Five tips for dealing with rootkits

.

It's often like the blog is the "opening remark" of a brainstorm or freethink session - superficial, but enough to get people to home in on what's going on - bringing with them the real meat.

I've got mod-security on my plate here first though.

of a rootkit, but Avast uses GMER technology to root them out. I'm not saying any one thing is good for nasty rootkits, but at least those can be on the machine in the first place. Many live CDs require you have the brand name of the AV already installed or the CD will leave you a message that it can't help you.

I don't have imaging yet, but rootkits are a good reason to get it. I'll wait until I have a certifiably clean system to image though.

In no way did I mean NUKE THE RECOVERY PARTITION (and I never said nor indicated that)! Heck no! Often times, that partition, since it often sits on like a "D:" partition, has not been touched, and you can copy/slipsteam the o/s off there, to a new ISO or new CD to re-create your system. Some vendors even have made a 'cd generator' exe that will make the cds/dvds from that partition. Please understand that I meant the OTHER "system restore" - i.e., that feature of Windows XP and higher, under Computer Properties, where it says "System Restore" (i.e. "Restore Points") - I'm sleepy right now, but NOW you know what I mean - that part that allows you to "roll back" any recent updates and config changes, to a point in time BEFORE those changes took effect - THAT 'System Restore' - not the OEM/Vendor 'System Recovery / Restore Partition.' Please don't confuse those two - or you get in BIG trouble - ;-) BOTTOM LINE: The REALLY smart viruses and rootkits hide in that 'system restore' area, and, even if you wipe them off the system, as soon as you reboot, the "mothership" call them OUT of that 'restore point' area and back into action - I have had to kill several of those types - nasty buggers!

about System volume Information I wouldn't touch two files: - MountPointManagerRemoteDatabase - tracking.log they're some weird NTFS stuff - MountPointManagerRemoteDatabase holds the list of Junction / Mount Points, it will be 0 bytes if there are no drives mounted in NTFS folders - tracking.log I haven't bothered to find out what exactly this one is or does, but on all my systems it's 20KB (20,480Bytes)

I'll have to try that on the test machine at work. If it's simply file permissions that can be changed, I'll call it user error in my case.

I get access to that folder within the first 20 minutes of a windows install / setup it's easy, from within an admin. account: - right click on it (system volume information) - select the security tab - click the advanced button - click the "allow inheritable permissions ... - now all admin. accounts can look in and modify the contents

One of the things that first got me using a liveCD for scanning and cleanup was an XP machine where not even user Administrator can delete files from the system recovery tree owned by user System. Popped in a liveCD for something that didn't have absolute respect for NTFS permissions and away went the offending files. (unfortunately, not a system I was free to nuke and pave)

As an alternative, I've had system restore rescue systems that I couldn't fix any other way. Note: This is on other people's systems, and they nearly always don't have the cds to reinstall all (or any) of their software, so a complete reinstall is the last option.

The first reply to your comment sums it up pretty nicely. My last job was as a computer tech, so I dealt with this stuff all the time. Our shop changed our process due to malware. We used to pick a machine up, boot into Windows, look around and confirm the problem etc. I played around with rootkit scanners but quickly realised they were a poor idea. You are running a tool in an already compromised environment. Sure, they might pick up the infection. There's every chance they won't, and they take too long anyway. So we changed our process so that 30 mins before the end of the day we would pull the drives out of all the machines on the "Jobs Waiting" shelf and plug them into spare machines. The machines were set up with Windows and four A/V and malware scanners. I also wrote a script that loaded the slave drives registry offline so that could be scanned, and another tool to read the common startup locations offline ("Autoruns offline"). Finally, another script would delete temp files, and common files that we knew belonged to infections. The guy who came after me automated this even more. They now press a button, and the registry is read offline, the four scanners all load and run, when finished the results are automatically put into the job tracking system and the temp files are deleted. This cut our time down hugely. We would come in the next day, put the drives back in their original machines and boot up. Half the time the job was as good as done. Occassionally we had other effects that needed tidying. For jobs that weren't fixed it meant we could discount viruses as the likely cause. This saved countless hours. And every time we ran into something this process didn't fix, we added it to the script to manually search for and find it (things like .exe files in C:\Windows\Fonts directory). Suer, you can fight the good fight within the compromised environment, but you shouldn't be very confident when you give the machine back to the client, and you certainly haven't done them any favours in terms of time charged.

neon, try MBAM i've been cleaning desktops for many years using boot images (e.g. UBCD4W) running six (and more) different malware scanners - to me that was the ONLY way to clean properly, almost a religion started using MBAM about a year ago and it just seems to collectively catch almost (AND Clean) everything in my own comparative testing (boot image & offline scans vs MBAM whilst in windows) the difference between the two methods is about 0.9% detection (wise spectrum), but the hands-on time involved decreases by about 80% there are occasions where i still (after MBAM) go through my full routine, but in retrospect it has not been necessary now for at least the last 250+ systems (almost a year) if/when i have any uncertainty and a particular system is mission-critical i kill and rebuild (but only after a dban on the drive) give it a shot !

