Republished with permission from WatchGuard Technologies, Inc.


Rootkits 201:
Countermeasures and Defenses

by Lisa Phifer, Vice President, Core Competence Inc.

In Part 1 of this article, I acquainted you with rootkits and some of the ways they work. Many LiveSecurity subscribers who read the article and watched the accompanying video emailed to say, "I can't wait to learn the countermeasures." As I mentioned at the end of my previous article, today rootkit developers are ahead of defense tools. There is no "simple three-step process" to make your network rootkit-proof.

But the lack of an anti-rootkit silver bullet is not the same as being helpless. Here are some ways to detect rootkits, along with plenty of links for learning more. LiveSecurity subscribers can also read a sidebar by Corey Nachreiner and Scott Pinzon about some Firebox techniques that can stop many rootkits from entering your network.

What's the diff?

Traditional integrity checking tools like RkHunter and Tripwire use a method known as cross-time diff to detect changes in a computer's persistent state. They work by comparing snapshots taken at different times (e.g., MD5 checksums of critical files). Unfortunately, this may generate false positives when a system is intentionally updated (e.g., for routine patch management). And conceivably, a rootkit could hook timing functions and hide itself by giving you the output you expected to see.
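To make the cross-time diff concrete, here is an added example (not from the article or any of the tools it names) of a minimal baseline checker in Python. It hashes files with SHA-256 rather than MD5, and it takes an "expected" set so that files a patch run was supposed to touch are reported separately from unexplained changes, which is the false-positive problem the paragraph describes. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Hash every regular file under root: one point-in-time view of persistent state."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state

def cross_time_diff(baseline, current, expected=frozenset()):
    """Compare two snapshots taken at different times.
    Paths in `expected` (files a scheduled patch legitimately changed) are
    listed under their own key so routine updates do not bury real findings."""
    report = {"added": [], "removed": [], "modified": [], "expected": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            kind = "added"
        elif path not in current:
            kind = "removed"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        report["expected" if path in expected else kind].append(path)
    return report

def demo():
    """Constructed scenario: one file is replaced by a routine patch, while
    another is silently altered and an unknown driver file appears."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "system32").mkdir()
        (r / "system32" / "kernel32.dll").write_bytes(b"kernel32 build 1")
        (r / "system32" / "ntdll.dll").write_bytes(b"ntdll build 1")
        baseline = snapshot(root)
        # Expected change: the patch replaces kernel32.dll
        (r / "system32" / "kernel32.dll").write_bytes(b"kernel32 build 2")
        # Unexpected changes: ntdll.dll modified, new driver dropped
        (r / "system32" / "ntdll.dll").write_bytes(b"ntdll with altered export")
        (r / "system32" / "drivers").mkdir()
        (r / "system32" / "drivers" / "unknown.sys").write_bytes(b"MZ constructed sample")
        current = snapshot(root)
        return cross_time_diff(baseline, current, expected={"system32/kernel32.dll"})

if __name__ == "__main__":
    print(demo())
```

A real deployment would store the baseline somewhere the host cannot rewrite it (read-only media or a separate system), since a baseline kept on the monitored disk is exactly what a rootkit would tamper with.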

The cross-view diff methods used by RootkitRevealer, Strider GhostBuster, and many other tools can reduce false positives and spot changes to a computer's dynamic state. They work by comparing scans conducted from two or more perspectives: high-level vs. low-level views, or inside-the-box vs. outside-the-box views.

For example, the freeware RootkitRevealer compares two on-line scans. A typical rootkit intercepts, or hooks, calls to common Windows functions, such as a file directory listing. But a rootkit detector can also get and display a Windows file listing, without using the normal Windows function. RootkitRevealer compares queries performed through the Windows API against a raw scan of the volume's file system and Registry Hive. A rootkit that hooks the Windows API or Native API or patches User Mode code will be seen as differences between those two scans. Often, the corrupted version will show fewer files than a raw scan shows, because the rootkit is hiding its files.

Because a Kernel Mode rootkit alters both high and low level scan results, comparing on-line (inside-the-box) and off-line (outside-the-box) scans can be useful. You can do this manually; for example, by comparing directory listings obtained when booted from hard disk to directory listings obtained when booted from a USB or CD drive. A tool like Microsoft's Strider GhostBuster WinPE version automates this process, comparing the potential "lies" returned by Windows APIs with the "truth" obtained while booted from a WinPE CD.
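The cross-view comparison that RootkitRevealer and GhostBuster perform reduces to the same logic whether the second view is a raw volume scan or an off-line boot. The Python below is an added illustration, not code from either tool: each view maps an object name (file path or registry key) to a content hash, and the diff classifies entries the high-level view omits, entries only the high-level view reports, and entries both see but disagree on. Both views are constructed sample data standing in for what a Windows API enumeration and a raw scan would return.

```python
from dataclasses import dataclass, field

@dataclass
class CrossViewReport:
    hidden: list = field(default_factory=list)      # only the low-level view sees it
    phantom: list = field(default_factory=list)     # only the high-level view sees it
    mismatched: list = field(default_factory=list)  # both see it; contents disagree

def cross_view_diff(high_level, low_level):
    """Compare two views of the same state gathered at (nearly) the same time.
    A hooked API usually returns a shorter list than the raw scan, so entries
    present only in the low-level view are the prime suspects; an entry whose
    hash differs between views points at something spoofing the API's answer."""
    report = CrossViewReport()
    for name in sorted(set(high_level) | set(low_level)):
        if name not in high_level:
            report.hidden.append(name)
        elif name not in low_level:
            report.phantom.append(name)
        elif high_level[name] != low_level[name]:
            report.mismatched.append(name)
    return report

def demo():
    # Constructed views. Hash strings are placeholders, not real digests.
    api_view = {
        r"C:\Windows\System32\ntdll.dll": "hash_ntdll_pristine",
        r"C:\Windows\System32\kernel32.dll": "hash_kernel32",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip": "hash_tcpip_key",
    }
    raw_view = {
        r"C:\Windows\System32\ntdll.dll": "hash_ntdll_on_disk",  # API answer differs from disk
        r"C:\Windows\System32\kernel32.dll": "hash_kernel32",
        r"C:\Windows\System32\drivers\sample.sys": "hash_sample",  # absent from API listing
        r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip": "hash_tcpip_key",
        r"HKLM\SYSTEM\CurrentControlSet\Services\sample": "hash_sample_key",  # absent from API
    }
    return cross_view_diff(api_view, raw_view)

if __name__ == "__main__":
    print(demo())
```

Because the off-line view is gathered while the suspect OS is not running, a finding in `hidden` from a boot-CD comparison is far harder for a Kernel Mode rootkit to explain away than the same finding from two on-line scans.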

Off-line scans find persistent changes more reliably, but require a reboot and may miss dynamic changes. On-line scans are faster, less intrusive, and can do a good job of detecting all but low-level rootkits. It therefore makes sense to adopt a "defense in depth" policy, combining regular on-line scans with less frequent off-line scans. Here are just a few of the many open source and commercial rootkit detection programs you could use to implement such a policy:

  • ChkRootKit
  • F-Secure Blacklight
  • Flister
  • Komoku Copilot PCI card
  • Microsoft Strider GhostBuster
  • RAIDE: Rootkit Analysis Identification Elimination
  • RkHunter
  • Sysinternals RootkitRevealer
  • VICE

For a longer list of Rootkit Prevention and Detection software, visit

Basic Defensive Posture

When it comes to rootkits, the most efficient defense is to avoid being infected in the first place. Some User Mode rootkits (and associated malware) may be removed, but many rootkits take steps to deter removal (e.g., filtering delete commands, restoring themselves after reboot). Kernel Mode rootkits are thorny to remove without debilitating the compromised system. Painful as it may sound, your best bet in such cases is to bite the bullet, reformat your disk, and re-install your OS to return to a known-trustworthy state.

Having gone through that once will motivate you thoroughly to prevent future rootkit infection. The most dangerous Kernel Mode rootkits require administrative privileges in order to install malicious device drivers; thus, running with least privileges can help. Never use the Internet as Administrator (or any privileged account), run anti-spyware to block suspicious installation activities, and avoid installing software from unknown sources.

Rootkit detection will someday be built into anti-virus and/or anti-spyware programs. Until then, choose a rootkit detector and start scanning with it as part of your regularly scheduled security task list.

LiveSecurity Resources for Learning More about Rootkits:

  • Malware Analysis Video: Rootkits (Part 1)
  • Malware Analysis Video: Rootkits (Part 2)
  • Rootkits 101: Rotten to the Core

Copyright © 2006, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.