If you want to know more about rootkit detection, then this is the perfect article for you. Rootkits are a sophisticated type of malware that gives its creator (usually an attacker, but not always) a back door into a system: remote, administrator-level access to and control over a computer or network. Malicious rootkits target user-mode applications and often disable anti-virus and anti-malware software.
Rootkit detection is difficult because these threats, by their nature, hide traces of themselves. Attackers use rootkits to stay hidden and inactive for a period of time until they choose to execute files or change configurations. Rootkits can also be used to spy on a legitimate user, enrol the victim computer in a botnet to launch DDoS attacks, escalate privileges, establish persistence and exfiltrate (“call home”) sensitive data.
Rootkit Installation Methods
Rootkit techniques are emerging rapidly in a variety of places, including commercial security products and seemingly innocuous third-party application extensions. Rootkits can be installed on a computer in a number of ways; the steps below help you detect and defend against them:
1. Scan your system memory
Monitor every entry point into a process as it is called, and keep track of imported library calls (from DLLs) that can be hooked or redirected to other functions, including those that load device drivers.
2. Seeking the truth – Exposing API Dishonesty
A good rootkit detection application for Windows is RootkitRevealer, by Windows security analysts Bryce Cogswell and Mark Russinovich. This small binary (190KB) compares the file system and registry as reported by the Windows API with the raw on-disk structures (the master file table and the directory index) and reports anything that is hidden from the API view.
In addition, Jamie Butler, author of the highly recommended book Subverting the Windows Kernel: Rootkits, developed a tool called VICE that routinely checks for hooks in APIs, lookup tables and function pointers. RootkitRevealer may take some time because it does an exhaustive search: first it scans the registry hives, then it examines the C: directory tree for known rootkit locations and signatures, and finally it does a quick scan of the entire C: volume.
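The two checks described in steps 1 and 2 above reduce to a small amount of logic: compare what the API reports with what the raw structures hold, and check that each imported function still points into the module that exports it. The following Python script, added here as an illustration and not taken from RootkitRevealer or VICE, does both on constructed data; the paths, registry keys, module ranges and addresses are fictitious sample values.

```python
"""Cross-view listing comparison and import-hook check on constructed data.

Illustration written for this article (not RootkitRevealer's or VICE's code):
  1. cross_view_diff() compares the objects reported by the high-level Windows
     API with a low-level enumeration (raw directory index / hive data). An
     object present only in the raw view is being hidden from the API.
  2. find_hooked_imports() checks that every imported function resolves to an
     address inside the module that legitimately exports it. A pointer that
     lands in some other module has been redirected (hooked).
All paths, module ranges and addresses below are constructed sample values.
"""
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Canonical form for Windows paths and registry keys (case-insensitive)."""
    return name.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(api_view, raw_view):
    """Return objects hidden from the API and objects only the API reports."""
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    return {"hidden_from_api": sorted(raw - api), "api_only": sorted(api - raw)}


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def find_hooked_imports(imports, modules):
    """imports: {(dll, function): resolved address}; modules: {dll: ModuleRange}.

    Flags entries whose address lies outside the exporting module's range and
    names the module that actually owns the address, if any.
    """
    hooked = []
    for (dll, func), addr in imports.items():
        expected = modules.get(dll.lower())
        if expected is None:
            hooked.append((dll, func, addr, "exporting module not loaded"))
        elif not expected.contains(addr):
            owner = next((m.name for m in modules.values() if m.contains(addr)),
                         "unmapped region")
            hooked.append((dll, func, addr, f"points into {owner}"))
    return hooked


# Constructed sample: what the API reports versus what the raw structures hold.
API_VIEW = [
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\drivers\disk.sys",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]
RAW_VIEW = API_VIEW + [
    r"C:\Windows\System32\drivers\sample_hidden.sys",                    # hidden file
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample_hidden",  # hidden value
]

# Constructed sample: module map and an import table with one redirected entry.
MODULES = {
    "ntdll.dll": ModuleRange("ntdll.dll", 0x7FF8_0000_0000, 0x20_0000),
    "kernel32.dll": ModuleRange("kernel32.dll", 0x7FF8_1000_0000, 0x10_0000),
    "sample_hook.dll": ModuleRange("sample_hook.dll", 0x7FF8_2000_0000, 0x1_0000),
}
IMPORTS = {
    ("ntdll.dll", "NtQueryDirectoryFile"): 0x7FF8_0001_0000,      # inside ntdll
    ("ntdll.dll", "NtQuerySystemInformation"): 0x7FF8_2000_1000,  # inside sample_hook.dll
    ("kernel32.dll", "CreateFileW"): 0x7FF8_1000_2000,            # inside kernel32
}

if __name__ == "__main__":
    for kind, names in cross_view_diff(API_VIEW, RAW_VIEW).items():
        print(kind, names)
    for entry in find_hooked_imports(IMPORTS, MODULES):
        print("HOOKED:", entry)
```

On a real system the two views would come from the documented API on one side and a raw read of the volume or hive file on the other; the comparison itself, and the rule that a resolved import must fall inside its exporting module, stay the same.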
3. Stay up to date with the latest antivirus and malware protection software from leading antivirus and security providers
Sysinternals and F-Secure offer independent rootkit detection tools (RootkitRevealer and BlackLight). Microsoft has also built rootkit detection into its own malware removal tool.
4. Update your firewall protection
Remember that for an attacker to remain stealthy, it is imperative that they can re-enter a machine once it has been compromised. While firewalls do not mitigate application-level risk, they can be a significant obstacle to an attacker if they prevent re-entry into a victim’s computer.
5. Harden your workstation or server against attacks
The National Security Agency publishes a Windows Environments Hardening Policy, which is a great starting point for learning about preventative measures against system intrusions.
How rootkits are distributed
Rootkits are often spread through blended threats. A blended threat uses multiple vulnerabilities to launch an attack. In the case of rootkits, it uses a dropper and a loader. The dropper is the software that installs the rootkit on a system; it may arrive as an email attachment or an infected download. The loader is the code that starts the rootkit.
Rootkit detection methods
It is notoriously difficult to detect and remove rootkits because, as mentioned earlier, they hide themselves. In addition, once an operating system has been compromised, it is unlikely to reveal unauthorized changes, and it cannot be trusted to behave as it normally should. This means that rootkits can usually only be found if they have a defect. To make matters even more complicated, malware authors test their rootkits against rootkit detection tools and customize them to evade detection, making them even harder to find.
However, there are some useful rootkit detection methods such as:
- Use a logging solution to receive alerts for unusual traffic.
- Use a behavior analysis tool to find unusual behaviors, including the behaviors commonly reported for rootkits.
- Examine the system in question from a known clean machine. In this new environment, use runtime tools to find rootkit components.
- Perform a rootkit scan. Today, many major anti-malware vendors have their own rootkit scanners, and some are even free.
- Use static machine learning analysis to detect rootkits and prevent them from running.
- Apply a variety of investigative detection techniques.
Fortunately, as is common in security, this is more of an arms race than a one-sided victory. As rootkits have become more sophisticated and diverse, so have the tactics and tools available to deal with them. Examples of rootkit detection methods include:
A trusted analytics host
To work around the problem of a compromised operating system that may have been modified to hide a rootkit, use another host with an operating system known to be clean for your scan. For example, a CD cannot be overwritten or compromised, and the system can be booted from it.
Signature based
Just as antivirus solutions look for predictable signatures, byte-level rootkit detection can do the same, but this approach is usually only effective against older, known threats.
Behavior based
Once installed, rootkits alter system performance in subtle but sometimes noticeable ways. For example, API calls may become slower and CPU usage may increase. A known clean system with otherwise identical hardware and software can be used as a benchmark to aid rootkit detection.
Integrity check
The idea here is to compare key files or Windows registry entries on a suspect host with clean samples to see if they have been changed in any way.
Difference based
Are the binaries installed on disk the same as their RAM-resident counterparts in a running system? If not, that’s a bad sign (although false positives are possible too).
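The integrity check and the difference-based check above are both comparisons against a trusted copy. The following Python script, added here as an illustration (not code from any of the tools named in this article), builds a SHA-256 baseline of key files, re-hashes them later and reports what changed, and then compares a binary's on-disk bytes with an image captured from memory. The directory tree, file contents and the two byte strings are constructed in a temporary directory so the script runs anywhere; the "memory image" is a hand-made sample, not a real capture.

```python
"""Integrity baseline for key files, plus a disk-vs-memory image comparison.

Illustration written for this article, not a tool's own code. The files and
byte strings are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style path) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared and files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def first_divergence(disk_image: bytes, memory_image: bytes):
    """Offset of the first byte where the two images differ, or None if identical.

    A rootkit that patches code in memory leaves the disk copy intact, so the
    in-memory image diverges from the on-disk one at the patched location.
    """
    n = min(len(disk_image), len(memory_image))
    for i in range(n):
        if disk_image[i] != memory_image[i]:
            return i
    return None if len(disk_image) == len(memory_image) else n


def run_demo() -> dict:
    """Build a baseline, tamper with the tree, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"MZ\x90\x00 clean service image")
        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00 helper library")
        (root / "config.ini").write_text("autostart=0\n")
        baseline = build_baseline(root)           # the "clean sample"

        # Constructed tampering after the snapshot: patch one binary, delete
        # another, and drop a new file into the tree.
        (root / "bin" / "svc.exe").write_bytes(b"MZ\x90\x00 clean service image\x90")
        (root / "bin" / "helper.dll").unlink()
        (root / "sample_driver.sys").write_bytes(b"constructed new file")
        report = compare_baseline(baseline, build_baseline(root))

    # Constructed disk vs memory sample: the in-memory copy has a jump patched
    # in at offset 4 where the disk copy still holds the original instruction.
    on_disk = b"\x55\x48\x89\xe5\x48\x83\xec\x20"
    in_memory = b"\x55\x48\x89\xe5\xe9\x00\x10\x00"
    report["divergence_offset"] = first_divergence(on_disk, in_memory)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The baseline must be taken and stored where the suspect host cannot alter it (for example on the trusted analysis host described above); a baseline kept on the compromised machine can be rewritten along with the files it is meant to protect.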
Memory dumps
Rootkit detection can also be done by scanning virtual memory dumps, since the rootkit is not able to detect and block a scan of a dump.
Conclusion
As you can see, rootkits pose a formidable threat, and not just because they are sometimes installed by vendors (like Sony) or created by bad actors (like hackers). They are changing incredibly quickly as researchers open up new horizons.
Did you know that in 2020 the Jellyfish rootkit was developed to show that it was possible to install a rootkit in a graphics processor? In this way, it inherits the processing power of the GPU hardware while at the same time gaining a new and impressive hiding place: a location in the host that is beyond the reach of most OS-based rootkit detection tools. For more info about protecting your computer, you can visit our features page. Don’t forget to like and share this post. 🙂