From entry to entry: Rootkit detection, removal, and prevention

Source: Internet
Author: User
Tags: rootkit, scanner

A rootkit is a program that gives administrator-level access to a computer or computer network. Typically, attackers first obtain user-level access by exploiting known vulnerabilities or cracking passwords, and then install the rootkit. Once installed, the rootkit lets the attacker conceal the intrusion and keep root or privileged access to the computer and, where possible, to other computers on the network.

Rootkit threats

Generally, a rootkit itself is not malware; it is the means by which malware hides itself. However, a modified rootkit may bundle spyware and other programs, such as programs that monitor network traffic and keystrokes. It can also build a backdoor into the system for the attacker's convenience, modify log files, attack other computers on the network, or alter existing system tools to avoid detection.

Attackers use a variety of techniques to manipulate the operating system, with the result that users cannot find any trace of the intrusion with common anti-virus software, let alone remove it.

For example, the spyware's files cannot be found with an ordinary file viewer such as Explorer, and its processes cannot be seen in Task Manager or most other process viewers. Likewise, its files cannot be found in the system startup folder or in other startup locations, so even Trend Micro's HijackThis tool is of little help.

Attackers are increasingly keen to use rootkits to hide spyware or viruses. This is bad news for users, who become more vulnerable to such infections.

Detecting a rootkit is not easy. Most anti-spyware or anti-virus scanners cannot detect this kind of code. Although some products have this capability, users need more specialized rootkit detection tools.

Rootkit types

There are at least five types of rootkit: firmware rootkits, virtualized rootkits, kernel-level rootkits, library-level rootkits, and application-level rootkits.

1. Firmware rootkit
A firmware rootkit uses device or platform firmware to create a persistent malware image. It can hide successfully in firmware because the integrity of firmware code is usually not checked.

2. Virtualized rootkit
This rootkit works by modifying the computer's boot sequence so that it loads itself instead of the original operating system. Once in memory, the virtualized rootkit loads the original operating system into a virtual machine, which lets the rootkit intercept all hardware requests issued by the guest operating system. Blue Pill is an example.

3. Kernel-level rootkit
A kernel-level rootkit adds code to, or replaces parts of, the operating system, including the kernel and its device drivers. Most operating systems do not distinguish between kernel code and driver code, so many kernel-mode rootkits are developed as device drivers or loadable modules (loadable kernel modules on Linux, device drivers on Windows). These are extremely dangerous because they obtain unrestricted access, and because any code running at kernel level has a profound effect on the stability of the entire system, so any error in it can bring the system down.

A kernel-level rootkit is extremely dangerous because it is hard to detect: it runs at the same level as the operating system and can therefore modify or corrupt any request made by other software. In this situation the system itself can no longer be trusted. One acceptable detection method is to use another, trusted system with detection software installed on it, and examine the infected system from there as a data source.

4. Library-level rootkit
A library-level rootkit patches, hooks, or replaces system calls in order to hide the attacker's information. In theory, such a rootkit can be traced by checking for changes in the code libraries (DLLs, or dynamic link libraries, on Windows). In practice, the many libraries shipped together with applications and patch packages make this kind of rootkit quite difficult to detect.

5. Application-level rootkit
An application-level rootkit replaces the binary of a common application with a disguised, trojanized version, or uses hooks, patches, injected code, or other methods to modify the behavior of an existing application.

Rootkit Detection

From this brief survey of rootkit types it follows that detecting a rootkit from within a computer suspected of being infected is unreliable, or untrustworthy. A rootkit can tamper with the library files on which many tools, and indeed all other programs, depend. The basic problem of rootkit detection is therefore that once the current system has been compromised by a rootkit, it can no longer be trusted. Specifically, administrator operations such as listing the running programs or listing all the files in a folder may no longer behave as their original designers intended. In short, running a rootkit detection program on a live computer is only useful under the assumption that the rootkit being looked for does not use a mechanism to hide itself from that program.

The best way to detect a rootkit is to shut down the computer suspected of infection, boot it from another clean hard disk or other media, and examine it with detection software. Because a rootkit that is not running cannot hide itself, general-purpose anti-malware tools (such as Rising and other domestic security suites) or a dedicated anti-rootkit tool can then check for and remove the rootkit. However, just as not all anti-virus software can detect and remove all viruses, how effective this detection method really is deserves further investigation.

There are many tools for detecting rootkits, such as chkrootkit, rkhunter, OSSEC, and zeppoo on the Linux platform. Tools for the Windows platform are introduced below. Be aware, though, that many rootkit authors have added certain detection programs to their list of files to evade, that is, they adopt some method to avoid being detected by them. The usefulness of the detection tools discussed below is therefore not absolute.

Four major tools for detecting rootkits on Windows platforms

If a copy of an uninfected test system is available to serve as a reference, a file-by-file comparison can be used as a test method. In that case a rootkit and the files it loads can be detected easily.

In practice, however, this situation is rare: most people do not have reference copies of their systems, and the system changes constantly. There are always legitimate changes to the system, and these make file comparison more difficult.

In practice, rootkit detection programs usually run inside the system that may be infected, which makes detecting a rootkit a hard task. Moreover, rootkit developers keep up with new techniques and continually release new versions of their products to evade new detection methods. Detection and evasion have effectively become a cat-and-mouse game.

Users should therefore not cling to the idea that one particular rootkit detection program is the best. In fact, I suggest using several detection programs, and keeping them up to date, because the contest between attackers and defenders keeps changing.

Many rootkit detection programs are available, but most of them target specific rootkits. I will recommend four general-purpose rootkit detection programs here, and I recommend using several tools together to increase the chance of detecting most of the latest rootkits. Bear in mind that a rootkit scanner is not as powerful as anti-virus software.

In general, a kernel-mode rootkit can control any aspect of the system, so information returned through the API (including registry and file system data) may be corrupted. Although comparing an online scan with an offline scan of the same system (for example, after booting into a CD-based operating system) is more reliable, a rootkit can still evade detection by such a tool. There is therefore no single, absolutely reliable rootkit scanner.
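As an added example that is not part of the original article, the following Python script implements both the file-by-file comparison against a clean reference copy and the online/offline comparison described above: a manifest of file hashes built from a trusted boot (or from a reference copy) is compared with the manifest the live, possibly compromised system reports through its own API. The sample manifests, their paths and hash values are constructed placeholders.

```python
"""Cross-view file comparison for rootkit detection (added example, not
the article's code): offline = trusted view, live = what the running OS reports."""
import hashlib
import os
from typing import Dict, List

def build_manifest(root: str) -> Dict[str, str]:
    """Walk `root` and return {relative path: SHA-256 hex digest}.
    Run once from a trusted boot (offline view) and once on the live system."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def cross_view_diff(offline: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the trusted offline view with the view the live OS API reports."""
    return {
        # on disk in the offline view but not reported live: hiding candidate
        "hidden": sorted(p for p in offline if p not in live),
        # reported by both but contents differ: patched or spoofed file
        "modified": sorted(p for p in offline if p in live and offline[p] != live[p]),
        # reported live but absent offline: legitimate change or fabricated entry
        "phantom": sorted(p for p in live if p not in offline),
    }

# Constructed sample manifests: paths and hash values are placeholders.
OFFLINE_VIEW = {
    "Windows/System32/ntdll.dll": "aaa1",
    "Windows/System32/kernel32.dll": "ccc3",
    "Windows/System32/drivers/sample_hidden.sys": "bbb2",  # hypothetical hidden driver
}
LIVE_VIEW = {
    "Windows/System32/ntdll.dll": "aaa1",
    "Windows/System32/kernel32.dll": "ddd4",  # hash differs from the offline view
}

if __name__ == "__main__":
    for kind, paths in cross_view_diff(OFFLINE_VIEW, LIVE_VIEW).items():
        print(f"{kind}: {paths}")
```

Legitimate updates also show up as "modified" or "phantom" entries, which is the difficulty the article mentions; the "hidden" list is the one that points most directly at something concealing itself from the live system.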

BlackLight

F-Secure BlackLight's rootkit elimination technology can detect objects that ordinary users and security tools cannot find, and gives the user the option to remove the rootkit. The tool performs an in-depth check of the system so that it can detect threats that common security software cannot remove.

This rootkit elimination technology has three advantages:

1. It can detect and remove an active rootkit on the computer, something traditional anti-virus scanners cannot do.

2. On an ordinary system it does not confront users with a confusing list of suspicious objects, so even non-expert users can use it.

3. It can work in the background while the user is operating the system. Many other rootkit scanners require a system restart, or produce false results if the system is in use during the scan.

Because it is easy to use and easy to operate, BlackLight is suitable for both enterprise environments and ordinary home computers. Figure (1) shows F-Secure Internet Security 2008, which integrates the rootkit detection function.


The tool is quite simple to use: you only need to run the BlackLight Rootkit Eliminator software. Its latest features, however, have been integrated into F-Secure Internet Security 2008.

RootkitRevealer

RootkitRevealer is an advanced rootkit detection program that successfully detects all the persistent rootkits published on www.rootkit.com. Note that RootkitRevealer no longer ships a command-line version, because some malware authors began to take countermeasures based on its executable file name; the developer modified the software so that it starts scanning from a randomly named copy of its executable. You can still use command-line options to run an automatic scan and record the results to a file, which is equivalent to the command-line version. (2)
