[Update] Sysinternals - RootkitRevealer 1.4


Gordon Darling

Last Updated: April 7, 2005 v1.4

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

"RootkitRevealer is an advanced patent-pending root kit detection utility.
It runs on Windows NT 4 and higher and its output lists Registry and file
system API discrepancies that may indicate the presence of a user-mode or
kernel-mode rootkit. RootkitRevealer successfully detects all persistent
rootkits published at www.rootkit.com, including AFX, Vanquish and
HackerDefender (note: RootkitRevealer is not intended to detect rootkits
like Fu that don't attempt to hide their files or registry keys). If you
use it to identify the presence of a rootkit please let us know!

The reason that there is no longer a command-line version is that malware
authors have started targeting RootkitRevealer's scan by using its
executable name. We've therefore updated RootkitRevealer to execute its
scan from a randomly named copy of itself that runs as a Windows service.
This type of execution is not conducive to a command-line interface. Note
that you can use command-line options to execute an automatic scan with
results logged to a file, which is the equivalent of the command-line
version's behavior.

What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby
malware, including viruses, spyware, and trojans, attempt to hide their
presence from spyware blockers, antivirus, and system management
utilities. There are several rootkit classifications depending on whether
the malware survives reboot and whether it executes in user mode or kernel
mode.


Persistent Rootkits
A persistent rootkit is one associated with malware that activates each
time the system boots. Because such malware contains code that must be
executed automatically at each system start or when a user logs in, it must
store code in a persistent store, such as the Registry or file system, and
configure a method by which the code executes without user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and
therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For
example, a user-mode rootkit might intercept all calls to the Windows
FindFirstFile/FindNextFile APIs, which are used by file system exploration
utilities, including Explorer and the command prompt, to enumerate the
contents of file system directories. When an application performs a
directory listing that would otherwise return results that contain entries
identifying the files associated with the rootkit, the rootkit intercepts
and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients
and kernel-mode services and more sophisticated user-mode rootkits
intercept file system, Registry, and process enumeration functions of the
Native API. This prevents their detection by scanners that compare the
results of a Windows API enumeration with that returned by a native API
enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they
intercept the native API in kernel-mode, but they can also directly
manipulate kernel-mode data structures. A common technique for hiding the
presence of a malware process is to remove the process from the kernel's
list of active processes. Since process management APIs rely on the
contents of the list, the malware process will not display in process
management tools like Task Manager or Process Explorer.

How RootkitRevealer Works

Since persistent rootkits work by changing API results so that a system
view using APIs differs from the actual view in storage, RootkitRevealer
compares the results of a system scan at the highest level with that at
the lowest level. The highest level is the Windows API and the lowest
level is the raw contents of a file system volume or Registry hive (a hive
file is the Registry's on-disk storage format). Thus, rootkits, whether
user mode or kernel mode, that manipulate the Windows API or native API to
remove their presence from a directory listing, for example, will be seen
by RootkitRevealer as a discrepancy between the information returned by
the Windows API and that seen in the raw scan of a FAT or NTFS volume's
file system structures.

Can a Rootkit hide from RootkitRevealer? It is theoretically possible for
a rootkit to hide from RootkitRevealer. Doing so would require
intercepting RootkitRevealer's reads of Registry hive data or file system
data and changing the contents of the data such that the rootkit's
Registry data or files are not present. However, this would require a
level of sophistication not seen in rootkits to date. Changes to the data
would require both an intimate knowledge of the NTFS, FAT and Registry
hive formats, plus the ability to change data structures such that they
hide the rootkit, but do not cause inconsistent or invalid structures or
side-effect discrepancies that would be flagged by RootkitRevealer.

Is there a sure-fire way to know of a rootkit's presence? In general, not
from within a running system. A kernel-mode rootkit can control any aspect
of a system's behavior so information returned by any API, including the
raw reads of Registry hive and file system data performed by
RootkitRevealer, can be compromised. While comparing an on-line scan of a
system and an off-line scan from a secure environment such as a boot into
a CD-based operating system installation is more reliable, rootkits can
target such tools to evade detection by even them.

The bottom line is that there will never be a universal rootkit scanner,
but the most powerful scanners will be on-line/off-line comparison
scanners that integrate with antivirus."

Regards
Gordon
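The high-level versus low-level comparison described in the quoted text, as an added Python example; this is not Sysinternals code and not how RootkitRevealer is implemented. Both views, the file names and sizes in them, and the discrepancy labels are constructed for illustration; on a real system the API view would come from FindFirstFile/FindNextFile and the raw view from parsing the volume's on-disk structures.

```python
"""Cross-view discrepancy check: compare a Windows API directory
enumeration against a raw on-disk view and report inconsistencies
(added example, not Sysinternals or RootkitRevealer code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # full path, as each view reports it
    size: int   # byte length, as each view reports it


# Constructed sample: what the Windows API enumeration returned.
API_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 989_696),
    Entry(r"C:\Windows\Temp\~df1.tmp", 0),
    Entry(r"C:\Windows\System32\config\SAM", 262_144),
]
# Constructed sample: what a raw parse of the NTFS volume found.
RAW_VIEW = [
    Entry(r"C:\Windows\System32\KERNEL32.DLL", 989_696),     # case differs only
    Entry(r"C:\Windows\System32\config\SAM", 262_144),
    Entry(r"C:\Windows\System32\drivers\hidden.sys", 12_288),  # absent from API
    Entry(r"C:\Windows\Temp\~df1.tmp", 4_096),                # size differs
]


def _key(path: str) -> str:
    # NTFS/FAT names are case-insensitive, so compare case-folded paths;
    # a name that differs only by case is not a discrepancy.
    return path.casefold()


def cross_view_diff(api_view, raw_view):
    """Return a sorted list of (path, reason) for every inconsistency.
    The reason strings are constructed labels for this example."""
    api = {_key(e.path): e for e in api_view}
    raw = {_key(e.path): e for e in raw_view}
    findings = []
    for k, e in raw.items():
        if k not in api:
            findings.append((e.path, "hidden from Windows API"))
        elif api[k].size != e.size:
            findings.append((e.path, f"size mismatch: API {api[k].size}, raw {e.size}"))
    for k, e in api.items():
        if k not in raw:
            # Can happen legitimately (file created or deleted between the
            # two scans), which is why such results still need manual review.
            findings.append((e.path, "visible in Windows API but not in raw scan"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{path}: {reason}")
```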
 

SweetAndyLicious

Arrrghhh, I just installed 1.32 version today and already out of date. ;)
 
