The "No Network is 100% Secure" series
- Rootkits -
A White Paper

All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


What is a rootkit?: Rootkits use cloaking technology. The term rootkit describes the mechanisms and techniques by which malware, including viruses, spyware, and trojans, attempts to hide its presence from spyware blockers, antivirus, and system management utilities. Rootkits are classified by whether the malware survives a reboot and whether it executes in user mode or kernel mode.

A common rootkit infection occurs when a user visits a compromised or malicious web site. The web site then probes the user's computer for vulnerabilities. If any vulnerabilities are found, they are immediately exploited without the user's knowledge or assistance. This is known as a "Drive-by".

Once infected, rootkits can be extremely difficult to remove, often requiring a disk reformat. Rootkits sometimes attach themselves to the Master Boot Record (MBR). Others create registry entries that often look legitimate and sometimes can fool antivirus software.

Computers that have been "rooted" can be used for numerous malicious purposes including being keylogged, configured to host malware, acting as relay proxies, and even participating in DDoS attacks. Many of these functions operate in a virtually undetectable manner.

It is a common misconception that rootkits create root/Administrator access to computers. In fact, for a rootkit trojan to be downloaded and installed, the attacker must already have root/Administrator access to the computer. In the case of Microsoft Windows machines, this is usually not difficult since many users are running with Power User or Administrator privileges.

There are rootkit exploits for most operating systems including *NIX and MS Windows.

Hacker Defender is one of the more common user-level rootkit applications available for use against Microsoft Windows computers.

Rootkit developers, unlike so-called script kiddies, are very familiar with operating systems programming. In many cases, they use readily available tools like Microsoft's own DDK (Driver Development Kit) to get a jump start. The DDK was designed to let programmers build drivers that are compatible with Windows.

Persistent Rootkits: A persistent rootkit is malware that activates each time the system boots. Such malware keeps its code in a persistent store, such as the Registry or file system, and is configured so that the code executes without user intervention.

Memory-Based Rootkits: Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits: There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services. More sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration.

Kernel-mode Rootkits: Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.

Is there a sure-fire way to know of a rootkit's presence?: In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by antivirus software, can be compromised. Comparing an on-line scan of a system with an off-line scan from a secure environment, such as a boot into a CD-based operating system installation, is more reliable, but rootkits can target even such tools to evade detection.

The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.

Rootkit tools:

Rootkit Removal: UNTESTED!!!!! They require e-mail verification to download
Sysinternals suite:
Process Explorer:

RootkitRevealer runs automatically and is self-configured with several options. Running RootkitRevealer is easy. Interpreting the output, not so much.

RootkitRevealer will list Registry key discrepancies showing that Registry keys stored for potential rootkit device drivers and service settings are not visible to the Windows API, but are present in the raw scan of the Registry hive data. Similarly, the rootkit-associated files are not visible to Windows API directory scans, but are present in the scan of the raw file system data.

One must examine all discrepancies and determine the likelihood that they indicate the presence of a rootkit. Unfortunately, there is no definitive way to determine, based on the output, if a rootkit is present, but you should examine all reported discrepancies to ensure that they are explainable. If you determine that you have a rootkit installed, search the web for removal instructions. If you are unsure as to how to remove a rootkit you should reformat the system's hard disk and reinstall Windows.

Interpreting the output of RootkitRevealer is beyond the scope of this white paper. However, some common messages are as follows:

Access is Denied: RootkitRevealer should never report this discrepancy since it uses mechanisms that allow it to access any file, directory, or registry key on a system.

Scanning process:
Visible in Windows API, directory index, but not in MFT.
Visible in Windows API, but not in MFT or directory index.
Visible in Windows API, MFT, but not in directory index.
Visible in directory index, but not Windows API or MFT.

A file system scan consists of three components: the Windows API, the NTFS Master File Table (MFT), and the NTFS on-disk directory index structures. These discrepancies indicate that a file appears in only one or two of the scans. A common reason is that a file is either created or deleted during the scans. This is an example of RootkitRevealer's discrepancy report for a file created during scanning:

3/1/2009 5:26 PM
8 bytes
Visible in Windows API, but not in MFT or directory index.
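The three-way comparison described above, as an added example that is not part of the original paper and is not RootkitRevealer's code. The paths are constructed sample data, the two labels marked in the comments are this example's own wording, and the two-pass filter for files created or deleted mid-scan is an approach assumed here.

```python
# Discrepancy wording quoted from the list above, keyed by whether a path
# was seen in (Windows API, MFT, directory index).
MESSAGES = {
    (True, False, True): "Visible in Windows API, directory index, but not in MFT.",
    (True, False, False): "Visible in Windows API, but not in MFT or directory index.",
    (True, True, False): "Visible in Windows API, MFT, but not in directory index.",
    (False, False, True): "Visible in directory index, but not Windows API or MFT.",
    # The two labels below are this example's own wording, not the tool's.
    (False, True, True): "In MFT and directory index, but hidden from Windows API.",
    (False, True, False): "In MFT only.",
}


def cross_view(api, mft, index):
    """Return {path: message} for each path the three scans disagree on."""
    api, mft, index = set(api), set(mft), set(index)
    report = {}
    for path in sorted(api | mft | index):
        seen = (path in api, path in mft, path in index)
        if not all(seen):
            report[path] = MESSAGES[seen]
    return report


def persistent(first, second):
    """Keep discrepancies that two separate passes report identically.

    A file created or deleted mid-scan differs between passes and drops out;
    an entry filtered from the API on every pass stays.
    """
    return {p: m for p, m in first.items() if second.get(p) == m}


# Constructed sample data: two scan passes over the same volume.
BASE = {r"C:\Windows\notepad.exe", r"C:\Windows\win.ini"}
TEMP = r"C:\Temp\scratch.tmp"  # created while pass 1 was running
HIDDEN = r"C:\Windows\System32\drivers\example_hidden.sys"  # constructed name

PASS1 = cross_view(BASE | {TEMP}, BASE | {HIDDEN}, BASE | {HIDDEN})
PASS2 = cross_view(BASE | {TEMP}, BASE | {TEMP, HIDDEN}, BASE | {TEMP, HIDDEN})

if __name__ == "__main__":
    for path, message in persistent(PASS1, PASS2).items():
        print(path, "->", message)
```

The temporary file is reported in the first pass only, so only the entry that stays hidden from the API in both passes is left to investigate.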

Windows API length not consistent with raw hive data: Rootkits can attempt to hide themselves by misrepresenting the size of a Registry value so that its contents aren't visible to the Windows API. You should examine any such discrepancy, though it may also appear as a result of Registry values that change during a scan.

Type mismatch between Windows API and raw hive data: Registry values have a type, such as DWORD and REG_SZ, and this discrepancy notes that the type of a value as reported through the Windows API differs from that of the raw hive data. A rootkit can mask its data by storing it as a REG_BINARY value, for example, and making the Windows API believe it to be a REG_SZ value; if it stores a 0 at the start of the data, the Windows API will not be able to access subsequent data.

Key name contains embedded nulls: The Windows API treats key names as null-terminated strings whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit.

Data mismatch between Windows API and raw hive data: This discrepancy will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value and virus scanner "last scan" values. You should investigate any reported value to ensure that it's a valid application or system Registry value.
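A simplified model of the four Registry discrepancies above, as an added example that is not part of the original paper and is not RootkitRevealer's code. The key name, value names, and data are constructed, and the record layout and the rule for when a data mismatch is reported are assumptions of this example.

```python
from collections import namedtuple

# One registry value as a single scan reports it (field names are this example's).
Value = namedtuple("Value", "type length data")

def api_visible_name(counted_name):
    """What a null-terminated reader sees of a counted key name."""
    return counted_name.split("\x00", 1)[0]

def compare_value(api, raw):
    """Discrepancy messages (wording from the page) for one value."""
    found = []
    if api.length != raw.length:
        found.append("Windows API length not consistent with raw hive data")
    if api.type != raw.type:
        found.append("Type mismatch between Windows API and raw hive data")
    # Modelling choice of this example: report a data mismatch only when
    # type and length agree, i.e. only the content differs between reads.
    if not found and api.data != raw.data:
        found.append("Data mismatch between Windows API and raw hive data")
    return found

def compare_key(counted_name, api_values, raw_values):
    """Return {item: [messages]} for one key compared across both views."""
    report = {}
    if api_visible_name(counted_name) != counted_name:
        report["(key name)"] = ["Key name contains embedded nulls"]
    for name in sorted(api_values.keys() & raw_values.keys()):
        messages = compare_value(api_values[name], raw_values[name])
        if messages:
            report[name] = messages
    return report

# Constructed sample data: the same key as read from the raw hive and via the API.
KEY = "ExampleSvc\x00Hidden"
RAW = {
    "Blob": Value("REG_BINARY", 16, bytes(16)),
    "Path": Value("REG_BINARY", 9, b"\x00sample!!"),
    "LastScan": Value("REG_DWORD", 4, b"\x10\x00\x00\x00"),
    "Start": Value("REG_DWORD", 4, b"\x02\x00\x00\x00"),
}
API = {
    "Blob": Value("REG_BINARY", 4, bytes(4)),  # size misreported
    "Path": Value("REG_SZ", 9, b""),  # string read stops at the leading 0
    "LastScan": Value("REG_DWORD", 4, b"\x11\x00\x00\x00"),  # changed mid-scan
    "Start": Value("REG_DWORD", 4, b"\x02\x00\x00\x00"),
}
REPORT = compare_key(KEY, API, RAW)
```

Of the four flagged items, only the LastScan entry matches the benign "value changed during the scan" explanation; the other three are the ones to examine first.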

What can be done about rootkit exploits?: The best way to deal with rootkits is to prevent them from happening in the first place. Intrusion Protection Systems (IPS) contain many signatures that identify known rootkits like Hacker Defender. In addition, the attacker must compromise the system before a rootkit can be installed. Keeping systems patched to avoid vulnerabilities, and utilizing IPS/IDS systems with built-in anomaly detection capabilities, may help against these types of zero-day exploits.

Firewalls are helpful too, as they can provide another obstacle in preventing attackers from reaching their target. Many of today's firewalls have Application Layer Gateways that read into the TCP stack and provide sanity checks that may prevent many attacks.

Many antivirus applications can detect well-known rootkits. However, there are applications designed specifically for rootkit detection. For *NIX systems, Chkrootkit is perhaps the most well known. Rootkit Hunter is similar to Chkrootkit in that it scans possibly infected systems.

It's important to be aware that most kernel-level rootkits cannot be removed from the infected system without reformatting and reinstalling the OS.

About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principal. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.

Last modified May 5, 2009
Copyright 1990-2009 Easyrider LAN Pro