Why rootkits mean you must nuke your machine

Matt Loney ZDNet.co.uk

Published: 17 Nov 2005 17:35 GMT

How can we detect rootkits?
There are a number of tools, including: VICE, Patchfinder2, Rootkit Revealer, Klister/Flister, F-Secure Blacklight, Microsoft File Checksum Integrity Verifier, Windows Preinstallation Environment (WinPE), Bootable Antivirus and Recovery Tools (Bart PE), Knoppix Security Tools Distribution (STD).

The ones at the top of this list examine the operating system from the inside, which means they often cannot detect the rootkit code. A lot depends on the quality of that code. Rootkit Revealer sometimes detects Hacker Defender, sometimes it doesn't. It totally depends on the attacker.

WinPE and Bart PE and Knoppix STD all rely on external operating systems loaded on CDs or thumbdrives, and they do not activate the local operating system that you're attempting to scan. They let you examine it from the outside.

There is no way to hide from an external scanner, but if the rootkit is customised then again it can be very difficult to detect. One solution is to look at the entire file system and dump it to a text file externally, then boot the suspect operating system, examine everything from within it and dump that to a text file. If I then see eight extra files on the first version that don't appear on the second version I might find that one is a rootkit, one is a virus or even a movie. That is a very reliable technique.
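The comparison described in the paragraph above (list the file system from a rescue OS, list it again from inside the suspect OS, then look for files that only the outside view can see) is easy to automate once the two listings exist. The script below is an added example, not code from the article or from any of the tools it names; the two listings are constructed sample data in a hypothetical "size, tab, path" format, and the file names (rk_hidden.sys, rk_loader.exe, clip01.avi, and so on) are invented placeholders. It also goes one step beyond the paragraph by flagging files whose reported size differs between the two views, which is a second way a compromised OS can lie about the disk.

```python
"""Cross-view diff for rootkit detection (added example, not from the article).

Produce one listing from an external boot (WinPE, Bart PE, Knoppix STD),
one from inside the running OS, and compare them.  Anything present in the
external view but missing from the internal view is being hidden from the
live OS.  Files only the live OS shows are usually runtime-created noise
(logs, temp files) but are reported too so nothing is silently dropped.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample listings (not captured from a real system).
# Hypothetical format: "<size_in_bytes><TAB><path>", one file per line.
EXTERNAL_LISTING = """\
2180000\tC:\\Windows\\System32\\ntoskrnl.exe
311296\tC:\\Windows\\System32\\drivers\\tcpip.sys
1200000\tC:\\Windows\\System32\\user32.dll
40960\tC:\\Windows\\System32\\drivers\\rk_hidden.sys
12288\tC:\\Windows\\System32\\rk_loader.exe
734003200\tC:\\ProgramData\\Cache\\clip01.avi
1048576\tC:\\Windows\\System32\\svchost.exe
"""

INTERNAL_LISTING = """\
2180000\tC:\\Windows\\System32\\ntoskrnl.exe
311296\tC:\\Windows\\System32\\drivers\\tcpip.sys
1196000\tC:\\Windows\\System32\\user32.dll
1048576\tC:\\Windows\\System32\\svchost.exe
4096\tC:\\Windows\\Temp\\boot_session.log
"""


def parse_listing(text: str) -> dict[str, int]:
    """Parse 'size<TAB>path' lines into {normalised_path: size}.

    Paths are lower-cased and separator-normalised so the two vantage points
    compare cleanly even if one tool prints '/' and the other '\\'.
    Blank lines and '#' comments are ignored.
    """
    entries: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        size_str, _, path = line.partition("\t")
        entries[path.replace("/", "\\").lower()] = int(size_str)
    return entries


@dataclass(frozen=True)
class CrossViewResult:
    hidden: frozenset[str]         # external only: concealed from the live OS
    internal_only: frozenset[str]  # live OS only: usually runtime-created files
    size_mismatch: frozenset[str]  # seen by both, but the live OS reports a different size


def cross_view_diff(external_text: str, internal_text: str) -> CrossViewResult:
    """Compare the external (trusted) and internal (suspect) listings."""
    ext = parse_listing(external_text)
    live = parse_listing(internal_text)
    hidden = frozenset(ext) - frozenset(live)
    internal_only = frozenset(live) - frozenset(ext)
    size_mismatch = frozenset(p for p in ext.keys() & live.keys() if ext[p] != live[p])
    return CrossViewResult(hidden, internal_only, size_mismatch)


def report(result: CrossViewResult) -> str:
    """Render the result as text, worst findings first."""
    lines = []
    for title, paths in (
        ("HIDDEN FROM LIVE OS (investigate)", result.hidden),
        ("SIZE DIFFERS BETWEEN VIEWS (investigate)", result.size_mismatch),
        ("LIVE OS ONLY (usually runtime noise)", result.internal_only),
    ):
        lines.append(f"{title}: {len(paths)}")
        lines.extend(f"  {p}" for p in sorted(paths))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(cross_view_diff(EXTERNAL_LISTING, INTERNAL_LISTING)))
```

On a real machine the two inputs would come from a recursive directory listing run first from the rescue media and then from the booted OS against the same volume; the only requirement is that both produce the same "size, tab, path" shape, and that the internal run happens after the external one without any intervening updates, so the expected differences are limited to files the OS creates at boot.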

Of course the concern is that this is not practical when you have 80,000 PCs and 700 servers. How do you detect rootkits on those? There can be tell-tale signs. At the University of Washington they find at least two rootkits a week. The students are doing nothing [with the rootkits] but hiding movies. The university identifies systems that have rootkits because in that case they have enormous amounts of network traffic. If you have 50 people pulling a 4GB DVD off a server that normally has just 1Mbit throughput, then you should be concerned. So one way to scan for rootkits is to look for footprints and ask yourself what is it doing to my system?
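The "footprint" approach in the paragraph above, a server that normally pushes about 1Mbit suddenly serving DVD images to dozens of clients, can be scripted as a per-host egress baseline check. The code below is an added example, not the article's or the university's tooling; the flow records are constructed sample data with a hypothetical fixed 60-second window, and the host names and thresholds are assumptions. Each host's baseline is the median of its first few windows, and a later window is flagged only when it is both many times the baseline and above an absolute floor, so an idle host drifting from almost nothing to slightly more is not reported.

```python
"""Egress-footprint check for hidden file servers (added example, not from the article).

Rootkits hide files and processes, but they cannot hide the traffic those
files generate once someone starts downloading them.  Summarise outbound
bytes per host per fixed window (from NetFlow, sFlow, a switch counter, or a
firewall log), build a per-host baseline, and alert on windows that blow
through it.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import median

WINDOW_SECONDS = 60  # assumed length of one summarised interval


@dataclass(frozen=True)
class FlowWindow:
    window: int      # index of a fixed-length interval
    host: str        # source host of the outbound bytes
    bytes_out: int   # bytes sent by the host during the window


@dataclass(frozen=True)
class Alert:
    host: str
    window: int
    mbit_per_s: float
    baseline_mbit_per_s: float


# Constructed sample data: a file server that normally sits near 1 Mbit/s
# (7.5 MB per 60 s), then one window where many clients pull large files,
# plus a workstation whose traffic merely doubles (should not be flagged).
SAMPLE_FLOWS = [
    FlowWindow(1, "fileserv-01", 7_200_000),
    FlowWindow(2, "fileserv-01", 7_500_000),
    FlowWindow(3, "fileserv-01", 7_800_000),
    FlowWindow(4, "fileserv-01", 7_400_000),
    FlowWindow(5, "fileserv-01", 7_600_000),
    FlowWindow(6, "fileserv-01", 900_000_000),
    FlowWindow(1, "ws-22", 150_000),
    FlowWindow(2, "ws-22", 120_000),
    FlowWindow(3, "ws-22", 160_000),
    FlowWindow(4, "ws-22", 140_000),
    FlowWindow(5, "ws-22", 130_000),
    FlowWindow(6, "ws-22", 300_000),
]


def mbit_per_s(bytes_count: int, seconds: int = WINDOW_SECONDS) -> float:
    """Convert a byte count over a window into megabits per second."""
    return bytes_count * 8 / seconds / 1_000_000


def detect_egress_anomalies(
    flows: list[FlowWindow],
    baseline_windows: int = 5,
    factor: float = 10.0,
    min_mbit_per_s: float = 5.0,
) -> list[Alert]:
    """Flag windows whose egress is > factor x the host's median baseline.

    The first `baseline_windows` windows of each host form the baseline; a
    host with fewer windows than that is skipped (nothing to compare against).
    `min_mbit_per_s` is an absolute floor so tiny hosts are never flagged
    just for going from nearly idle to slightly busy.
    """
    by_host: dict[str, list[FlowWindow]] = defaultdict(list)
    for fw in flows:
        by_host[fw.host].append(fw)

    alerts: list[Alert] = []
    for host, windows in sorted(by_host.items()):
        windows.sort(key=lambda fw: fw.window)
        if len(windows) <= baseline_windows:
            continue
        baseline_bytes = median(fw.bytes_out for fw in windows[:baseline_windows])
        for fw in windows[baseline_windows:]:
            rate = mbit_per_s(fw.bytes_out)
            if fw.bytes_out > factor * baseline_bytes and rate >= min_mbit_per_s:
                alerts.append(Alert(host, fw.window, rate, mbit_per_s(int(baseline_bytes))))
    return alerts


if __name__ == "__main__":
    for a in detect_egress_anomalies(SAMPLE_FLOWS):
        print(f"{a.host} window {a.window}: {a.mbit_per_s:.1f} Mbit/s "
              f"(baseline {a.baseline_mbit_per_s:.1f} Mbit/s)")
```

A hit from this check is a reason to pull the host for the cross-view file-system comparison, not proof of a rootkit on its own: a legitimate backup job or patch distribution produces the same spike, so the baseline window should be chosen to cover the host's normal busy periods.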

How do we remove rootkits?
There is only one guaranteed way to remove a rootkit: you destroy the system and then rebuild it. There is no other way to reliably remove a rootkit — no other way whatsoever.

You can't delete the file or even reinstall the operating system over the top of the existing OS — which is a horrible practice anyway. It is super important to nuke the system because a rootkit's primary function is stealth — what is it hiding? Do you know? Usually not. How can you reliably know what it was hiding, what it was compromising or what it was removing?

Are there any defences?
You should use malware scanners, firewalls, intrusion detection and prevention, strong passwords, regular patches and audits. They are easy to prevent, but extraordinarily difficult to remove.

What does the future hold?
We found one example of a rootkit recently that hides itself in video memory, and every time the system boots it loads up. This means that it doesn't exist on the hard drive, and so the only time you can detect it is when the system is running, which is when it is able to hide itself. That's where we see things going: harder to detect, better cloaking. And of course finding its way into DRM technology, and increasingly into spyware too.
