nellie2

Rootkits


There has been some discussion recently about rootkits, especially with the Sony rootkit debacle going on at the minute.

However... people can get a little confused about rootkits (me included), but Suzi at SpywareWarrior has written an excellent information piece on rootkits.

--------------------------------------------------------------------

Quote Suzi:

Since rootkits are in the news recently, and a lot of people don't know much, if anything, about rootkits, I thought I'd post some info and a list of rootkit detection apps.

Definitions:

http://searchsecurity.techtarget.com/gDefi...i547279,00.html

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.

It's a good write-up and talks about the history of rootkits.

Excellent article here with a lot more detailed technical information:

http://online.securityfocus.com/print/infocus/1850

In anti-spyware forums like this one, rootkit technology is sometimes found with spyware and/or trojans, backdoors and RATs (remote access tools). One spyware company, Enternet Media, has been documented to use rootkit technology to hide the presence of their spyware. Enternet Media is the company responsible for SearchMiracle/Elitebar spyware.

http://www3.ca.com/securityadvisor/pest/pe...px?id=453090724

http://www.f-secure.com/v-descs/elitebar.shtml

A screenshot of a RootkitRevealer log showing Elitetoolbar can be seen in this link:

http://netrn.net/spywareblog/archives/2005...hos-your-daddy/

Rootkits have been found on machines with Rbot and SDbot and keyloggers.

http://www.dslreports.com/forum/remark,14493487

http://www.dslreports.com/forum/remark,13680927

http://spywarewarrior.com/viewtopic.php?t=16103

Presumably the rootkit is used to hide the trojans, which can be used by the attacker to take total control of a machine while the keyloggers transmit information back to the attackers, including passwords and data from the infected machine. An ugly situation at best. In cases like this I think the safest thing for a user to do is format and reinstall, because there is no way to tell how severely the machine has been compromised and what dangers may lurk inside, even if the trojans and rootkit files are removed, if they can even be removed.

Here's an example where format and reinstall was advised on a severely compromised network computer.

http://spywarewarrior.com/viewtopic.php?t=16273

Here's a list of rootkit detection apps, copied from Eric Howes' website:

https://netfiles.uiuc.edu/ehowes/www/soft5.htm#rootkit

Blacklight
http://www.f-secure.com/blacklight/cure.shtml

IceSword
http://xfocus.net/tools/200505/1032.html

InvisibleThings.org
http://invisiblethings.org/tools.html

Microsoft - Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx
or http://www.microsoft.com/downloads/details.aspx?...

RootkitRevealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html

UnHackMe
http://www.greatis.com/unhackme/index.html

Note these tools should be used with the guidance of an experienced malware removal expert or advanced user.

Some anti-spyware apps have added rootkit detection, Spy Sweeper for one, and there may be others I'm not aware of yet.

Other sites for rootkit information:

http://research.microsoft.com/rootkit/

Microsoft webcast on rootkits:

http://msevents.microsoft.com/cui/WebCastE...&CountryCode=US

http://www.securityfocus.com/columnists/358

http://www.viruslist.com/en/analysis?pubid=168740859

Rootkits in the news:

http://www.eweek.com/article2/0,1759,1829744,00.asp
http://www.eweek.com/article2/0,1759,1816972,00.asp
http://www.eweek.com/article2/0,1895,1841266,00.asp

AIM worm drops rootkit and more:

http://blogs.zdnet.com/Spyware/?p=687

Sony's DRM rootkit:

http://www.sysinternals.com/Blog/

PestPatrol will detect and remove Sony's rootkit:

http://blogs.zdnet.com/Spyware/?p=698

The ultimate rootkit site:

http://www.rootkit.com/

Anyone who finds this helpful is welcome to post it at their own site or other sites. A link back here would be nice. :)

--------------------------------------------------------------------
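The detection technique behind RootkitRevealer and the other cross-view scanners listed above, and what a line in their output actually means, as an added example that is not part of the original post and not Sysinternals' code. The two listings are constructed by hand: the "$sys$" paths stand in for the Sony XCP cloak as the thread describes it and were not captured from a real machine.

```python
"""Cross-view rootkit detection in miniature.

RootkitRevealer-style tools enumerate the same objects (files, registry keys,
processes) twice: once through the high-level Windows API, which a rootkit can
filter by hooking system calls, and once through a low-level route (raw NTFS/MFT
or hive parsing) that the hook does not sit in front of. Anything present in the
low-level view but missing from the API view is being hidden from the user.

Added illustration, not code from the thread or from Sysinternals. Both listings
below are constructed; the "$sys$" names follow the thread's description of the
XCP cloak and are not real paths captured from a machine.
"""
from dataclasses import dataclass

# XCP's Aries driver hid every object whose name starts with this prefix.
CLOAK_PREFIX = "$sys$"

# Constructed sample listings of the same directory tree, one per view.
API_VIEW = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\notepad.exe",
    # a temp file that existed during the API walk but was gone by the raw walk
    r"C:\Documents and Settings\user\Local Settings\Temp\~DF1234.tmp",
]
RAW_VIEW = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\$sys$filesystem\aries.sys",
    r"C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe",
]


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # "hidden_from_api" or "visible_only_in_api"
    note: str


def cross_view_diff(api_view, raw_view):
    """Return one Finding per object that appears in exactly one of the views.

    Names are compared case-insensitively because NTFS paths are.
    """
    api = {p.lower(): p for p in api_view}
    raw = {p.lower(): p for p in raw_view}
    findings = []
    for key in sorted(raw.keys() - api.keys()):
        findings.append(Finding(raw[key], "hidden_from_api",
            "on disk but not returned by the Windows API: classic cloaking, investigate"))
    for key in sorted(api.keys() - raw.keys()):
        findings.append(Finding(api[key], "visible_only_in_api",
            "returned by the API but absent from the raw scan: usually created or "
            "deleted between the two walks; rescan before drawing conclusions"))
    return findings


def has_cloak_prefix(path, prefix=CLOAK_PREFIX):
    """True if any component of the path starts with the XCP cloak prefix."""
    return any(part.lower().startswith(prefix.lower())
               for part in path.replace("/", "\\").split("\\"))


def triage(api_view, raw_view):
    """Split findings into what to investigate now and what merely needs a rescan."""
    suspicious, recheck = [], []
    for f in cross_view_diff(api_view, raw_view):
        if f.kind == "hidden_from_api" or has_cloak_prefix(f.path):
            suspicious.append(f)
        else:
            recheck.append(f)
    return suspicious, recheck


if __name__ == "__main__":
    suspicious, recheck = triage(API_VIEW, RAW_VIEW)
    print("INVESTIGATE:")
    for f in suspicious:
        print(f"  {f.path}\n      {f.kind}: {f.note}")
    print("RESCAN:")
    for f in recheck:
        print(f"  {f.path}\n      {f.kind}: {f.note}")
```

The point for reading a real scanner's log: "hidden from the Windows API" entries are the ones that matter, while entries that only the API saw are usually files that came or went while the scan ran and should be checked again with a fresh scan rather than treated as evidence.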

Quote:
One spyware company, Enternet Media, has been documented to use rootkit technology to hide the presence of their spyware. Enternet Media is the company responsible for SearchMiracle/Elitebar spyware.

Hopefully, Enternet Media is out of business.

The Federal Trade Commission has filed a complaint against Enternet Media for allegedly installing spyware in a deceptive manner. At the FTC's request, Enternet Media was ordered to halt their activity. Last week, a person who says he works across the street from Enternet Media witnessed over a dozen cops raiding their offices.

http://www.spywareinfo.com/newsletter/arch.../2005/nov11.php

Can a rootkit safely be removed? Being kinda paranoid myself, I don't trust a format and opt to zero out the drive.

--------------------------------------------------------------------

Yes..... things are getting scary..... but it brings a smile to see that there are those who are fighting back to gain control over their computers.... and for others.

Nellie....thank you for taking the time and work for this post and the information it has provided.

--------------------------------------------------------------------

Thanks Jacee. Sophos also has a remover for the Sony rootkit, but what I was wondering... are other malicious rootkits safe to remove, like the kind that black hats and spyware install?

Edited by Joe C

--------------------------------------------------------------------

If I find a rootkit on an infected machine, I insist on a reformat. It's not so much that I mistrust my own level of skill to remove them, as I mistrust the deviousness of the attacker that put it there (and possibly more besides) in the first place.

--------------------------------------------------------------------

WinPatrol has actually detected the Sony rootkit on a number of machines. Our active tasks list will display it as $SYS$DRMSERVER.EXE.

I decided we'd make sure to warn all of our users so they don't have to be PLUS members to get information from our knowledgebase.

I heard today that Sony is recalling all CDs that use XCD now that malicious code is being released that takes advantage of the $sys$ hole that they created.

Bill

--------------------------------------------------------------------
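A quick check for the "$sys$" hole Bill mentions, as an added example that is not part of the thread and is not WinPatrol's, Sony's or any vendor's code. It relies only on the behaviour the thread describes (the XCP driver hides anything whose name begins with "$sys$" from the Windows API); the probe file name and the use of the temp directory are this example's own choices.

```python
"""Probe for the XCP "$sys$" cloak.

The XCP driver hid every file, directory and process whose name starts with
"$sys$" from the Windows API, which is the "$sys$ hole" other malware could use
simply by adopting the prefix. The cheapest test for an active cloak: write a
harmless file with that prefix, then ask the API whether it can see it. On a
clean system the file is listed; under the cloak it is not, even though the
write itself succeeded.

Added example, not from the thread or from any vendor it names. It is only
meaningful on a Windows host; on other systems it runs and reports no cloak.
The probe file name and temp-directory location are assumptions of this example.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"


def probe_cloak(directory=None, prefix=CLOAK_PREFIX):
    """Create a "$sys$"-prefixed probe file and test whether the API can see it.

    Returns (cloaked, detail). cloaked is True when the file was written but is
    missing from the directory listing or fails a direct existence check.
    """
    directory = directory or tempfile.gettempdir()
    name = f"{prefix}probe-{os.getpid()}.tmp"
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("rootkit cloak probe; safe to delete\n")
    try:
        listed = name in os.listdir(directory)   # directory-enumeration view
        exists = os.path.exists(path)            # direct path-lookup view
        cloaked = not (listed and exists)
        detail = (f"{path}: listed={listed} exists={exists}"
                  + (" -> a '$sys$' cloak is active" if cloaked else " -> no cloak"))
    finally:
        # Under the cloak the delete may fail as well; do not let that abort the probe.
        try:
            os.remove(path)
        except OSError:
            pass
    return cloaked, detail


if __name__ == "__main__":
    cloaked, detail = probe_cloak()
    print(detail)
    raise SystemExit(1 if cloaked else 0)
```

Run it as an ordinary user on the suspect machine; a "cloak is active" result means the filtering driver is still loaded regardless of what any cleaner reported, which is exactly the uncloaked-but-not-removed situation discussed further down the thread.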

Quote:
If I find a rootkit on an infected machine, I insist on a reformat. It's not so much that I mistrust my own level of skill to remove them, as I mistrust the deviousness of the attacker that put it there (and possibly more besides) in the first place.

I don't even trust formats... I've only run across two rootkits so far on infected machines but I suspect there may have been more. I'll only feel comfortable with a low-level format cuz ya can't tell if something could survive a standard format.

--------------------------------------------------------------------

Quote:
I don't even trust formats... I've only run across two rootkits so far on infected machines but I suspect there may have been more. I'll only feel comfortable with a low-level format cuz ya can't tell if something could survive a standard format.

Oh don't worry about my reformats. They're "special" ;)

--------------------------------------------------------------------

Nick, who is an admin at Spyware Warrior, has posted a bit more info on this issue.

Microsoft has released signatures for the removal of the rootkit portion of the Sony XCP DRM software. There are 2 ways to get these. One is by updating Microsoft Antispyware with the November 17th update, which is numbered 5777. After updating, choose the full system scan. The other way is to try the Windows Live Safety Center and select the "Full Service Scan" followed by the "Quick scan" option.... Microsoft will also include detection and removal of the XCP rootkit with the December release of their Malicious Software Tool. That will be released on the 2nd Tuesday of the month, or December 13th. ref here

Note that either Microsoft removal technique will only remove the rootkit portion of the XCP software. The digital rights management software will remain. Also, some of the other removal tools do not remove the rootkit but only uncloak it.

Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I've looked at disable it improperly by unloading it from memory - the same way Sony's patch behaves - which, as I noted previously, introduces the risk of a system crash.

ref from here

With that in mind, I would use the Microsoft method to remove it.

Looks like the AV companies jumped on the bandwagon and said they'd fix it, which was only partially true. They only decloaked it but left it intact. The actual removal is risky and they didn't want to have everyone's CD drives disappear. Yet they let people assume on their own that it would be fixed.

--------------------------------------------------------------------

Quote:
If I find a rootkit on an infected machine, I insist on a reformat. It's not so much that I mistrust my own level of skill to remove them, as I mistrust the deviousness of the attacker that put it there (and possibly more besides) in the first place.

I feel the same way.

nellie2, thanks for all the information.

I used RootkitRevealer one time but had a hard time finding information on how to interpret the results.

--------------------------------------------------------------------

Quote:
I feel the same way.

nellie2, thanks for all the information.

I used RootkitRevealer one time but had a hard time finding information on how to interpret the results.

The same for me, I downloaded RootkitRevealer and I had trouble understanding the results???
