Archive for August, 2006

Experts divided over rootkit detection and removal

Monday, August 28th, 2006

The great rootkit debate has started up again. If you have a rootkit then you should wipe your PC and do a fresh Windows installation! That is the advice from many of the security experts around the Internet. Others disagree, saying that anti-rootkit software will remove the rootkit and anti-virus or anti-spyware software will remove what lies beneath it. I stand halfway down the middle on this one.

Experts from Microsoft have recently said to wipe all the data from your hard drive and do a fresh install of the operating system, because you may never really find out what the rootkit was hiding. I tend to believe that most rootkit infections hide other well-known malware such as viruses, keyloggers and spyware. Thus if you uncloak the rootkit and do a scan with any anti-virus or anti-spyware scanner it will show you what the rootkit was trying to hide.

I know plenty of people who would rather keep a rootkit on their PC than reinstall the operating system. I also know other people who would jump straight away at doing a fresh install. There are people who use their PC just for browsing the Internet and playing card games. To them the presence of a rootkit may manifest itself as popups, by virtue of the underlying hidden spyware, and this may not be enough to make them wipe their PC: click on the X of the popup, or wipe and reinstall the operating system? To a newbie or a dontcarebie the thought of wiping and reinstalling is too big a job to handle and “sure, we’ll just get Uncle Steo to do it”.

Then you have the people who have to be highly sensitive about the data on their PCs. Banks, institutions and other high-profile companies need to have the utmost confidence that their data is secure from both prying and criminal eyes. To them the cost of wiping and reinstalling a PC’s OS is fine as long as their data is safe.

So when it comes to rootkits and whether you should wipe your drive: first scan your PC with some of the widely available anti-rootkit scanners and see if one of them can uncover the rootkit. Then scan your drive with anti-virus and anti-spyware scanners, and also keep an eye out for unusual files. If you think you have found an unusual file you can upload it to one of the many online file scanners to check it for maliciousness.

Keep Safe

regards
Steo
www.antirootkit.com

GROMOZON.COM - The strange case of Dr.Rootkit and Mr.Adware

Thursday, August 24th, 2006

Malicious JavaScript is being used to install rootkits in the latest web attacks, according to Marco Giuliani, an Italian virus researcher.
“In May, 2006, users started to report some strange behavior in Windows: strange crashes at boot up, unusual reports of antivirus software reporting heuristic detections of files they couldn’t clean, and odd files appearing on the hard drive. Italian users reported the URLs of suspicious websites. When users visited these websites, their CPUs spiked abnormally high and their systems slowed down.
After these first signs, people reported infections of rootkits on their computers, discovered by some rootkit scanners. Removing this infection, on the other hand, would turn out to be much more difficult than expected. In August 2006, three months later, this infection is still spreading widely - not only in Italy, but to other countries as well. No security company has released an update for their engine or found a solution which totally removes the infection.”

Visitors to the malicious websites were given a quick check to see if they were using a browser with a vulnerability that could be used to install the rootkit and malware. Users’ PCs were also checked to see if they had anti-virus software running. The attackers also tried to fool visitors into downloading an executable file called www.google.com, which many users believed was a link to the famous Google site. In actual fact it was a malicious file named www.google whose .com extension made it executable on a person’s PC.

If the user had not applied the security patch MS06-001 (Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution, http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx) on their Windows PC, then a malicious WMF graphic file (img.tif) was downloaded onto their PC, giving the attacker the ability to run code remotely on the affected machine. The .tif extension is cosmetic: the graphics engine picks the WMF handler from the file’s content, so renaming the file does not stop the exploit.

The rootkit component used two newish stealth techniques. One was the use of reserved device names within Windows and the other was ADS (Alternate Data Streams) on NTFS.

Reserved names are the old DOS device names: CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9. Windows compares the part of a file name before the first dot against that list, case-insensitively, which is why a file such as com4.gip cannot be opened or deleted through a normal path.
“It is impossible with normal file operations to delete or create files with these names, but, if you use the \\.\ prefix, you can delete and create these files easily with the command prompt. If you have a file called:
com4.gip
and try to do
del C:\com4.gip
you will receive an error because you can’t access this file as it uses a reserved name, but if you try to do:
del \\.\C:\com4.gip
you can bypass the check and fully delete the file.”
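The reserved-name trick generalises beyond com4.gip. The following Python script is an added example for this post, not Marco Giuliani’s code or anything from the Gromozon write-up: it encodes the Win32 rule (the text before the first dot is compared, case-insensitively, against CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9), walks a directory tree for colliding names, and builds the \\.\ path that lets os.remove delete such a file on Windows. The sample files created by demo() are constructed for the example, and the deletion step is Windows-only; on another OS the scan still runs, which is handy against a mounted disk image.

```python
r"""Find files whose names collide with reserved DOS device names and build
the \\.\ path needed to reach them.  Added example for antirootkit.com; not
code from the page or from Marco Giuliani.  Assumes the classic Win32 rule:
only the text before the first '.' is compared, case-insensitively."""
import os
import tempfile

RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def reserved_device_name(filename):
    """Return the device name `filename` collides with, or None.

    'com4.gip' and 'NUL.txt' collide (COM4, NUL); 'com4x.gip' and 'com0'
    are ordinary names.  Trailing spaces before the dot are ignored as well.
    """
    base = filename.split(".", 1)[0].rstrip(" ").upper()
    return base if base in RESERVED else None


def device_path(win_path):
    r"""Prefix an absolute Windows path with \\.\ so Win32 skips the
    reserved-name check; this is what 'del \\.\C:\com4.gip' relies on.
    The \\?\ prefix has the same effect and is left untouched if present."""
    if win_path.startswith(("\\\\.\\", "\\\\?\\")):
        return win_path
    return "\\\\.\\" + win_path


def find_reserved_name_files(root):
    """Walk `root` and return (path, device_name) for every colliding name.
    Directory listings still show such files; only opening them by a plain
    path fails, which is why a scan like this can find them at all."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            dev = reserved_device_name(name)
            if dev:
                hits.append((os.path.join(dirpath, name), dev))
    return hits


def delete_reserved_name_file(win_path):
    r"""Delete a reserved-name file through its \\.\ path (Windows only;
    returns False elsewhere so a scan of a mounted image stays read-only)."""
    if os.name != "nt":
        return False
    os.remove(device_path(win_path))
    return True


def demo():
    """Build a constructed sample tree and return the device names flagged."""
    root = tempfile.mkdtemp(prefix="rk-demo-")
    for name in ("com4.gip", "NUL.txt", "notes.txt", "com4x.gip", "com0"):
        target = os.path.join(root, name)
        # On Windows a plain 'com4.gip' path is parsed as the COM4 port and
        # 'NUL.txt' as the NUL device, so create those files via the \\.\ path.
        if os.name == "nt" and reserved_device_name(name):
            target = device_path(target)
        with open(target, "w") as fh:
            fh.write("sample\n")
    return sorted(dev for _, dev in find_reserved_name_files(root))


if __name__ == "__main__":
    for path, dev in find_reserved_name_files(tempfile.gettempdir()):
        print(f"{dev:5} {path}")
    print(demo())  # ['COM4', 'NUL']
```

A hit from find_reserved_name_files is not proof of malware on its own, but on a 2006 Windows box there is almost no legitimate reason for a file named like a device to exist, so every hit deserves a look before it is deleted with delete_reserved_name_file.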

Alternate Data Streams exist on NTFS-formatted disks, which most XP users would have.
“Alternate Data Streams (ADS) is a feature of the NTFS filesystem that can fork file data into existing files without affecting their functionality, size, and prevent traditional file browsing utilities from viewing the stream.”

“If you want to see the ADS features of the NTFS file system, you can click on Start - Run and write this command:
“notepad C:\autoexec.bat:mytest.txt”
Notepad will create a text file hidden in the ADS of the autoexec.bat file. The “:” is used when you want to write to an ADS.”
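To go beyond that single Notepad test, here is an added Python example (not code from the page or from Marco Giuliani) that enumerates every stream attached to a file through the kernel32 FindFirstStreamW/FindNextStreamW API, walks a tree, and flags named $DATA streams that are not in a small benign baseline. The enumeration only returns results on Windows; the stream-name parsing and triage rules are portable, and demo_triage() feeds them a constructed listing (the stream names in it, including hidden.bin, are made up for the example). BENIGN_STREAMS holds only Zone.Identifier, which is an assumption to replace with your own baseline.

```python
r"""Enumerate NTFS alternate data streams (ADS) and flag the ones a rootkit
might be using.  Added example for this post; not code from the page or from
Marco Giuliani.  Stream listing calls kernel32!FindFirstStreamW /
FindNextStreamW, so it only works on Windows; parsing and triage are
portable.  BENIGN_STREAMS and the names in demo_triage() are an assumption
and constructed data, not anything observed from the Gromozon infection."""
import ctypes
import os

# Streams Windows writes itself (Zone.Identifier marks downloaded files).
# Anything else hanging off an ordinary file deserves a look.  Assumed baseline.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_stream_name(raw):
    """FindFirstStreamW reports ':name:$TYPE'; the file's own data is '::$DATA'."""
    _, name, stream_type = raw.split(":", 2)
    return name, stream_type


def triage_streams(raw_names):
    """Return the named $DATA streams that are not in the benign baseline."""
    flagged = []
    for raw in raw_names:
        name, stream_type = parse_stream_name(raw)
        if name and stream_type == "$DATA" and name not in BENIGN_STREAMS:
            flagged.append(name)
    return flagged


def list_streams(path):
    """All streams of `path` as (raw_name, size); [] when not on Windows."""
    if os.name != "nt":
        return []
    MAX_PATH, ERROR_HANDLE_EOF, INFO_STANDARD = 260, 38, 0

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid = ctypes.c_void_p(-1).value

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, INFO_STANDARD, ctypes.byref(data), 0)
    if handle is None or handle == invalid:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:      # e.g. a directory: no streams at all
            return []
        raise ctypes.WinError(err)
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def write_stream(path, stream, text):
    r"""Same trick as 'notepad C:\autoexec.bat:mytest.txt': open path:stream."""
    with open(f"{path}:{stream}", "w") as fh:   # NTFS only; fails elsewhere
        fh.write(text)


def scan_tree(root):
    """Map each file under `root` to its flagged stream names (Windows only)."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            flagged = triage_streams(raw for raw, _ in list_streams(full))
            if flagged:
                report[full] = flagged
    return report


def demo_triage():
    """Constructed listing for one file, standing in for list_streams() output."""
    listing = ["::$DATA", ":Zone.Identifier:$DATA",
               ":mytest.txt:$DATA", ":hidden.bin:$DATA"]
    return triage_streams(listing)


if __name__ == "__main__":
    print(demo_triage())          # ['mytest.txt', 'hidden.bin']
    if os.name == "nt":
        import tempfile
        probe = os.path.join(tempfile.mkdtemp(), "probe.txt")
        open(probe, "w").close()
        write_stream(probe, "mytest.txt", "hidden text\n")
        print(scan_tree(os.path.dirname(probe)))   # {probe: ['mytest.txt']}
```

On the XP systems of the time, Sysinternals’ streams.exe performs the same enumeration from the command line; dir /R, which lists streams natively, only arrived with Vista. Either way a listing only helps once the rootkit itself is no longer filtering what the file system returns, which is the point this post makes about GMER and IceSword.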

To run anti-rootkit programs like GMER and IceSword, Marco found that he had to modify strings in the scanners with a hex editor so that the rootkit could not identify the scanner by its checksum and block it. Until the rootkit is removed the user cannot “see” the malicious files that it is hiding.

Have a read of the full article here and get a feel for how malicious and advanced this rootkit is and the lengths the attackers went to in order to keep their operation going. This is big, and if it wasn’t for people like Marco it probably would have been bigger.

Keep Safe

regards
Steo
www.antirootkit.com

Rootkits, more emerging threats

Wednesday, August 2nd, 2006

The Black Hat Briefings in Las Vegas are a good pointer to the direction particular IT security trends are taking. With six presentations this year dedicated to rootkits, it shows that rootkits are fast becoming a bigger threat to users.

Gone are the days when authors wrote rootkits for bragging rights. They are now written by attackers trying to get their hands on the sensitive information that users have on their PCs or companies have on their networks.

Currently the method of installing and running a rootkit is to place it on the hard drive of a person’s PC and have it hide itself from all but the best anti-rootkit scanners.
This year at Black Hat, Joanna Rutkowska, a senior researcher at COSEINC, a Singapore-based security company, demonstrated how rootkits could be installed at an even lower level than they are at the moment, providing more stealth and ultimately more longevity.

Joanna Rutkowska showed how she could use AMD’s Pacifica hardware virtualization to install a rootkit and malware beneath Microsoft’s new operating system, Vista. A similar method using Intel’s VT-x virtualization extensions can also be used. According to Dino Dai Zovi, principal with Matasano Security LLC, rootkit authors can use VT-x to install malicious code that is inaccessible to the running operating system, hiding and controlling access to blocks on a disk. Because such a rootkit runs as a thin hypervisor underneath the operating system, the kernel-level scanners mentioned in the earlier posts have nothing to look at: the whole OS, scanner included, is running inside the rootkit.

There is also proof-of-concept code available to install rootkits into the BIOS of your computer, although this is hard to achieve and there are no known active rootkits circulating.
John Heasman has been experimenting with using the Advanced Configuration and Power Interface (ACPI) specification, which handles power-management functions in most computers, to copy data from the BIOS into the operating system. “It continues to surprise me what you can do with it,” he said. This sort of rootkit would survive reboots, and even a wipe and reinstall of the operating system, since it lives in the BIOS flash rather than on the hard drive, and it would be hard to find.

There are some interesting days ahead in the rootkit world and researchers like Joanna Rutkowska and John Heasman are way ahead in their thoughts on the next attack vector.

What ever will be next?

Keep Safe

regards
Steo
www.antirootkit.com