Saturday, April 25, 2009

Detect the "Undetected"..."ALARM..ALARM"

Hi folks! It's been days since I last posted any security-related articles, so here comes a security post!

Most of you must be aware of terms like virus, trojan, spyware, adware and worms!
How about a RootKit?

1. What is a RootKit?

A rootkit is a software system that consists of a program, or combination of several programs, designed to hide or obscure the fact that a system has been compromised.

A rootkit also allows someone, legitimate or malicious, to maintain control over a computer system without the user (admin or non-admin) knowing about it. Rootkits are among the toughest malware to detect because they subvert the very tools a user would run to check the system (process lists, directory listings, registry views), so the machine reports itself clean; to do that they typically install themselves as drivers or kernel modules and run with the same privileges as the operating system.

Rootkits may have originated as legitimate administration tools, intended to regain control of a failing or unresponsive system, but in recent years the term has mostly meant malware that helps intruders retain access to a system while avoiding detection.

Rootkits exist for all the major operating systems, including Microsoft Windows, Linux, Mac OS and Solaris. They often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of that operating system's mechanisms.

2. Types of RootKits?

[A] Hardware/Firmware level

A firmware rootkit uses device or platform firmware (the BIOS, or the firmware of a network card or disk controller) to create a persistent malware image. It can hide there successfully because firmware is rarely inspected for code integrity, and because it lives outside the disk it survives reinstalling the operating system or even replacing the drive.

[B] Hypervisor level

These rootkits modify the boot sequence of the machine to load themselves as a hypervisor underneath the original operating system, which then runs as a guest without knowing it. Since the operating system never sees the layer below it, detection from inside the OS is very hard; what gives such a rootkit away is the timing and hardware side effects of running virtualised.

[C] Kernel level (**** Most Dangerous ****)

Kernel-level rootkits add code to, or replace portions of, the operating system itself, including both the kernel and its device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself, so a malicious driver or loadable kernel module is the usual way in.

Kernel rootkits can be especially difficult to detect and remove because they operate at the same level as the operating system itself, and are thus able to intercept or subvert any operation the operating system performs, including the file, process and registry listings that a detector running on the same machine relies on.

I would personally rate this type as the most dangerous one.

[D] Library level

Library rootkits commonly patch, hook, or replace the library functions that wrap system calls (on Linux, for example, by preloading a shared object that overrides the C library's directory-listing routines; on Windows, by patching or replacing a DLL) with versions that hide information about the attacker. They can be found, at least in principle, by examining the code libraries (the DLLs or shared objects) for changes against the originally distributed package; this approach fails, however, if the code is patched in memory only.

[E] Application level

Application-level rootkits may replace regular application binaries with trojaned fakes (a ps or netstat that omits the attacker's entries, say), or they may modify the behaviour of existing applications using hooks, patches, injected code, or other means.

3. How to tackle these problems?

[A] RootKit Hunter

Rootkit Hunter is a scanning tool meant to give you (in the project's own words, about 99.9%*) assurance that you are clean of such nasty tools. It scans for rootkits, backdoors and local exploits by running tests like:

- MD5 hash comparison of system binaries against known-good values
- Look for default files and directories used by known rootkits
- Wrong file permissions on binaries
- Look for suspicious strings in LKM and KLD modules (Linux and FreeBSD kernel modules)
- Look for hidden files
- Optional scan within plaintext and binary files

Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.

I would rate Rootkit Hunter as 7.5/10.
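To make the tests in the list above concrete, here is an added example (not Rootkit Hunter's own code and not from the original post) that reduces the hash comparison, permission check, hidden-file hunt and string scan to a few Python functions run over a constructed directory tree. The tree, the baseline and the "suspect" strings are all assumptions built inside the script; SHA-256 stands in for the MD5 the list mentions, since MD5 collisions are now cheap, although for this kind of check the bigger risk is that a baseline stored on the compromised host gets rewritten along with the binaries.

```python
"""rkhunter-style checks: hash baseline, permissions, hidden names, suspect strings.

Added example, not part of the original post and not Rootkit Hunter's own code.
The tree, baseline and 'suspect' strings are constructed here so it runs offline;
a real baseline comes from the package manager (rpm -V, dpkg --verify) or an
install-time snapshot kept off the host.
"""
import hashlib
import os
import stat
import tempfile

# Illustrative strings to look for in kernel modules/binaries (demo assumption).
SUSPECT_STRINGS = (b"hide_proc", b"sys_call_table", b"/dev/.hidden")

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_files(root):
    """Yield (relative path, absolute path) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield os.path.relpath(path, root), path

def check_hashes(root, baseline):
    """(relative path, reason) for every baseline file that changed or vanished."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
        elif sha256_of(path) != expected:
            findings.append((rel, "hash mismatch"))
    return findings

def check_permissions(root, expected_setuid=()):
    """Flag world-writable files and setuid bits the baseline did not expect."""
    findings = []
    for rel, path in walk_files(root):
        mode = os.stat(path).st_mode
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if mode & stat.S_ISUID and rel not in expected_setuid:
            findings.append((rel, "unexpected setuid"))
    return findings

def find_hidden_names(root):
    """Dot-names and whitespace-only names under /bin, /lib and the like are a
    classic rootkit drop location: 'ls' does not show them by default."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            if name.startswith(".") or name.strip() == "":
                findings.append((os.path.relpath(os.path.join(dirpath, name), root), "hidden name"))
    return findings

def scan_strings(root, needles=SUSPECT_STRINGS):
    """Files containing a suspect byte string (in-memory-only patches escape this)."""
    findings = []
    for rel, path in walk_files(root):
        with open(path, "rb") as f:
            data = f.read()
        findings += [(rel, "contains " + n.decode()) for n in needles if n in data]
    return findings

def write(root, rel, body, mode=0o755):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)
    os.chmod(path, mode)

def build_demo_tree():
    """Constructed fixture: clean install, baseline taken from it, then a
    simulated compromise of the kind an application-level rootkit performs."""
    root = tempfile.mkdtemp(prefix="rkdemo-")
    clean = {"bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
             "bin/ps": b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n",
             "bin/su": b"#!/bin/sh\necho constructed su stand-in\n"}
    for rel, body in clean.items():
        write(root, rel, body, 0o4755 if rel == "bin/su" else 0o755)  # setuid expected on su
    baseline = {rel: sha256_of(os.path.join(root, rel)) for rel in clean}
    # simulated compromise (constructed; none of this is a real rootkit)
    write(root, "bin/ps", b"#!/bin/sh\nexec /usr/bin/ps \"$@\" | grep -v hide_proc\n")  # trojaned ps
    write(root, "bin/netstat", b"#!/bin/sh\necho constructed stand-in\n", 0o777)          # world-writable
    write(root, "lib/modules/evil.ko", b"ELF placeholder ... sys_call_table ...", 0o644)  # tell-tale symbol
    write(root, "bin/. /payload", b"constructed payload placeholder\n")  # directory named 'dot space'
    return root, baseline

def run_demo():
    root, baseline = build_demo_tree()
    return {"hashes": check_hashes(root, baseline),
            "perms": check_permissions(root, expected_setuid=("bin/su",)),
            "hidden": find_hidden_names(root),
            "strings": sorted(scan_strings(root))}

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or "clean")
```

Each check catches a different class of tampering: the trojaned ps only shows up in the hash comparison (it is not world-writable and carries no hidden name), the sloppy netstat only in the permission audit, the "dot space" directory only in the name hunt, and the module only in the string scan, which is why a scanner runs all of them rather than any one. None of them sees code that was patched in memory only; that needs the live-system comparisons described for the next tool.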


I would also suggest the following application for rootkit detection and removal.

It scans for:

1. Hidden processes
2. Hidden threads
3. Hidden modules
4. Hidden services
5. Hidden files
6. Hidden Alternate Data Streams
7. Hidden registry keys
8. Drivers hooking the SSDT (system service descriptor table)
9. Drivers hooking the IDT (interrupt descriptor table)
10. Drivers hooking IRP (I/O request packet) dispatch routines
11. Inline hooks (patched function prologues)
12. Unwanted processes, modules, services and files
13. Registry changes (it has a built-in registry editor)


Hemanth Potluri said...

I didn't know there were so many problems in my system :P... trying to recover more.. thanks to you.. :)..


prajyot said...

@ Hemu

Oh yeah.. I think this rootkit detector may find you a solution!