
Rootkits 201: Countermeasures and Defenses
by Lisa Phifer,
Vice President, Core Competence Inc.
In Part 1 of
this article, I acquainted you with rootkits and some of the ways they work.
Many LiveSecurity subscribers who read the article and watched the accompanying
video emailed to say, "I can't wait to learn the
countermeasures." As I mentioned at the end of my previous article, today
rootkit developers are ahead of defense tools. There is no "simple three-step
process" to make your network rootkit-proof.
But the lack of an anti-rootkit silver bullet is not the same as being helpless. Here are some ways to detect rootkits, along with links to learn more. LiveSecurity subscribers can also read a sidebar by Corey Nachreiner and Scott Pinzon about some Firebox techniques that can stop many rootkits from entering your network.
What's the diff?
Traditional integrity checking tools like RkHunter and Tripwire use a method known as cross-time diff to detect changes in a computer's persistent state. They work by comparing snapshots taken at different times (e.g., MD5 checksums of critical files). Unfortunately, this generates false positives whenever a system is intentionally updated (e.g., by routine patch management), so the baseline has to be refreshed after every sanctioned change. And because the checker runs on the suspect machine, a rootkit that hooks the file-read calls the checker relies on can hand it the original file contents; the checksums then match and the rootkit hides itself by giving you the output you expected to see. For the same reason the baseline itself should be kept on read-only or off-box media.
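The cross-time diff just described, as an added example written for this article (it is not code from RkHunter, Tripwire or the author): hash a tree into a baseline, hash it again later, and classify every difference. It uses SHA-256 rather than the MD5 of 2006-era tools, and it takes an allow-list of paths a patch run was expected to touch so that routine updates are reported separately from unexplained changes, the false-positive problem the paragraph raises. The file names and contents in demo() are constructed test data, not a real system.

```python
"""Cross-time diff: hash a tree now, compare against an earlier baseline.

Added example for this article (not RkHunter, Tripwire or the author's code).
All file names and contents in demo() are constructed sample data.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries do not load into RAM.
    SHA-256 is used instead of MD5 because MD5 collisions are cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root: relative path -> digest.
    Symlinks are skipped so a planted link cannot make the checker hash
    (and vouch for) an unrelated target."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(old, new, expected_changes=()):
    """Classify differences between two snapshots.

    expected_changes: paths whose modification was authorised (files a patch
    run touched). They land in their own bucket so sanctioned updates do not
    drown real findings. Keep 'old' on read-only or off-box media: a rootkit
    on the host can rewrite a baseline it can reach.
    """
    expected = set(expected_changes)
    report = {"added": [], "removed": [], "changed": [], "expected": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path] != new[path]:
            bucket = "expected" if path in expected else "changed"
            report[bucket].append(path)
    return report


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed walkthrough: baseline, then one sanctioned patch, one
    trojaned binary, one planted file and one deleted file."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"bin/ls": b"ls v1", "bin/ps": b"ps v1",
                  "etc/hosts": b"127.0.0.1 localhost\n"}
        for name, data in sample.items():
            full = os.path.join(root, name)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        before = build_baseline(root)
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"ps v2")            # the patch we authorised
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"ls v1 + hook")     # binary nobody was supposed to touch
        with open(os.path.join(root, "etc/ld.so.preload"), "wb") as f:
            f.write(b"/lib/evil.so\n")   # constructed: a classic User Mode hook point
        os.remove(os.path.join(root, "etc/hosts"))
        after = build_baseline(root)
        return compare_baselines(before, after, expected_changes={"bin/ps"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is built right after a clean install, saved with save_baseline to removable media, and reloaded with load_baseline before each comparison; anything in "changed", "added" or "removed" that no change ticket explains is the finding.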
The cross-view diff methods
used by RootkitRevealer,
Strider GhostBuster, and
many other tools can reduce false positives and spot changes to a computer's
dynamic state. They work by comparing scans conducted from two or more
perspectives: high-level vs. low-level views, or inside-the-box vs.
outside-the-box views.
For example, the freeware
RootkitRevealer compares two on-line scans. A typical rootkit intercepts, or hooks,
calls to common Windows functions, such as a file directory listing. But a
rootkit detector can also get and display a Windows file listing, without using
the normal Windows function. RootkitRevealer compares queries performed through
the Windows API against a raw scan of the volume's file system and Registry
Hive. A rootkit that hooks the Windows API or Native API, or patches User Mode code, shows up as differences between those two scans. Typically the API view lists fewer files than the raw scan does, because the rootkit is hiding its files.
Because a Kernel Mode rootkit that sits beneath the detector (for example, in the disk driver stack) can alter both the high- and low-level scan results, comparing on-line (inside-the-box) and off-line (outside-the-box) scans can be useful. You can do this manually; for example, by comparing directory listings obtained when booted from the hard disk to directory listings obtained when booted from a USB or CD drive, so that the suspect kernel is not running when the second listing is taken. A tool like Microsoft's Strider GhostBuster WinPE version automates this process, comparing the potential "lies" returned by Windows APIs with the "truth" obtained while booted from a WinPE CD.
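The cross-view diff behind both of the preceding paragraphs, as an added example written for this article and not code from RootkitRevealer, GhostBuster or the author: the generic comparison is the same whether the two views are API-versus-raw (RootkitRevealer) or on-line-versus-off-line directory listings (the manual procedure above; feed it the two saved listings as sets of names). The live collectors show one inside-the-box pair on Linux, the approach chkrootkit's chkproc and unhide use: the process list a tool like ps sees by reading /proc, versus asking the kernel about every possible PID with kill(pid, 0). It also handles the two classic false positives of that technique, thread IDs and processes that start or exit between the two views. The sample views in the test are constructed.

```python
"""Cross-view diff: compare a high-level enumeration with a low-level one and
report what the high-level view leaves out.

Added example for this article (not RootkitRevealer, GhostBuster or chkrootkit
code). cross_view_diff() is portable; the live collectors need Linux /proc.
"""
import os
import sys


def cross_view_diff(high_view, low_view):
    """Entries the high-level view hides (the rootkit signal) and 'phantom'
    entries only the high-level view reports (usually the views raced)."""
    high, low = set(high_view), set(low_view)
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def proc_readdir_view():
    """High-level view: PIDs visible by listing /proc, which is what ps and
    top rely on and what a hooked getdents() can filter."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def thread_ids_of(pids):
    """TIDs of the visible processes. kill(tid, 0) succeeds for a thread id,
    so without this filter every multi-threaded process would look hidden."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between views
    return tids


def pid_probe_view(max_pid=None):
    """Low-level view: probe every PID directly instead of trusting the
    directory listing. Several million syscalls on modern pid_max values,
    so expect a few seconds."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)  # exists, just owned by someone else
    return alive


def hidden_processes(rounds=2):
    """Repeat the comparison and keep only PIDs hidden in every round, which
    drops processes that were born or died between the two views."""
    stable = None
    for _ in range(rounds):
        visible = proc_readdir_view()
        raw = pid_probe_view() - thread_ids_of(visible)
        hidden = set(cross_view_diff(visible, raw)["hidden"])
        stable = hidden if stable is None else stable & hidden
    return sorted(stable)


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("live collectors need Linux /proc; cross_view_diff() is portable")
    print("PIDs hidden from /proc:", hidden_processes())
```

Anything left in "hidden" after two rounds deserves a look at /proc/<pid>/exe and /proc/<pid>/maps from a trusted shell; a low-level rootkit that filters the kill() path as well would defeat this pair of views, which is exactly why the article pairs on-line scans with an off-line boot.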
Off-line scans find persistent
changes more reliably, but require a reboot and may miss dynamic changes.
On-line scans are faster, less intrusive, and can do a good job of detecting
all but low-level rootkits. It therefore makes sense to adopt a "defense
in depth" policy, combining regular on-line scans with less frequent
off-line scans. Here are just a few of the many open source and commercial
rootkit detection programs you could use to implement such a policy:
- ChkRootKit
(www.chkrootkit.org)
- F-Secure Blacklight
(www.f-secure.com)
- Flister (invisiblethings.org)
- Komoku Copilot PCI card
(www.komoku.com)
- Microsoft Strider GhostBuster
(research.microsoft.com)
- RAIDE: Rootkit Analysis
Identification Elimination (www.rootkit.com)
- RkHunter (www.rootkit.nl)
- Sysinternals RootkitRevealer
(www.sysinternals.com)
- VICE (www.rootkit.com)
For a longer list of Rootkit
Prevention and Detection software, visit www.antirootkit.com.
Basic Defensive Posture
When it comes to rootkits, the
most efficient defense is to avoid being infected in the first place. Some User
Mode rootkits (and associated malware) may be removed, but many rootkits take
steps to deter removal (e.g., filtering delete commands, restoring themselves
after reboot). Kernel Mode rootkits are thorny to remove without debilitating
the compromised system. Painful as it may sound, your best bet in such cases is
to bite the bullet, reformat your disk, and re-install your OS to return to a
known-trustworthy state.
Having gone through that once
will motivate you thoroughly to prevent future rootkit infection. The most
dangerous Kernel Mode rootkits require administrative privileges in order to
install malicious device drivers; thus, running with least privileges can help.
Never use the Internet as Administrator (or any privileged account), run
anti-spyware to block suspicious installation activities, and avoid installing
software from unknown sources.
Rootkit detection will someday
be built into anti-virus and/or anti-spyware programs. Until then, choose a
rootkit detector and start scanning with it as part of your regularly scheduled
security task list.
LiveSecurity Resources for Learning More about Rootkits:
Malware Analysis Video: Rootkits (Part 1)
Malware Analysis Video: Rootkits (Part 2)
Rootkits 101: Rotten to the Core
Copyright© 2006, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.