Rootkits are the crème de la crème of malware, operating in a manner not unlike elite Special Forces units: sneak in, establish communications with headquarters, recon defenses, and tip the odds in favor of the soon-to-arrive main-attack force.
Rootkits are similar to Special Forces in another way, if found and attempts are made to remove them, all hell breaks loose. Every rootkit remover worth its salt warns that removing the rootkit could cause problems for the operating system, to the point of where it may not boot.
That's because the rootkit buries itself deep in the operating system, replacing critical files with those under the rootkit's control. And when the replaced files associated with the rootkit are removed, the operating system could be rendered inoperable.
It's a pretty safe bet IT professionals, who deal with malware including rootkits, have a copy of Malwarebytes Anti-Malware (MBAM) at their disposal. I know several who say they owe their sanity and good customer rapport to MBAM. Another safe bet: the people at Malwarebytes are doing something right, particularly when bad guys add code to their malware installers to prevent MBAM from installing, or if already installed, from running. (More on this later.)
Back in 2009, I met the team at Malwarebytes when writing "Malware scanners: MBAM is best of breed." I knew, being the snoopy journalist, I needed to keep in touch with this energetic bunch. About a year ago, the crew started beta testing Malwarebytes Anti-Rootkit (MBAR), a tool targeting rootkits -- going right at the beast.
I had to know more so I contacted Marcin Kleczynski, CEO, founder, and the one who put the magic in MBAM. Marcin mentioned:
We at Malwarebytes go to great lengths to release fast, effective, and safe software. This mission extends to our anti-rootkit technology that is currently in beta.
Marcin offers the following details about MBAR:
With MBAR we have been running the open beta now for almost a year successfully, and while there is a small chance specific configurations could pose issues; we are confident for most users MBAR will be extremely effective against any rootkit infections they encounter.
My first question for Marcus was why the sudden interest in rootkits? Marcus pointed out that rootkits are becoming the cornerstone on which all malware exploits are built. Rootkits have always greased the skids for other malware to be installed.
What's new is the programming of rootkits to redirect web browsers to look-alike malicious websites just waiting to install more malware on vulnerable computers, or redirecting web browsers to websites advertising goods just to increase click count, making advertisers happy.
I mentioned to Marcus that I thought MBAM removed rootkits, why then is MBAR needed? Marcus pointed out it's all about reaction time. Rootkit developers have become adept at quickly morphing their code when they learn rootkit removers recognize their handiwork. Using a separate tool, MBAR's developers can react just as fast without any concern of damaging a larger, more complex program like MBAM, and avoid the logistics of rolling out a new version of MBAM.
Marcus then mentioned another advantage:
The bad guys have the edge when it comes to rootkits, they aren't too worried about breaking the host computer, but we are, very much so. Having a separate tool allows us to make absolutely sure we minimize the risk of breaking the host computer.
I had an ah-ha moment when Marcus alluded to their need to react quickly, now understanding why their other tool, Chameleon was separate, and not embedded in MBAM.
If you aren't familiar with Chameleon, it is Malwarebytes's answer when malware prevents MBAM from installing, or running if already installed. Chameleon disguises MBAM, allowing it to start and destroy malware.
Something I did not know until Marcus mentioned it is that MBAM has Chameleon in the installed MBAM folder, and it's worth trying. If it doesn't help, Marcus reminded me that like MBAR, Chameleon (website version) is also a separate tool, giving Malwarebytes the option of quickly altering Chameleon to improve the odds of fooling rootkits.
How MBAR works
It's time to get to work; if you suspect a rootkit, and MBAM comes up empty, you may want to try MBAR. The first thing to do is read this link. It explains everything: A to Z. Still, I want to touch on a few of the more important aspects. First, here's the list of rootkits the guys at Malwarebytes have tested MBAR against, and successfully removed:
- Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
- Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
- Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
- Volume Boot Record/OS Bootstrap infectors like Cidox.
- Disk Partition table infectors like SST/Elureon.
- User mode patchers/infectors like ZeroAccess.
Once you have unpacked the MBAR zip file, go to the MBAR folder. It should be similar to the following screenshot.
I circled the three files that I wanted to mention. I was happy the MBAR team included the ReadMe.rtf -- it answered many of my questions. I didn't notice any mention of it, but before anything else, I would back up all data to a remote source. I asked Marcus about setting a restore point and he said doing so is not recommended -- creating a restore point will allow the rootkit to be restored as well.
Once you are confident, start the ball rolling by double-clicking on mbar.exe. If MBAR finds something, you will get a screen like the one below.
Similar to MBAM, just follow the instructions, and MBAR will get rid of the captured rootkits. In the process of removing any located rootkits, MBAR will also try to repair or restore the rootkit-corrupted files. After the ensuing reboot and rescan to make sure MBAR caught everything, Marcus recommended running Fixdamage.exe (circled in the slide showing the MBAR folder) as a "belt and suspenders" operation just to make absolutely sure all critical files are as they should be.
Marcus was adamant that I make sure to tell everyone that MBAR is in beta. I promised and here is the disclaimer they post on the website:
All Beta versions are non-final products. Malwarebytes does not guarantee the absence of errors which might lead to interruption in normal computer operations or data loss. Precautions should be taken. The types of infections targeted by Malwarebytes Anti-Rootkit can be very difficult to remove. Please be sure you have any valued data backed up before proceeding, just as a precaution. While we encourage and invite participation, Malwarebytes Anti-Rootkit BETA users run the tool at their own risk. Malwarebytes bears no responsibility for issues that may arise during use of this tool, however all reasonable efforts will be made by Malwarebytes to assist in recovery should the need arise.
I guess I never gave it much thought, but after talking to Marcin and Marcus, I came away wondering if rootkit coders intentionally replace critical files to make it that much harder to remove the rootkit, or is it fallout from controlling critical processes to prevent detection, and allow the rootkit to do its thing.
Thank you Marcin and Marcus for your explanations, and here's to continued success for MBAR -- we can use the help.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.