Rootkits: is removing them even possible?
By Michael Kassner
Translation: endurer, 2008-12-02, 1st
Category: general, security, botnet
Tags: built-in sophistication, BlackLight, GMER, rootkits, scanning program, security, spyware, adware & malware, hardware, peripheral devices, Michael Kassner
English source: http://blogs.techrepublic.com.com/networking?p=736&tag=nl.e099
Is it possible to remove rootkits? Some say yes, and others say no. The people developing rootkits are smart and financially motivated to design rootkits that evade detection. So what's the answer?
---------------------------------------
Throughout my series about rootkits and botnets, I've been impressed by the number and quality of member comments, especially the ones discussing how to remove rootkits. Thinking about this led to one of my ah-ha moments; fortuitously I decided to listen and consolidate those real-world tips along with what I have gleaned from security experts.
Why rootkits are hard to remove
To be honest, my research is showing rootkit removal to be a rather haphazard affair, with positive results not always the norm. The apparent reason for this is the increased sophistication of rootkits. Some examples of these improvements are:
- The ability to install rootkits at increased privilege levels in the operating system, making them immune to malware scanners.
- The use of advanced QoS parameters to reduce the amount of time required to get proof-of-concept rootkits out in the wild, making it difficult to get workable signatures for malware scanners.
- Built-in sophistication allowing rootkits to morph their signature at will, which totally negates any pattern recognition by scanners.
That's just a few reasons, but you get the picture. I'm happy to say there's hope though. I can confidently say that once it's determined a computer has an installed rootkit, it's entirely possible to remove it. It's the how that gets a bit complicated.
Endurer note: 1. get the picture: grasp the general idea
My mistakes
The next three points are now readily apparent to me, but I've had to learn them the hard way. I see no sense in anyone repeating my mistakes, so please consider doing the following before you start troubleshooting:
Endurer note: 1. learn ... the hard way: learn through painful experience
Let's get started
It seems like everyone has their favorite malware scanner, probably because it's worked for them in the past. Like you, I have my favorites. The problem is rootkits aren't generic, so a scanner that works on one occasion may not work another time.
I've used several scanners and have no problem recommending them. On the flip side, there are many scanners out there that I don't have any experience with, and I urge caution in their use. It seems that a certain percentage of rootkit developers also like to create rootkit scanners, so please be careful. I'd now like to discuss several of the generic scanners that have had some success in removing user-mode and kernel-mode rootkits.
RUBotted by Trend Micro
RUBotted is a scanner that sits in the background and works quietly. This scanner would be a good first choice for users who don't want to deal with configuring a scanner or with the details of removing a rootkit. It's my first choice when I suspect a problem, and I've successfully used RUBotted to remove user-mode rootkits on Windows XP computers.
BlackLight by F-Secure
F-Secure's Security Center web page is full of useful information, including information about their online scanner as well as the BlackLight scanner. BlackLight is a stand-alone scanner that requires very little user intervention, similar to RUBotted. The major difference between the two is that BlackLight only scans on demand. Another helpful link on the web site references removal tools for more malicious programs.
RootkitRevealer
RootkitRevealer is a well-known scanner written by Mark Russinovich and Bryce Cogswell, formerly of Sysinternals and now with Microsoft. RootkitRevealer works in the following way:
"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or registry hive."
The difficult part comes once the scan is completed. Unlike RUBotted or BlackLight, RootkitRevealer requires user intervention to find and remove any malware. It usually requires searching online for information about the process in question and finding out how to remove it.
GMER
GMER is an excellent scanner that searches for hidden services, registry components, and files. Like RootkitRevealer, it's not at all intuitive. To its advantage, GMER has the ability to delete malware, which conveniently shows up in red when the scan is completed. Many security experts agree with the following claims made on the GMER web site:
"GMER is an application that detects and removes rootkits. It scans for: hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden alternate data streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls and inline hooks. GMER also can monitor the following system functions: processes creating, drivers loading, libraries loading, file functions, registry entries, TCP/IP connections."
I found GMER requires getting used to. More to the point, if you aren't familiar with the anomaly GMER found, you either trust GMER to remove the process or research the process in question to make sure that it's not a false positive. Also, uninstalling GMER is a bit different; it requires you to run the following command:
- Start the C:\Windows\gmer_uninstall.cmd script and reboot.
UnHackMe by Greatis
UnHackMe is a specialized rootkit removal tool that can detect and remove most of the simpler rootkits as well as several of the more sophisticated types. The user interface is very intuitive, and I like the fact that UnHackMe can easily be configured to run in the background. Sadly, UnHackMe isn't freeware. You can try it for a month, after which it requires a registration fee of $19.95 USD.
I've been using UnHackMe for several weeks now, and I'm still learning about the technical details of the application. Actually it consists of three individual applications:
- UnHackMe4: detects hidden service registry keys, processes, services, and drivers. It uses the unhackmedrv.sys kernel driver.
- Partizan: watches the Windows boot process.
- Reanimator: detects and removes Trojans/spyware/adware using the Greatis application and signature database.
In my opinion, UnHackMe seems like a scanner that would be very useful to people who want an application that requires little user interaction yet still has the sophistication to do its job. The fact that UnHackMe is relatively unknown is of some concern, but CNET is offering it as a download.
The manual approach
As I mentioned earlier, the use of canned programs to remove rootkits can be a hit-or-miss proposition. Several TechRepublic members have presented a manual process to remove rootkits that will have a better success rate, but it comes at a price. The method is labor intensive and requires more than a casual knowledge of the operating system and installed applications. Even if you don't try this process, it's a good study in what's required to locate and eventually remove a rootkit:
Endurer note: 1. hit-or-miss: unplanned, aimless, or done on a whim
- Open Process Explorer to look for suspicious processes and suspend them, but don't delete them.
- Run a malware scanner of your choice; since the process in question is suspended, there's a good chance the scanner will see it.
- Use Autoruns and check for unusual services, drivers, DLLs, and processes.
- Write down the name and location of anything that seems suspicious.
- Search the Internet for information about the process, and if it is indeed malware, try to find a permanent removal tool.
If one peeks under the hood, it becomes obvious that the manual and automatic processes are very similar. Both try to capture two images of the operating system state: one image of what processes actually started, and an image of what processes the operating system thinks started.
Endurer note: 1. under the hood: at the underlying level, behind the scenes
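The two-image comparison just described, and the highest-level-versus-lowest-level scan in the RootkitRevealer quote above, as an added example in Python that is not from the article or from any of the tools it names. It assumes two views of the same objects keyed by PID (or by path, for the file-system variant it also shows), one taken through the normal API and one by a route a rootkit is less likely to filter, and works on constructed snapshots embedded below. It also goes one step past the text by repeating the comparison over several rounds, which is how the timing false positives that plague this technique (a process that starts or exits between the two enumerations) are weeded out.

```python
from typing import Dict, List, Tuple

View = Dict[str, str]  # key (PID or path) -> label (image name); all snapshots below are constructed


def cross_view_diff(high_level: View, low_level: View) -> Tuple[View, View]:
    """Compare the view the OS reports through its API with a view taken at a
    lower level (raw volume, raw hive, PID probing).  Returns (hidden, api_only):
      hidden   - present at the low level but missing from the API view: the
                 classic sign of a rootkit filtering API results
      api_only - reported by the API but absent at the low level: usually an
                 object that disappeared between the two enumerations"""
    hidden = {k: v for k, v in low_level.items() if k not in high_level}
    api_only = {k: v for k, v in high_level.items() if k not in low_level}
    return hidden, api_only


def persistent_hidden(rounds: List[Tuple[View, View]]) -> View:
    """Run the comparison over several scan rounds and keep only keys that are
    hidden in every round.  Something that was merely transient in one round
    drops out of the intersection; something a rootkit hides stays in it."""
    common = None
    labels: View = {}
    for high, low in rounds:
        hidden, _ = cross_view_diff(high, low)
        common = set(hidden) if common is None else common & set(hidden)
        labels.update(hidden)
    return {} if not common else {k: labels[k] for k in sorted(common)}


def demo() -> Dict[str, object]:
    """Constructed process and file snapshots; returns the findings."""
    # Round 1: PID 1944 is hidden from the API; notepad (2100) started after
    # the API enumeration and before the low-level one, so it looks hidden too.
    api_1 = {"4": "System", "512": "winlogon.exe", "1320": "explorer.exe"}
    raw_1 = dict(api_1, **{"1944": "svchost.exe", "2100": "notepad.exe"})
    # Round 2: notepad is visible to both; cmd (3001) exited between the
    # enumerations, so it is API-only; 1944 is still hidden.
    api_2 = dict(api_1, **{"2100": "notepad.exe", "3001": "cmd.exe"})
    raw_2 = dict(api_1, **{"2100": "notepad.exe", "1944": "svchost.exe"})
    # Same comparison on a file view: API directory listing vs raw volume contents.
    api_fs = {r"C:\Windows\System32\drivers\ndis.sys": "file"}
    raw_fs = dict(api_fs, **{r"C:\Windows\System32\drivers\hidden_drv.sys": "file"})  # constructed name

    hidden_1, api_only_1 = cross_view_diff(api_1, raw_1)
    hidden_2, api_only_2 = cross_view_diff(api_2, raw_2)
    return {
        "round1_hidden": hidden_1,           # includes the transient notepad: a false positive
        "round1_api_only": api_only_1,
        "round2_hidden": hidden_2,
        "round2_api_only": api_only_2,       # cmd.exe, gone before the low-level scan
        "persistent": persistent_hidden([(api_1, raw_1), (api_2, raw_2)]),
        "hidden_files": cross_view_diff(api_fs, raw_fs)[0],
    }


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

The persistent set is what deserves the "write down the name and location" step from the manual procedure; a single-round difference is only a lead, which is exactly why the tools that do this automatically still hand the final decision back to the user.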
Final thoughts
Removing malware as sophisticated as rootkits is hard. I'm convinced of that now. Because of that, this article has been one of the most difficult for me to write, even after hours of research. It just seems wrong not to have a clear and concise answer for removing rootkits.
Maybe it would have been better if I had written an entire article about removing just one variation of rootkit. Yet rootkits morph and developers change signatures, so it seems that there's little value in specifics. Hopefully I was able to raise general awareness about the subject to a point where you at least know where to start. If you have any thoughts, suggestions, or methods that work for you, please let me know.