Detecting and Removing Rootkits in a Nutshell
** FOR HJT HELPERS
The information provided is based on a presentation I gave at an IT event and at an academic institute. The presentation focused more on live demos, so not much textual or theoretical description is provided.
The categorization of rootkit detection and removal methods is based solely on my personal opinion. I would appreciate any feedback or reports of inaccuracies or fallacies found in this article:
abuibrahim0 AT gmail DOT com
Important guidelines to follow before removing a rootkit that has been found on a machine:
1. Backup all important data, emails, documents, etc.
- This is just a safety measure. Removing a rootkit can cause system instability, and anti-rootkit software may sometimes remove a system file along with the rootkit. This step is particularly important when using automatic tools for rootkit detection and removal.
2. Disconnect from the internet
3. Close down all scheduling/updating and other running background tasks.
4. Disable real-time monitoring programs
5. When scanning for a rootkit, do not use the computer at all
6. Use 2 or more rootkit scanners
- Never rely on the results of a single anti-rootkit program. Rootkits use different hiding techniques, and no single anti-rootkit tool can detect all of them.
Methods of Detecting and Removing Rootkits:
1. Automatic Detection and Removal
2. Semi-automatic Detection and Removal
3. Manual Detection and Removal
4. Advanced Detection and Removal
1) Automatic Detection and Removal:
Tools that automate the process of detecting rootkits and removing them. Minimal skill is required to use these tools.
1. F-Secure online scan: http://support.f-secure.com/enu/home/ols.shtml
2. AVG Anti-Rootkit
3. Trend Micro RootkitBuster
4. Panda Anti-Rootkit
5. Avira Antirootkit
6. McAfee Rootkit Detective
7. Sophos Anti-Rootkit
Disadvantages of using these automated tools:
1. Highly unstable software. I have used one once at the Rootkit Revelations forum and it destroyed Windows beyond repair.
2. Highly unpredictable: they sometimes report that they removed a rootkit when they actually did nothing.
3. Highly unreliable: they cannot find rootkits that use newer techniques.
The automatic tools are good, though, if you are removing the most popular or classic rootkits such as pe386.
2) Semi-automatic Detection and Removal:
- For more experienced users.
- You will need to distinguish rootkits from false positives.
- Such tools highlight entries that are predicted to be rootkits. For example, IceSword and GMER highlight services and processes that belong to rootkits, and RKUnhooker tags what is hidden.
3. Rootkit Unhooker
Detection and removal are split into two cases:
1. Rootkits that use drivers (more common):
- Two important indicators: a hidden service and the rootkit's files.
Rootkit files can be found in the process list (e.g. IceSword), the SSDT list (e.g. IceSword), a rootkit file scan (e.g. GMER), rootkit file browsing (e.g. DarkSpy), or from the service's image path in the registry.
- Rootkit removal steps:
Step 1: Stop or disable the service
Step 2: End the executable's process(es)
Step 3: Delete the service and related files
2. Rootkits that use inline hooking or DLL hooking, such as Vanquish (less common):
- One important indicator: the presence of a DLL file.
The DLL file can be found in two ways: a "Code Hook" scan using RKUnhooker (recommended), or a full file scan using GMER or any other anti-rootkit tool.
Note: GMER and IceSword do not automatically find this kind of rootkit. Only when a full file scan or rootkit file browsing is performed may some hidden files appear.
- Removal steps:
Step 1: Perform a "Code Hook" scan using RKUnhooker
Step 2: Highlight all entries related to the culprit DLL file and click 'unhook selected'
Step 3: End the related executable process(es) if applicable (e.g. vanquish.exe)
Step 4: Delete the DLL and related files
3) Manual Detection and Removal:
- Manual Detection Tools:
2. Rootkit Hook Analyzer
For how to know whether a rootkit is present in the RootkitRevealer results:
To learn how to interpret RootkitRevealer logs:
- Manual Removal Methods:
1. Manually deleting files in safe mode
- provided that the rootkit does not also use SafeBoot keys to remain hidden in safe mode
2. DOS commands
- may or may not work. HackerDefender can be completely deactivated and cleaned up using this method. In the commands below, RKservice is a placeholder for the rootkit's service name and RKregpath for its registry key path:
sc stop RKservice
sc delete RKservice
net stop RKservice
reg delete RKregpath
3. Manual Removal Tools
- Delete on reboot using KillBox
- ComboFix: the rootkit:: directive is not always needed. I found that file::, driver:: and killall:: are enough with most rootkits I have encountered.
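The following is an added example; it is not part of the original article and is not code from any of the tools named in it. It scripts, in PowerShell, the three removal steps for a driver-based rootkit from section 2 (stop/disable the service, end its process, delete the service and its files), locating the file through the service's image path in the registry as the article suggests, and it does the same work as the sc/net/reg commands listed under "DOS commands". The service name RKservice and the file paths are placeholders, and the function names Get-ServiceImagePath and Remove-RootkitService are chosen here. Run it from an elevated prompt, and use -WhatIf first to preview every action.

```powershell
# Added example (not from the article): scripted removal of a driver-based rootkit.
# Names used here are placeholders/assumptions; nothing below refers to a real rootkit.

function Get-ServiceImagePath {
    param([Parameter(Mandatory=$true)][string]$ServiceName)
    # The driver/executable path is stored in the service's ImagePath value
    # (the article's "service image path in the registry").
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $raw) { return $null }
    # Driver paths are usually relative ("system32\drivers\x.sys") or prefixed
    # with \??\ or \SystemRoot\; normalise them to an absolute path.
    $p = $raw -replace '^\\\?\?\\', '' -replace '^"', '' -replace '"$', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Remove-RootkitService {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,
        # Related files found by a file scan (GMER) or file browsing (DarkSpy)
        [string[]]$ExtraFiles = @()
    )
    $image = Get-ServiceImagePath -ServiceName $ServiceName
    Write-Host "Service '$ServiceName' image path: $image"

    # Step 1: stop and disable the service (equivalent of "sc stop" / "sc config start= disabled").
    # If sc.exe cannot see the hidden service at all, do this step from IceSword/RKUnhooker instead.
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop and disable service')) {
        & sc.exe stop $ServiceName | Out-Null
        & sc.exe config $ServiceName start= disabled | Out-Null
    }

    # Step 2: end any process running the executable. A rootkit that hides its
    # process will not appear here; end it from the anti-rootkit tool in that case.
    if ($image) {
        $procs = Get-Process | Where-Object { try { $_.Path -and ($_.Path -ieq $image) } catch { $false } }
        foreach ($proc in $procs) {
            if ($PSCmdlet.ShouldProcess("$($proc.Name) (PID $($proc.Id))", 'Stop process')) {
                Stop-Process -Id $proc.Id -Force
            }
        }
    }

    # Step 3: delete the service, its registry key (equivalent of "sc delete" / "reg delete")
    # and the related files. The key may only disappear after a reboot if the driver is still loaded.
    if ($PSCmdlet.ShouldProcess($ServiceName, 'Delete service and registry key')) {
        & sc.exe delete $ServiceName | Out-Null
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force -ErrorAction SilentlyContinue }
    }
    foreach ($f in @($image) + $ExtraFiles) {
        if ($f -and (Test-Path -LiteralPath $f)) {
            if ($PSCmdlet.ShouldProcess($f, 'Delete file')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }
}

# Usage with placeholder names: preview first, then run for real.
Remove-RootkitService -ServiceName 'RKservice' -WhatIf
# Remove-RootkitService -ServiceName 'RKservice' -ExtraFiles 'C:\WINDOWS\system32\rk_placeholder.dll'
```

Back up before running it, as the article's first guideline says: the script deletes whatever the service's ImagePath points to, so confirm with a second anti-rootkit tool that the service is really the rootkit's and not a legitimate driver.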
4) Advanced Detection and Removal:
1. Slaving the hard drive to another computer and performing a normal anti-virus scan
2. Using a bootable CD-ROM such as BartPE or UBCD4Win
3. Offline file comparisons: http://staff.kfupm.edu.sa/coe/shafei/index_files/Page1443.htm
4. MBR rootkits:
- Detection: see http://www2.gmer.net/mbr/
As you can observe, the presence of the string "\Device\Harddisk0\DR0" anywhere in a GMER log indicates an MBR rootkit, regardless of its variant. However, you may first need to verify that the changes to the MBR were not made by a legitimate application such as Acronis.
- Removal:
1. Windows Recovery Console:
Windows XP/2k: fixmbr
Windows Vista: bootrec.exe /fixmbr
2. Stealth MBR rootkit detector 0.2.2 by GMER:
3. ESET Mebroot Remover:
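The following is an added example, not part of the original article and not GMER's own code: a small PowerShell triage helper that applies the article's rule to a saved GMER log, flagging every line containing "\Device\Harddisk0\DR0" and attaching the two follow-ups the article gives (check for a legitimate MBR modifier such as Acronis; fix with fixmbr or bootrec.exe /fixmbr from the Recovery Console). The function name Find-MbrRootkitIndicator is chosen here, and the sample log text is constructed for the demo; it is not genuine GMER output.

```powershell
# Added example (not from the article or from GMER): scan a GMER log for the MBR-rootkit indicator.

function Find-MbrRootkitIndicator {
    param([Parameter(Mandatory=$true)][string[]]$LogLines)
    $indicator = '\Device\Harddisk0\DR0'
    $hits = @()
    for ($i = 0; $i -lt $LogLines.Count; $i++) {
        # The article's rule: this string anywhere in the log points at an MBR rootkit.
        if ($LogLines[$i] -like "*$indicator*") {
            $hits += New-Object PSObject -Property @{ Line = $i + 1; Text = $LogLines[$i].Trim() }
        }
    }
    if ($hits.Count -gt 0) {
        # The log alone cannot tell a rootkit from a legitimate disk tool that rewrote the MBR.
        $note = 'Verify that no legitimate application (e.g. Acronis) modified the MBR. ' +
                'If it is a rootkit: fixmbr (XP/2k) or bootrec.exe /fixmbr (Vista) from the Recovery Console.'
    } else {
        $note = 'No MBR rootkit indicator found.'
    }
    New-Object PSObject -Property @{
        Indicator  = $indicator
        Suspicious = ($hits.Count -gt 0)
        Hits       = $hits
        Note       = $note
    }
}

# Constructed sample log (not real GMER output) to show the helper running offline.
$sampleLog = @'
---- Devices ----
Device  \Driver\atapi \Device\Ide\IdePort0   8A6C8EC5
---- Disk sectors ----
Disk  \Device\Harddisk0\DR0  sector 00: copy of MBR
Disk  \Device\Harddisk0\DR0  MBR rootkit code detected !
'@ -split "`r?`n"

$result = Find-MbrRootkitIndicator -LogLines $sampleLog
$result | Format-List
# On a real saved log:  Find-MbrRootkitIndicator -LogLines (Get-Content C:\gmer.log)
```

With the constructed sample, Suspicious is $true and Hits lists lines 4 and 5; the Note reminds the helper to rule out a legitimate MBR modifier before treating the log as an infection.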
Microsoft MVP – 2008