Rootkits

kwmf (Well-Known Member, joined Nov 30, 2005, Durban)
At the request of Vodacom3G (did I mention he likes to bully me), here's a simple quick and dirty 1 pager on root-kits.


What is a Root-Kit?
The term root-kit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, anti-virus, security and system management utilities. When malware or spyware utilize a root-kit, it can make itself invisible to security systems, including anti-virus tools and system-diagnostic tools such as Task Manager. Usually, a root-kit will obscure its installation and attempt to prevent its removal through a subversion of standard system security, such as removing or disabling anti-virus and other security software. Root-kit commands replace original system commands to run malicious commands chosen by the attacker and to hide the presence of the root-kit on the system by modifying the results returned, thereby suppressing all evidence of the presence of the root-kit. A root-kit is often used to hide other utilities, which are often used to abuse a compromised system. These may include so-called "backdoors" to help the attacker subsequently access and gain control of the system more easily, send out spam emails, launch attacks against other computers, pop up advertisements while using the internet, record internet usage, steal passwords or other personal information, or anything else of the attacker's choosing.


How to detect
Root-kits are usually detected by UPDATED anti-virus or anti-spyware programs when the root-kit tries to infect a computer. Once a root-kit has infected a computer, detection becomes much more difficult and complex. The fundamental problem with root-kit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running programs or a list of all files and folders cannot be trusted to behave as intended, since a root-kit can modify the output of such requests. There is no surefire way to detect a root-kit from within a running system, since a root-kit is capable of controlling any aspect of the system. It is possible to look for signs of a possible infection so that one may look deeper for the cause.

A spyware/root-kit infestation can create significantly higher CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application or system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to or maintaining a connection to the Internet.

Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis while others display ads in response to specific sites that the user visits. Pop-up ads commonly relate to pornography, pharmaceuticals, gambling or financial schemes. Links to these sites may be added to the browser window, history or search function.

Root-kits and spyware often attempt to disable and/or remove existing firewalls, anti-virus, anti-spyware and other security software, often causing them to crash. You may also get errors when using normal Windows network utilities such as PING, TRACERT, NETSTAT, etc., which would make it appear that TCP/IP and Winsock are corrupt.

If a computer is exhibiting such symptoms, the following actions can be done to try to confirm if there is malware present…
  • Scan the computer with an updated anti-virus program
  • Scan the computer with an updated anti-spyware program (e.g. Spybot, Ad-Aware, AVG, etc)
  • Connect to the internet but do nothing for at least 30 minutes. If your computer is uploading or downloading a lot of data during this time, it’s a good sign there is an infection.
  • Get an IT support specialist to look and see what processes are running (e.g. SysInternals Process Explorer), what connections are being made on the Internet (e.g. SysInternals TCP View) and what programs start automatically (e.g. SysInternals AutoRuns). They can analyze the data from such exercises to determine if something is wrong.
  • Get an IT specialist to use specialized tools such as SysInternals Root-kit Revealer, Trend Micro HijackThis, AVG Anti-Rootkit, WireShark, etc. to analyze the system activity.
  • Take the OS offline (via hard drive removal or Live CD) and perform malware scans.


How to recover
Due to the nature of infections, recovery is often tricky and requires a lot of time and effort. Because a root-kit renders an operating system untrustworthy, the only way to return it to a trustworthy state is to reformat and reinstall the system. No removal can render a system trustworthy again. Often removal attempts can result in further system instabilities or total system crashes, even in safe mode. The recommended action is to contact your IT support to backup your information and reinstall the operating system and all applications and data.
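The detection principle behind a tool like the Root-kit Revealer mentioned above is a cross-view comparison: a root-kit that filters what the running OS reports cannot also filter an independent low-level or offline view of the same data, so the two views are diffed. This is an added illustration, not code from the post or from any SysInternals tool; both listings below are constructed sample data.

```python
"""Cross-view discrepancy check over two directory listings.

api_view: what the running OS reports (Explorer, dir, API calls).
raw_view: the same folder enumerated without that interface (raw
          file-system parsing, or a scan from a Live CD).
Entries in raw_view only are "hidden" candidates; entries in api_view
only are "phantom" entries.  Either kind deserves a closer look.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str  # "hidden" (raw view only) or "phantom" (API view only)


def _normalize(path: str) -> str:
    # Windows paths are case-insensitive; ignore case, slash style and a
    # trailing separator so spelling differences are not reported.
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view(api_view: list[str], raw_view: list[str]) -> list[Discrepancy]:
    """Return the entries the two views disagree on, sorted by path."""
    api = {_normalize(p): p for p in api_view}
    raw = {_normalize(p): p for p in raw_view}
    hidden = [Discrepancy(raw[k], "hidden") for k in raw.keys() - api.keys()]
    phantom = [Discrepancy(api[k], "phantom") for k in api.keys() - raw.keys()]
    return sorted(hidden + phantom, key=lambda d: d.path.lower())


# Constructed example: the listing the running OS gave versus the listing
# an offline scan of the same folder produced.  File names are made up.
API_LISTING = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\HTTP.SYS",
]
RAW_LISTING = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\http.sys",
    r"C:\Windows\System32\drivers\example_hidden.sys",  # constructed placeholder
]

if __name__ == "__main__":
    for d in cross_view(API_LISTING, RAW_LISTING):
        print(f"{d.kind:7s} {d.path}")
```

A discrepancy is a lead, not a verdict: the post's own caveat applies, and the final answer is an offline scan or a rebuild.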
 
Oh that I know from first-hand experience... :rolleyes:

Also note that not all Root-Kits are detectable by Anti-Virus Apps(even updated), AFAIK.

And if detected, not easily removed.

There are also specialised root-kit detectors and root-kit removers to help. Quite tricky if you don't know what to look for. Had to use a few in my previous job.
 
Well the reason V3G asked me to put this together was because malware is getting rather aggressive these days and we're going to see an increase in the use of rootkits.

This was prompted by a case with a 3G client with very high data usage. If you don't have a background in this kind of thing you're not going to see it. I actually had to go teach the client's IT company about it because they couldn't find a thing and assumed they were looking for a polymorphic virus.

These things are going to be big problems for any usage based billing systems, and a little education goes a long way.

One of the most useful tools to me is the SysInternals Rootkit Revealer. Takes a while to run (when it's doing the low level file scan portion of its scans) and requires an IT person skilled in this field to interpret the results ... but shows up almost any rootkit. Well, with the exception of those not attempting to hide from API calls, but then those get picked up by Spybot, AVG, etc.

General rule of thumb ... if it's suspect - then it IS ... reformat !!!
 
rootkits drive me blerry mad,

I've had to deal with my fair share of them in my current company, and when I was a field-technician it took up easily 70% of any given day for me.
 
Oh, as far as removal goes...
As far as I am concerned, you cannot turn something untrustworthy into something trustworthy. Removal is to hold the system together long enough to backup your data (which you shall submit to a full intensive malware scan on a clean system), reformat and reload the OS and then reload said (scanned) data.

Right royal pain in the .......
 
Yeah.

Used to drive my boss mad because I would do enough to backup the data and then promptly start formatting and reinstalling. Usually the machines I worked on stayed clean for longer than the ones he just removed the rootkits etc from. That also used to drive him mad as well but hey.. :)
 
it took up easily 70% of any given day for me.

Oh absolutely, and you need to be reasonably skilled to deal with these sort of things.

Scary thing is, even updated preventative measures won't always stop these things. Not so long ago my brother got hit by a nasty piece of malware, and he's been around PCs as long as I have (although not as technically, but he's no dunce).

The attack vector was actually via an older piece of Java that had been superseded by an updated version ... but that you were manually expected to remove yourself.

Even once I identified it, I couldn't kill it via simple (within 20 minute) methods. Once we got to the point where we decided to reformat and he had backed things up, I got a little more aggressive in my tactics. Almost thought I had it after a reboot showed all clear and no activity, unfortunately a second reboot just to prove the point resulted in the OS failing to start up again - even in safe mode.

These damn things are getting more and more aggressive and more widespread. There's going to be a lot of finger pointing, hair pulling and head scratching in the future because of these things.

Your first line techs are not going to be able to spot this in the short time they have with clients. At the rate with which people get hit by simple spyware, I fear the damage rootkits will do.

As always, the weakest link is always a case of PEBKAC.
 
Oh, as far as removal goes...
As far as I am concerned, you cannot turn something untrustworthy into something trustworthy. Removal is to hold the system together long enough to backup your data (which you shall submit to a full intensive malware scan on a clean system), reformat and reload the OS and then reload said (scanned) data.

Right royal pain in the .......
Yep, once a system is compromised and subsequently cleaned up by anti-malware s/w, there is still a chance that some malware remains, and even if all malware is removed there are still likely to be settings and data that have been changed by the malware that has been removed - e.g. in the registry, which can subsequently make it easy to again compromise the system - not that that is difficult in Windoze.

However, I recommend ditching Windoze and installing a different OS, e.g. Ubuntu Linux...
 
I've had my fair share of, well... the whole lot of them.

Once I sat from 7pm to 7pm to get rid of a very aggressive piece of spyware. Eventually I gave up and opted for format and re-install, and (as usual what happens when I give up) I got it off, but by then my PC had already suffered tremendously from the attack.

And I agree, they are getting more and more aggressive by the day.

With my old PC (which I left at home after I moved back here) I was a security nut. I had a little bit of everything, and did regular scans and security checks, data backup, etc.

Today I am more laid back, as I know what to look for, and when I see something suspicious, I act quick before it gets the better of my machine.

ATM I'm using ESET's NOD32 Smart Security, and it works like a charm.
 
However, I recommend ditching Windoze and installing a different OS, e.g. Ubuntu Linux...

Kinda goes to the question of which OS is the most secure, which is where I have a different answer - depends which one you know how to secure. :D

While I'm not afraid of command prompt (I come from pre DOS 3 days) and have worked within a *nix environment, there's no way I could secure it as well as a M$ environment - therefore, if I were the admin, Micro$oft would be the most secure OS.

I guess, if a user is equally illiterate then it doesn't matter :rolleyes:

All jokes aside though, once you're a little educated it's FAR easier to avoid the whole situation. One of my clients actually put it really well when they said "oh ... so it's like AIDS, it's easier to prevent than cure" - I thought that was priceless :D
 
Kinda goes to the question of which OS is the most secure, which is where I have a different answer - depends which one you know how to secure. :D

While I'm not afraid of command prompt (I come from pre DOS 3 days) and have worked within a *nix environment, there's no way I could secure it as well as a M$ environment - therefore, if I were the admin, Micro$oft would be the most secure OS.

I guess, if a user is equally illiterate then it doesn't matter :rolleyes:

All jokes aside though, once you're a little educated it's FAR easier to avoid the whole situation. One of my clients actually put it really well when they said "oh ... so it's like AIDS, it's easier to prevent than cure" - I thought that was priceless :D
There are a bunch of things one can do to make Windoze more secure, and while I've been down that road over the years, I've found that there is simply too much that one has to change on an out-of-the-box Windoze installation to make it more secure, also I have better things to do than continuously running Windoze Update to ensure that Windoze PCs have all the latest hotfixes - the amount of data transferred is also problematic in SA where Telkodemonopolies tries to convince the average ADSL user that 3GB is more than enough to get by with every month.

Ubuntu Linux also requires regular updating, but IMO consumes far less data compared to Windoze Updates, and there's very little that one has to change on an out-of-the-box Linux installation to prevent most malware from taking over - in particular the lack of Intranet Exploder makes Linux a much more secure OS environment...
 
Granted, but the situation is what it is, and most people are not going to give up on their M$ products.

I say use whatever product serves your needs, just be sure to ensure you are safe.
 
Granted, but the situation is what it is, and most people are not going to give up on their M$ products.

I say use whatever product serves your needs, just be sure to ensure you are safe.
Sure, but using M$ products kinda implies an inherent lack of safety :p.

One of the reasons I use Linux, is that I can do what I used to do in Windoze, having said that, I am not a gamer - which basically still does require Windoze due to a lack of gaming apps etc for Linux, and then there's the whole DirectX debate as well...
 
Connect to the internet but do nothing for at least 30 minutes. If your computer is uploading or downloading a lot of data during this time, it’s a good sign there is an infection.

Not necessarily. Windows Update, Acrobat Reader, Firefox and a number of other applications (including anti-virus programs) have auto-updates that start in the background. Auto-updates are one cause of high volume data transfer when there is no user activity.

The trouble with some of these applications is that some of them will download the update and only inform you after the update has been downloaded.

I would like to see some stats on the average 3G cost of keeping a Windows XP and Vista system up to date with the latest patches (assuming 3G is your primary Internet connection).

WireFree
 
Absolutely correct.

The context in which this (really) short piece was written was that of a user who suddenly experiences a high usage bill - often repeatedly. In that context the updates are usually done by the time someone starts looking at it.

The problem needs to be attacked with a number of tools, with things like the SysInternals Process Explorer and TCPView being standard issue.

Seeing network activity such as this is merely a sign that you need to look and see what is going on.
 
Not necessarily. Windows Update, Acrobat Reader, Firefox and a number of other applications (including anti-virus programs) have auto-updates that start in the background. Auto-updates are one cause of high volume data transfer when there is no user activity.

The trouble with some of these applications is that some of them will download the update and only inform you after the update has been downloaded.

I would like to see some stats on the average 3G cost of keeping a Windows XP and Vista system up to date with the latest patches (assuming 3G is your primary Internet connection).

WireFree

Customer. Last week. Came to me querying her data usage. She said she hardly used it, just for emails. She wanted to know how it could just be all gone because she got the SMS "Your data bundle has been depleted. Please refer to your monthly bill for final data charges".

She was being billed prorata, as she took it out about in the middle of the month, so she had about 250Megs to use.

I thought to myself that it can't be Windows Update, because the last time I checked it was about a 30Meg download.

I went into Control Panel, checked under Windows Update, and 217Megs worth of Windows Update WAS downloaded. This was on Windows Vista Basic.

I recently installed Windows Vista Ultimate on my machine, and checked Windows to inform me of what updates are available. There was about 100Megs of Updates.
 
I went into Control Panel, checked under Windows Update, and 217Megs worth of Windows Update WAS downloaded. This was on Windows Vista Basic.

I recently installed Windows Vista Ultimate on my machine, and checked Windows to inform me of what updates are available. There was about 100Megs of Updates.

I bet the viruses, spyware, rootkits, etc. are a fraction of the size.

WireFree
 
Malware will create a lower data rate but will be more continuous. Even at 40Kb/s, it adds up quickly.
That generally depends on what the malware is attempting to use the connection for, and usually where there is one type of malware one finds other malware as well - collectively all the malware using the connection at the same time, can max out the connection and make browsing even lightweight sites difficult.

Example: malware that scans a PC for files that it believes might contain private & confidential info [think account numbers & passwords etc], might stumble across a relatively large file and decide to transfer that large file using any available connection with a route to the internet - here the size of the file(s) being transferred can max out the connection.

More intelligent malware attempts to hide its presence by limiting the transfer rate to avoid detection.
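The thread's idle-traffic check (leave the PC alone for 30 minutes and watch whether it still transfers data), WireFree's caveat that auto-updates do the same, and the point that a low but continuous rate such as 40Kb/s adds up can be turned into one scoring rule over periodic byte-counter samples. This is an added example, not something from the posts; the thresholds are assumptions chosen for illustration and the counter series are constructed, not captured from a real machine (on a real system they would come from the interface byte counters read once a minute).

```python
"""Score idle-period network activity from cumulative byte counters."""
from __future__ import annotations

import statistics

# Assumed thresholds (not from the thread): an interval is "active" at or
# above IDLE_BPS; "sustained" means active in at least SUSTAIN_RATIO of them.
IDLE_BPS = 2_000
SUSTAIN_RATIO = 0.8


def rates_bps(samples: list[int], interval_s: int) -> list[float]:
    """Turn cumulative counters into per-interval rates in bytes/second."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    out = []
    for prev, cur in zip(samples, samples[1:]):
        # A counter that goes backwards means a reset (reboot/wrap); skip it.
        out.append(0.0 if cur < prev else (cur - prev) / interval_s)
    return out


def classify_idle_traffic(samples: list[int], interval_s: int = 60) -> dict:
    """Verdicts: 'idle' (nothing much), 'burst' (short high transfer then
    quiet, update-like), 'sustained' (transfer in most intervals, even at a
    low rate: the pattern to chase with Process Explorer / TCPView)."""
    rates = rates_bps(samples, interval_s)
    if not rates:
        raise ValueError("need at least two samples")
    active = [r for r in rates if r >= IDLE_BPS]
    active_fraction = len(active) / len(rates)
    if active_fraction < 0.2:
        verdict = "idle"
    elif active_fraction >= SUSTAIN_RATIO:
        verdict = "sustained"
    else:
        verdict = "burst"
    median_active = statistics.median(active) if active else 0.0
    return {
        "verdict": verdict,
        "active_fraction": round(active_fraction, 2),
        "median_active_bps": median_active,
        "total_bytes": int(sum(r * interval_s for r in rates)),
        # What a sustained rate costs per day against a data bundle.
        "bytes_per_day_at_this_rate": int(median_active * 86_400) if verdict == "sustained" else 0,
    }


def _counters(bytes_per_minute: list[int]) -> list[int]:
    """Build a cumulative counter series from per-minute byte totals."""
    total, out = 0, [0]
    for b in bytes_per_minute:
        total += b
        out.append(total)
    return out


# Constructed 30-minute idle windows, sampled once a minute.
UPDATE_BURST = _counters([1_500_000] * 10 + [500] * 20)   # 15MB update, then quiet
LOW_CONTINUOUS = _counters([300_000] * 30)                 # 5KB/s (40Kb/s) all along
QUIET = _counters([200] * 30)                              # background chatter only

if __name__ == "__main__":
    for name, series in [("update", UPDATE_BURST), ("low/continuous", LOW_CONTINUOUS), ("quiet", QUIET)]:
        print(name, classify_idle_traffic(series))
```

The 5KB/s series comes out at about 432MB a day, which is how a "hardly used" 250Meg bundle disappears; a "sustained" verdict is a reason to look at which process holds the connections, not a diagnosis by itself.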
 