Q: Advice needed on detecting/eliminating rootkits (Answered, 5 out of 5 stars, 2 Comments)
Question  
Subject: Advice needed on detecting/eliminating rootkits
Category: Computers > Security
Asked by: pcventures-ga
List Price: $10.00
Posted: 28 Nov 2005 15:37 PST
Expires: 28 Dec 2005 15:37 PST
Question ID: 598698
Have a client's PC that is infected with something normal antivirus
and antispyware programs can't pick up, but it seems like there's
something deeper.

F-Secure's Blacklight won't run (gives me an odd error when I try to run it).
The machine also redirects me to a fake Microsoft search page when I try
to access any of F-Secure's sites.

If I connect that machine's hard drive to a second PC, and try to scan
it, what tools can I use to detect/eliminate rootkits?

(I commonly use the yank-HDD-and-connect-to-other-PC technique,
because it allows me to delete files that would have been loaded into
memory if that drive booted on its "native" PC)
Answer  
Subject: Re: Advice needed on detecting/eliminating rootkits
Answered By: sublime1-ga on 28 Nov 2005 18:27 PST
Rated: 5 out of 5 stars
 
Hi pcventures! I hope you're feeling well.

It turns out that Microsoft has what's been called an "elegant"
solution, but (surprise!) according to this article on About.com,
they're not into sharing it yet:
http://netsecurity.about.com/b/a/146844.htm

Ah! I just discovered Microsoft's page on their "Ghostbuster":
http://research.microsoft.com/rootkit/

And they note that the SysInternals RootkitRevealer, which I
discuss further down, uses the same "elegant" solution:

"SysInternals RootkitRevealer, released on February 22, 2005,
 implements the same hidden-file and hidden-Registry detection
 techniques used in the Inside-the-box GhostBuster (which
 includes additional hidden-process and hidden-module detection
 techniques)."
http://research.microsoft.com/rootkit/#Tools


I checked out F-Secure Blacklight and the disclaimer on the
download page looked scary to me, predicting your experience:

"Notice: This is a Beta version of F-Secure BlackLight -software.
 Therefore, the software may malfunction, cause your computer to
 malfunction, operate erroneously and/or affect the operation of
 other software in adverse manner. By downloading and using the
 software you accept such risks and agree not to hold F-Secure
 responsible and/or liable for your use of the software."
http://www.f-secure.com/blacklight/try.shtml


SysInternals is a software group I trust implicitly, and their
free Rootkit Revealer is running on my system as I type this.
http://www.sysinternals.com/Utilities/RootkitRevealer.html

<Tapping foot, waiting for results>

Well it ran with no glitches or errors and found 87 discrepancies
but all of them were Temporary Internet Files, so no biggie.

Rootkit Revealer requires that it run on the system while it's
up, so that it has access to the registry hives being used.
This requirement doesn't gel with your intended methodology,
but I'm not sure there's a way for any software to work in
that way, since access to the active registry seems needed
in order to detect rootkits.

Rootkit Revealer also has a method of running which is meant
to bypass code in the rootkits designed to target rootkit
detection programs when they run:

"The reason that there is no longer a command-line version
 is that malware authors have started targetting RootkitRevealer's
 scan by using its executable name. We've therefore updated
 RootkitRevealer to execute its scan from a randomly named
 copy of itself that runs as a Windows service. This type of
 execution is not conducive to a command-line interface. Note
 that you can use command-line options to execute an automatic
 scan with results logged to a file, which is the equivalent of
 the command-line version's behavior."


Kurt Dillard of Microsoft has written a comprehensive article
about rootkits on SearchWindowsSecurity.com:
http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1086476,00.html

There are several good links on that page, one of which is
promising, but requires registration. See the link for:

"Webcast: Detailed expert advice: Detecting and removing
 rootkits in Windows":
https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&align=left&regwidth=450&totalwidth=800&eventid=12308&sessionid=1&key=1930559AA4856741B57DC798A36AD009&partnerref=siteposting&referrer=http%3A%2F%2Fsearchwindowssecurity.techtarget.com%2F&sourcepage=register

A page from that article about Detection and Removal is here:
http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1086474,00.html

He notes on that page that, in addition to F-Secure and SysInternals,

"Microsoft has also added rootkit detection and removal to its
 Microsoft Malicious Software Removal tool, which it updates monthly."

You can run a scan online or download MS' latest tool here:
http://www.microsoft.com/security/malwareremove/default.mspx


Wikipedia has a very thorough article, but, for the most part,
names the same major players. In this section of the page, it
is noted that removal may not be possible even if detection is
successful. It mentions a tool which sounds promising for the
removal process:

"There is a way to delete a rootkit using another filesystem
 driver when the system is online. Rkdetector v2.0 implements
 a way to wipe hidden files when the system is running using
 its own NTFS and FAT32 filesystem driver. Once erased and
 after a system reboot, rootkit files will not be loaded
 because data contained is corrupted."
http://en.wikipedia.org/wiki/Rootkit#Removing_rootkits

You can download Rkdetector from its homepage:
http://www.rootkitdetector.com/


That should get you going! Let me know if anything's unclear.

sublime1-ga


Searches done, via Google:

detect OR eliminate rootkits
://www.google.com/search?q=detect+OR+eliminate+rootkits
pcventures-ga rated this answer: 5 out of 5 stars and gave an additional tip of: $1.25
good answer - thanks!

Comments  
Subject: Re: Advice needed on detecting/eliminating rootkits
From: bozo99-ga on 28 Nov 2005 16:15 PST
 
If you used a Linux live CD and something like tripwire you could
compare the current state of your box to a state you saved earlier
when it was OK, or to another box known to be OK.
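The live-CD-plus-tripwire approach bozo99 describes above, and the questioner's practice of scanning the pulled drive from a second PC, as an added example that is not part of the original thread: a small Python integrity checker that snapshots a mounted (offline) drive into a manifest of file hashes and diffs it against a baseline taken when the box was known good, so a dropped driver or a patched system binary shows up even though nothing on the suspect system is running to hide it. The demo() helper and the fake Windows tree it builds are constructed for illustration; in practice you point snapshot() at the mount point of the pulled drive and keep the baseline off that drive.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Record sha256, size and mode of every regular file under root (a mounted drive)."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue                      # skip links and device nodes
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode}
    return manifest

def compare(baseline, current):
    """Tripwire-style diff: files that appeared, vanished or changed since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample: baseline a tiny fake Windows tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "drive"
        sysdir = drive / "Windows" / "System32" / "drivers"
        sysdir.mkdir(parents=True)
        (sysdir / "disk.sys").write_bytes(b"clean driver image")
        (drive / "Windows" / "notepad.exe").write_bytes(b"clean notepad")
        baseline = snapshot(drive)            # taken while the box was known good
        # Simulated rootkit install: new driver dropped, system binary patched.
        (sysdir / "rk_hidden.sys").write_bytes(b"rootkit driver")
        (drive / "Windows" / "notepad.exe").write_bytes(b"patched notepad")
        return compare(baseline, snapshot(drive))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest is a plain dict, so json.dump() it to removable media after the clean baseline run and json.load() it back on the live CD when you re-scan.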
Subject: Re: Advice needed on detecting/eliminating rootkits
From: sublime1-ga on 30 Nov 2005 11:12 PST
 
pcventures...

Thanks very much for the rating and the tip!

sublime1-ga
