Rootkit detector - another must have for windows users.

  • 01-05-2005 2:06pm
    #1
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭


    Many people still seem to think that antivirus software is all you need. :rolleyes: I've posted elsewhere that XP SP1 has been taken over within 30 seconds of being connected to the internet.

    Recommended types of security apps - you need at least one of each.
    Antivirus
    Browser - with secure settings (and/or an alternative browser in case one is hijacked)
    Firewall
    Malware/Spyware
    Script blockers
    Patches & service packs
    Rootkit revealer NEW!

    www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
    RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!
    ...
    You can perform scans of remote systems by executing it with the Sysinternals PsExec utility using a command-line like the following:

    psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log
    http://www.sysinternals.com/files/rootkitrevealer.zip - 190KB
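    The quoted description says RootkitRevealer works by listing "Registry and file system API discrepancies". The following C program is an added illustration of that cross-view idea and is not Sysinternals' code: it compares a constructed "API view" of a directory (what a program enumerating through the Windows API would see) against a constructed "raw view" of the same directory (what a scanner reading the volume itself would see) and reports entries present in one view but not the other. The file names, paths and the hidden-driver scenario are made-up sample data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Cross-view rootkit detection, simulated in user space.
 *
 * A rootkit that hooks the Windows API can hide files and registry keys from
 * programs that enumerate through that API, but it cannot easily hide them
 * from a scanner that reads the raw NTFS volume or registry hive directly.
 * Any entry present in one view and absent from the other is a discrepancy.
 * Both listings below are constructed sample data, not output of a real scan. */

#define MAX_DIFF 16
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed "API view": what FindFirstFile/FindNextFile would report on a
 * system where a user-mode rootkit hides its own driver and config file. */
static const char *api_view[] = {
    "C:\\WINDOWS\\system32\\kernel32.dll",
    "C:\\WINDOWS\\System32\\NTDLL.DLL",     /* same file as below, different case */
    "C:\\WINDOWS\\system32\\drivers\\etc\\hosts",
    "C:\\WINDOWS\\system32\\~tmp0001.tmp",  /* temp file deleted before the raw pass */
};

/* Constructed "raw view": the same directory read directly from the volume. */
static const char *raw_view[] = {
    "C:\\WINDOWS\\system32\\kernel32.dll",
    "C:\\WINDOWS\\system32\\ntdll.dll",
    "C:\\WINDOWS\\system32\\drivers\\etc\\hosts",
    "C:\\WINDOWS\\system32\\drivers\\hidden.sys",  /* hypothetical hidden driver */
    "C:\\WINDOWS\\system32\\hidden.ini",           /* hypothetical hidden config */
};

/* NTFS paths are case-insensitive and the two views may report different case
 * for the same file, so compare case-insensitively to avoid false discrepancies. */
static int path_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int in_view(const char *path, const char *const *view, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (path_equal(path, view[i]))
            return 1;
    return 0;
}

/* Entries of `a` not present in `b`; returns how many were written to `out`. */
size_t view_difference(const char *const *a, size_t na,
                       const char *const *b, size_t nb,
                       const char **out, size_t max_out)
{
    size_t k = 0;
    for (size_t i = 0; i < na && k < max_out; i++)
        if (!in_view(a[i], b, nb))
            out[k++] = a[i];
    return k;
}

/* Present on disk but not reported by the API: the classic rootkit signature. */
size_t hidden_from_api(const char **out, size_t max_out)
{
    return view_difference(raw_view, COUNT(raw_view), api_view, COUNT(api_view), out, max_out);
}

/* Reported by the API but absent on disk: usually a file created or deleted
 * between the two passes rather than a rootkit; the scan should be repeated. */
size_t missing_from_raw(const char **out, size_t max_out)
{
    return view_difference(api_view, COUNT(api_view), raw_view, COUNT(raw_view), out, max_out);
}

int main(void)
{
    const char *diff[MAX_DIFF];
    size_t n = hidden_from_api(diff, MAX_DIFF);
    printf("%zu entries seen by the raw scan but hidden from the API:\n", n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", diff[i]);

    n = missing_from_raw(diff, MAX_DIFF);
    printf("%zu entries seen by the API but gone in the raw scan (rescan to confirm):\n", n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", diff[i]);
    return 0;
}
```

    Both directions matter in practice: raw-only entries are the suspicious ones, while API-only entries are normally transient files (temp files, log rotation) that changed between the two passes, which is why a discrepancy should be confirmed by a second scan on a quiet system before anyone concludes a rootkit is present.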


Comments

  • Registered Users, Registered Users 2 Posts: 804 ✭✭✭TimTim


    IMO rootkits aren't a major problem for Windows; unless it's properly secured, it's easy enough to get into it.

    Then you have your sneaky trojans and what not.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    The point was that there are many types of threat and being protected from one doesn't mean you are safe from the others. Since malware is now a business that people are making a living from they will be looking to stay one step ahead and if a technology bypasses most existing scanners it will be adopted sooner rather than later.

    Increased security in Windows may mean more attention is directed to other OSes, but I'd reckon Windows would still be a more attractive target - how many Linux users bite when presented with pop-ups? Not to mention that if there is a generic fix for *nix it can be applied to Macs too. User demographics mean that Windows is still the best bet for commercial malware.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    It's a good idea to have a utility like this, but with time it's only going to require updates much like a virus scanner does, and it doesn't really solve the problem.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    That's not necessarily true. At Hivercon '03 there was an interesting presentation on Windows rootkits. It should extend to rootkits for any OS though.

    The rough concept was to build timing & instruction count statistics for the execution paths of various system calls. If a root kit is installed, obviously enough, more instructions will be executed than the norm, allowing a user to detect something out of the ordinary.

    http://www.redbrick.dcu.ie/~biteme/hivercon/html/talk-rutkowski.htm

    Gav


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Sounds like a good idea, but one argument: if it's possible to patch the kernel in the first place, then theoretically it would be possible to also patch the system or software that is in place to detect any abnormal execution in routines.

    I thought about calculating checksums on routines and comparing with a table, but the table could be manipulated just the same as the routines themselves.

    Maybe the actual design of an operating system should take into consideration the threat of malicious code being run on it.

    But this takes away ease of use, or functionality and performance.
    There is a way, I'm sure.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Tripwire seems to be able to do a good job of maintaining the integrity of its code/database. Same sort of problem.

    http://www.linuxjournal.com/node/2160/print

    As regards OS design, there has been a huge amount of work done on such topics. Have a read (or a glance) of Computer Security: Art & Science by Matt Bishop if you are interested.

    A lot of it is rather dry theory, but most of the models demonstrated in the book are implemented in real life. SELinux for example.

    Gav


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    You guys should check out grsecurity


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Are there any programs which can read NTFS and analyse files?

    If Tripwire relies on the Windows API to fingerprint files then it wouldn't really be any good for kernel-mode rootkits, because they are usually device drivers.

    An easy way to check for user-mode hooks on an API is to test the entry point of the routine you call; you can do this with a length disassembler.

    Usually, most Win32 API entry points have a stack frame created first, like:
    push ebp
    mov ebp, esp

    The majority of hooks replace this code with a relative jump to malicious code. That's why I had the idea of having a checksum of each routine that is called, checking beforehand whether it has been modified in any way.

    It is also possible to bypass some debugger breakpoints and hooks by simply calculating the return address of the code with the stack frame already created: you jump directly into the routine, rather than calling it. It works fine in practice.

    I think a custom NTFS reader and some other forms of analysis would easily detect all rootkits.
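    The entry-point test described in the post above, together with the checksum-of-routines idea raised earlier in the thread, as an added example in C that is not code from either poster. Real hook checking reads the first bytes of a live export such as kernel32!CreateFileA; here the bytes are constructed arrays standing in for a clean routine and the same routine after an inline hook, and the load address is made up. The checks shown are: classify the first opcode the way a length disassembler would (`push ebp; mov ebp, esp` versus an `E9 rel32` jump), compute where such a jump goes, compute the post-prologue address the post suggests jumping to directly, and compare a checksum of the routine's first bytes against a baseline recorded when it was known clean.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* User-mode inline-hook check on an x86 function entry, simulated on byte
 * arrays rather than live DLL memory.  A typical Win32 API prologue:
 *     push ebp        ; 55
 *     mov  ebp, esp   ; 8B EC
 * A common inline hook overwrites the first five bytes with a relative near
 * jump (E9 rel32) into the hook body.  Two independent checks are shown: a
 * look at the entry bytes, and a checksum of the routine's first N bytes
 * compared against a baseline.  All bytes and addresses are constructed. */

typedef enum {
    ENTRY_CLEAN_PROLOGUE,  /* 55 8B EC */
    ENTRY_JMP_REL32,       /* E9 xx xx xx xx */
    ENTRY_JMP_SHORT,       /* EB xx */
    ENTRY_JMP_INDIRECT,    /* FF 25 xx xx xx xx  (jmp dword ptr [addr]) */
    ENTRY_OTHER
} entry_kind;

/* Classify the first instruction of a routine for these few opcodes. */
entry_kind classify_entry(const uint8_t *p, size_t n)
{
    if (n >= 3 && p[0] == 0x55 && p[1] == 0x8B && p[2] == 0xEC) return ENTRY_CLEAN_PROLOGUE;
    if (n >= 5 && p[0] == 0xE9) return ENTRY_JMP_REL32;
    if (n >= 2 && p[0] == 0xEB) return ENTRY_JMP_SHORT;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return ENTRY_JMP_INDIRECT;
    return ENTRY_OTHER;
}

/* Destination of an E9 rel32 located at `entry`: address of the next
 * instruction (entry + 5) plus the signed 32-bit displacement. */
uint32_t jmp_rel32_target(uint32_t entry, const uint8_t *p)
{
    uint32_t rel = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                   (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return entry + 5 + rel;   /* unsigned wraparound handles a negative rel32 */
}

/* Address to jump to with a frame already built by hand, skipping the
 * three-byte prologue (the trick in the post); 0 if there is no such prologue. */
uint32_t post_prologue_entry(uint32_t entry, const uint8_t *p, size_t n)
{
    return classify_entry(p, n) == ENTRY_CLEAN_PROLOGUE ? entry + 3 : 0;
}

/* FNV-1a 32-bit over the first n bytes, used as the per-routine checksum. */
uint32_t routine_checksum(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Constructed clean entry: push ebp; mov ebp,esp; sub esp,0x10; push ebx; push esi */
static const uint8_t clean_entry[]  = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56 };
/* Same routine after an inline hook: jmp +0x1000 written over the first five bytes. */
static const uint8_t hooked_entry[] = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x10, 0x53, 0x56 };
/* Constructed load address of the routine. */
#define ENTRY_ADDR 0x7C801D7Bu

int main(void)
{
    /* Baseline would be recorded on a known-clean system and stored off-box. */
    uint32_t baseline = routine_checksum(clean_entry, sizeof clean_entry);
    const uint8_t *cases[2] = { clean_entry, hooked_entry };
    for (int i = 0; i < 2; i++) {
        const uint8_t *p = cases[i];
        entry_kind k = classify_entry(p, 8);
        printf("routine %d: %s, checksum %s\n", i,
               k == ENTRY_CLEAN_PROLOGUE ? "clean prologue" :
               k == ENTRY_JMP_REL32 ? "jmp rel32 at entry (hooked)" : "unexpected entry",
               routine_checksum(p, 8) == baseline ? "matches baseline" : "differs from baseline");
        if (k == ENTRY_JMP_REL32)
            printf("  hook body at 0x%08X\n", (unsigned)jmp_rel32_target(ENTRY_ADDR, p));
    }
    return 0;
}
```

    Two caveats a practitioner would add. First, not every routine that fails the prologue test is hooked: functions built for hotpatching start with `mov edi, edi` (8B FF) rather than `push ebp`, and compilers omit frame pointers freely, so the checksum against a trusted baseline is the stronger signal. Second, as the earlier reply in this thread points out, code with kernel access can patch the checker or its baseline table just as easily as the routine, so a check like this only raises the bar for user-mode hooks; it is not a defence against a kernel-mode rootkit.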

