Security Advisor

Rootkit Runaround: Protect Yourself Against an Emerging Threat

A program that can detect rootkits should be an integral part of your security toolbox.

• By Joern Wettern
• 12/01/2005

As if there weren't enough threats coming at you via the Internet, now you have to secure your systems against rootkits, as well. Rootkits are similar to spyware, viruses and worms in that they're designed to run on your computer without your knowledge. Once on your system, they often perform a malicious task, like creating a backdoor to enable unauthorized access to your system.

What makes rootkits unique is that they're designed to avoid detection by standard scanning methods and tools. If a rootkit has installed itself on your computer, you won't find it using Windows Explorer or see it in the list of services that are currently running. Most virus scanners can't even find a typical rootkit. To protect yourself against this type of threat, you need to know how they work and how to remove them from your systems.

The Root of the Problem
Rootkits are hardly new. They've been around in the Unix world for a long time, typically replacing a standard Unix system file, such as the ps command that displays a list of currently running processes. A rootkit replacement for this command would produce the expected list of processes, while working its destructive magic behind the scenes.

Rootkits designed for Windows typically take a different approach. Instead of replacing system files, they often register with the operating system to intercept program requests made to standard Windows APIs. For example, when Windows Explorer needs to read the contents of a directory, it issues a standard call for a list of files in that directory. If a rootkit has registered with the operating system to handle this type of call, it can pass the request on to the real Windows function library that handles file listings. Once it receives a response, it would then filter out references to any file names that might reveal the existence of a rootkit and pass those filtered results on to Explorer. The rootkit stays hidden, no matter how hard you look.

If a rootkit uses similar techniques to remove itself from the list of processes running in Windows or to shield itself within the hidden system files holding the structure of an NTFS-formatted volume, all your tools for finding malicious software may prove useless for detecting rootkits. Other programs that depend on system calls, including virus scanners, will also fail.

Some rootkits use even more sophisticated methods. For example, the Hacker Defender rootkit adds its own code to every process currently running on a computer. Rootkit authors are constantly looking for new ways to hide their programs. They often share their discoveries with each other in places like www.rootkit.com. Here you can learn about some of the latest stealth methods used by rootkit authors.

Detecting Rootkits
While rootkits can evade standard detection methods, that does not mean they are undetectable. The key to finding rootkits is to get the running process list output before the rootkit has a chance to filter out signs of its presence. You'll need to use Windows' layered architecture to do this.

When an application like Windows Explorer is running in user mode, it issues a user-mode API call to determine a folder's contents. Windows then translates this into a kernel-mode API call. Before the call reads the data from the disk, the request passes through several more layers, including the file system driver (NTFS or FAT, among others). It finally goes out to the hardware driver, which can then issue commands to the disk controller to read the required sectors.

Most of today's rootkits will only intercept user-mode API calls. A program that can use kernel-mode APIs can display the correct file listing without giving the rootkit a chance to filter out the results. Of course, rootkit writers are aware of this and are coming up with ways for their rootkits to operate at lower levels within the Windows architecture.

The closer a rootkit operates to the hardware that ultimately holds the data, however, the harder it is to write programs that work reliably and won't crash the system. Because of these difficulties, the majority of rootkits work by intercepting user-mode APIs.

These so-called application-level rootkits are easier to install and don't require administrator privileges to setup. The potentially more dangerous kernel-level rootkits, by contrast, require administrator rights to install.

Defend Yourself
The most effective way to stop a rootkit is to nail it before installation. Rootkits get onto your computer the same way as other malware—a malicious Web site or someone may copy them directly onto your computer.

Keeping security patches on your computer up-to-date and restricting access to your machine can help prevent the introduction of rootkits. Basic secure computing practices—like not running programs that arrive in e-mail—can also help keep rootkits off your computer.

Certain anti-virus and anti-spyware programs may be able to detect and block rootkits before they have a chance to load, but most of them are not that effective. Even if an anti-virus or anti-spyware program successfully detects and removes a rootkit file, you may be vulnerable the next time you start your computer. Some sophisticated rootkits check to see whether the file from which they were started still exists after a system shutdown. If it doesn't, they recreate the file—often with a different name and in a different location—and configure the computer to run that file during the next startup.

Although rootkits are getting more sophisticated at avoiding detection and removal, there are tools that can help you identify them on your computer. Anti-rootkit tools, like Rootkit Revealer from Sysinternals, will start by looking for files, registry settings and running processes using standard user-level APIs. Then it will look for the same objects again, this time using lower-level system calls. Finally, it compares the results of both scans.

If an object appears in the first scan but not in the second, that could mean there's a rootkit on your system. Root-kitRevealer shows several files and registry settings hidden from applications that use standard Windows system calls.

You should expect each scan to find a few of these objects, regardless of whether or not there is a rootkit on your system. For example, files are often flagged as suspicious because they were created between the two scans. Because of this, you should always investigate a little further once you've run the scan to confirm whether or not the symptoms are really indicative of a rootkit. Other detection methods may include starting the computer from a bootable CD and scanning your disk when the normal operating system isn't running.

If your computers are already well protected against other threats, rootkits shouldn't pose much extra danger. However, a program that can detect rootkits should be an integral part of your security toolbox. Use that type of tool when other layers of protection fail.