versions). The examples here use Windows XP SP2 with all current security updates installed.
An Internet connection. RootkitRevealer comes in a 182 KB Zip file, so any speed connection will do, even dial-up.
While you can pick any 32-bit Windows-based system for this Recipe, I chose my standard test machine, and then used the tool on every system I own. Rootkits are potentially insidious. So even though finding one necessitates a “wipe and reinstall” maneuver, you’re better off knowing you’ve got one on a system, rather than proceeding along in not-so-blissful ignorance.
Five Steps to Installing RootkitRevealer
Let's get started. Once you have your components assembled, follow these easy steps:
Download a copy of RootkitRevealer. It's available on this RootkitRevealer page at the Sysinternals Freeware site. Scroll all the way to the bottom of the page to find the latest version.
A standard file download window should appear, as shown here:
Click the Save button, then stash the file in a directory where you'd like it to reside. For example, I have a Download folder on my hard disk where I stash all downloads, and I put experimental stuff in a sub-folder named Testing until I decide whether to trash it or move it into the Installed subfolder. In this case, I was pretty sure I wanted to keep this file, so I stashed it in my Installed subfolder.
No installer is required to use this software. Simply unzip the archive, and then extract the files into a well-chosen target directory. I put mine on my C: drive in a directory named RootkitRevealer. WinXP includes a built-in unzip utility, so simply double-clicking on the icon will do the trick. But if you're using an older version of Windows, grab a copy of good old Winzip, double-click the zip archive, and you’ll see a window like this:
Click the Extract icon on the icon bar near the top of the window. You’ll get a window that looks like this (screenshots made with WinZip 9.0 SR-1):
Navigate to the directory where you’d like to put the readme (.txt) file, the help (.chm) file, and the executable (.exe) file supplied for this tool. If you like, use the new folder icon in the upper-right corner of the program window to create a new directory. When you’re ready to put this stuff where you can find and use it, click the Extract button to unzip the files, so they’ll be ready for use.
That's all there is to it. Because there's no installer to run, the entire process should take less than a minute, or less time than it took you to read my instructions! This concludes the download and installation process for RootkitRevealer. Let's now start using the tool to detect rootkits on your systems.
Five Steps to Running Rootkit Revealer
As soon as RootkitRevealer is unzipped, the program (rootkitrevealer.exe) is ready to use. Follow these steps:
Open Windows Explorer, and navigate to RootkitRevealer’s home directory. On our test machine, that window looks like this:
Double-click the file named rootkitrevealer.exe, and you’ll launch the program. This opens its program window, as shown here:
Check the system's CD and DVD drives. If you find any discs, remove them. RootkitRevealer checks any drives it can find, including CD and DVD drives. But for now, we want to check only the system's hard drive. Also, be sure to close all other applications while running the scan, and don't try to use the system for any other work until the scan is complete.
To get the tool working, click the Scan button. The program will report on its activities in the status line at the bottom of the program window. Here's a shot of RootkitRevealer dumping the system hive, one of the major components of the Windows Registry, a key data collection area that this tool scans when looking for evidence of rootkit presence:
This tool not only scans your Registry from top to bottom, but also scans all the drives it can find. (That's why I recommended earlier that you remove any CDs or DVDs you may have mounted.) Completion time for the scanning process depends on both the size of the system's Windows Registry and the number of files (and drives) the program must chunk through. For example, on an Athlon 64 X2 machine with three hard disks and a total of roughly 65 GB of data, a complete scan took nearly 10 minutes.
Once the scan is complete, you'll get a report. Ideally, the window will report no discrepancies, as depicted here:
This is the desired outcome of using the tool, because it indicates nothing was found that could potentially indicate the presence of a rootkit on the PC. As I mentioned earlier, the best results occur when you close all applications before running the scan and leave the machine alone while RootkitRevealer is running. Otherwise, you might see a window that looks something like this:
I happened to get bored the first time I used the tool and ran my Web browser to Google a few items while waiting for the scan to complete. That’s what produced the temporary internet files that ended in …search[*].htm. Google creates these files to present search results for viewing, then deletes them when the search window is closed. But because the RootkitRevealer scan found them on the drive while they were open (even though they were gone by the time the scan was completed), the utility flagged them as potentially questionable. I was able to produce the results shown in the preceding figure (“…no discrepancies found”) for the same machine by shutting down all other applications and leaving the machine alone while the scan was running. You should do the same.
You have a choice of two ways to close the program. Either click Exit in the File menu. Or click the close box (red X) in the upper-right corner of the program window.
Interpreting RootkitRevealer Results
In the vast majority of cases, the Description field for discrepancies in RootkitRevealer will report either "Visible in Windows API, but not in MFT or directory index" or "Hidden from Windows API," as shown in another set of results I provoked from my test machine by running the tool. Note that the result looks different from previous screenshots because I stretched the display to list most directories and all descriptions in full:
After carefully inspecting all of these entries, I found they’re mostly temp files, or links to temp files. The jpeg file was opened and closed while the scan was running, which apparently resulted in having it reported as "Hidden from Windows API." Talk about thorough!
The RootkitRevealer home page devotes most of its coverage to explaining how to interpret the output. It lists the following possible descriptions:
Hidden from Windows API: While this result is common for rootkit-related items, it’s also common for NTFS metadata files (which the file system routinely hides), and for temp files that may have been in use or deleted while the scan is underway. As I've already discussed, it’s best if no other applications are running on the system while the scan is underway.
Access is Denied:
Visible in Windows API, directory index, but not in MFT.
Visible in Windows API, but not in MFT or directory index.
Visible in Windows API, MFT, but not in directory index.
Note: Though the software’s authors claim you should never see this string, they list it anyway. It never came up during my testing.
Visible in directory index, but not Windows API or MFT: A complete file scan checks all three of these types of components: the Windows API, the master file table (MFT), and on-disk directory structures associated with NTFS. Discrepancies are reported when a file shows up in one or two scan passes (but not all three), and they occur most commonly when files are created or deleted while a scan is underway. Again, it's best to not run other apps while RootkitRevealer is scanning.
Windows API length not consistent with raw hive data: Rootkits sometimes disguise themselves by misreporting the length of a Registry value to make its contents inaccessible to the Windows API. This is worth a closer look, even though it may simply indicate a Registry value that changed during a scan.
Type mismatch between Windows API and raw hive data: Rootkits can deliberately misrepresent data types to make Registry entries inaccessible to the Windows API. Should this occur, investigate thoroughly.
Key name contains embedded nulls: Where the kernel treats key names as counted (fixed-length) strings, the Windows API treats them as null-terminated strings. This makes it possible to create Registry keys that are fully visible to the kernel, yet only partially visible to the Windows API. Sysinternals offers a "Reghide" code example that demonstrates this technique, which is used by both rootkits and other forms of malware.
Data mismatch between Windows API and raw hive data: This occurs when a Registry value gets updated while a scan is underway. It often relates to things like MS SQL Server uptime or virus scanner "last scan" values. But if you see any such entries, investigate them to make sure they’re legitimate.
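The descriptions above all come from the same idea: RootkitRevealer takes several independent views of the same objects (the Windows API, the MFT and the on-disk directory index for files; the Windows API and the raw hive for the Registry) and reports any object that does not look identical in all of them. The following Python is an added illustration of that cross-view logic, not Sysinternals code and not the tool's internal algorithm: it takes constructed sample views and emits the same description strings the article lists, skipping the NTFS metadata files the file system routinely hides (that exclusion list is my assumption, not the tool's), and shows the counted-string versus null-terminated-string difference behind "Key name contains embedded nulls".

```python
"""Cross-view discrepancy classifier in the style of RootkitRevealer's report.

Added example: the views below are constructed sample data, and the
classification rules are a reading of the article's description list,
not the tool's own implementation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# NTFS metadata files are present in the MFT and directory index but hidden
# from the Windows API by design, so a scanner should treat them as benign.
# (Assumption: this list is ours, not RootkitRevealer's internal one.)
NTFS_METADATA = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef", "$Bitmap",
                 "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}


def classify_file_views(api: Set[str], mft: Set[str], index: Set[str]) -> Dict[str, str]:
    """Return {path: description} for every path not seen identically in all three views."""
    findings: Dict[str, str] = {}
    for path in api | mft | index:
        in_api, in_mft, in_idx = path in api, path in mft, path in index
        if in_api and in_mft and in_idx:
            continue  # consistent everywhere: nothing to report
        name = path.rsplit("\\", 1)[-1]
        if not in_api and name in NTFS_METADATA:
            continue  # benign: the file system hides its own metadata
        if not in_api:
            if in_idx and not in_mft:
                desc = "Visible in directory index, but not Windows API or MFT"
            else:
                desc = "Hidden from Windows API"
        elif in_idx and not in_mft:
            desc = "Visible in Windows API, directory index, but not in MFT"
        elif in_mft and not in_idx:
            desc = "Visible in Windows API, MFT, but not in directory index"
        else:
            desc = "Visible in Windows API, but not in MFT or directory index"
        findings[path] = desc
    return findings


@dataclass
class RegValue:
    """One Registry value as reported by a particular view (API or raw hive)."""
    type_name: str   # e.g. "REG_SZ", "REG_DWORD", "REG_BINARY"
    data: bytes      # the value's contents as that view reports them
    length: int      # the data length that view reports


def compare_registry_value(api: RegValue, hive: RegValue) -> Optional[str]:
    """Compare the API view of a value with the raw hive view; None means consistent.

    Length is checked first because a misreported length is what makes the
    rest of the data unreachable through the API in the first place.
    """
    if api.length != hive.length:
        return "Windows API length not consistent with raw hive data"
    if api.type_name != hive.type_name:
        return "Type mismatch between Windows API and raw hive data"
    if api.data != hive.data:
        return "Data mismatch between Windows API and raw hive data"
    return None


def check_key_name(kernel_name: str) -> Optional[str]:
    """The kernel stores key names as counted strings; the Win32 API stops at the first NUL.

    If truncating at NUL changes the name, the API can only ever see part of it.
    """
    api_view = kernel_name.split("\x00", 1)[0]
    return "Key name contains embedded nulls" if api_view != kernel_name else None


def sample_report() -> Dict[str, str]:
    """Run the checks over constructed sample views and return {item: description}."""
    kernel32 = r"C:\WINDOWS\system32\kernel32.dll"
    # A browser temp file created after the raw passes ran, as in the article.
    temp_file = r"C:\Temp\search[1].htm"
    # A driver present on disk but filtered out of the API view (constructed).
    hidden_sys = r"C:\WINDOWS\system32\drivers\sample_hidden.sys"
    api_view = {kernel32, temp_file}
    mft_view = {kernel32, r"C:\$MFT", hidden_sys}
    index_view = {kernel32, r"C:\$MFT", hidden_sys}
    report = classify_file_views(api_view, mft_view, index_view)

    # Registry value whose API length is shorter than what the hive holds.
    desc = compare_registry_value(RegValue("REG_BINARY", b"\x01\x02", 2),
                                  RegValue("REG_BINARY", b"\x01\x02\x03\x04", 4))
    if desc:
        report[r"HKLM\SOFTWARE\SampleVendor\Config"] = desc

    # Key name with an embedded NUL: the API sees only "Run".
    desc = check_key_name("Run\x00shadow")
    if desc:
        report[r"HKLM\SOFTWARE\SampleVendor\Run<NUL>shadow"] = desc
    return report


if __name__ == "__main__":
    for item, description in sorted(sample_report().items()):
        print(f"{description:60s} {item}")
```

Nothing in the sample report is a rootkit by itself; exactly as the article advises, each line is a prompt to find out why the views disagree, and a file that was simply created or deleted mid-scan produces the same "Visible in Windows API, but not in MFT or directory index" line as something deliberately hidden.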
To further interpret RootkitRevealer's results, you'll need to determine the origin or cause of what's been reported. Googling the name of the Registry key or the file for which a discrepancy is discovered is a good place to start. This will often help to illuminate whether the symptom is benign or malign. Happily, most cases will turn out to be benign, as explained earlier. But if not, the Sysinternals RootkitRevealer Forum is a great source of potential help. Also, the forums at Rootkit.com are a valuable information resource on this topic.
If you do find reports from RootkitRevealer that suggest the possible presence of a rootkit, remember that no tools currently exist that can clean up a rootkit infestation. Thus, the only remedy is to format the drive, then reinstall Windows and all necessary applications. Of course, if you don't have a current backup of that system, you'll want to obtain one before proceeding with wipe and restore maneuvers. And I strongly urge you to boot from a repair CD to run the backup. Then back up only those data files outside the OS folder hierarchy, to make certain you're not backing up the rootkit along with everything else.
Bottom line: System builders who build and maintain Windows systems should make RootkitRevealer a standard part of their security toolkit. I liked it so much, I've even created weekly Task Scheduler jobs on all my machines to run RootkitRevealer as part of my ongoing security maintenance routine.
Finally, for even more information on the latest developments on rootkits, visit anti-malware sites like Kaspersky Lab, Symantec's informative site Security Response, and the aforementioned Rootkit.com.
ED TITTEL is a freelance writer who specializes in markup languages, PCs, and networking topics. He's contributed to more than 130 books, including titles on spyware and IT certification. His upcoming book is Build The Ultimate Home Theater PC (John Wiley, November 2005). Ed has no commercial interest in any of the products, companies, or sites mentioned in this TechBuilder Recipe.