Re: RSA: Microsoft on 'rootkits': Be afraid, be very

bcool, Premium Member, join:2000-08-25
2005-Feb-19 5:15 am
Thank you!

jig, join:2001-01-05 Hacienda Heights, CA
to DaveDude
my favorite
it all comes down to this.

lgkahn7, Premium Member, join:2005-02-15 Londonderry, NH
2005-Feb-19 7:17 am
I've never understood why Internet Explorer allows software to install to the registry or write new files without prompting you.. why is there no prompt period or an option to disallow any registry change etc.... regardless of what security level you have set.

astirusty, Premium Member, join:2000-12-23 Henderson, NV (1 edit)
to PageTurner
Not trying to hack anybody off: but have any of these anti-rootkit tools been vetted by independent trusted sources? I could see how a rootkit hacker could have hacked into a site and added their own code to one of these tools to where it ignores the hacker's own rootkit.

antdude (Zombie Ant), Premium Member, join:2001-03-25 US
2005-Feb-19 10:26 am
to jig
said by jig: it all comes down to this.
Funny! I love it!

psloss, Premium Member, join:2002-02-24
2005-Feb-19 10:30 am
to spy1
said by spy1: Most are pretty esoteric for the average user (me) and/or require scans to be run on the computer in question by another computer known to be clean.
Not another computer, necessarily -- though that will work. Rootkits pervert the operating system software, so the infected OS needs to be scanned from another operating system known to be clean. I agree, though, that no one has yet made it easy enough for home Windows users to detect and clean rootkits, but many of the pieces are there.
Going back to Steve's analogy ("I'm smarter than the guy who rooted my box."), the problem I still see here if kernel and even usermode rootkits abound is: "Am I patient enough to reinstall all the software on my Dell?" (As an example.) Which might lead into the question "Am I obligated to reinstall all the software on my Dell?" Hmmm... that kind of tangentially touches on subjects in the long thread on the concept of computer operator negligence, too. Sorry.
Philip Sloss

to EGeezer
said by EGeezer: New release (2.x) of PF ... With this tool you should be able to detect even the newest versions of such rootkits like: Hacker Defender, APX, Vanquish, He4Hook, and many more...
Bypassing PatchFinder 2

Martinus
to psloss
said by psloss: Rootkits pervert the operating system software, so the infected OS needs to be scanned from another operating system known to be clean.
Would booting from a WinPE, BartPE or Knoppix CD do the trick?

psloss, Premium Member, join:2002-02-24
to znide
said by znide: In ring 0, you can do an awful lot of damage to a computer's hardware as well. This is what I'm afraid of more than the other bullshit. To give you an idea of how powerful ring0 is, you can turn off a CPU fan from ring 0.
Or do something like the Witty worm, which was just user mode... The thing about this is, though, that the bad guys pretty much want to use your computer and its running operating system, not trash it. There's no financial opportunity for the bad guys with a trashed computer, because after the system is trashed, even they can't use it.
Philip Sloss

psloss
to Martinus
said by Martinus:
  said by psloss: Rootkits pervert the operating system software, so the infected OS needs to be scanned from another operating system known to be clean.
  Would booting from a WinPE, BartPE or Knoppix CD do the trick?
Yes, from those you could scan an infected operating system. (And even attempt to clean it.) You still need to provide the scanner, though there have been a few distributions mentioned recently that do just that... (Only the latter two are really options for home users.)
Philip Sloss

Martinus, Premium Member
2005-Feb-19 11:00 am
said by psloss: Yes, from those you could scan an infected operating system. (And even attempt to clean it.)
Thanks. And this - attempting to clean the system - may very well be impossible unless you have the right tools for it, I guess. So, are there any reliable tools to deal with Windows rootkits? What role do AVs - KAV, McAfee, etc. - play in this scenario, assuming you boot from a clean environment? Will they be able to detect the rootkit and clean the infected system?

Vampirefo, Premium Member, join:2000-12-11 Huntington, WV
2005-Feb-19 11:09 am
KAV, McAfee and any top AV detect the rootkit. There are many ways to remove the rootkit; here is another, posted here on dslreports, on how to find them:
» Re: rootkit
Anything installed on a computer can be removed, it's that simple.

Steve (I know your IP address), join:2001-03-10 Tustin, CA
2005-Feb-19 11:15 am
said by Vampirefo: Anything installed on a computer can be removed, it's that simple.
And any credibility you have ever had in this forum has been removed too, it's that simple.

psloss, Premium Member, join:2002-02-24
to Martinus
said by Martinus: So, are there any reliable tools to deal with Windows rootkits? What role do AVs - KAV, McAfee, etc. - play in this scenario assuming you boot from a clean environment? Will they be able to detect the rootkit and clean the infected system?
Well, this just brings us back to the question of whether one should even bother to clean a rootkit.
Thinking about this more, here's my pet example again: a Microsoft-sanctioned WinPE-based boot CD-R in the hands of consumers that had Microsoft's anti-spyware software on it, could get an IP address, and could do some limited browsing. After booting, the system could be taken to an online AV scanner (like TrendMicro's) and also to update the anti-spyware signatures. If those can scan and clean the offline operating system, does that theoretically mean the system is equivalently clean to one in which malware is "cleaned" by software from within the "normal" OS install?
This would change the question Steve asked to: "Is the 'widget' division (I don't know the name, or even if it's a division) at Microsoft smarter than the guy that rooted my computer?" I'm still not sure of the answer myself, but in my opinion it would be a good idea to give all those XP Home users this ability. (One of the downsides being that prevention is still a more ideal way to deal with this and this just prolongs the Windows institution of allowing the system to be compromised in the first place.)
If the answer to the question Steve asked is still no, then the procedure is straightforward to wipe all the partitions on the infected computer and reinstall all the software.
Philip Sloss

to Vampirefo
said by Vampirefo: KAV, McAfee and any top AV detect the rootkit. There are many ways to remove the rootkit; here is another, posted here on dslreports, on how to find them.
Thanks, Vampirefo. So any of these top AVs with updated definitions will be able to identify and block the rootkit before the harm is done, right? Glad to hear that.

EGeezer, Premium Member, join:2002-08-04 Midwest
to psloss
Good topic and discussion - my knowledge level on these things is much below Steve, Vampirefo, psloss and all you other folks - This topic triggers some questions on the repair from a known good system.
To me, the complexity and possible hindrances would be that the tool would have to have extensive information on the operating system and application files that may be on the infected system in order to prevent reinfection. For example, the rootkit could place a piece of itself in a commonly used non-OS application or driver, say a printer driver, word processor, CD burning, spreadsheet etc. that would detect a repaired OS and then reinfect the system from that program. Using the driver, opening or running the program could execute the "detect/repair" function of the rootkit.
Wouldn't the repair tool need to verify everything on the system, OS, applications, utilities, drivers, any OEM programs etc. to clean the system? If not, the rogue would still be there, trying - or succeeding - in reinfection.

Stumbles, join:2002-12-17 Port Saint Lucie, FL
to DaveDude
LOL They are just now realizing their system can be rooted.... gesh.

Steve (I know your IP address), join:2001-03-10 Tustin, CA
to EGeezer
said by EGeezer: Good topic and discussion - my knowledge level on these things is much below Steve, Vampirefo, psloss and all you other folks -
It's not at all clear your knowledge is less than Vampirefo's.

Martinus (2 edits)
to psloss
said by psloss: If the answer to the question Steve asked is still no, then the procedure is straightforward to wipe all the partitions on the infected computer and reinstall all the software.
Nothing like a good Ghost image from before you got hit. But how do you exactly know with these rootkits that the ghost image you assume is a pristine backup really is kosher? There must be some tools out there to find and expose rootkits, provided you boot from a clean environment. Let me put it this way: how do you know you have a rootkit installed when these bastards are so good at camouflaging and hiding? There must be some kind of computer activity generated by these rootkits that you can identify. What do rootkits really benefit from? Setting up a warez tftp server in your box? Stealing your online bank account passwords?

psloss, Premium Member, join:2002-02-24
to EGeezer
said by EGeezer: To me, the complexity and possible hindrances would be that the tool would have to have extensive information on the operating system and application files that may be on the infected system in order to prevent reinfection.
Good point(s). I've just been thinking of detection and removal. Repair would (I think) require integrating some of the repair options available off the Windows install CD. Among other things. And it doesn't address virally-infected third party software. As to prevention, I don't know if that can be addressed yet, because we're still stuck with a lot of consumer software that's incompatible with the preventative "stuff" in NT/2000/XP. So even if you could apply a security template externally to a "freshly disinfected" system, it's going to break some software.
Philip Sloss

Steve (I know your IP address), join:2001-03-10 Tustin, CA
to Martinus
said by Martinus: There must be some tools out there to find and expose rootkits, provided you boot from a clean environment.
I think the premise of Microsoft's tool is to run the tool on the infected system, which collects file checksums and the like, then run the tool again from BartPE or the like: if the sets of checksums don't match, it means the live system was lying to you about the filesystem. Then you know you're infected (though not necessarily how). Once you're infected, though, the game is over: Time to flatten and reload.
Steve
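As an added illustration (not code from the thread, nor from Microsoft's tool), the Python below carries out the cross-view check Steve describes, and the same comparison answers Martinus's earlier question about whether a Ghost image is really pristine: hash every file as the live OS reports it, hash the same disk again from a clean boot environment (or against a manifest saved from a known-clean install), and diff the two manifests. Both file trees and their contents are constructed sample data.

```python
import hashlib
from typing import Dict, List

# Constructed sample data (not real malware): the file tree as the running OS reports
# it, and the same disk as seen from a clean boot environment such as a BartPE CD.
# In practice each view is produced by walking the filesystem and reading the bytes.
LIVE_VIEW: Dict[str, bytes] = {
    "Windows/System32/ntoskrnl.exe": b"kernel image bytes",
    "Windows/System32/drivers/tcpip.sys": b"network driver bytes",
    "Program Files/App/app.exe": b"application binary bytes",
}
OFFLINE_VIEW: Dict[str, bytes] = {
    "Windows/System32/ntoskrnl.exe": b"kernel image bytes",
    "Windows/System32/drivers/tcpip.sys": b"network driver bytes PATCHED",  # differs on disk
    "Program Files/App/app.exe": b"application binary bytes",
    "Windows/System32/drivers/hidden.sys": b"not listed by the live OS",   # hidden from live view
}


def build_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its content; one manifest per view.
    The same function produces the baseline manifest of a known-clean install
    that a Ghost-style backup image can later be checked against."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def compare_views(live: Dict[str, str], offline: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests of the same disk.
    hidden:   on disk but absent from the live listing (file hiding)
    modified: same path, different hash (live OS handed back different bytes)
    phantom:  listed live but not present on disk
    An empty result for all three is the only outcome consistent with a truthful OS."""
    hidden = sorted(p for p in offline if p not in live)
    phantom = sorted(p for p in live if p not in offline)
    modified = sorted(p for p in live if p in offline and live[p] != offline[p])
    return {"hidden": hidden, "modified": modified, "phantom": phantom}


def run_check() -> Dict[str, List[str]]:
    """Run the cross-view comparison on the constructed sample trees."""
    return compare_views(build_manifest(LIVE_VIEW), build_manifest(OFFLINE_VIEW))


if __name__ == "__main__":
    for kind, paths in run_check().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

A discrepancy tells you the live view is untrustworthy, not which component is lying, which is exactly the "infected, though not necessarily how" outcome the post describes.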

Cudni (La Merma - Vigilado), MVM, join:2003-12-20 Someshire
to DaveDude
There are plenty of rootkits and plenty of tools that can find them and/or prevent them from being installed in the first place. There must be a rootkit being created... just now... that none of the above tools know about... until it is discovered.
Cudni

psloss, Premium Member, join:2002-02-24
to Steve
said by Steve: Once you're infected, though, the game is over: Time to flatten and reload.
This brings up another point in terms of the "repair" option: the more "stuff" one has to repair, the closer one is to doing a flatten and reload. In which case, why bother with the former...
Philip Sloss

psloss
to Cudni
said by Cudni: There are plenty of rootkits and plenty of tools that can find them and/or prevent them from being installed in the first place.
The operating systems will prevent the rootkit from being installed if it can't/isn't run as "root."
Philip Sloss

Vampirefo, Premium Member, join:2000-12-11 Huntington, WV (1 edit)
to Steve
said by Steve:
  said by Vampirefo: Anything installed on a computer can be removed, it's that simple.
  And any credibility you have ever had in this forum has been removed too, it's that simple.
Credibility is in the eye of the beholder. If people want to believe that rootkits can't be removed and they must format their drives, then they should just follow your poor advice. The more aware or knowledgeable people would test the rootkits and see how easy they really are to detect and remove, rather than just take your word on it, and format.

psloss, Premium Member, join:2002-02-24 (1 edit)
2005-Feb-19 11:48 am
said by Vampirefo: The more aware or knowledgeable people would test the rootkits and see how easy they really are to detect and remove, rather than just take your word on it, and format.
Can you point me to a reference on how to detect and remove an entrenched Windows kernel rootkit? Or, if you can write up the instructions here, that would be cool, too...
Thanks,
Philip Sloss

Steve (I know your IP address), join:2001-03-10 Tustin, CA
to Vampirefo
Well, considering that you're confused on safe mode, you're confused on the debug privilege, confused on systems programming in general, I can't see why your advice would carry any weight with anybody.