Windows rootkits 101


When administrators and security professionals hear the word rootkit, most think first of a UNIX-based system. Unfortunately, this only leads to a false sense of security for Windows-based systems. The fact is that Windows rootkits do exist, and you need to be able to detect them.

What is a rootkit?

To clarify, a rootkit is not an exploit -- it's the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.

Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.

Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit's existence if they have a signature file.

On the other hand, a kernel-mode rootkit is remarkably different -- and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.

By design, kernel-mode rootkits control the operating system's Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.

In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit's files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.

Rootkit detection

Methods to detect rootkits fall into two categories: signature-based detection and heuristic/behavior-based detection.

  • Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a "fingerprint" that's unique to a particular rootkit. However, the rootkit's tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.
  • Heuristic/behavior-based detection: This method works by identifying deviations from normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available, leaving 25 GB unaccounted for.
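The following is an added example, not code from the article, showing the two heuristic ideas above in working form: a disk-space accounting check using the article's own figures, and a cross-view comparison of a directory listing obtained through the OS API against an independent listing (the kind of hidden-filename anomaly the kernel-mode section describes). All inputs are constructed sample values; the filenames and the tolerance figure are assumptions.

```python
# Added example (not from the article). Constructed inputs only.
GB = 1024 ** 3

def unaccounted_space(capacity, used_by_files, free, tolerance=0.05):
    """Bytes that neither the file listing nor the free-space figure explains.
    Filesystem metadata legitimately consumes some space, so only a gap larger
    than `tolerance` of capacity (assumed 5%) is reported; otherwise 0."""
    gap = capacity - used_by_files - free
    return gap if gap > capacity * tolerance else 0

def cross_view_diff(api_view, raw_view):
    """Compare a directory listing returned by the OS API with an independent
    listing (e.g. raw volume parsing or an offline boot). Names present only
    in the raw view are candidates for files being suppressed; names present
    only in the API view are also anomalous and worth a look."""
    api_set, raw_set = set(api_view), set(raw_view)
    return {"hidden": sorted(raw_set - api_set),
            "phantom": sorted(api_set - raw_set)}

# Constructed sample using the article's figures: 200-GB drive, 160 GB of
# files, 15 GB free. 25 GB is unaccounted for.
SAMPLE_DISK = dict(capacity=200 * GB, used_by_files=160 * GB, free=15 * GB)

# Constructed sample listings of one directory from two vantage points.
# "svc_helper.sys" is an invented name, not a real indicator.
SAMPLE_API_VIEW = ["notepad.exe", "report.docx"]
SAMPLE_RAW_VIEW = ["notepad.exe", "report.docx", "svc_helper.sys"]

def suspicious_space_gb():
    """Unaccounted space on the sample disk, in GB."""
    return unaccounted_space(**SAMPLE_DISK) / GB

if __name__ == "__main__":
    print(f"unaccounted space: {suspicious_space_gb():.0f} GB")
    print(cross_view_diff(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW))
```

Neither check proves a rootkit on its own; a large gap or a listing mismatch is a lead to investigate from a trusted environment, not a verdict.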

Rootkits are hard to detect. But there are programs -- some free and from reputable companies such as F-Secure and Sysinternals -- to help you detect their presence on your systems. Microsoft has even stepped up to the plate with its Malicious Software Removal Tool, designed to detect and remove Windows rootkits.

Final thoughts

If you discover someone has compromised your machine, it's vital that you take the necessary steps to find out if the attacker has installed a rootkit -- and then eliminate the threat. Applying vulnerability patches after someone has installed a rootkit on your machine won't close the security holes that already exist on your network.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

15 comments
s.y.n

Good article. What do you think about Gmer, this excellent free software ?

BobKat519

Question... if my data is backed up to a slave drive, is it safe from rootkits and viruses etc.? Can I re-install my software, then restore my data from my slave drive? My data being copies of MS Word docs and MS Excel etc. Thanks!

SmilingSheep

I'm not sure what you're using the slave drive for (just back-ups)? Safer would be periodic back-ups to an external drive (FireWire or USB2). Also, don't just save the last back-up, as it may also be compromised. Depending upon the size of the data, a DVD burner is a good option for data back-ups. You should be able to find an external enclosure for the slave drive for < $50.

robtec88

So, if I back-up my important data to a DVD with the (suspected) infected PC, the data on the DVD won't be affected? Does it have to be an external drive - I mean, if the infected PC is sending the data to a DVD drive, it shouldn't matter if the data travels through the IDE cables or Firewire/USB shouldn't it??? I don't know, I'm asking.

apotheon

Data on write-once media cannot be changed once it's recorded there. That means that a computer that has been compromised cannot (yet) affect the data already on that write-once media. That doesn't mean that saving data to optical media magically cleans up the data, though.

apotheon

To the extent that it is accessible to you while using the computer, it is accessible to someone that has gained administrative access on that same computer. Period. Once someone is putting rootkits on your computer, everything is accessible. That doesn't necessarily mean that everything is compromised, in terms of data. The danger of keeping something after getting rootkits installed on your system is proportional to how executable it is. In other words, a .exe file you have is most suspect, a data file that can carry macros (based on the file type) that are executed by the application that is used to access the files is somewhat less suspect but can still be dangerous (may redownload/reinstall trojans and rootkits, et cetera), and a plain text file is pretty much entirely trustworthy (as long as you check to make sure it's still just a plain text file). As much as possible, you should ensure that you have text backups of all your important data. That way, you're covered in case of getting compromised -- you can restore from backups, and you'll be sure that the text-only data is not going to endanger you when it's restored.

Julien Thomas

As said by apotheon and others, a root-level rootkit may affect everything available on your computer (PC is too restrictive :D). So, even data on a slave disk may be corrupted. The only things you can trust are hardware write-protected data (i.e. not software/OS-dependent) or backups that could not be accessed by the infected computer. You may also rely on data if you have comparison (hash) databases that were protected, and if you compare them using a trusted tool (i.e. not running on the infected computer). Maybe the book "Rootkits: Subverting the Windows Kernel", from which I learned a lot, would be an interesting introduction!

apotheon

You bring up a good point -- integrity verification via snapshots and/or hashes can ensure your data (and even software) is still good. That assumes, of course, that your integrity verifying software and snapshots/hashes are safe from modification (similarly to backups inaccessible from compromised systems).
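The hash-database idea raised by Julien Thomas and apotheon above, as an added example that is not the commenters' own code: build a SHA-256 baseline of a directory tree, then verify the tree against it and report changed, added and missing files. The demo scenario (file names, contents, the simulated modification) is constructed; in real use the baseline goes on media the monitored system cannot rewrite and the comparison runs from a trusted environment.

```python
# Added example (not from the comments). Constructed demo data only.
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, baseline):
    """Compare the live tree with a stored baseline. Any non-empty list needs
    investigation: changed = digest differs, added = not in baseline,
    missing = in baseline but gone."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a small tree, serialize the baseline (as
    it would be for read-only storage), then simulate one modified binary and
    one dropped file before verifying."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"original binary")
        (root / "notes.txt").write_text("plain text")
        saved = json.dumps(build_baseline(root))
        (root / "bin" / "tool.exe").write_bytes(b"patched binary")
        (root / "dropped.dll").write_bytes(b"new")
        return verify(root, json.loads(saved))

if __name__ == "__main__":
    print(demo())
```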

cgircapo

I didn't learn something new. I need to know what to do, the possible symptoms of rootkit presence and how to really remove it. Not just go on F-Secure, etc.

brian.pirkey@nefcocorp.

Sorry, for that information you'll need to enroll in Windows rootkits 201. Down the hall, second room on the right.

apotheon

Luckily, the Windows Rootkits 201 class is mercifully short. It consists of nothing more than this:
0. You should already have backups of all your data.
1. Wipe the system.
2. Reinstall the OS (or restore it from a pre-rootkit image, if you're positive it wasn't compromised at that time).
3. Restore important data from backups, making sure to check it for malicious code as you go.
Once a system has been compromised by a rootkit, you can never trust it again, because there's no reasonable way to be certain you've found out about all the changes that have been made. Sad but true.
edit: Actually, that's just Rootkits 201 (rather than Windows Rootkits 201), and isn't OS-specific, since the same applies to any OS that has been compromised by a rootkit.

jlumley

A well thought out step by step guide, and it works. Recently being a victim of a "Rootkit", my only option was to use "System restore", which wasn't the right choice. I then had to use the "System recovery" and start over. It was an inconvenience, but the only cure.

AcesKaraoke

I am an IT student right now and always remember the words of one of my favorite instructors when a system we're working on gets hosed. (sung to the tune of Camptown Ladies) "FDISK, Format, Re-install... Do dah Do dah" repeated at least once or twice with a smiling and knowing visage of one who's been there many times. Sometimes it's the only way to regain system trust.

jim

The problem, when using something like Rootkit Revealer and one has a list of possible anomalies, is to know what can be removed and what needs to be left alone because it is needed by installed applications or even by AV products.