Tuesday, February 21, 2006

Detecting Rootkits using "normal" tools

Most of the Rootkits hide their processes, files and folders using API hooking techniques. Normal system tools like Windows Task Manager, Windows Explorer etc. use some Windows APIs to get the list of running processes or to show the files and folders in the system, respectively. Rootkits hook these APIs and manipulate the results so as to hide themselves. As a result, Windows Task Manager, Windows Explorer and similar tools don't "see" the rooted files.

But, there's an ingenious tool called AntiHookExec, which runs a specified program with all the hooks removed. AntiHookExec tries to find out the API hooks present in the system and if it finds any, then it "restores" the original APIs. So, the program which is started from AntiHookExec will not be affected by the API hooks of the Rootkit. AntiHookExec is an easy to use command line tool. The syntax is as shown below:

AntiHookExec ProgramName

where ProgramName is the name of the program (with its path) which needs to be started through AntiHookExec.

For example, to start Windows Task Manager through AnitHookExec, the command would be:

AntiHookExec Taskmgr.exe

Similarly, to start HijackThis through AntiHookExec, the command would be:

AntiHookExec C:\HJT\HijackThis.exe

assuming that HijackThis.exe is present in the folder C:\HJT\.

Below screenshots show the HackerDefender Rootkit's process and files visible in Windows Task Manager and Agent Ransack, a search tool, both of which started through AntiHookExec.

Friday, February 17, 2006

Rootkit detection, removal and prevention!

Here's a Wiki definition for Rootkit:
A Rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer.

Rootkits use various techniques ranging from API hooking to DKOM (Direct Kernel Object Modification) to hide their files, folders and processes. Most of the security software (like Antivirus, Antispyware etc.) aren't designed to handle these type of threats. Hence they don't "see" the rooted files. Rootkit detection and removal needs some specialized tools. Let's see how we can detect, remove and prevent Rootkits in subsequent sections.

Rootkit detection:
Since most of the Rootkits hide themselves using API hooking, the first step would be, to check whether there are any API hooks. There are quite a few tools which do this job. One of the easiest tools to check for API hooks is APIHookCheck. This is a command line tool, just type:

APIHookCheck > result.html

at Command Prompt from the directory where the executable is present. It generates a HTML file with the results. Here's a screenshot of result generated by APIHookCheck in system with HackerDefender in it:

As you can see from the aboce screenshot, the export addresses of APIs in the NTdll.dll are pointing to some other module which is outside the Ntdll.dll's address space. This could indicate a Rootkit activity.
VICE, IATHookAnalyzer and Rootkit Hook Analyzer are similar tools, which scan for API hooks. (Unfortunately, Rootkit Hook Analyzer and IATHookAnalyzer missed the HackerDefender!)

Another interesting tool is DeviceTree. It lists all the drivers present in the system. DeviceTree is not technically a Rootkit detector, but can be used as one, because most of the Rootkits will have a driver to operate in kernel mode. Since this driver is hidden, this can not be located by a search. DeviceTree is so powerful that even Rootkit drivers are listed by it! Here's a screenshot showing DeviceTree detecting HackerDefender Rootkit:

Rootkit removal:
Above mentioned tools are quick ways to check for Rootkits, and if any hooks are found, then the next task is to search all the Rootkit related processes, services (drivers) and files to remove them. Following are some of the tools which can be used:
Rootkit Revealer is one of the popular Rootkit scanners. I don’t need to say anything about it ;-). But it doesn't provide any method to remove the detected files. The detected files can be deleted using the "Delete on reboot" option in KillBox ("Standard file kill" will NOT work). Here's a screenshot showing Rootkit Revealer scan results:

As of now, IceSword is treated as one of the most advanced Rootkit detection and removal tool, and moreover it's free! It provides the facility to kill/stop the hidden Rootkit processes and services. Once these processes are stopped, the Rootkit files become visible and they can be deleted in conventional way. Here's a screenshot showing the IceSword in action:

F-Secure BlackLight and Greatis UnHackMe are some of the tools which can detect and remove Rootkits. UnHackMe is a commercial software and BlackLight will become one from march, 2006. Latest versions of Webroot SpySweeper and PC Tools Spyware Doctor are also able to handle Rootkits!

Rootkit prevention:
Most of the Rootkits use drivers to work in kernel mode. In Windows NT based systems, the drivers can be loaded/unloaded using techniques similar to the creation/termination of a service. Most of the Rootkits use these techniques to load their driver into memory. In Windows NT based systems, only users with Admin rights are allowed to install program which have drivers or which create services. The same rule holds for a Rootkit too, if the user doesn't have Admin rights, then it can't start and hence it can't hide itself! So, the first step in prevention of Rootkit is to run in less privileged user mode.

Another simple method is make use of the sc command in Windows XP. Just run the command sc lock at Command Prompt. This locks up the Windows Service database. Due to this, new services can not be created or initiated! This prevents the Rootkit from installing! The disadvantage (if it can be called as one) is that the Command Prompt window in which the sc is executed, should no be closed. If it's closed, then the service lock is released.

Another approach is to use HIPS (Host based Intrusion Prevention System) tool like AntiHook. This tool actively monitors the system and alerts the user if some programs attempts to hook APIs.

And lastly, there's one interesting tool called Sandboxie, as the name says it creates a sand box like environment within which we can run any program. Most of the malware which use Rootkit technology come to the system through the exploits in the web browser.If the browsers are sandboxed, then there is no way a malware can enter into the system, as Sandboxie intercepts all the data flow from the browser and stores in its transient storage area. Both AntiHook and Sandboxie are available for free, so give them a try!