Earlier this week, in my Daily Net News column, I posted the following –
Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration.
That’s truly scary stuff – rootkits are not your common everyday piece of malware. As a reminder to regular readers that rootkits can be hunted down and eradicated, I’m reposting an edited version of an article first published in December of last year.
Rootkits use any number of techniques to hide, including concealing running processes from monitoring programs, and hiding files, and system data, from the operating system.
In other words, the rootkit files and processes will be hidden in Explorer, Task Manager, and other detection tools. It’s easy to see then, that if a threat uses rootkit technology to hide, it is going to be difficult to find.
So, scanning for Rootkits occasionally, is good practice, and if you have the necessary skills to interpret the results of a Rootkit scan, Tizer Rootkit Razor, appears to be a good choice to help you do this. I should be clear however, this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.
Since the false positive issue, is always a major consideration in using tools of this type, you should be aware that tools like this, are designed for advanced users, and above.
Here’s a reasonable test to determine if you have the skills necessary to use this application effectively. If you’re not capable of using, and interpreting, an application such as HiJackThis for example, it is unlikely that using this program would prove to be beneficial. On the other hand, if you can interpret the results of a HiJackThis scan, you’re probably “good to go”.
The user interface is dead simply – functional and efficient, as the following screens from my test system indicate. BTW, no Rootkits were found during this test. Or, after scanning with the additional tools listed below.
Main Screen: This page displays information related to your operating system and memory usage.
Smart Scan: This feature automatically scans all the critical areas in the system and displays hidden objects, making things easier for the user.
NOTE: The user is provided with a feature to fix the hidden object (if any).
Process Scan: This module scans processes currently running on the machine. A process entry will be highlighted in red if it is a hidden rootkit. The user can click on an individual process to display any hidden modules loaded by the process.
NOTE: The user is provided with the option to terminate processes and delete modules.
Registry Scan: This module scan is for hidden registry objects.
Smart Scan: A smart scan will scan the critical areas of the registry.
Custom View: This module provides a virtual registry editor view, hence enables the user to navigate through the registry and check for hidden keys or values. (Hidden keys/values will be highlighted)
Kernel Module Scan: This module scans for loaded drivers in the memory. A module entry will be highlighted in red if it is hidden.
NOTE: The user is provided with a feature to unload and delete a driver module from memory.
Services Scan: This module scans all installed services on the local machine. A particular service entry will be highlighted if it is hidden.
NOTE: The user is provided with start, stop, pause, and resume features. They may also change the startup type of service.
SPI Scan: This module lists all the LSPs installed in the system. This is read only information.
NOTE: The user can check for any unauthorized LSP installed.
SSDT Scan: This module scans for any altered value in the System Service Descriptor Table (SSDT). The process of alteration is termed as “Hooking.”
NOTE: The user can restore the altered value to its original value.
Ports Scan: This module will scan all open TCP and UDP ports. A particular port entry will be highlighted if it is hidden.
NOTE: The user is provided with the option to terminate the connection.
Thread Scan: This module will enumerate all running processes. The user can click on a particular process to view and scan all threads running in context of that process. Any hidden threads will be highlighted in red.
NOTE: The user is provided with the option to terminate a thread.
File/Object Scan: This module will scan for any hidden files in the system. The user selects a location on the computer to scan.
Click here to read about Tizer Rootkit Razor’s features, in comparison with other anti-rootkit applications.
System requirements: Windows XP, Vista, Win 7
Download at: Tizer Secure
Note: registration required.
If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything. To be safe, I occasionally use each of the rootkit detectors listed below, on my machines.
Microsoft Rootkit Revealer is an advanced root kit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. According to Microsoft, Rootkit Revealer successfully detects all persistent rootkits published at http://www.rootkit.com, including AFX, Vanquish and Hacker Defender.
IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.
This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.