True that you don't necessarily "need" a 2nd system, nor a 2nd O/S for that matter, but both are recommended for added speed, copying off the data from the infected drive, etc. Actually 2nd O/S is not really needed, if you are not 'booting' the infected drive, and not ever having any chance of accidently clicking/running anything on the 'slaved' infected drive. I use 2nd computer so I can copy off the user's data (doing that now, as we speak), then format the drive, set it up to be ready for new o/s install, etc. Saves a bunch of booting/rebooting, etc. I can even copy the o/s install files to a partition on the newly-formatted hd, then I'm ready to slide it back into the other system, and boot/build.

In Washington DC, at the Pentagon and at a "Tempest" PC outfit (which must remain nameless for now - Google 'Tempest' if you don't know what it means - basically RF-sheilded & EMP-shielded computers - and they are *HEAVY*) we definitely were required to physically destroy the drives via 4 methods (not all at once - we typically would use one or two) 1) Sledgehammer! Not perfect, but makes 90% plus of the data non-recoverable 2) Thermite and/or Frog-in-a-blender methods - melt it down or grind it to bits - both are effectively 100% non-recoverable 3) HUGE UBER-STRONG magnet multi-wipe - we had massive industrial electromagnets, just for this purpose, and they were incredibly intriguing! Just don't wear a lot of loose metal jewelry when you hit the degauss button! 4) Multi-wipe with a low-level zero-fill utility. You are right - triple-wipe should not be needed for SSD. You also are right that there is no hard evidence that triple-wipe on a magnetic drive gains a typical non-terrorist any great advantage. FBI, NSA and CIA probably already have copies of your drive via proximity-based magnetic resonance leeching technology, which effectively does a "live Ghost" copy of your drive over the air (OOPS! was that still 'classified?' ouch, I'm in deep trouble now!), without them ever having to come into your house and physically touch your drive - IF you are a terrorist, I mean - but if you are Joe User, who is not counterfeiting 100 dollar bills, and not threatening to blow up the world, then a single wipe is adequate and is better than just delete or shift-delete.

SSDs should just need one write to the entire drive since they don't have issues that magnetic drives have with track wandering. Quite often even the simplest option of overwriting the first and last segments of the drive with 0's is sufficient for any drive. If you are worried about someone with the proper tools recovering your data from a magnetic drive, the multipass overwrite is good. Of course, if you are that worried, taking the drive out and using thermite to melt it down might be a faster and better option.

Avira detected 26 files but I only use it to identify. It didn't have much luck cleaning and I'm not ready to let it delete when I can still boot Backtrack or similar and know what I'm deleting. Bitdefender detected 4 files and was not able to clean them. Knowing what the files where, I chose to delete which it had no trouble doing. Fsecure detected 36 (beyond the 4 already deleted) and cleaned or renamed. Kaspersky is on deck but I'm going to risk a Windows safe mode boot once I get win32 tools collected on a CD. F'ing Fake AV!! I hate that guy..

The Linux live CD has been a game changer. Thanks Tomas M. for inventing the underlying scripts: http://www.linux-live.org/ there's goo reason that site looks like this one: http://www.slax.org/ one and the same developer. Slax is my first go-to for system recoveries, it's highly hardware compatible. And you are quite correct about commercial AV being tight with 'proprietary' information. Their loss. Open source is definitely the model for successfully pushing back against the mayhem. As closed source products go, I have been setting folks up with windows defender lately. It gets high reviews, you'd have to imagine the insiders would have an easier go at getting this sort of thing right. It also gets me off the hook with licensing. First thing it does is verify the license as valid. If it isn't it won't install. (at least I haven't tried to end run it) It probably hooks something back to Redmond a little more closely than my personal tastes could tolerate. But I don't run windows for anything but testing, and on isolated networks. For my clients, though, Win Defender seems to be an excellent choice. It doesn't bog the system down as much as the other commercial products and it's alleged to be near the top in detection and prevention, according to 'independent' testing.

Almost all viruses can be removed without having to take down the machine, but any rootkit written by someone who knows what they are doing will not be removed unless the source is offline. You may be able to detect the rootkit on the machine, but removal while it is running will be exceedingly difficult, if not impossible. You do not need a second machine either, just a clean boot source (liveCD, WinPE/BartPE, flash drive, etc). All you need to do is prevent the rootkit from starting so self-hiding is impossilbe and removal becomes possible.

32 writes on the drive. That would burn Flash memory out quick with it's write limit and would noticeably shorten the life of a platter drive if your doing it regularly.

3 passes is way more than enough to hide from local police. 5 is way more than enough for FBI. If You are in such deep shit Russia is scanning your drives, you might shoot for 7 max. No point going further. 32 passes is like Martians running cloud servers trying to crack your info, and IMHO, they could read your mind easier than trying to read after 32 passes.

