BLUE KAIZEN CENTER OF IT SECURITY Cairo Security Camp 2010 Rootkit Detection & Removal

Subject: This document gives the user an introduction to Rootkit Detection & Removal, including Alternate Data Streams, Detection and Removal (Automatic, Semi-Automatic, Manual Removal, Advanced Techniques) and MBR Rootkits.
Author: Abdul-Rahman Elshafei
Version: 1.0
Date: July, 2010
Nb pages: 44

Rootkit Detection & Removal

Abdul-Rahman Elshafei, Contributing Book Author of “Rootkits For Dummies”

Outline
• Introduction
• Alternate Data Streams
• Detection and Removal
  – Automatic
  – Semi-Automatic
  – Manual Removal
  – Advanced Techniques
• MBR Rootkits

Basics
• “Rootkits are powerful tools to compromise computer systems without detection.” – G. Hoglund (www.rootkit.com)
• The purpose of a rootkit is NOT to gain access to a system, but to preserve existing access
• Rootkits hide processes, ports, files, and other resources from the OS and security programs
• Other types of stealth also co-exist, such as Alternate Data Streams (ADS) and MBR techniques

Basics
• Rootkits are about stealth. Stealth is about survival. Survival is about criminal gain. Criminal gain is about control and cash.
• Originated from Unix platforms
• Used mostly in the past by hackers hiding trojans and keyloggers
• Recently used to spread viruses, spyware and worms
• Sometimes used by legitimate commercial software

Rootkits Trend

Alternate Data Streams (ADS)
• Attribute of Windows NTFS
• Allows compatibility with the Macintosh Hierarchical File System (HFS)
• Piggybacking other files
• File Summary Information
• Commonly used by malware and rootkits
• Few programs detect and remove ADS

Alternate Data Streams (ADS)
Creation
  File:      C:\> type c:\visible.exe > ads.txt:hidden.exe
  Directory: C:\test> echo "test" > :hidden.txt
Execution
  C:\> start c:\ads.txt:hidden.exe
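Added example, not from the deck: on Windows Vista and later the streams created above can be listed with the built-in `dir /r`, and the Python below parses such a listing (a constructed sample, not real output) and flags streams whose names look executable, the `ads.txt:hidden.exe` case shown on the slide. On XP, where `dir /r` does not exist, LADS (listed later) produces an equivalent listing.

```python
import re

# Constructed sample of `dir /r` output (Windows Vista and later list NTFS
# streams this way); it is not output captured from the original deck.
SAMPLE_DIR_R = """\
 Directory of C:\\test

07/14/2010  10:12 AM    <DIR>          .
                                     7 .:hidden.txt:$DATA
07/14/2010  10:12 AM    <DIR>          ..
07/14/2010  10:13 AM                 7 ads.txt
                                73,802 ads.txt:hidden.exe:$DATA
07/14/2010  10:14 AM               512 notes.doc
                                    26 notes.doc:Zone.Identifier:$DATA
               2 File(s)            519 bytes
"""

# A stream line carries only a size and `host:stream:$DATA` with no
# timestamp, so it starts with whitespace, unlike normal directory entries.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Extensions that have no business living inside a named stream.
SUSPICIOUS_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat")

def parse_streams(listing):
    """Return (host, stream_name, size_bytes) for every named stream.
    A host of '.' is a stream attached to the directory itself, the
    `echo "test" > :hidden.txt` case from the slide."""
    found = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2).strip(), m.group(3), size))
    return found

def suspicious_streams(listing):
    """Streams that warrant investigation: executable names, or anything
    over 1 MB hidden behind a small carrier file. Zone.Identifier streams
    are the browser's mark-of-the-web and are expected."""
    return [s for s in parse_streams(listing)
            if s[1].lower().endswith(SUSPICIOUS_EXT) or s[2] > 1_000_000]
```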

Detection and Removal
• HijackThis: http://www.trendsecure.com/portal/enUS/tools/security_tools/hijackthis/download
• LADS: http://www.heysoft.de/Frames/f_sw_la_en.htm

DEMO 1

ADS Vanquish

Important Guidelines Before Removing a Rootkit
1. Backup all important data, emails, documents, etc.
2. Disconnect from the internet
3. Close down all scheduling/updating and running background tasks, etc.
4. Disable real-time monitoring programs
5. When scanning for a rootkit, do not use the computer at all
6. Use 2 or more rootkit scanners

Automatic Detection and Removal
• F-Secure online scan: http://support.f-secure.com/enu/home/ols.shtml
• AVG Anti-Rootkit
• Trend Micro RootkitBuster
• Panda Anti-Rootkit
• Avira Anti-Rootkit
• McAfee Rootkit Detective
• Sophos Anti-Rootkit

AVG Anti-Rootkit: http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0

Avira Anti-Rootkit: http://www.avira.com/en/support/support_downloads.html

Trend Micro RootkitBuster: http://www.avira.com/en/support/support_downloads.html

Panda Anti-Rootkit: http://research.pandasecurity.com/archive/Panda-AntiRootkit-Released.aspx

McAfee Rootkit Detective: http://vil.nai.com/vil/stinger/rkstinger.aspx

Semi-Automatic Rootkit Detection and Removal

Semi-Automatic Detection
• For experienced users
• Need to distinguish rootkits from false positives
• Rootkit indicators:
  1. Windows service
  2. Hidden files related to the service
• Rootkit tools such as:
  – GMER
  – IceSword
  – Rootkit Unhooker
  – DarkSpy
  – SVV
  – VICE
  – RAIDE

Removal Steps
• Step 1: Disable the service
• Step 2: Unhook or unregister any DLL files
• Step 3: End the executable process(es)
• Step 4: Delete the service and related files

RKUnhooker

DarkSpy: http://www.softpedia.com/get/Antivirus/DarkSpy-Anti-Rootkit.shtml

Manual Rootkit Detection and Removal

Manual Detection and Removal
Detection tools
• RootkitRevealer
• Rootkit Hook Analyzer
• Sysprot
Removal
1. Safe mode
2. DOS commands
3. Manual removal tools

RootkitRevealer
• Performs a cross-difference comparison of scan results between the Windows API and low-level (raw) disk reads
• Detects hidden files, folders and registry entries for both user-mode and kernel-mode rootkits
• Drawbacks:
  – Cannot detect DKOM rootkits
  – No removal methods
  – False positives

Interpreting RootkitRevealer
• A rootkit exists if RootkitRevealer finds one or more of the following entries:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\xxxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\xxxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxxx
• A hidden file may or may not be shown in the scan results

Sample RootkitRevealer Output

False Positives

Removal
1. Safe mode
   • Delete the service using regedit or services.msc
   • Locate/search for and delete the files
   • Must identify the rootkit service and files first
2. Command prompt
     sc stop RKservice
     sc delete RKservice
     net stop RKservice
     reg delete regpath
3. Manual removal tools
   • Delete on reboot using Killbox: http://www.bleepingcomputer.com/files/killbox.php
   • Avenger
   • ComboFix (Cfscript.txt)

ComboFix: http://subs.geekstogo.com/ComboFix.exe
• A manual removal tool to be used under experienced supervision
• Capable of automatically removing a large number of known malware
• Best to disable antivirus before running
• Uses a Cfscript.txt file as directives to manually remove hidden/persistent files
  – ..\Desktop> combofix.exe Cfscript.txt

DEMO 2

GMER Icesword

Advanced Rootkit Detection and Removal

Applicable for Windows 95/98/ME

1. Scanning the OS from an external medium
   • A rootkit intercepts OS calls and filters the information the OS returns to deny the rootkit's presence
   • Methods:
     1. Slaving the hard drive to another computer
     2. Using a bootable CD-ROM
        – Microsoft WinPE
        – Bart Preinstallation Environment (BartPE): www.nu2.nu/pebuilder/
        – Ultimate Boot CD for Windows (UBCD4Win): www.ubcd4win.com

2. Offline file comparisons
   1. Disable as many processes as possible
   2. Clean up all temp files
   3. Use the command prompt to type the following commands:
        cd \
        dir /s /b /ah > hiddenfiles1.txt
        dir /s /b /a-h > otherfiles1.txt
   4. Boot into DOS using a Windows 98 boot disk or through the Recovery Console (XP)
   5. At the command prompt type the following commands:
        dir /s /b /ah > hiddenfiles2.txt
        dir /s /b /a-h > otherfiles2.txt
   6. Compare hiddenfiles1.txt with hiddenfiles2.txt and otherfiles1.txt with otherfiles2.txt
      Comparison programs:
      – Compare-It: http://www.grigsoft.com/wc3setup.zip
      – ExamDiff: http://www.prestosoft.com/edp_examdiff.asp
   7. If a rootkit is found, rename the file in DOS using the ren command
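Added example, not from the deck: the comparison in step 6 is the same cross-view idea RootkitRevealer applies to API versus raw reads, and the Python below performs it on the two `dir /s /b /ah` listings instead of Compare-It or ExamDiff. The listings and the churn list are constructed for the example; real hiddenfiles1.txt/hiddenfiles2.txt contents are passed the same way.

```python
# Constructed listings standing in for hiddenfiles1.txt (produced by
# `dir /s /b /ah` inside the running Windows) and hiddenfiles2.txt (the
# same command after booting offline). Not real scan output.
ONLINE_LISTING = """\
C:\\pagefile.sys
C:\\WINDOWS\\system32\\config\\system.LOG
C:\\Documents and Settings\\user\\Local Settings\\Temp\\~DF1A2B.tmp
"""
OFFLINE_LISTING = """\
C:\\pagefile.sys
C:\\WINDOWS\\system32\\config\\system.LOG
C:\\WINDOWS\\system32\\drivers\\rkdriver.sys
C:\\WINDOWS\\system32\\rkservice.dll
"""

# Path fragments that legitimately differ between the two views, so they
# are excluded before diffing (constructed list; extend it for your system).
EXPECTED_CHURN = ("\\temp\\", "\\temporary internet files\\")

def normalize(listing):
    """Lower-case the paths (NTFS is case-insensitive) and drop churn."""
    paths = set()
    for line in listing.splitlines():
        p = line.strip().lower()
        if p and not any(frag in p for frag in EXPECTED_CHURN):
            paths.add(p)
    return paths

def cross_view_diff(online_listing, offline_listing):
    """Return (hidden_from_os, only_online).

    hidden_from_os: present when the disk is read offline but missing
    from the listing taken inside Windows. A rootkit that filters the
    file-enumeration API can only lie to the online view, so these are
    the entries to investigate (and, per step 7, rename from DOS).
    only_online: seen inside Windows but not offline; usually volatile
    files, reported so the analyst can confirm they are noise."""
    online = normalize(online_listing)
    offline = normalize(offline_listing)
    return sorted(offline - online), sorted(online - offline)
```

The online listing is the untrusted side, since it was produced while the rootkit was active; the offline listing is the reference.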

MBR Rootkits
• The rootkit replaces the infected system's Master Boot Record
• The MBR is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process
• Does not require a file or any registry entries

MBR Rootkits Detection 1

MBR Rootkit Detection 2

GMER 1.0.12.12010 - http://www.gmer.net
Rootkit scan 2008-03-26 09:01:20
Windows 5.1.2600 Dodatek Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

PAGE  CLASSPNP.SYS!ClassInitialize + F4   F9A934B2 4 Bytes [ 7E, 78, 82, 81 ]
PAGE  CLASSPNP.SYS!ClassInitialize + FF   F9A934BD 4 Bytes [ 28, 24, 82, 81 ]
PAGE  CLASSPNP.SYS!ClassInitialize + 10A  F9A934C8 4 Bytes [ 90, 78, 82, 81 ]
PAGE  CLASSPNP.SYS!ClassInitialize + 111  F9A934CF 4 Bytes [ 84, 78, 82, 81 ]
PAGE  CLASSPNP.SYS!ClassInitialize + 118  F9A934D6 4 Bytes [ 8A, 78, 82, 81 ]
PAGE  ...

MBR Rootkits Removal
1. Windows Recovery Console:
   • Windows XP/2k: fixmbr
   • Windows Vista: bootrec.exe /fixmbr
2. Stealth MBR rootkit detector 0.2.2 by GMER: http://www2.gmer.net/mbr/mbr.exe
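Added example, not from the deck or from GMER: because an MBR rootkit lives in the first sector rather than in a file or registry key, one defender's check is to hash the 446-byte boot-code section while the system is known clean and compare later reads against that baseline. The sector below is constructed for the example (a short stand-in for boot code plus one NTFS partition entry), not a real disk image.

```python
import hashlib
import struct

MBR_SIZE, BOOT_CODE_LEN, PT_OFFSET, SIGNATURE = 512, 446, 446, 0xAA55

# Constructed stand-in for the first bytes of boot code; a real MBR's
# 446-byte code section is hashed exactly the same way.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"

def build_sample_mbr(boot_code):
    """Constructed 512-byte sector: boot code, one active NTFS partition
    entry, three empty entries, and the 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    return code + entry + b"\x00" * 48 + struct.pack("<H", SIGNATURE)

def boot_code_hash(mbr):
    """SHA-256 of the code section only; partition edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr, baseline_hash):
    """Compare a freshly read sector with the hash recorded while the system
    was known clean. An empty list means nothing changed."""
    if len(mbr) != MBR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if struct.unpack_from("<H", mbr, MBR_SIZE - 2)[0] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from clean baseline")
    for i in range(4):
        status = mbr[PT_OFFSET + 16 * i]
        if status not in (0x00, 0x80):  # only inactive/active are valid
            findings.append(f"partition {i}: invalid status byte {status:#04x}")
    return findings
```

On a live system the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator, but a rootkit that hooks disk I/O can hand the running OS a clean copy, so take both the baseline and the later check from the external boot medium the advanced section describes.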

Questions?
