Rootkits: Is removing them even possible?

The people developing rootkits are smart and financially motivated to design rootkits that evade detection. So what’s the answer? Michael Kassner reviews some of the approaches you can try.

Throughout my series about rootkits and botnets, I've been impressed by the number and quality of member comments, especially the ones discussing how to remove rootkits. Thinking about this led to one of my ah-ha moments: I decided to listen, and to consolidate those real-world tips along with what I have gleaned from security experts.

Why rootkits are hard to remove

To be honest, my research shows rootkit removal to be a rather haphazard affair, with positive results not always the norm. The apparent reason for this is the increased sophistication of rootkits. Some examples of these improvements are:

  • The ability to install at the same privilege level as the operating system kernel, so the rootkit can tamper with what a malware scanner running on that system is allowed to see. No scanner is truly immune, but one that runs from inside the infected operating system is the easiest to deceive.
  • Shorter development cycles. The time between a proof-of-concept rootkit and a working variant in the wild keeps shrinking, so scanner vendors struggle to produce workable signatures before the next variant appears.
  • Built-in polymorphism, which lets a rootkit change its on-disk signature at will. That defeats plain pattern matching by scanners, although not behavioral or cross-view detection, which is why the tools below lean on the latter.

That's just a few reasons, but you get the picture. There is hope, though. Once it's determined that a computer has a rootkit installed, it is entirely possible to remove it; it's the how that gets a bit complicated.

My mistakes

The next three points are now readily apparent to me, but I had to learn them the hard way. I see no sense in anyone repeating my mistakes, so please consider doing the following before you start troubleshooting:

  • It's been my experience that any kind of malware removal project takes longer and is more difficult than expected. Keep that in mind as you work through the various troubleshooting steps. Doing so lets you make a more informed decision about whether it's easier and more cost effective to keep troubleshooting, or more sensible to reformat and re-image the computer.
  • Make sure the operating system, drivers, and applications have all the latest patches and are running the newest versions. This goes a long way toward preventing a recurrence of the rootkit (patching closes the hole it came in through; it does not remove a rootkit that is already installed). For more information on the best ways to do this, please refer to my article, "Botnets: Keep Computers Up to Date or Else."
  • If possible, isolate the computer on its own subnet that still has Internet access. Many suggest pulling the computer off the network entirely, but in many cases scanners need to phone home to get the latest signature file, and you may want to try an online scanner as well. A subnet of its own at least keeps the suspect machine away from the rest of your hosts.

Let's get started

It seems like everyone has their favorite malware scanner, probably because it's worked for them in the past. Like you, I have my favorites. The problem is that rootkits aren't generic, so a scanner that works on one occasion may not work the next.

I've used several scanners and have no problem recommending them. On the flip side, there are many scanners out there that I don't have any experience with, and I urge caution in their use. It seems that a certain percentage of rootkit developers also like to create rootkit scanners, so please be careful. I'd now like to discuss several generic scanners that have had some success in removing user-mode and kernel-mode rootkits.

RUBotted by TrendMicro

RUBotted is a scanner that sits in the background and works quietly. This scanner would be a good first choice for many users who don't want to deal with scanner configurations or the details of removing a rootkit. It's my first choice when I suspect a problem, and I've successfully used RUBotted to remove user-mode rootkits on Windows XP computers.

BlackLight by F-Secure

F-Secure's Security Center Web page is full of useful information, including information about their online scanner as well as the BlackLight scanner. BlackLight is a stand-alone scanner that requires very little user intervention, similar to RUBotted. The major difference between the two is that BlackLight only scans on demand. Another helpful link on the Web site references removal tools for many malicious programs.

Rootkit Revealer

Rootkit Revealer is a well-known scanner written by Mark Russinovich and Bryce Cogswell, formerly of Sysinternals and now with Microsoft. Rootkit Revealer works in the following way:

"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive."

The difficult part comes once the scan is completed. Unlike RUBotted or BlackLight, RootkitRevealer requires user intervention to find and remove any malware. It reports discrepancies, not verdicts: a file or Registry key that legitimately changed while the scan was running also shows up as a mismatch, so each hit usually means searching online for information about the item in question, deciding whether it is a false positive, and finding out how to remove it if it isn't.
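The comparison RootkitRevealer describes is easy to reproduce in miniature, and it is the same comparison the manual process later in this article performs by hand. The following is an added example written for this page; it is not code from RootkitRevealer, Sysinternals or any tool reviewed here. It diffs a high-level view of running processes (a constructed `ps`-style listing) against a low-level view (a constructed raw listing of /proc), reports what is hidden or phantom, and, on a Linux host, repeats the check live by brute-forcing PIDs against the /proc directory listing, the trick that finds a process hidden by a hooked directory read. The sample listings, the PID 4242 in them and the pid_max fallback are assumptions for the example.

```python
"""Cross-view detection: the view the API reports versus the raw view underneath.

Added example, not code from the article or from the tools it reviews.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class CrossViewResult:
    hidden: set    # present in the raw view, missing from the API view: what a rootkit hides
    phantom: set   # reported by the API view, absent from the raw view: usually a race, sometimes a decoy

    def is_clean(self) -> bool:
        return not self.hidden and not self.phantom


def cross_view(high_level, low_level) -> CrossViewResult:
    """Diff two snapshots of the same namespace (PIDs, file names, Registry values).

    Both arguments can be any iterable of comparable keys; a dict contributes its keys.
    Every hit still needs a human look: anything that changed between the two
    snapshots shows up here exactly like a hidden object would.
    """
    high, low = set(high_level), set(low_level)
    return CrossViewResult(hidden=low - high, phantom=high - low)


# High-level view: `ps -e`-style text, columns PID TTY TIME CMD (header skipped).
PS_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(.+?)\s*$")


def parse_ps_listing(text: str) -> dict:
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def parse_proc_listing(names) -> set:
    """Low-level view: a raw directory listing of /proc; only numeric entries are PIDs."""
    return {int(n) for n in names if n.isdigit()}


# Constructed sample data: the API view is missing PID 4242, which the raw listing still has.
API_VIEW = """\
  PID TTY          TIME CMD
    1 ?        00:00:02 init
  612 ?        00:00:00 sshd
 1337 ?        00:00:11 httpd
"""
RAW_VIEW = ["1", "612", "1337", "4242", "self", "cpuinfo", "sys"]


def demo() -> CrossViewResult:
    return cross_view(parse_ps_listing(API_VIEW), parse_proc_listing(RAW_VIEW))


def pid_max() -> int:
    """Highest PID the kernel hands out; 32768 is an assumed fallback when unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def live_hidden_pids() -> CrossViewResult:
    """Linux only: readdir('/proc') goes through the code path a rootkit usually hooks,
    while stat('/proc/<pid>') does not, so probing every PID can surface an entry the
    listing omits. A rootkit that hooks both paths defeats this, which is why a raw
    view taken from outside the running OS (a boot CD) is stronger still.
    """
    if not os.path.isdir("/proc"):
        return CrossViewResult(set(), set())
    before = parse_proc_listing(os.listdir("/proc"))
    probed = {p for p in range(1, pid_max() + 1) if os.path.isdir(f"/proc/{p}")}
    after = parse_proc_listing(os.listdir("/proc"))
    # Listing twice removes most noise from processes that start or exit mid-probe:
    # a PID counts as hidden only if neither listing showed it.
    return CrossViewResult(hidden=probed - (before | after), phantom=(before & after) - probed)


if __name__ == "__main__":
    print("constructed sample:", demo())
    print("live /proc check:  ", live_hidden_pids())
```

The live probe is slow on kernels with a large pid_max (millions of stat calls) but needs no privileges; run it from a shell you trust, because a rootkit that replaced `ls` or `ps` may also have replaced the interpreter.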

GMER

GMER is an excellent scanner that searches for hidden services, registry components, and files. Like Rootkit Revealer, it's not at all intuitive. To its advantage, GMER can delete malware, which conveniently shows up in red when the scan is completed. Many security experts agree with the following claims made on the GMER Web site:

"GMER is an application that detects and removes rootkits. It scans for: hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls and inline hooks. GMER also can monitor the following system functions: processes creating, drivers loading, libraries loading, file functions, registry entries, TCP/IP connections."

I found GMER takes some getting used to. More to the point, if you aren't familiar with the anomaly GMER found, you either trust GMER to remove it or research the item in question to make sure it's not a false positive. Also, uninstalling GMER is a bit different; it requires you to run the following command:

  • Start the C:\WINDOWS\gmer_uninstall.cmd script and reboot.

UnHackMe by Greatis

UnHackMe is a specialized rootkit removal tool that can detect and remove most of the simpler rootkits as well as several of the more sophisticated types. The user interface is very intuitive, and I like the fact that UnHackMe can easily be configured to run in the background. Sadly, UnHackMe isn't freeware. You can try it for a month, after which it requires a registration fee of $19.95 USD.

I've been using UnHackMe for several weeks now, and I'm still learning about the technical details of the application. Actually it consists of three individual applications:

  • UnHackMe4 -- Detects hidden services, registry keys, processes, and drivers. It uses the UnHackMedrv.sys kernel driver.

  • Partizan -- Watches the Windows boot process.

  • Reanimator -- Detects and removes Trojans/spyware/adware using the Greatis application and signature database.

In my opinion, UnHackMe seems like a scanner that would be very useful to people who want an application that requires little user interaction yet still has the sophistication to do its job. The fact that UnHackMe is relatively unknown is of some concern, but CNET is offering it as a download.

The manual approach

As I mentioned earlier, the use of canned programs to remove rootkits can be a hit-or-miss proposition. Several TechRepublic members have presented a manual process for removing rootkits that has a better success rate, but it comes at a price. The method is labor intensive and requires more than a casual knowledge of the operating system and installed applications. Even if you don't try this process, it's a good study in what's required to locate and eventually remove a rootkit:

  1. Open Process Explorer to look for suspicious processes and suspend them, but don't kill or delete them. A suspended process can't re-hide itself, restart a partner process, or interfere with the scanner, and it stays in memory for you to examine.
  2. Run a malware scanner of your choice; since the process in question is suspended, there's a good chance the scanner will see it.
  3. Use Autoruns and check for unusual services, drivers, DLLs, and processes.
  4. Write down the name and location of anything that seems suspicious.
  5. Search the Internet for information about the process, and if it is indeed malware, try to find a permanent removal tool.
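Steps 3 and 4 are where most of the time goes, because a typical Windows install has hundreds of autostart entries and nobody can research them all. The following is an added example for this page, not code from the article or from Sysinternals: it triages an Autoruns CSV export so that the entries most worth writing down come first. It assumes an export with at least the columns "Entry Location", "Entry", "Enabled", "Signer" and "Image Path" (a subset of what `autorunsc -c` writes), that Autoruns marks verified signatures with a leading "(Verified)" and missing files with "File not found", and it uses constructed rows with made-up entry names. The ranking logic, the user-writable directory pattern and the injectable `exists` check are the example's own choices. The last of the three checks is the one that matters for this article: an entry that is registered to load but whose image the file-system API cannot find is exactly the kind of thing to look at again with a raw-view tool.

```python
"""Triage an Autoruns CSV export: unsigned, out-of-place, or invisible images first.

Added example, not code from the article or from Sysinternals.
"""
import csv
import io
import os
import re

# Directories a standard user can write to. A driver or service image that lives
# here is out of place. The pattern is an assumption chosen for this example.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Tmp|ProgramData|Downloads|Public)\\", re.I)


def _image_missing(path: str, exists) -> bool:
    """True when the registered image cannot be found through the normal file API."""
    if not path:
        return False
    if path.lower().startswith("file not found"):   # assumed Autoruns wording
        return True
    return not exists(path)


def triage_autoruns(csv_text: str, exists=os.path.exists) -> list:
    """Return enabled entries worth researching, most suspicious first.

    Each finding is (score, reasons, entry_location, entry, image_path).
    `exists` is injectable so constructed sample data can declare which images are
    present without touching the real disk; on a live box leave the default.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "enabled").strip().lower() != "enabled":
            continue   # disabled entries don't load; research the live ones first
        image = (row.get("Image Path") or "").strip()
        signer = (row.get("Signer") or "").strip()
        reasons = []
        if not signer.startswith("(Verified)"):
            reasons.append("signature not verified")
        if USER_WRITABLE.search(image):
            reasons.append("image in user-writable directory")
        if _image_missing(image, exists):
            reasons.append("image not visible to the file-system API")
        if reasons:
            findings.append((len(reasons), reasons, row.get("Entry Location", ""),
                             row.get("Entry", ""), image))
    findings.sort(key=lambda f: (-f[0], f[3].lower()))
    return findings


# Constructed sample export. Entry names and paths are made up for the example.
SAMPLE_EXPORT = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe
HKLM\System\CurrentControlSet\Services,examplesvc,enabled,Drivers,examplesvc kernel service,(Not verified),C:\Users\bob\AppData\Local\Temp\examplesvc.sys
HKLM\System\CurrentControlSet\Services,exampledrv,enabled,Drivers,,(Not verified),C:\Windows\System32\drivers\exampledrv.sys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldUpdater,disabled,Logon,,(Not verified),C:\Users\bob\AppData\Roaming\updater.exe
"""

# Which of the sample images the file-system API can see (constructed).
SAMPLE_PRESENT = {
    r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"C:\Users\bob\AppData\Local\Temp\examplesvc.sys",
}


def demo() -> list:
    return triage_autoruns(SAMPLE_EXPORT, exists=lambda p: p in SAMPLE_PRESENT)


if __name__ == "__main__":
    for score, reasons, location, entry, image in demo():
        print(f"[{score}] {entry:<14} {image}")
        for reason in reasons:
            print(f"      - {reason}")
        print(f"      at {location}")
```

On a real machine, export with Autoruns and feed the file to `triage_autoruns(open(path, encoding="utf-16").read())` or whatever encoding your export used; a verified signature is a reason to deprioritise an entry, not proof it is clean, so the zero-score entries still deserve a glance once the ranked ones are explained.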

If one peeks under the hood, it becomes obvious that the manual and automated processes are very similar. Both capture two images of the operating system state, one of what is actually running or actually on disk, and one of what the operating system reports when asked through its normal interfaces, and then look for the differences between them.

Final thoughts

Removing malware as sophisticated as rootkits is hard. I'm convinced of that now. Because of that, this article has been one of the most difficult for me to write, even after hours of research. It just seems wrong not to have a clear and concise answer for removing rootkits.

Maybe it would have been better if I would have written an entire article about removing just one variation of rootkit. Yet rootkits morph and developers change signatures, so it seems that there's little value in specifics. Hopefully I was able to raise general awareness about the subject to a point where you at least know where to start. If you have any thoughts, suggestions, or methods that work for you, please let me know.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

292 comments
dietyhawk

I am not finished with school as of yet, but I know enough that I set up my own IT business a little while ago. I'm an on-call technician. Most of my clients are residential customers. My biggest concern with rootkits, and maybe the biggest reason they exist, is users being uninformed and completely trusting anyone they talk to in a computer store about their IT issues. Geek Squad at Best Buy isn't. I'm actually shocked at the lack of knowledge of "IT professionals" who work at the big chain stores like Best Buy, Staples, and Office Max. I've spoken with some of those techs who believe if you have a rootkit all you need to do is reformat the HD and reinstall the OS. From my experience rootkits can and do infest hardware components. They can infest the firmware of hard drives, graphics cards, CD and DVD drives, network cards and devices, and even the BIOS on your motherboard. Those pieces of hardware, excluding the motherboard, have software already installed on them called firmware when you buy them in the store. They are of course not infected when purchased, unless you buy stuff from shady vendors. When you do a firmware update you are updating the software on a device. Most antivirus scanners do not scan the firmware of computer components. The big problem if firmware is infected is you can reformat and reinstall the OS and get infected again as soon as you boot the computer. And this isn't just a PC problem. Macs need antivirus and firewall protection. I don't intend to be offensive in any way towards Mac owners, but their fanaticism about how Macs cannot get infected seems to linger close to a cult mentality, and they're wrong. One such virus that attacks PCs and Macs indiscriminately is the boot sector virus. Boot sector viruses will spread over the network in a home or office and they infect Macs and PCs. The nasty ones will upload themselves into the firmware of the hard drive. A hard drive is a hard drive. A hard drive doesn't change just because a different OS is installed on it.

I'm trying to fix one particularly nasty rootkit on a PC lately. This one is so bad the firmware on the computer components has been infected. The BIOS needs to be flashed and the HD needs to be replaced and so does the graphics card. That conclusion has been reached after much scanning and working on the machine in question. I even called in two individuals separately who do what I do for a living and have finished school. They have worked on it to no avail. And this particular problem computer was maliciously and criminally hacked with an unkind message waiting for the user. The owner needs to decide if they want all that work done on it or if they would rather buy another computer. If the work gets done and the problem persists it would have been cost effective to just have bought a new computer. The sad part of this story is the owner backed up their data and the backup was infected as well. Most of the scanning and removal of infected files done thus far on the computer has been done for free because it's such a horrendous problem.

My rules concerning rootkits:
  1. Trust your instincts. That goes for anything IT. If you're unsure, do research; don't just take someone's word for it.
  2. Don't download pirated movies or music or any pirated software (that includes games) on your computer. Just accept if you do that you are infected. If you, or your kids, have done that you are infected. Almost all of my money has come from fixing family computers because people are either impatient and don't want to wait till they have money to buy a movie or game, or they just pirate it because they can.
  3. Malware doesn't have to make your computer slow. Some malware exists only to send back sensitive information, like bank account numbers.
  4. If you have a MacBook of any kind and start bragging around me that you don't need protection because it's not a PC, then I'll get out my netbook and right then and there hack into your MacBook with nothing else but what came with Windows. And I'll erase all your pictures and iTunes files and then tell you to go buy security software for your MacBook. Yes, I did that before to my little brother and his friend while visiting their college apartment. No special software was required. Their OS gave no warning while I took my time messing up their systems. Apple has free antivirus software any Mac user can download and it is updated regularly. They also come with a firewall like Windows Firewall, and it is better than nothing. Just turn it on. But seriously, this "I don't have to worry about viruses and hacking because I have a Mac" is wishful thinking. You can say it if you want but don't say it around me. And yes, I use Macs and PCs. All of them have protection.

dayen

I for one search for rootkits; if found, even if I remove it, I recover the data and then wipe the drive of the machine. Then I put in a new HDD and reload Windows; the old HDD goes to a local high school for students to disassemble in shop class to learn about motors. This is what I learned from the people at TechRepublic: if in doubt (it could still be infected), replace! Better than spending 3 days cleaning a network of viruses or malware. P.S. Thanks to all of you

Microtoss

I've been pulling out my hair since Dec 2009 when one of the crackheads at Avast sent out the wrong definitions... as payment for using their free tool, I now have a (few?) malicious rootkits I can't get rid of. The problem is that most of the good anti-rootkits are developed by people who can't speak English (Russians), and generally most of them don't have any written instructions on how to use them or how to interpret them properly. I found UnHackMe to be an excellent tool, but again bad English translation, and again few instructions... and time to untangle and figure out what the different parts of the programs do, as it's actually 2/3 programs within the one.

hydrodane

Aloha Michael K, terrific article... very good on the details. I encourage and request that you produce an article about a subject that is common with most IT geeks: how to PROPERLY reinstall the OS, and what procedures are best to ensure that any malware, including rootkits, is completely cleaned in the process of making the HDD a clean slate and then reinstalling the OS. If you would detail the procedures, it would allow many IT people to learn the best strategies. What is the worst scenario is probably occurring each day: the IT guy decides to reimage the machine and unwittingly reinstalls the OS and the rootkit/malware. It would be a treasure to know if a procedure strategy is known that works when any other "cleaning" may yield "iffy" results. Aloha tm

dixon

...is a combination of a bootable CD, Ice Sword, Rootkit Revealer, and ComboFix.

leslie-lavender

Disappointed with RUBotted... downloaded & installed it to try out; a couple of days later it flashed up that I had a rootkit. When I started up RUBotted to remove the rootkit, it was just an advert to buy another program belonging to the same company. Hope this is not now difficult to remove!

seanferd

I have some email alerts for this thread, but I cannot find the linked content. Not even in user profile pages. They do not convert to forum post link format when clicked, but call the error page instead, as the posts are not present.
_______________________
Discussion - Rootkits: Is removing them even possible
rootkits download
Posted by sandeep376@... | 12/07/2008 @ 05:58 AM (PST)
http://ct.techrepublic.com.com/clicks?t=72900421-88ca23ab9796c34802bedd86b6fcd243-bf&brand=TECHREPUBLIC&s=5
Great site
Posted by Michael Kassner | 12/07/2008 @ 06:06 AM (PST)
http://ct.techrepublic.com.com/clicks?t=72900424-88ca23ab9796c34802bedd86b6fcd243-bf&brand=TECHREPUBLIC&s=5
I'd agree, except
Posted by Palmetto | 12/07/2008 @ 07:35 AM (PST)
http://ct.techrepublic.com.com/clicks?t=72900426-88ca23ab9796c34802bedd86b6fcd243-bf&brand=TECHREPUBLIC&s=5

oberon

Enjoy reading your articles .... look in this article in last paragraph for "if I would have"....following Strunk & White, you should have said "if I had..." and not used "would have" in a clause commencing with "if"....just trying to be helpful.

barbara230

While I am dumb when it comes to software and the system, I put in my XP disk (with updates); at the first question, "Do I want to continue", I press R for repair. When I get to the C: prompt I type Help, bringing up the index, after which I rewrite the root directory, which deletes all added information. I then reboot the XP disk and wait for the second question of do I want to continue, and I press R for repair and let Windows repair rebuild my operating system. Then I am done.

harrylal

It is all well and good to have a way to clean up the mess malware authors make, but that doesn't stop them from doing it. I'm all for finding these malcontents and letting them feel the full weight of the law. Since at least some profit from their illicit activities, the penalties should be no less than, say, perhaps robbing a bank or at least burglary. If you want to minimize malware, minimize the existence of its authors (perhaps a televised hanging may be in order, but that is just one person's opinion).

carlosk2005

What about WINDOWS DEFENDER?... Does it protect my machine from anything at all?

Photogenic Memory

I've used this app for a little while. Its screen output looks something like this:

[root@localhost chkrootkit-0.47]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/firefox-3.0.4/.autoreg
/usr/lib/gtk-2.0/immodules/.relocation-tag
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1...
/usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 3133 tty4 /sbin/mingetty tty4
! root 3135 tty5 /sbin/mingetty tty5
! root 3136 tty6 /sbin/mingetty tty6
! root 4455 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
! nx 6383 pts/1 ssh -2 -x -l "someguy" 127.0.0.1 -o NumberOfPasswordPrompts 1 -p 22 /usr/bin/nxnode --slave
chkutmp: nothing deleted
[root@localhost chkrootkit-0.47]#

This is an example of this application run on my system remotely. I've seen this app run on customers' systems at work, and sometimes you'll find BASH as the application that's corrupted or "replaced". You can't trust it now! For the most part, using Linux, back up your data and reinstall the OS. It's always the customers who don't update their servers that get taken over.

JCitizen

I just wished I could trust the author of Ice Sword; not quite yet.

Michael Kassner

I will definitely refer your comments to Trend Micro and see what they say.

seanferd

Did the scanner have a name for the rootkit?

Michael Kassner

Thank you, that is an oops. Ironically I was just reading about that and there I go and use it. Strunk and White are always by my side. I bet they would have been upset. Even Grammar Girl has a podcast about that, guess it didn't stick.

Michael Kassner

If you have a second, could you explain why you were repairing the OS? I'd like to know what the problem was, so as to correlate the cure with the malware.

Michael Kassner

In many cases the botmasters are located in regions of the world that have no laws in place for this type of activity.

Michael Kassner

I feel that it's a valuable addition as MS knows how its OS works and the price is right. Multiple applications are always a good way to go. Kind of like added insurance.

Michael Kassner

Thanks for sharing that information. I'm not a Linux person so this is valuable.

Michael Kassner

I've looked at it and it's impressive. I just haven't seen it in action. That's why I left it out. Have you had an actual encounter? If so, can you share the experience with us? Especially the rootkit or malware type and name. Thanks

dixon

I approached Ice Sword with a lot of trepidation, due to the generally creepy atmosphere surrounding it. I first ran it on a test box that was loaded with all sorts of security software, contained no data of interest, and was not connected to a LAN or the internet. No tests or scans showed anything funky going on. I then connected that machine to the internet, ran IS, and checked port activity. Still nothing weird. In researching it, I stumbled onto this at Symantec: "Fix ID: 1238015 Symptoms: When trying to launch the Ice Sword software with Symantec Endpoint Protection installed, an initialization error appears. Solution: Application and Device Control was modified to allow the application to launch properly." So I guess they must have determined it's ok. Kaspersky AV grumbles about it, but those folks have declared that to be a false positive as well. In any event, I've found that it detects rootkits that are missed by all of the other programs mentioned in this thread, with the exception of Sysinternals' Rootkit Revealer. The reason I use both is that RR accurately detects rootkits but can't do anything about them, while IS has the opposite problem: it can remove absolutely anything, displays both hidden and nonhidden registry items, but gives no hint as to what's legitimate and what's not. Maybe the somewhat mysterious Chinese fellow should come out of the shadows and join the Sysinternals team. If we had a tool that combined the functionality of both RR and IS, we'd have a real winner.

Michael Kassner

Your concern is a valid one. It appears that many of the scanners are being written by the same people that create the problem originally.

leslie-lavender

Popped up again today saying I had a rootkit, (or words to that effect). It asked me to scan with Housecall which I did. At end of scan, it stated 'no rootkits found', but would I like to buy Trend Internet Security.

leslie-lavender

No nothing, just wanted me to buy some software from Trend. Hasn't popped up since.

barbara230

Actually the system had crashed due to a battery backup failure. Not knowing that it was the battery, I rebuilt the system from the ground up to get it running, then found the battery problem and reset the BIOS settings. All of this work did cure a number of problems that had plagued the system. There was probably a root problem but I did not look in every nook and cranny to find it. I had used a rootkit survey tool and it did not locate it, even though I knew a problem had been downloaded from the internet; I had blocked it off but could not find the exact location where the last of it had been hidden. A rebuild of the system seems to have removed the last of it. barbara

seanferd

"Rewrite the root directory"? Regardless, my advice to those who are reinstalling due to malware is to completely reformat the drive first, deleting all partitions and the MBR. For those who have no optical media, but just a recovery partition, back up that partition to optical media, preferably when the system is brand new, before connecting to any network.

Lost Cause?

does not seem to detect or remove anything that has popped up in our school district. We are always using MalwareBytes or SuperAntiSpyware. These do most of our heavy duty stuff.

pgit

chkrootkit can send you off to Google to figure out if what it's telling you is ok or not! Especially if you're running Apache, you'll get a slew of messages. Various message boards are filled with panicked queries as to whether this-or-that is a compromise or not. Usually not, leading us again into that complacency that will eventually bite us, like my Windows user that's getting the reinstall today. Another great Linux tool is rkhunter. It's similar to chkrootkit, but it stops after scans in various categories are complete. You really should use both, as each one has a few things the other doesn't cover. They both write a log file of the results, which comes in handy... cut-n-paste in the search window. =D

dixon

...he's a rare blend of brilliance and humility. Did you ever use his ERD Commander? Saved my bacon more than once. Nowadays I mostly use a customized version of UBCD for the same sorts of purposes, but I'm still grateful for the many times Russinovich's product solved the unsolvable.

Michael Kassner

That's great information again. I'm impressed that Rootkit Revealer is identifying the malware. Mark Russinovich is one of my heroes and I'm really glad that MS is not stifling him or his work. I read his MS blog religiously: http://blogs.technet.com/markrussinovich/

Michael Kassner

I love the back and forth. We all learn from it, especially me.

Michael Kassner

How about the waiters, cashiers and others that you give your credit/debit card information to? It is scary when one considers all the people we don't know and still have to trust. I guess the fact that there isn't more crime in this area is a good sign for humanity.

JCitizen

delusions about the rootkit problem, Michael; quite the opposite. Some of us were simply arguing that they were not needed to maintain and grow the bot farm (so to speak). So many of my clients are so clueless they refuse to do the maintenance with the AV/AS ware that I install; then they remove the very utilities that could have helped them when PC performance starts to slow down.

JCitizen

Yes it is very dangerous to leave certain white hat programs in people's/business PCs. If one did - they could potentially be used against the host computer by invading malware. One such handy utility is Identity Finder; while not being free it can find any personally identifiable information on the host computer in seconds. I use it to clean such information from my computer, and I use it to scare the beejesus out of my clients that think just by using anti-keyloggers, they are putting up enough of a defense. I always uninstall the utility immediately afterward and clean up with CCleaner. I might as well carry it on a USB drive as that way I never have to leave it installed anywhere.

dixon

All of those worries are valid. I guess just about anything can be used for nefarious purposes, in theory. How about all of those "legitimate" employee monitoring and keylogging programs that claim to be undetectable by all AV software? Those products creep me out so much that I have flatly refused requests from corporate clients to install them. When I'm in an especially paranoid mood, I realize that I constantly use and trust products that come from people that I don't personally know. Why do I think that every single individual involved in managing online banking, antivirus software development, ISP services, online backup systems, and website shopping carts is trustworthy? It boggles the mind to ponder just how much blind faith actually enters into the world of IT. Like many of us here, I personally have total access and control over tons of other people's extremely sensitive information. It's simply a fortunate accident of fate for them that I happen to be an honorable, trustworthy person. But what if I wasn't? I certainly don't know the anonymous Chinese author of Ice Sword. I hope he or she is a decent person, and that the Chinese government doesn't find some way of using that person's talent for harmful purposes. None of the extensive testing I've done has demonstrated any evidence of maliciousness, but that's not the same as 100% certainty. Can there ever be such a thing?

dixon

...but lately, I've been having situations where it has missed rootkits that are correctly identified by RR and IS. It seems that this rapidly evolving area of nastiness requires different tools for different situations. In any event, anyone who accuses you of delusional thinking in calling rootkits a major problem is plain nuts. They're here, they're generally not easy to fix, and they're definitely not a figment of anyone's imagination. Thank you for your very insightful and informative article.

Michael Kassner

I have complete faith in Rootkit Revealer, even though it's owned by MS now. Instead of IceSword, though, I prefer GMER. Rootkit Revealer only effectively locates user-mode and some kernel-mode rootkits. GMER or IceSword takes over from there. Both GMER and IceSword, as you mentioned, can also actually remove the rootkit. Thanks for your insightful post about IceSword, I am definitely more willing to mention it to people now.

JCitizen

This is very interesting detail; I thank you for your input. Your idea sounds like the right combo with Sysinternals. Reminds me of how Avast and Trend Micro's HouseCall free online scanner work so well together; for the budget minded client. Hopefully IceSword doesn't supplant their own rootkit after removing others, but if Symantec and Sysinternals haven't flagged it by now it should hopefully be reputable. I always worry something like that could end up being the ultimate trojan horse if one day they all activated to do some nefarious Chinese government deed. However I admit to being highly paranoid and I don't even trust Kaspersky because he's Russian. This is not racism motivating me, it is past history. And like some have said, getting utilities from folks that might have been the original coders for nefarious programs gives me the yips. Even if the individuals doing the coding are legitimate fellows, their Governments are definitely not; and could bring great negative influence to bear on those originators. Nonetheless, playing with it on a walled off lab machine is definitely safe, and could be repeatable with Sysinternals, a Knoppix CD, and some manual labor inside the perimeter.

Dumphrey

after it "locked up" on several computers, and required a forced reboot to terminate the process, which was causing constant CPU usage. Never plugged the machines back into the network to check that traffic, so it could be that IceSword was being blocked by another process, or just being flaky. But better safe than sorry.

leslie-lavender

Looks like GMER is no longer available. It appears that the website has been shut down for some reason.

Michael Kassner

RUBotted is more of a generic scanner and it's intimately tied in with Trend Micro's on-line scanner. That's where I get a bit confused as to what the relationship is there. I still like GMER the best.

seanferd

files, or registry entries. In other words, a false positive. I must say that I'm baffled by the lack of information the detector provides upon declaring the presence of a rootkit. If it can't identify a file, it should be able to say what process or code is "suspicious".

Michael Kassner

I have a message into Trend Micro. I wouldn't be as patient with this as you are. The other scanners that I mentioned appear to be non-intrusive and may be a better choice for you.

Dumphrey

I've been trying the RUBotted beta for about 6 days now and nothing has popped up for me at all. I had even forgotten it was there until I read this post... How long have you had RUBotted on your computer?

JCitizen

one utility to battle this problem. As the article indicates, not just one utility can cover all possibilities. GMER probably comes closest, but I need to play with them all someday on my lab machine. Perhaps I can use Snoopfree Privacy Shield as a harmless file to look for, as it behaves a lot like a rootkit.

seanferd

I'm glad you were successful in resolving them.

Michael Kassner

Interesting, you are able to compare applications? Can I beg a few examples from you, please?

Photogenic Memory

Great tip! Is it an executable or a GUI suite? Never mind. I'm a Linux person. I'll configure it out, LOL!
