Rootkits
Written by Administrator   

Detection and Removal of Rootkits

Not that other types of malware are easy or fun to detect and remove, but kernel-level rootkits are a particular disaster. In a sense it is a Catch-22: if you have a rootkit, the system files that the anti-rootkit software relies on are likely to be modified, so the results of the check cannot be trusted. What is more, a running rootkit can modify the list of files or the list of running processes that anti-virus programs rely on, feeding them fake data. A running rootkit can also simply unload the anti-virus program's processes from memory, causing it to shut down unexpectedly. By doing this, however, it indirectly reveals its presence, so one has reason to suspect that something is wrong.
A recommended way to detect the presence of a rootkit is to boot from alternative media known to be clean (e.g. a backup or rescue CD-ROM) and examine the suspicious system from there. The advantage of this method is that the rootkit will not be running (so it cannot hide itself) and the system files will not be tampered with during the check.
There are ways to detect and (attempt to) remove rootkits. One way is to keep clean MD5 fingerprints of the original system files and, when a rootkit is suspected, to compare the fingerprints of the current system files with the clean ones. This method is not very reliable, but it is better than nothing. Using a kernel debugger is more reliable, but it requires in-depth knowledge of the operating system, and even most system administrators will rarely resort to it, especially when there are good free rootkit detection programs such as Mark Russinovich's RootkitRevealer. Go to his site and you will find detailed instructions on how to use the program.
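The baseline-and-compare fingerprinting described above, as an added example that is not part of the original article: a clean baseline is taken once, and a later scan (run from clean boot media, so a running rootkit cannot filter the listing or the file contents) is classified into modified, missing and added files. The hash algorithm is a parameter because MD5, which the article names, now has practical collisions and SHA-256 is the better choice; the file names in the demo are constructed.

```python
# Added example: file-fingerprint baseline and comparison for rootkit checks.
# Assumes the baseline came from a known-clean system and that the comparison
# is run from clean boot media so the rootkit is not active during the scan.
import hashlib
import os
import tempfile


def fingerprint_tree(root, algorithm="md5"):
    """Return {relative_path: hex digest} for every regular file under root."""
    fingerprints = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.new(algorithm)   # "md5" as in the article; prefer "sha256"
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            fingerprints[os.path.relpath(path, root)] = h.hexdigest()
    return fingerprints


def compare_fingerprints(baseline, current):
    """Classify differences between the clean baseline and the current tree."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed sample: a tiny 'system' tree, a baseline, then tampering."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"ntoskrnl.exe": b"kernel", "kernel32.dll": b"lib"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = fingerprint_tree(root)
        # Simulate tampering: one system file patched, one unknown driver dropped.
        with open(os.path.join(root, "ntoskrnl.exe"), "wb") as f:
            f.write(b"kernel-patched")
        with open(os.path.join(root, "rk.sys"), "wb") as f:
            f.write(b"driver")
        return compare_fingerprints(baseline, fingerprint_tree(root))


if __name__ == "__main__":
    print(demo())
```

A file reported as modified is only a lead: a legitimate update changes hashes too, so the baseline must be refreshed after every patch cycle or the comparison drowns in false positives.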
After you detect a rootkit on your computer, the next step is to get rid of it (easier said than done). Now comes the trickiest part: with some rootkits, removal is not an option unless you want to remove the whole operating system as well! The most obvious solution, deleting the infected files (provided you know exactly which ones are cloaked), is completely inapplicable where vital system files are concerned. If you delete these files, chances are that you will never be able to boot Windows again. You can try a couple of rootkit removal applications, such as UnHackMe or F-Secure BlackLight Beta, but do not count too much on their being able to remove the pest safely.
It may sound like shock therapy, but the only proven way to remove a rootkit is to format the hard drive and reinstall the operating system (from clean installation media, of course!).
If you have a clue where the rootkit came from (was it bundled with another program, or did somebody send it to you by e-mail?), don't even think of running the source of the infection again!

Famous Examples of Rootkits

Rootkits existed stealthily for decades until last year, when they became prime-time news. The case of Sony-BMG, whose Digital Rights Management (DRM) technology protected against unauthorized CD copying by installing a rootkit on the user's machine, provoked sharp criticism. There were lawsuits and a criminal investigation. Sony-BMG had to withdraw its CDs from stores and replace the sold copies with clean ones. Sony-BMG was accused of secretly cloaking system files in an attempt to hide the presence of the copy-protection program, which also sent private data to Sony's site. If the user uninstalled the program, the CD drive became inoperable.
In fact, this copy-protection program violated all privacy rights, employed illegal techniques typical of this kind of malware, and above all left the victim's computer vulnerable to various hacker attacks. Typically for a big corporation, Sony-BMG first tried the arrogant approach, stating that if most people didn't know what a rootkit was, why would they care that they had one? Well, had there been no one like Mark Russinovich, who was the first to ring the bell about Sony's rootkit, the trick could have worked and millions of computers would have been infected: quite a global offense in the alleged defense of a company's intellectual property!
Similar to the Sony case, in that it was not necessary to be connected to the Internet to get a fresh supply of rootkits, is the case of Norton SystemWorks. It is true that the two cases cannot be compared from an ethical or technical point of view: while Norton's rootkit (or rootkit-like technology) modifies Windows system files to accommodate the Norton Protected Recycle Bin, Norton can hardly be accused of malicious intent to restrict users' rights or to benefit from the rootkit, as was the case with Sony. The purpose of the cloaking was to hide from everybody (users, administrators, etc.) and everything (other programs, Windows itself) a backup directory of files that users have deleted and that can later be restored from it. The function of the Protected Recycle Bin was to add one more safety net against quick fingers that first delete and then think about whether they deleted the right file(s), providing an additional way to restore files that have been deleted from the Recycle Bin (or that have bypassed it).
These two examples are hardly the most severe cases of rootkit activity, but they are worth mentioning because the attention drawn to these particular cases brought public interest to rootkits as a whole. Hopefully, more people now not only know what a rootkit is but care whether they have one!