What is a rootkit anyway?
April 3rd, 2007

It seems more people are hearing about rootkits but still do not understand what they are or the threats they pose. Rootkits can be so effective at masking threats from your security system that a virus detected by every anti-virus product in production can be hidden so that it is not detected. The power of a rootkit comes from the fact that it adds code (called hooks) to the operating system and inserts it to run before the operating system's native function proceeds. An example would be enumerating files and directories. Typically a 'dir' command from the command prompt, or viewing files and folders inside Explorer, calls low-level functions of the operating system to display all files under a particular folder.
Now imagine someone writing a function that filters the results, removing files of their choice, and inserting this function to run before your operating system runs its normal function call. At this point the operating system has no way of knowing about the files and directories filtered out by the hook the rootkit inserted. Because anti-virus products depend on the operating system's functions (its API) to report on files and directories, it is possible to hide known threats on a system without the local anti-virus protection ever knowing.
Filtering file and directory listings is only one function of a rootkit; it is common for rootkits to alter other aspects of the operating system, such as the list of running processes, the sizes of files, even which ports are open and in listening mode on your machine. Some of the really advanced rootkits are able to use existing open service ports to transmit and receive data over the same path as other services, because they are able to view and remove data off the line before the operating system or application reacts. This allows rootkits to communicate between victims and their master silently.
There are many ways to detect and remove rootkits, but the best and most effective defense is to prevent them from installing. This means preventing the installation of untrusted applications that install low-level hooks into the operating system. Averting them requires heuristics or proactive defense in your security systems. It is becoming more common for anti-virus products such as Kaspersky to have the ability to detect "malicious looking" files and processes before there is a known signature for the threat. This allows the product to provide what is commonly referred to as zero-day protection.
Techniques to detect and remove rootkits are getting better, but the most common and effective way to remove rootkits is to scan the system while it is offline. This means moving the drive to another system and scanning it under that system's operating system. The reason for this is that as long as the infected operating system is running, any queries for files and processes cannot be trusted to be accurate. By removing the drive and scanning it under a different system, you effectively turn off the rootkit's protection and depend entirely on your anti-virus product to detect the signatures of known threats. More and more tools are becoming available that use clever techniques to detect rootkits without shutting down the operating system. A common technique is to query what the operating system reports and what low-level direct access to the hard disk reports, and compare the two for traces of hidden information. The same approach is used against the registry to find applications that use hidden registry records to launch malicious files.
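The cross-view comparison described above, as an added illustration that is not part of the original post: a filtering hook is modelled on constructed file, process and registry listings, and the detector flags every entry that the raw view contains but the API view does not. All names in the listings are constructed; a real tool would replace the raw view with its own parsing of disk or kernel structures.

```python
"""Cross-view rootkit detection, modelled on constructed data.

The API view is what a hooked operating system reports to callers; the raw
view is what direct access to the disk or kernel structures reports. Entries
in the raw view that are missing from the API view are hiding candidates.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    view: str      # which enumeration was compared, e.g. "files"
    hidden: list   # present in raw view, missing from API view
    phantom: list  # present in API view, missing from raw view (also suspicious)


def cross_view_diff(view, api_view, raw_view, case_insensitive=True):
    """Report discrepancies between the API-reported and raw enumerations."""
    norm = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    api = {norm(x) for x in api_view}
    raw = {norm(x) for x in raw_view}
    return Finding(view, sorted(raw - api), sorted(api - raw))


def hooked_listing(raw_view, hidden_prefixes):
    """Model a filtering hook: entries the rootkit owns are dropped from results."""
    return [e for e in raw_view if not e.lower().startswith(tuple(hidden_prefixes))]


# Constructed sample data: raw views as a direct disk / kernel walk would see them.
RAW_FILES = ["notepad.exe", "Kaspersky.log", "rk_driver.sys", "rk_config.dat", "readme.txt"]
RAW_PROCS = ["explorer.exe", "svchost.exe", "rk_service.exe"]
RAW_RUN_KEYS = ["OneDrive", "rk_autostart"]


def scan():
    """Run each raw view through the simulated hook and report what it hid."""
    findings = []
    for name, raw in (("files", RAW_FILES), ("processes", RAW_PROCS), ("registry Run", RAW_RUN_KEYS)):
        api = hooked_listing(raw, ["rk_"])  # hook hides everything it owns
        finding = cross_view_diff(name, api, raw)
        if finding.hidden or finding.phantom:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[{f.view}] hidden from API view: {f.hidden}  phantom: {f.phantom}")
```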
Tags: Malware
Author: Christopher