Some rootkits, the class now called bootkits, overwrite the hard drive's MBR (master boot record): sector 0 of the disk, which holds the code the BIOS runs to start the operating system.
Because that code executes before Windows does, the rootkit loads ahead of the kernel and can hide its files and processes from Explorer, Task Manager, and other detection tools. It's easy to see, then, that a threat using rootkit techniques to hide is going to be difficult to find.
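As an added illustration (not code from the original post, and not from Kaspersky), the following Python takes a 512-byte image of sector 0, checks the 0x55AA boot signature, parses the four partition entries, and compares a SHA-256 of the 446 bytes of boot code against a baseline hash recorded when the machine was known to be clean. Both sector images here are constructed inline; on a live Windows box `read_physical_sector0` reads `\\.\PhysicalDrive0` and needs an elevated (Administrator) prompt. One caveat belongs with it: a bootkit that hooks disk I/O can hand the clean sector back to any program that asks through the running OS, so take the live read from boot media rather than from the suspect system.

```python
"""Baseline check of the MBR (sector 0): does the boot code still match a known-good hash?"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code the BIOS jumps to
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510          # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into a boot-code hash, the partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline_boot_sha256: str) -> list:
    """Return a list of findings; an empty list means sector 0 looks as expected."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings


def read_physical_sector0(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the first disk on Windows; requires an Administrator prompt."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR for the demonstration (not taken from any real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # one active NTFS partition (type 0x07) at LBA 2048, 1048576 sectors; CHS fields are dummies
    table = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1048576)
    table += b"\x00" * 48                   # three unused entries
    return code + table + b"\x55\xaa"


# Constructed samples: the "clean" image stands in for a baseline taken on a known-good day,
# the "tampered" one has its bootstrap code replaced, as a bootkit does.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
CLEAN_BOOT_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58\x90" + b"\x00" * 100 + b"\xb8\x00\x7c")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, CLEAN_BOOT_SHA256)
        print(f"{label}: {result or 'no findings'}")
```

Record the baseline hash once, from a clean install, and keep it off the machine; a tampered image still carries a valid signature and an untouched partition table, so the boot-code hash is the part of the check that actually catches the swap.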
And yes, I'm aware that major AV application developers are fond of pointing out that their products will flag and remove rootkits. Users are expected to believe those claims – DON'T!
From a previous article (June 2011) –
Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration.
Scanning for rootkits occasionally is good practice, and with the right tools rootkits can be hunted down and (maybe) eradicated. But personally, I would never trust that any detection/removal application has successfully removed a rootkit.
If you have detected that your system has become infected by a rootkit, I recommend that you first wipe the entire drive using a free tool such as Darik's Boot And Nuke (DBAN), reformat, and only then reinstall the operating system. Reformatting a partition on its own does not touch sector 0, which is exactly where a bootkit lives; a full-disk wipe does.
Rootkit detectors can be difficult to work with, and consequently my good buddy Michael C., following the last post on rootkit detection – Got A Rootkit Infection? – Find Out With These Four Free Rootkit Detectors – posed the following question: “Just wondering if there is a rootkit detector for us ‘average users’ that doesn’t require an MIT degree.”
And, there is.
Kaspersky Lab has developed the free TDSSKiller utility, designed to detect and remove common rootkits: specifically, rootkits in the Rootkit.Win32.TDSS family (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned), in addition to regular rootkits (now, there's a misnomer), as well as bootkits.
Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (the free 7-Zip, for example).
Run the TDSSKiller.exe file.
The utility can detect the following suspicious objects:
Hidden service – a service registry key that is hidden from standard enumeration.
Blocked service – a service registry key that cannot be opened by standard means.
Hidden file – a file on the disk that is hidden from standard directory listing.
Blocked file – a file on the disk that cannot be opened by standard means.
Forged file – a file whose content, when read by standard means, is not what is actually on disk: the rootkit hands back the clean original in place of the modified version.
BackBoot.gen – a suspected MBR infection with an unknown bootkit.
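Every object type on that list is a cross-view discrepancy: the detector asks the system one way (the documented Windows API) and another way (a raw read of the disk or of the registry hive file) and reports wherever the two answers differ. The Python below is an added example of that comparison logic, not Kaspersky's code and not a description of how TDSSKiller is built internally; the two "views" are constructed dictionaries standing in for the API listing and the raw read, with one hidden object, one blocked object and one forged object planted in them, and all names are placeholders.

```python
"""Cross-view diff: compare what the standard API reports with what a raw read shows."""

# Each view maps object name -> content bytes. Objects may be files or service registry keys.
# In the standard view, a value of None means the object was listed but could not be opened
# or read. An object absent from the standard view but present in the raw view was hidden
# from enumeration.

HIDDEN = "hidden"          # present in raw read, absent from standard listing
BLOCKED = "blocked"        # listed, but standard open/read fails
FORGED = "forged"          # readable both ways, but the contents disagree
ONLY_STANDARD = "only in standard view"   # listed by the API with nothing on disk behind it


def cross_view_diff(standard: dict, raw: dict) -> dict:
    """Return {name: category} for every object on which the two views disagree."""
    findings = {}
    for name, raw_content in raw.items():
        if name not in standard:
            findings[name] = HIDDEN
        elif standard[name] is None:
            findings[name] = BLOCKED
        elif standard[name] != raw_content:
            findings[name] = FORGED
    for name in standard:
        if name not in raw:
            findings[name] = ONLY_STANDARD
    return findings


# Constructed sample views (not taken from a real machine); names are placeholders.
STANDARD_VIEW = {
    "drivers/disk_driver.sys": b"clean driver image v1",       # what a hooked read hands back
    "drivers/net_driver.sys": b"network driver image",
    "drivers/payload_file.dll": None,                           # listed, but opening it fails
}
RAW_VIEW = {
    "drivers/disk_driver.sys": b"clean driver image v1 + injected loader",  # what is on disk
    "drivers/net_driver.sys": b"network driver image",
    "drivers/payload_file.dll": b"payload bytes",
    "services/hidden_service": b"service registry key data",    # never appears in the API view
}

if __name__ == "__main__":
    for name, category in sorted(cross_view_diff(STANDARD_VIEW, RAW_VIEW).items()):
        print(f"{category:>8}: {name}")
```

On a real system the raw side would come from parsing the NTFS file records or the SYSTEM hive file directly rather than through the hooked API. A rootkit that also intercepts raw device reads defeats this comparison from inside the running OS, which is why detectors of this kind go as low as they can and why a clean result still does not prove the machine is clean.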
The interface is clean and simple, as the screenshots below show.
A scan in progress.
The completed scan shows the system clean and free of rootkit infections. You'll note that the scan finished in 10 seconds.
Following the scan, you can open a full report if you choose.
System requirements: Windows 7, Vista, XP (32-bit and 64-bit).
Download at: Kaspersky
Since false positives are always a major consideration with tools of this type, you should be aware that tools like this are designed for advanced users and above: treat a detection as a lead to verify, not a verdict.
If you need help identifying a suspicious file, you can upload it to VirusTotal.com to have it analyzed by multiple scanning engines.
To read a blow-by-blow description of just how difficult it can be to identify and remove a rootkit, check out this Malwarebytes malware removal forum posting.