Five steps for rootkit detection: Check IT List

Sony and Symantec have recently been reported to be engaged in questionable practices involving rootkits. Both companies have reportedly had rootkit-based functionality in certain products. This technique uses a simple approach to disguise activity and filesystem information from the Windows API, thus preventing direct observation of the application's behavior. It also causes the operating system to misreport systemwide activity.

Finding and eradicating potential rootkit installations is not an exact science. Rootkits can be installed on a computer in many ways. No single tool (and no combination of tools) can correctly identify all rootkits and rootkit-like behavior. The following Check IT list provides pointers and references to purpose-built tools that are useful for examining application behavior and determining if further investigation is necessary.

1. Search your system memory. Monitor all ingress points for a process as it is invoked, keeping track of imported library calls (from DLLs) that may be hooked or redirected to other functions, loading device drivers, etc. The drawback to this approach is that it is tedious, time-consuming and cannot account for all possible avenues in which a rootkit can be introduced into the system.
2. Seek the truth -- expose API dishonesty. One good rootkit detection application for Windows is the RootkitRevealer by Windows security analysts Bryce Cogswell and Mark Russinovich. This tiny (190 KB) binary scouts out file system locations and registry hives, looking for information kept hidden from the Windows API, the Master File Table and the directory index. In addition, Jamie Butler, author of the highly recommended trade book Subverting the Windows Kernel: Rootkits, has created a tool called VICE, which systematically hunts down hooks in APIs, call tables and function pointers.

   RootkitRevealer may take a while to complete because it performs an exhaustive search. First it dumps the registry hives, then it examines the C:\ directory tree for known rootkit sources and signatures, and finally it performs a cursory analysis of the entire C: volume.
   

   ...
   
   To continue reading for free, register below or login

   Requires Membership to View

   To gain access to this and all member only content, please provide the following information:

   Email Address:
   
   
   

   By joining SearchCIO-Midmarket.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   To read more you must become a member of SearchCIO-Midmarket.com

   As an existing member of the TechTarget network please activate your SearchCIO-Midmarket.com account 

   By joining SearchCIO-Midmarket.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   
   
   

   Digg This!     StumbleUpon     Del.icio.us

   
   
   
   

   RELATED CONTENT Security for the midmarket Information security program revamp adds outsourcer oversight and more Your IT security budget: How to get more bang for the buck Locking down security in the move to electronic medical records A CIO's advice for implementing single sign-on solutions Options for outsourcing security grow, offer IT budget savings Network access control: Pointers for getting the knack of NAC Stopping malware viruses from attacking Web 2.0 technology Virtual servers no escape from IT security management concerns Unified communications: Securing access to OCS Unified communications security: How safe is it? Information security management for the midmarket Mobile device management: From business apps to device security Test your knowledge: IT quizzes for midmarket CIOs Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Risk management for the midmarket CIO resources: Top five technology topics of 2009 Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge Adopting a beta tool: Risks vs. rewards for a midsized enterprise The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility How to decide if changing technology vendors is worth the time, risk A guide to managing the risk assessment process Free risk management tools and resources for the enterprise CIOs taking risk of cutting vendor maintenance contracts to save money

   RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary risk assessment framework (RAF)  (SearchCIO-Midmarket.com)

   RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

   
   
   

3. Keep abreast of the latest antivirus and malware protection software from leading antivirus and security vendors. Sysinternals and F-Secure offer standalone rootkit detection tools. Even Microsoft has implemented rootkit detection features in its own Malicious software removal tool.
   Sysinternals RootkitRevealer
   F-Secure Blacklight
   Microsoft Malicious Software Removal Tool

4. Update your firewall protection. Remember, for the concealment process to be effective to a potential attacker, it is vital that the hacker can get back into a machine once it's been compromised. Although firewalls do nothing to mitigate application-level risks, they can pose a significant challenge to attackers when they prohibit re-entry into a victim machine.

5. If possible, harden your workstation or server against attack.This proactive step prevents an attacker from installing a rootkit in the first place. The National Security Agency publishes a guideline for hardening Windows environments, which is a great jump-off point for educating yourself on preventive actions against system intrusion.
   NSA Guideline to Securing Windows XP

Note: If you do discover a rootkit (or rootkit-like software) on your machine, unless there's a targeted removal tool (as is the case for the Sony DRM software), the only way to remove a rootkit from an infected machine is to wipe the drive and reinstall everything. If that proves necessary, be sure to back up all files and settings or try to roll back to an earlier backup, drive image or restore point.

Ed Tittel is a full-time freelance writer and trainer based in Austin, Texas, who specializes in markup languages, information security and IT certifications. Justin Korelc is a longtime Linux hacker who concentrates on hardware and software security topics. They contributed to a recent book on home theater PCs and Tom's Hardware 2005 Holiday Buyer's Guide.