Security

Rootkits: Is removing them even possible?

The people developing rootkits are smart and financially motivated to design rootkits that evade detection. So what’s the answer? Michael Kassner reviews some of the approaches you can try.

Throughout my series about rootkits and botnets, I've been impressed by the number and quality of member comments, especially the ones discussing how to remove rootkits. Thinking about this led to one of my ah-ha moments; fortuitously I decided to listen and consolidate those real-world tips along with what I have gleaned from security experts.

Why rootkits are hard to remove

To be honest, my research is showing rootkit removal to be a rather haphazard affair, with positive results not always the norm. The apparent reason for this is the increased sophistication of rootkits. Some examples of these improvements are:

  • The ability to install rootkits at increased privilege levels in the operating system, making them immune to malware scanners.
  • The use of advanced QoS parameters to reduce the amount of time required to get a proof of concept rootkit out in the wild, making it difficult to get workable signatures for malware scanners.
  • Built-in sophistication allowing rootkits to morph their signature at will, which totally negates any pattern recognition by scanners.

That's just a few reasons, but you get the picture. I'm happy to say there's hope though. I can confidently say that once it's determined a computer has an installed rootkit; it's entirely possible to remove it. It's the how that gets a bit complicated.

My mistakes

The next three points are now readily apparent to me, but I've had to learn the hard way. I see no sense in anyone repeating my mistakes, so please consider doing the following before you start troubleshooting:

  • It's been my experience that any kind of malware removal project takes longer and is more difficult than expected. So keep that in mind as you work through the various steps of troubleshooting. Doing so will allow you to make a more informed decision of whether it's easier and more cost effective to continue troubleshooting or more sensible to reformat and re-image the computer.
  • Make sure the computer operating system, drivers, and applications have all the latest patches and are using the newest version of software. This will go a long way in preventing a re-occurrence of the rootkit. For more information on the best ways to do this, please refer to my article, "Botnets: Keep Computers Up to Date or Else."
  • If possible, isolate the computer on its own sub-net with Internet access. Many suggest removing the computer from the network/Internet, but in many cases, scanners need to phone home to get the latest signature file. Also you may want to try some on-line scanners.
Let's get started

It seems like everyone has their favorite malware scanner, probably because it's worked for them in the past. Like you, I have my favorites. The problem is rootkits aren't generic, so a scanner that works for one occasion may not work another time.

I've used several scanners and have no problem recommending them. On the flip side, there are many scanners out there that I don't have any experience with, and I urge caution in their use. It seems that a certain percentage of rootkit developers also like to create rootkit scanners. So please be careful. I'd now like to discuss several of the generic scanners that have some success in removing user-mode and kernel-mode rootkits.

RUBotted by TrendMicro

RUBotted is a scanner that sits in the background and works quietly. This scanner would be a good first choice for many users who don't want to deal with scanner configurations or the details of removing a rootkit. It's my first choice when I suspect a problem, and I've successfully used RUBotted to remove user-mode rootkits on Windows XP computers.

rubotted.JPG

BlackLight by F-Secure

F-Secure's Security Center Web page is full of useful information, including information about their on-line scanner as well as the BlackLight scanner. BlackLight is a stand-alone scanner that requires very little user intervention, similar to RUBotted. The major difference between the two is that BlackLight only scans on demand. Another helpful link on the Web site references removal tools for many malicious programs.

blacklight.JPG

Rootkit Revealer

Rootkit Revealer is a well-known scanner written by Mark Russinovich and Bryce Cogswell, formerly of SysInternals and now with Microsoft. Rootkit Revealer works in the following way:

"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive."

rootkitrevealer.JPG

The difficult part comes once the scan is completed. Unlike RUBotted or BlackLight, RootkitRevealer requires user intervention to find and remove any malware. It usually requires searching online for information about the process in question and finding out how to remove it.

GMER

GMER is an excellent scanner that searches for hidden services, registry components, and files. Like Rootkit Revealer, it's not at all intuitive. To its advantage, GMER has the ability to delete malware, which conveniently shows up in red when the scan is completed. Many security experts agree with the following claims made on the GMER Web site:

"GMER is an application that detects and removes rootkits. It scans for: hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls and inline hooks. GMER also can monitor the following system functions: processes creating, drivers loading, libraries loading, file functions, registry entries, TCP/IP connections."

gmer.JPG

I found GMER requires getting used to. More to the point, if you aren't familiar with the anomaly GMER found, you either trust GMER to remove the process or research the process in question to make sure that it's not a false positive. Also, uninstalling GMER is a bit different; it requires you to run the following command:

  • Start C:\WINDOWS\gmer_uninstall.cmd script and reboot.
UnHackMe by Greatis

UnHackMe is a specialized rootkit removal tool that can detect and remove most of the simpler rootkits as well as several of the more sophisticated types. The user interface is very intuitive, and I like the fact that UnHackMe can easily be configured to run in the background. Sadly, UnHackMe isn't freeware. You can try it for a month, after which it requires a registration fee of $19.95 USD.

I've been using UnHackMe for several weeks now, and I'm still learning about the technical details of the application. Actually it consists of three individual applications:

  • UnHackMe4— Detects hidden services registry keys, processes, services, and drivers. It uses UnHackMedrv.sys kernel driver.

unhackme.JPG

  • Partizan— Watches the Windows boot process.

unhackme2.JPG

  • Reanimator— Detects and removes Trojans/Spyware/Adware using Greatis application and signature database.

unhackme3.JPG

In my opinion, UnHackMe seems like a scanner that would be very useful to people who want an application that requires little user interface yet still has the sophistication to do its job. The fact that UnHackMe is relatively unknown is of some concern, but CNET is offering it as a download.

The manual approach

As I mentioned earlier the use of canned programs to remove rootkits can be a hit-or-miss proposition. Several TechRepublic members have presented a manual process to remove rootkits that will have a better success rate, but it comes at a price. The method is labor intensive and requires more than a casual knowledge of the operating system and installed applications. Even if you don't try this process, it's a good study in what's required to locate and eventually remove a rootkit:

  1. Open Process Explorer to look for suspicious processes and suspend them, but don't delete them.
  2. Run a malware scanner of your chose; since the process in question is suspended, there's a good chance the scanner will see it.
  3. Use AutoRuns and check for unusual service, drivers, DLLs, and processes.
  4. Write down the name and location of anything that seems suspicious.
  5. Search the Internet for information about the process, and if it is indeed malware, try to find a permanent removal tool.

If one peeks under the hood, it becomes obvious that the manual and automated processes are very similar. Both try to capture two images of the operating system state — one initial image of what processes actually start and an image of what processes the operating system thinks started.

Final thoughts

Removing malware as sophisticated as rootkits is hard. I'm convinced of that now. Because of that, this article has been one of the most difficult for me to write, even after hours of research. It just seems wrong to not have a clear and concise answer for removing rootkits.

Maybe it would have been better if I would have written an entire article about removing just one variation of rootkit. Yet rootkits morph and developers change signatures, so it seems that there's little value in specifics. Hopefully I was able to raise general awareness about the subject to a point where you at least know where to start. If you have any thoughts, suggestions, or methods that work for you, please let me know.

Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic's Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks