Post Fri Sep 08, 2006 1:10 pm

Defeating Rootkits

  I am shocked by the amount of admin I meet that really don’t understand rootkits.  This is unfortunate because rootkits can be your worst nightmare if you are unaware of them.  There are computers that have been rootkitted for years and no one suspects it at all! The only good thing about a rootkit is that you need to be root to install one. In other words, they are useless if you haven’t first achieved access to the target host.  On the other hand, once they are there, your network is in deep trouble. 

  If you harden your system, no one should be able to place a rootkit in the first place. FAP your network! That is, firewall, antivirus, and patch your boxes! Yes antivirus can help.  Even the free antivirus that is available can catch rootkits before they are installed. As a test, I hacked a lab box only running Avg free antivirus and it caught all 4 of the very popular rootkits (including FU and Hacker Defender) I tried to install.

  Maybe you have just taken over responsibility for a network that might not have been well maintained and you are worried there might be a rootkit already installed.  How can you tell?  Its very difficult to tell because the entire purpose of a rootkit is to hide and give a backdoor.  They can hide in what is called user mode or kernel level. Kernel level is the worst.  If well configured, it can be almost impossible to detect by the local host scanning itself.

  The best approach to detecting and defeating rootkits is to use a combination of techniques and not to rely on just one.  Certainly running file integrity checkers is of value and should be part of the arsenal, but unfortunately you cant rely completely on them.  If a kernel level rootkit is configured perfectly, it can hide from even tripwire. The key word there is “configured perfectly” and that requires some understanding. If a less skilled attacker slips up on even just one little thing, the file integrity checker will detect them. So certainly tripwire or aide should be part of the defense strategy.

    An admin should have at least one bootable cd he can use for forensics. You can shut the machine down and then boot to the cd. The value to this is now you can inspect the file system without the corrupted kernel hiding unwanted changes.  One of the best tools for this is Helix available at http://www.e-fense.com/helix/ and I would say for me it’s a must have.

  Automated rootchecker software is of value and should be run. Again, the idea is not to rely on just one thing!  You need to run multiple kinds of tests.  The author of the notorious rootkit “hacker defender” recommends that both Backlight and IceSword are used when inspecting for rootkits.  Here is a list of some popular checkers:
IceSword http://www.blogcn.com/user17/pjf/index.html
Blacklight http://www.f-secure.com/blacklight
Rootkit Hunter http://www.rootkit.nl/
Chkrootkit http://www.chkrootkit.org/
Rootkit Revealer http://www.sysinternals.com/Utilities/R ... ealer.html
Just remember that these tools are not perfect and can give false positives. Don’t be lazy and rely only on running automated tools like these.

  If a rootkit is giving backdoor access, why cant we just run netstat –an or tools like fport, openports and tcpvcon? The problem with such scans is they rely on the corrupted kernel to give accurate results and netstat is an area that rootkits are coded to blind. The best way and often over looked is to scan not from the local host but a remote one. Do a Nmap scan from a different host on the network and look for open ports. The corrupted kernel can only deceive the local host. If you see an open port that should not be there, that is a strong clue something is not right!

    As always, to really learn about rootkits you need to install one on your test lab box. You can get some of the popular ones from rootkit.com and play with them. 

  Ok so say you have discovered one on your network, what do you do?  I am of the strongest belief there is only one real answer. You must do a complete reinstall of your OS.  Its really the only way to be sure. Even if you think you have removed a rootkit, the attacker could have hid a file that has the rootkit reinstall itself when a normal program is opened. So always have a trusted back up ready to go if you are unlucky enough to encounter your worst nightmare.
Last edited by Kev on Fri Sep 08, 2006 2:12 pm, edited 1 time in total.