MoMusings

Tuesday 12th April, 2005


Rootkits Revealed

Filed under: All, Malware

Rootkits have been around for *NIX systems for many years, however they are now a growing problem for Windows systems. This entry will cover what a rootkit is, how they work and more importantly how to detect and remove them.

What is a rootkit?
A rootkit is a collection of tools an intruder brings along to a victim computer after gaining initial access, usually by hacking into the box manually or by getting a user to execute a Trojan or Worm that installs a backdoor for them to slither onto the system in the first place. A rootkit generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities. There is, however, another type which doesn’t tend to replace system files: kernel [LKM] rootkits, which subvert the system by attaching themselves to, or otherwise modifying, the kernel of the targeted operating system.

Some examples of such kernel rootkits on Linux include: Knark, Adore, and Rtkit.


Although *NIX rootkits have been around for many years and are generally considered the major threat to *NIX security, there are also a growing number of Windows rootkits. This ‘rootkit’ scenario is a complete about-face when compared to other classes of malware, where DOS/Windows is the most targeted and *NIX is little more than a drop in the malware ocean.

Some examples of Wintel rootkits include: Hacker Defender, FU and Vanquish.

One of the rootkits mentioned above [Hacker Defender] was originally released about a year ago and, as mentioned in a previous posting, has recently been updated to be even more stealthy and to use encryption to protect its outbound communications [phone-home and remote control traffic].

So, in conclusion, there are two currently known classes of rootkits: application level and kernel level.

How do they work?
The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected. A rootkit makes this very easy by installing a backdoor remote-access trojan [daemon or application aka a RAT].

Application level rootkits come with modified system binaries that replace the existing ones on the target system. Why do they use modified system binaries? To hide their presence and the actions of those using the rootkit, of course. In other words, to cover their tracks... out of sight is out of mind!

How do I detect and remove them?
Most rootkits will mimic the creation dates and file sizes of the original system binaries when replacing them with infected versions, so keeping records of these file statistics is not [and has never been] sufficient. The best way to build an inventory of system file information that can be used to identify suspicious activity on the system [server or workstation] is to calculate cryptographic checksums [effectively ‘electronic fingerprints’, using strong hash functions such as MD5, SHA1 or better] of these files and store them in a safe location, such as on a CD.

These ‘electronic fingerprints’ can then be compared against recomputed ‘electronic fingerprints’ of the same files on a regular schedule. This highlights any file that has been changed, as it would no longer have the same ‘electronic fingerprint’. In other words, the replaced files would be unmasked and the game would be over for the rootkit!
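As an added example (not code from the original post or from any of the tools listed below), a small Python script that builds such a checksum inventory and later compares it, including the case the text warns about: a replacement that keeps the original size and timestamp. The file name and contents in the demo are constructed, and SHA-256 is used in place of MD5/SHA1.

```python
import hashlib, os, tempfile
from pathlib import Path

def fingerprint(path, algo="sha256"):
    """Chunked cryptographic checksum: the file's 'electronic fingerprint'."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algo="sha256"):
    """Size, mtime (ns) and hash of every regular file under root, keyed by relative path."""
    root = Path(root)
    inv = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            inv[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime": st.st_mtime_ns, "hash": fingerprint(p, algo)}
    return inv

def compare(baseline, root, algo="sha256"):
    """Recompute fingerprints and classify differences against the stored inventory."""
    current = build_baseline(root, algo)
    report = {"added": [], "removed": [], "changed": [], "stat_unchanged": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["hash"] != current[rel]["hash"]:
            report["changed"].append(rel)
            old, new = baseline[rel], current[rel]
            # Same size and timestamp but a different hash: exactly the replacement
            # a stat-only record misses and the checksum unmasks.
            if (old["size"], old["mtime"]) == (new["size"], new["mtime"]):
                report["stat_unchanged"].append(rel)
    return report

def demo_same_size_replacement():
    """Constructed scenario: a fake 'ls' is swapped for same-length content with its mtime restored."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "ls"
        target.write_bytes(b"original ls binary contents")  # constructed sample, 27 bytes
        st = target.stat()
        baseline = build_baseline(root)
        target.write_bytes(b"trojaned ls binary contents")  # also 27 bytes
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # mimic original timestamp
        return compare(baseline, root)
```

In practice the baseline would be written out (e.g. as JSON) to read-only media and the comparison run from a trusted boot, since a kernel rootkit can lie to the checker about what it reads.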

Suitable tools are listed below, along with the OS that they are suitable for:

Tripwire [*NIX GPL]
Tripwire [*NIX, Wintel, Commercial]
AIDE [*NIX]
AFICK [*NIX, Wintel]
GFI LANguard [Wintel]
ADinf [Wintel, Commercial]
Integrity Master [Wintel, Commercial]

There are a number of tools available that claim to be able to detect and remove rootkits; these are listed below, along with the OS that they are suitable for:

ChkRootkit [*NIX]
Rootkit Hunter [*NIX]
RootkitRevealer [Wintel]
UnHackme [Wintel]
Blacklight [Wintel]

Links to pages with more details on rootkits:
http://en.wikipedia.org/wiki/Rootkit
http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html
http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

