There’s malware, and then – there’s MALWARE. In other words, not all malware is created equal. Rootkits, for example, are not your common everyday piece of malware.
Rootkits are often designed to overwrite the hard drive’s MBR (master boot record), the first sector – Sector 0 – where the code that boots the operating system after the BIOS has loaded resides.
As a consequence, Rootkit files and processes will be hidden from Explorer, Task Manager, and other detection tools. It’s easy to see, then, that if a threat uses Rootkit technology to hide, it is going to be difficult to find.
And yes, I’m aware that major AV application developers are fond of pointing out that their products will flag and remove Rootkits. Users are expected to believe those claims – DON’T!
From a previous article (June 2011) –
Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration.
Scanning for Rootkits occasionally is good practice, and by scanning with the right tools, Rootkits can be hunted down and eradicated (maybe) – but personally, I would never trust that any detection/removal application has successfully removed a Rootkit.
If you have detected that your system has become infected by a Rootkit, I recommend that you first wipe the drive – using a free tool such as Darik’s Boot And Nuke – reformat, and only then reinstall the operating system.
Rootkit detectors can be difficult to work with, and consequently my good buddy Michael C., following the last post on Rootkit detection – Got A Rootkit Infection? – Find Out With These Four Free Rootkit Detectors – posed the following question: “Just wondering if there is a rootkit detector for us “average users” that doesn’t require a MIT degree.”
And, there is.
Kaspersky Labs has developed the free TDSSKiller utility, which is designed to detect and remove common Rootkits – specifically, Rootkits in the Rootkit.Win32.TDSS family (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) – in addition to regular Rootkits (now, there’s a misnomer), as well as Bootkits.
Usage instructions:
Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (free 7-Zip, for example).
Run the TDSSKiller.exe file.
The utility can detect the following suspicious objects:
Hidden service – a registry key that is hidden from standard listing.
Blocked service – a registry key that cannot be opened by standard means.
Hidden file – a file on the disk that is hidden from standard listing.
Blocked file – a file on the disk that cannot be opened by standard means.
Forged file – when read by standard means, the original content is returned instead of the actual one.
BackBoot.gen – a suspected MBR infection with an unknown bootkit.
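Since the article describes Sector 0 as the place a bootkit overwrites, and TDSSKiller reports a suspected MBR infection as BackBoot.gen, here is an added example (my own code, not part of the article or of TDSSKiller) of the kind of baseline check a defender can run on a saved copy of sector 0: it parses the MBR layout, verifies the 0x55AA signature, and compares the boot-code hash against a known-good value. The sample sector and the baseline hash are constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511 must hold this signature


def parse_mbr(sector):
    """Split a 512-byte sector 0 image into boot code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means sector 0 matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootkit overwrite)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


# Constructed sample sector 0 (not from a real disk): stub boot code, one bootable NTFS partition.
_buf = bytearray(SECTOR_SIZE)
_buf[:BOOT_CODE_LEN] = b"\xEB\x3C\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
_buf[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
_buf[510:512] = MBR_SIGNATURE
CLEAN_MBR = bytes(_buf)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # in practice, recorded from a known-clean system

# A copy whose boot code bytes have been altered, standing in for an overwritten sector 0.
ALTERED_MBR = CLEAN_MBR[:16] + b"\xFF" * 32 + CLEAN_MBR[48:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("altered:", check_mbr(ALTERED_MBR, BASELINE))
```

On a live Windows system the 512 bytes would be read from the physical drive with administrator rights; the baseline hash must come from the same machine while it is known to be clean, since boot code legitimately differs between Windows versions and OEM images.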
The interface (shown below) is clean and simple.
A scan in progress.
The completed scan shows the system is clean and free of Rootkit infections. You’ll note that the scan finished in 10 seconds.
Following the scan, you will have access to a full report – if you choose.
System requirements: Win 7, Vista, XP (both 32 and 64 bit systems).
Download at: Kaspersky
Since false positives are always a major consideration when using tools of this type, you should be aware that tools like this are designed for advanced users and above.
If you need help identifying a suspicious file or files, you can send them to VirusTotal.com so that they can be analyzed.
To read a blow by blow description of just how difficult it can be to identify and remove a Rootkit, you can check out this Malwarebytes malware removal forum posting.
Hey Bill,
Nice. Super quick too. I like it.
Cheers
Hi Mal,
Quick like a bunny, huh? 🙂
Best,
Bill
Bill,
Did I read this correctly — that a rootkit can survive a reformat? If true, (1) this is something I was previously unaware of, and (2) this is very scary. Does anyone know how the rootkit runs if all of the files are erased, and does it relate to Alternate Data Streams?
-Eric
Hi Eric,
Frankly, I think that this is an overblown issue. I have never seen an occurrence, nor has anyone I know personally. Despite that fact, the issue is occasionally raised at security tech group meetings I attend. Rather than create a false sense of alarm I have deleted this reference.
As I understand it, there have been BIOS-based Rootkit “proof of concepts” offered – but, they don’t always translate well in the real world. Still, given how often long standing vulnerabilities are suddenly “discovered” (sort of, we didn’t know that we didn’t know), my preference will remain a low level format. Maybe an overreaction but, that’s my comfort zone.
Bill
“Just wondering if there is a rootkit detector for us “average users” that doesn’t require a MIT degree.”
Wrong Michael LOL
Regards
Michael
Hi Michael,
Yikes!!
I definitely shouldn’t write this stuff while I’m away on vacation – my natural sloppiness comes right to the fore.
Please accept my apologies. 🙂
Best,
Bill
Hey Bill. Thanks for breaking this down step-by-step and including the link to understand how tricky Rootkits really can be. You mentioned it’s helpful to scan for Rootkits occasionally, but how often would you suggest doing this?
Hey Alexandra,
I do a Rootkit scan every second Sunday – maybe a bit paranoid but….
Bill
Bill is it too complicated for me to use?
I think skill level BEFORE coming to your blog was pre-school, now after a year, I THINK “oh yeah really good” then I realize probably 3rd grade of elementary school. Yet the pictures you give reminds me of all the other AV AM stuff, but that doesn’t mean anything. Glad it can KILL them not just find them.
One of the most important things I’ve learned from you is that WE CAN NEVER RELAX, we can never say, “NOW IT IS ALL SAFE & SECURE”
Keep teaching us.
Fred
Hi Fred,
No, I don’t think this is too complicated for you.
If you should encounter any files spotlighted by the app, before you deal with them, you should Google the file name to be sure they present a threat.
Good to hear from you.
Best,
Bill
Bill I did it! I had your article open so I could read it as I DL the zip file, made a folder and extracted it to that folder. Did the installation and scan and in 13 seconds, NOTHING. Wow was that easy. I do have a followup question for you:
usually when I install a program, as far as I know, ALWAYS, there is a link whatever it is in the PROGRAMS section of the START UP Menu, or at least when I go to add/remove programs, the program would be listed there. Nothing for Kaspersky, what do you make of that?
Thanks again, as always,
Fred
Hi Fred,
The application doesn’t install to the drive. It’s an .exe file only – sort of like a portable application (doesn’t write Registry entries and so on).
Best,
Bill