What is a Rootkit?
A rootkit is a software program that enables attackers to gain administrator access to a system. On Unix/Linux systems, this is called “root” access. Rootkits contain tools and code that help attackers hide their presence and keep full, continuous control of the server or client machine without being noticed. Sometimes they even cause typical malware-type problems. I had a case where a browser hijack was being caused by a particular rootkit installed on the system. In this article, I will show you one way to remove a rootkit from a Windows system.
“Rootkits are usually installed on systems when they have been successfully compromised and the highest level of access has been given (usually root). Some rootkits refuse to be installed until the attacker has root access, due to read and write permission to certain files. Once the system has been successfully compromised and the attacker has root, he/she may then install the rootkit, allowing them to cover their tracks and wipe the log files.”
A typical rootkit consists of the following utilities:
- Backdoor Programs – login backdoors, telnetd etc
- Packet Sniffers – Sniff network traffic such as FTP, TELNET, POP3
- Log-Wiping Utilities – Bash the logs to cover tracks
- DDoS Programs – Turn the box into a DDoS client (Remember trinoo?)
- IRC\Bots – Bots used to take over IRC channels (Lame and annoying)
- Miscellaneous programs – May contain exploit, log editor
Types of Rootkit
- Persistent Rootkits
A persistent rootkit activates each time the system boots. Normally these types of Rootkits are stored in the system registry.
- Memory-Based or non-Persistent Rootkits
Memory-based rootkits will not automatically run after a reboot; they are stored in memory and lost when the computer reboots.
- User-mode Rootkits
User-mode rootkits operate at the application layer and filter calls going from the system API (Application programming interface) to the kernel. These rootkits normally change the system binary files to malicious code that redirects control of the computer to the creator of the rootkit.
- Kernel-mode Rootkits
Kernel-mode rootkits hook the system’s kernel APIs and modify data structures within the kernel itself. These are the most effective and dangerous types of rootkits. Kernel-mode rootkits are very difficult to detect and can hide on a system without any indication of being active.
- Bootkits
Bootkits are variations of kernel-mode rootkits that infect the Master Boot Record (MBR). The malicious code can be executed before the computer actually boots.
- Firmware Rootkits
A firmware rootkit infects a device or piece of hardware where code resides, such as a network card or the system BIOS.
Mebromi firmware rootkit: http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
- Hypervisor Rootkits
These are newer types of rootkits that infect the hypervisor layer of a virtual machine setup. The hypervisor is basically the layer between the physical hardware (host system) and the virtual system (guest), although a type II hypervisor can be installed on top of an OS in order to present a virtual layer to the virtual system. These rootkits can intercept hardware “calls” going to the original operating system.
How to remove the Rootkit
This is where it gets fun! There are different approaches and really no single foolproof method, nor is it guaranteed that the rootkit will be fully removed. As a matter of fact, there are some computer security experts who simply recommend formatting the drive and completely re-installing the operating system.
The Manual Method
This may or may not be more time consuming than trying to search using an automatic tool. If you are familiar with legitimate Windows services and programs and can pick out suspicious files, then this could be the way to go. Many times, rootkit scanners will not detect rootkit infections, especially if they are new, so this may be the way to go if you don’t want to go straight to the nuke-and-pave solution.
Technibble has a video on using Process Explorer and AutoRuns to remove a virus. Finding a rootkit would be a similar process using these tools.
Read here for more on HijackThis and the HijackThis reader. Those tools can be used to find suspicious processes and files, and each has a unique form of analysis.
Here is a process for locating a rootkit via msconfig:
1. Open msconfig and enable bootlog.
- In XP, go to Start, then Run. Type in “msconfig” (without quotes). Go to the “boot.ini” tab and tick “Boot log”.
- In Vista and Windows 7, go to Start and type in “msconfig” (without quotes). Go to the “Boot” tab and tick “Boot log”.
2. Restart the computer.
3. Open C:\WINDOWS or C:\WINNT, open ntbtlog (ntbtlog.txt) and search for malicious files.
You can start by searching this short list from Computersight.com for the files starting with the following names. The names may contain some random characters after them.
Note the full path of any matching file, for example: \SystemRoot\system32\drivers\BadRootkit.sys
For an exhaustive list of rootkits that you can search for, check out this Rootkit List from Bleeping Computer.
4. Open up a command prompt and deny all access to the file using either the CACLS or ICACLS command.
For example, type cmd in the Run box (XP) or search box (Vista/7) with Admin privileges (in Vista and Windows 7, hit Ctrl-Shift-Enter to open the command prompt as an Admin) and type
cacls C:\WINDOWS\system32\drivers\BadRootkit.SYS /d everyone
or
icacls C:\WINDOWS\system32\drivers\BadRootkit.SYS /deny *S-1-1-0:(F)
(cacls /d everyone denies all users access to the file. icacls /deny Sid:perm can deny simple or specific rights; S-1-1-0 is the well-known SID for Everyone, a numeric SID must be prefixed with *, and F (full access) covers the M, RX, R and W rights.)
5. Restart the computer.
6. Search for the file in the following location and remove it:
C:\WINDOWS or C:\WINNT
Clear the temp, %temp% and prefetch folders
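Step 3 above, as an added example that is not part of the original article: a Python triage of a copied ntbtlog.txt that lists the loaded drivers and flags any that match a name prefix (allowing random trailing characters), load from outside the usual driver directories, or are missing from a baseline taken from a known-clean boot log. The sample log, the prefix list, the baseline and the expected-directory set are assumptions constructed for illustration.

```python
# Constructed sample in the ntbtlog.txt line format (not from a real machine).
# "BadRootkit" is the article's placeholder; the "qx" suffix and helper.sys are made up.
SAMPLE_LOG = r"""Microsoft (R) Windows (R) Version 6.1 (Build 7601)
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\system32\drivers\BadRootkitqx.sys
Did not load driver \SystemRoot\system32\drivers\vga.sys
Loaded driver \??\C:\Users\Public\helper.sys
"""
# Assumption: drivers normally load from these two directories.
EXPECTED_DIRS = {r"\systemroot\system32", r"\systemroot\system32\drivers"}
PREFIX = "Loaded driver "

def decode_log(raw):
    """Decode the file's bytes: UTF-16 when a BOM is present, else cp1252."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def loaded_drivers(text):
    """Paths from 'Loaded driver' lines, in boot order, without repeats."""
    seen, paths = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(PREFIX):
            path = line[len(PREFIX):].strip()
            if path.lower() not in seen:
                seen.add(path.lower())
                paths.append(path)
    return paths

def triage(text, name_prefixes=(), baseline=()):
    """Return (path, reasons) for every loaded driver worth a manual look."""
    known = {p.lower() for p in baseline}
    findings = []
    for path in loaded_drivers(text):
        folder, _, name = path.lower().rpartition("\\")
        reasons = []
        if any(name.startswith(p.lower()) for p in name_prefixes):
            reasons.append("name-prefix")      # known name plus random suffix
        if folder not in EXPECTED_DIRS:
            reasons.append("unusual-dir")      # triage hint, not proof
        if known and path.lower() not in known:
            reasons.append("not-in-baseline")  # absent from the clean boot log
        if reasons:
            findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, name_prefixes=["BadRootkit"]):
        print(path, reasons)
```

For a real log, read the file in binary mode and pass the bytes through decode_log first; a flagged path is only a candidate for the manual checks described in this section.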
The Automatic/Semi-Automatic Method
You can check out a list of rootkit removal tools here.
I would first fire up TDSSKiller from Kaspersky. It runs a fairly quick scan and TDSS variants are popular, so it may catch something on the first attempt.
If TDSSKiller comes up empty, then try out GMER, which is a powerful and exhaustive rootkit scanner.
From there I like to use AVG’s Rootkit Scanner. This tool has actually found quite a few rootkits for me. It’s also good to run it after you have removed the rootkit to be thorough, although you could do that with any of these tools. Another program worth mentioning at this point is the new Microsoft Standalone System Sweeper Beta. There has been some buzz that this tool has been fairly successful at finding hidden rootkits.
If these rootkit scanners are not finding anything, or they do find something but can’t delete it, then you may have to move to the manual method. You can also keep trying other tools, but there does come a point when you have to evaluate whether the time and effort are worth it, or whether you should try a manual method or perform a full re-installation of the operating system.
There is more than one way to find and kill a rootkit. What is your process?