BLUE KAIZEN CENTER OF IT SECURITY

Security Camp 2010

Rootkit Detection & Removal

Subject :

This document gives the user an introduction to rootkit detection and removal, covering Alternate Data Streams, detection and removal (automatic, semi-automatic, manual removal and advanced techniques) and MBR rootkits.

Author : Abdul-Rahman Elshafei
Version : 1.0
Date : July, 2010
Nb pages : 44

Rootkit Detection & Removal

Abdul-Rahman Elshafei
Contributing Book Author of “Rootkits For Dummies”

Outline

• Introduction
• Alternate Data Streams
• Detection and Removal
  – Automatic
  – Semi-Automatic
  – Manual Removal
  – Advanced Techniques
• MBR Rootkits

Basics

• “Rootkits are powerful tools to compromise computer systems without detection.” – G. Hoglund (www.rootkit.com)

• The purpose of a rootkit is NOT to gain access to a system, but to preserve existing access
• Rootkits hide processes, ports, files, and other resources from the OS and security programs
• Other types of stealth also co-exist, such as Alternate Data Streams (ADS) and MBR techniques

Basics

• Rootkits are about stealth. Stealth is about survival. Survival is about criminal gain. Criminal gain is about control and cash.

• Originated from Unix platforms
• Used mostly in the past by hackers hiding trojans and keyloggers
• Recently used to spread viruses and worms
• Sometimes used by legitimate commercial software

Rootkits Trend

Alternate Data Streams (ADS)

• Attribute of Windows NTFS
• Allows compatibility with the Macintosh Hierarchical File System (HFS)
• Piggybacking other files
• File Summary Information
• Commonly used by malware and rootkits
• Few programs detect and remove ADS

Alternate Data Streams (ADS): Creation, Detection and Removal

Creation
  File:       C:\> type c:\visible.exe > ads.txt:hidden.exe
  Directory:  C:\test> echo "test" > :hidden.txt
  Execution:  C:\> start c:\ads.txt:hidden.exe

Detection and Removal
  • HijackThis: http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
  • LADS: http://www.heysoft.de/Frames/f_sw_la_en.htm

DEMO 1
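The detection and removal side of the ADS slide, as an added PowerShell example that is not part of the original deck and not the HijackThis or LADS tooling it lists. It assumes Windows PowerShell 3.0 to 5.1 (the -Stream parameters and -Encoding Byte), an NTFS volume, and a default $Root of C:\Users chosen for this example; the function name Get-HiddenStream is this example's own.

```powershell
# Added example (not from the Blue Kaizen slides): list alternate data streams
# under a folder and delete the ones you decide are hostile. Assumes Windows
# PowerShell 3.0-5.1 on an NTFS volume; the $Root default is an assumption.
param(
    [string]$Root = 'C:\Users',
    [switch]$Remove        # report only unless -Remove is given
)

# Streams Windows itself creates: the default data stream and the
# mark-of-the-web that browsers add to downloaded files. Older Windows
# versions also stored "File Summary Information" in a named stream.
$benign = @(':$DATA', 'Zone.Identifier')

function Get-HiddenStream([string]$Path) {
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $benign -notcontains $_.Stream } |
                ForEach-Object {
                    # Peek at the first two bytes: an executable hidden the way the
                    # slide shows (type visible.exe > ads.txt:hidden.exe) starts with MZ.
                    $head = Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        IsPE   = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

$found = @(Get-HiddenStream $Root)
if ($found.Count -eq 0) { Write-Host "No non-default streams under $Root"; return }

# Executables stored in streams sort to the top of the report.
$found | Sort-Object IsPE -Descending | Format-Table -AutoSize

foreach ($s in $found) {
    $streamPath = '{0}:{1}' -f $s.File, $s.Stream
    if ($s.IsPE) { Write-Warning "Executable stored in a stream: $streamPath" }
    if ($Remove) {
        # Deleting the stream leaves the host file and its main content intact.
        Remove-Item -LiteralPath $s.File -Stream $s.Stream -Force
        Write-Host "Removed $streamPath"
    }
}
```

Run it once without -Remove to review the report, then with -Remove once you have decided which streams are hostile. Two limits are worth knowing: -File restricts the walk to files, so a stream attached to a directory (the slide's `echo "test" > :hidden.txt` case) is not listed; `dir /r` in cmd.exe on Windows Vista and later shows streams on both. And a kernel-mode rootkit that hooks the file system APIs can hide a stream from this enumeration just as it hides files, which is exactly why the deck later moves to scanning from an external medium.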

ADS Vanquish

Important Guidelines Before Removing a Rootkit

1. Back up all important data, emails, documents, etc.
2. Disconnect from the internet
3. Close down all scheduling/updating and running background tasks, etc.
4. Disable real-time monitoring programs
5. When scanning for a rootkit, do not use the computer at all
6. Use 2 or more rootkit scanners

Automatic Detection and Removal

• F-Secure online scan: http://support.f-secure.com/enu/home/ols.shtml
• AVG Anti-Rootkit
• Trend Micro RootkitBuster
• Panda Anti-Rootkit
• Avira Anti-Rootkit
• McAfee Rootkit Detective
• Sophos Anti-Rootkit

AVG Anti-Rootkit
http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0

Avira Anti-Rootkit
http://www.avira.com/en/support/support_downloads.html

Trend Micro RootkitBuster
http://www.avira.com/en/support/support_downloads.html

Panda Anti-Rootkit
http://research.pandasecurity.com/archive/Panda-AntiRootkit-Released.aspx

McAfee Rootkit Detective
http://vil.nai.com/vil/stinger/rkstinger.aspx

Semi-Automatic Rootkit Detection and Removal

Semi-Automatic Detection

• For experienced users
• Rootkit tools such as:
  – GMER
  – Icesword
  – Rootkit Unhooker
  – Darkspy
  – SVV
  – VICE
  – RAIDE
• Need to distinguish rootkits from false positives
• Rootkit indicators:
  1. Windows service
  2. Hidden files related to the service

Removal Steps

• Step 1: Disable the service
• Step 2: Unhook or unregister any DLL files
• Step 3: End the executable process(es)
• Step 4: Delete the service and related files

RKUnhooker

Darkspy
http://www.softpedia.com/get/Antivirus/DarkSpy-Anti-Rootkit.shtml

Manual Rootkit Detection and Removal

Manual Detection and Removal

Detection Tools
• RootkitRevealer
• Rootkit Hook Analyzer
• Sysprot Tools

Removal
1. Safe mode
2. DOS commands
3. Manual removal

RootkitRevealer

• Performs a cross-difference comparison of scan results between the Windows API and low-level (raw) disk reads
• Detects files, folders and registry entries hidden by both user-mode and kernel-mode rootkits
• Drawbacks:
  – Cannot detect DKOM rootkits
  – No removal methods
  – False positives

Interpreting RootkitRevealer

• A rootkit exists if RootkitRevealer finds one or more of the following entries:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\xxxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\xxxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\xxxx
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxxx
• A hidden file may or may not be shown in the scan results

Sample RootkitRevealer Output

False Positives

Removal

Must identify the rootkit service and files first

1. Safe mode
2. Command prompt

  • Delete the service using regedit or services.msc, or from the command prompt:
      sc stop RKservice
      sc delete RKservice
      net stop RKservice
  • Locate/search and delete files; remove leftover registry entries with:
      REG DELETE regpath
3. Manual removal tools

  • Delete on reboot using Killbox: http://www.bleepingcomputer.com/files/killbox.php
  • Avenger
  • ComboFix (Cfscript.txt)

ComboFix
http://subs.geekstogo.com/ComboFix.exe

• A manual removal tool to be used under experienced supervision
• Capable of automatically removing a large number of known malware
• Best to disable antivirus before running
• Uses a Cfscript.txt file as directives to manually remove hidden/persistent files
  – ..\Desktop> combofix.exe Cfscript.txt

DEMO 2
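The semi-automatic workflow from the slides above (the two rootkit indicators, removal steps 1 to 4, and the sc stop / sc delete / REG DELETE commands from the manual removal slide), as an added PowerShell example. It is not part of the original deck and not the behaviour of RKUnhooker, Darkspy or ComboFix; the function names Resolve-ServiceBinary, Find-SuspiciousService and Remove-RootkitService are this example's own, RKservice is the slide's placeholder service name, and it assumes an elevated Windows PowerShell session.

```powershell
# Added example (not from the Blue Kaizen slides). Find-SuspiciousService applies
# the slide's two indicators (a Windows service whose file the running OS cannot
# show); Remove-RootkitService walks removal steps 1, 3 and 4 for a service you
# have confirmed. Run elevated, ideally from Safe Mode as the slides advise.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ServiceBinary([string]$ImagePath) {
    # Turn a registry ImagePath value into an absolute file path.
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {                       # "C:\Program Files\x.exe" -svc
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        $p = ($p -split ' -| /')[0]                  # drop " -arg" / " /arg" arguments
    }
    $p = $p -replace '^\\\?\?\\', ''                 # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

function Find-SuspiciousService {
    # Indicator 1 + 2: a service registration whose binary is absent or hidden.
    # [IO.File]::Exists ignores the Hidden attribute, so a miss means the file
    # really is not visible through the API. Leftovers from uninstalled software
    # land here too: that is the "false positives" the slide warns about.
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }       # no binary: pseudo-service
        $bin = Resolve-ServiceBinary $props.ImagePath
        if (-not [System.IO.File]::Exists($bin)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $props.ImagePath
                Resolved  = $bin
                Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            }
        }
    }
}

function Remove-RootkitService([string]$Name) {
    $key = Join-Path $servicesKey $Name
    if (-not (Test-Path $key)) { throw "No service named $Name" }
    $bin = Resolve-ServiceBinary (Get-ItemProperty -Path $key).ImagePath

    # Step 1: stop the service and disable it so it cannot restart.
    # Start=4 (SERVICE_DISABLED) in the registry also covers kernel drivers,
    # which Set-Service does not always handle.
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $key -Name Start -Value 4 -ErrorAction SilentlyContinue

    # Step 3: end any process still running that binary. (Step 2, unhooking
    # DLLs, needs a tool such as RKUnhooker and is not scripted here.)
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { try { $_.Path -ieq $bin } catch { $false } } |
        Stop-Process -Force -ErrorAction SilentlyContinue

    # Step 4: delete the registration (the slide's "sc delete RKservice"; note
    # that plain "sc" in PowerShell is an alias of Set-Content) and the file.
    & sc.exe delete $Name | Out-Null
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force -ErrorAction SilentlyContinue }
    if ([System.IO.File]::Exists($bin)) {
        try { Remove-Item -LiteralPath $bin -Force -ErrorAction Stop; Write-Host "Deleted $bin" }
        catch { Write-Warning "Could not delete $bin now (still loaded?). Retry from Safe Mode or use a delete-on-reboot tool." }
    } else {
        Write-Warning "$bin is not visible to the running OS; delete it from an offline boot."
    }
}

# Usage: list candidates first, then remove only a service you have confirmed.
Find-SuspiciousService | Format-Table -AutoSize
# Remove-RootkitService -Name 'RKservice'    # RKservice is the slide's placeholder name
```

Review the Find-SuspiciousService output with the rootkit tools the slide names before removing anything: a service whose file is genuinely gone is usually an uninstall leftover, while a service whose file is present offline but missing here matches the second indicator. A driver that is still loaded cannot be deleted from the running system, which is why the removal step is meant to be finished from Safe Mode or the offline methods later in the deck.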

GMER

Icesword

Advanced Rootkit Detection and Removal

Applicable for /98/ME

1. Scanning the OS from an external medium

The rootkit intercepts OS calls and filters the information the OS returns to deny the rootkit's presence; scanning from an external medium takes the infected OS out of the loop.

Methods
1. Slaving the hard drive to another computer
2. Using a bootable CD-ROM
  – Microsoft WinPE
  – Bart Preinstallation Environment (BartPE): www.nu2.nu/pebuilder/
  – Ultimate Boot CD for Windows (UBCD4Win): www.ubcd4win.com

2. Offline file comparisons

1. Disable as many processes as possible
2. Clean up all temp files
3. Use the command prompt to type the following commands:
   cd \
   dir /s /b /ah > hiddenfiles1.txt
   dir /s /b /a-h > otherfiles1.txt
4. Boot into DOS, or into the Recovery Console (XP)
5. At the command prompt, type the following commands:
   dir /s /b /ah > hiddenfiles2.txt
   dir /s /b /a-h > otherfiles2.txt
6. Compare hiddenfiles1.txt with hiddenfiles2.txt, and otherfiles1.txt with otherfiles2.txt
   Comparison programs:
   – Compare-It: http://www.grigsoft.com/wc3setup.zip
   – ExamDiff: http://www.prestosoft.com/edp_examdiff.asp
7. If a rootkit is found, rename the file in DOS using the ren command

MBR Rootkits
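The offline file comparison procedure above (steps 1 to 7), as an added PowerShell example that is not part of the original deck and is not the Compare-It or ExamDiff tools it lists. It compares the two listings the dir commands produce; the file names follow the slides, the C:\ location and the function name Read-DirListing are this example's own assumptions.

```powershell
# Added example (not from the Blue Kaizen slides): diff the listings produced
# by the dir commands in steps 3 and 5. Default file names follow the slides;
# the C:\ location is an assumption.
param(
    [string]$Live    = 'C:\hiddenfiles1.txt',   # taken while Windows was running
    [string]$Offline = 'C:\hiddenfiles2.txt'    # taken from DOS / Recovery Console
)

function Read-DirListing([string]$Path) {
    # dir /s /b writes one absolute path per line. Normalise case so that
    # HIDDEN.TXT and hidden.txt compare equal, and drop blank lines.
    Get-Content -LiteralPath $Path -ErrorAction Stop |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -ne '' } |
        Sort-Object -Unique
}

$liveSet    = @(Read-DirListing $Live)
$offlineSet = @(Read-DirListing $Offline)

$diff = Compare-Object -ReferenceObject $liveSet -DifferenceObject $offlineSet
# '=>' : only in the offline listing. The running OS did not return the file,
#        which is what a rootkit filtering directory queries looks like.
# '<=' : only in the live listing, usually temp or log files written since.
$hiddenFromWindows = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
$liveOnly          = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)

Write-Host ("{0} entries in the offline listing are missing from the live one:" -f $hiddenFromWindows.Count)
$hiddenFromWindows | ForEach-Object { "  $_" }
Write-Host ("{0} entries appear only in the live listing (check for temp files):" -f $liveOnly.Count)
$liveOnly | ForEach-Object { "  $_" }

# Files under the system folder that only the offline boot can see deserve the
# closest look; the slide's step 7 renames them from DOS.
$hiddenFromWindows | Where-Object { $_ -like '*\windows\system32\*' } |
    ForEach-Object { Write-Warning "Hidden from Windows under system32: $_" }
```

Run it twice, once for the hiddenfiles pair and once for the otherfiles pair. The noise in the '<=' list is why step 2 asks you to clean temp files first. One caveat on the offline listing: a plain MS-DOS boot without long file name support prints 8.3 short names, which will never match the live listing; the XP Recovery Console, like Windows, prints long names, so take the offline listing from there or from one of the boot CDs named on the previous slide.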

• The rootkit replaces the infected system's Master Boot Record
• The MBR is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process
• Does not require a file or any registry entries

MBR Rootkits Detection 1

MBR Rootkit Detection 2

GMER 1.0.12.12010 - http://www.gmer.net
Rootkit scan 2008-03-26 09:01:20
Windows 5.1.2600 Dodatek Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

PAGE CLASSPNP.SYS!ClassInitialize + F4  F9A934B2 4 Bytes [ 7E, 78, 82, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + FF  F9A934BD 4 Bytes [ 28, 24, 82, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F9A934C8 4 Bytes [ 90, 78, 82, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F9A934CF 4 Bytes [ 84, 78, 82, 81 ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F9A934D6 4 Bytes [ 8A, 78, 82, 81 ]
PAGE ...

MBR Rootkits Removal
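The MBR detection slides above describe the sector and what a bootkit does to it; this added PowerShell example (not part of the deck, and not the method of GMER or its mbr.exe) reads that first sector, checks the boot signature and compares a hash of the boot code with a baseline recorded on a known-clean machine. It assumes an elevated Windows PowerShell session, a .NET FileStream on \\.\PhysicalDrive0, and a baseline file path of its own choosing.

```powershell
# Added example (not from the Blue Kaizen slides): read the first sector of the
# boot disk, check the 55AA signature, print the partition table and compare the
# boot-code hash with a baseline. Run elevated; the baseline path is an assumption.
param(
    [string]$Disk     = '\\.\PhysicalDrive0',
    [string]$Baseline = 'C:\mbr-baseline.sha256'
)

# Raw disk access needs administrator rights and FileShare.ReadWrite, because
# the volume on the disk is mounted and in use.
$fs = New-Object System.IO.FileStream($Disk, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
$mbr = New-Object byte[] 512
try { [void]$fs.Read($mbr, 0, 512) } finally { $fs.Dispose() }

# Bytes 510-511 must be 55 AA or the sector is not a valid MBR at all.
if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { Write-Warning 'Boot signature 55AA missing' }

# Layout: 0-439 boot code, 440-443 disk signature, 446-509 partition table.
# Only the boot code is hashed, so repartitioning does not trip the check.
[byte[]]$code = $mbr[0..439]
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = ([System.BitConverter]::ToString($sha.ComputeHash($code))) -replace '-', ''
Write-Host "MBR boot-code SHA-256: $hash"

# Print the four 16-byte partition entries so an unexpected entry stands out:
# byte 0 = boot flag (0x80 active), byte 4 = type, 8-11 = start LBA, 12-15 = length.
for ($i = 0; $i -lt 4; $i++) {
    $e = 446 + 16 * $i
    if ($mbr[$e + 4] -eq 0) { continue }            # empty entry
    $lba = [System.BitConverter]::ToUInt32($mbr, $e + 8)
    $len = [System.BitConverter]::ToUInt32($mbr, $e + 12)
    '  entry {0}: boot=0x{1:X2} type=0x{2:X2} startLBA={3} sectors={4}' -f $i, $mbr[$e], $mbr[$e + 4], $lba, $len
}

if (Test-Path -LiteralPath $Baseline) {
    $known = (Get-Content -LiteralPath $Baseline -Raw).Trim()
    if ($known -ieq $hash) {
        Write-Host 'Boot code matches the baseline.'
    } else {
        Write-Warning "Boot code differs from the baseline ($known). Rewrite the MBR (fixmbr / bootrec.exe /fixmbr) and rescan."
    }
} else {
    # First run on a machine you trust: record the hash for later comparison.
    Set-Content -LiteralPath $Baseline -Value $hash
    Write-Host "Baseline recorded in $Baseline"
}
```

Take the baseline on a clean system, since an already-infected machine would simply baseline the hostile boot code. The read goes through the Windows storage stack, so a bootkit that hooks the disk driver can hand back the original sector and pass this check; a mismatch is conclusive, a match is not, which is why the slide pairs the check with GMER's dedicated MBR detector and why the same sector should also be read from one of the external boot media named earlier. A disk signature change alone (bytes 440-443) does not affect the hash.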

1. Windows Recovery Console:
  • Windows XP/2000: fixmbr
  • Windows Vista and later (Windows RE): bootrec.exe /fixmbr
2. Stealth MBR rootkit detector 0.2.2 by GMER:
  • http://www2.gmer.net/mbr/mbr.exe

Questions?