I see the reaction with extreme hostility as erring on the side of caution. When presented with something new, the state of the art in malicious software, consider the potential outcomes. One can say "I have 20 years of experience so therefore any new malware I see must obviously behave the same as what I've seen in the past." The positive outcome may be a quick AV scan that manages to catch any lingering malware. The negative outcome is missing a trick you haven't seen before resulting in data loss or wasted time revisiting the same infestation. One can also say "I have 20 years of experience and have learned that software is ever evolving. This may be something new or something old with new tricks. I should treat it with the assumption of being state of the malware art." The positive outcome is that you catch all of it and discover that it is something new and interesting; you learn something. The negative outcome is that you spend more time than expected to find out it's only something old and nearly harmless now like Slammer. In one case, your making the choice to be surprised by a negative because you ignore the possibility of it being something new or ignored the possibility of using a specific tool due to OS religion or whatever rationalization you gave yourself. In the other case, your making the choice to be surprised by a positive outcome by assuming the worst and taking appropriate steps for that worst case scenario. If I'm going to assume, I'd really like the be surprised by a good outcome; better for the user I'm supporting and more opportunities for happy surprises. These days, pulling the drive as a first reaction may be over the top unless you have pre-imaged replacement drives to slap back in (and assuming that kind of uptime requirements). It's not like the days before easily bootable OS on removable media where getting at a drive through a secondary OS did usually mean a second workstation. Also, I wouldn't hold Norton up too proudly. No AV catches everything and Norton isn't ranking as high as others for detection. It used to be back and forth between Norton and McAfee but both have been outclassed. Even given an AV ranking at the top of the list, I'd still confirm with two or three different scanners. Things may be different if AV companies where sharing signature data but with the scanning engine and signature data both being considered competitive advantage, it's not as simple as picking a single brand name.

Only twice have I actually had to slave a drive on a different PC because the kit had really dug itself in. Both times I ran a virus scan (Norton) which found and removed it. Seriously, I've done PC support for nearly 20 years and I see such reactionary statements being made in these posts.

You don't even need the external HDD box anymore, get a drive doc with IDE and SATA slots unless your regularily dealing with a different connector. There is also the three in one HDD to USB connectors but for this type of thing, you probably want eSATA when your ripping the drive down to an image or otherwise reading over the full size of the platters.

With SSDs (Solid State Drives) coming down in price, you should probably just overwrite the drive with zeroes, as from what I understand, filling the drive with random garbage can cause havoc with most SSD write speeds. (Writing zeroes should be fine against anything but an attack by the CIA or KGB.)

Indeed most of the rootkits I have dealt with were in the MBR. But I trusted all those drives for a reinstall after using "Darik's boot-n-nuke." It can do a number of different wipe techniques, but all of them start with sector zero, i.e it wipes the MBR. On occasion one pass isn't enough to do so, however. What I do for the persistent ones is start another wipe with DBAN and let it go for a minute or two, it starts at sector zero so a minute is enough that it wiped the MBR. (in this case again) I shut off DBAN and start it up again and repeat, running for a minute or two. I have never had to do this more than twice, meaning one complete run of DBAN and 2 one to two minute scans afterward. http://www.dban.org/

Quite often, only one computer is needed. There are quite a few bootable CDs (either downloadable or how to on rolling you own) that will allow you to clean a computer by booting from an optical drive so no files on the hard need to be accessed. I've also used similar tools from a bootable USB drive but more systems will boot from an optical disk and less worries about it being written to. If I have the time, my personal preference is stuffing the drive into an external holder, scanning with several tools and then copying data. After that, I use SDD (Secure Data Destruction) or it's cousins to overwrite the entire drive with random garbage before doing a re-install. Bit time consuming but safest. As usual, YMMV.

Bitdoctor is spot on. Having spent a good piece of yesterday trying to clean up a rootkit using multiple tools (ComboFix, AVG, MalwareBytes, etc.), the bugger could not be fully removed. Step 4 says it all "reformat and start from scratch" because that is the ONLY way you can be sure it is really cleaned. Good thing I alway partition the drive and instruct users to put personal data on the D drive; makes a re-install a bit less painful.

You are not "sticking it in" another comptuer, per se, you are [using] another computer, with this 'rootkit-infected drive' as a 'slave' via USB or other secondary adapter (key is "secondary") - you are not "booting" a 2nd computer with this infected drive - it is passive and can then be scanned, dissected, etc. Granted, you need some 'rootkit discovery and eradication' tools to run against the secondary drive. So, you are using the infected drive in a "non-boot" mode, thus the rootkit cannot harm you. And this is the method I've used to clean a large number of rootkits - of course, ones that cannot be cleaned require full format - but the gist of this is, 1) CONNECT the drive, as a [slave], to a 2nd computer 2) Get your data IMMEDIATELY off the drive 3) Attempt cleaning measures 4) Ignore step 3, because you really should reformat and start from scratch 5) Put your data back on the newly formatted drive 6) Stay away from places where you get infected with rootkits 7) Have a drink and hope your identity wasn't stolen

Assuming its dropper did not restart your computer most I've seen only got noticed long after multiple restarts. If you have concealed folders and registry hives its already past that point. I'd never trust a drive again, without a full partition format and reinstall, given the possibility of it modifying the MBR.

are the mac daddy of malicious software because virus scans don't catch them, it takes a specialized rootkit scanner to find them.