Monday, April 20, 2009

What Is a Rootkit and How Can It Be Removed?

Do you know what a rootkit is? Until recently, I knew that only from a theoretical perspective. Last week, I got a great opportunity to familiarize myself with one. The story started from the fact that every morning for three days in a row, my computer froze. I performed an experiment and left it with no open applications, and it still got stuck as before. I suspected system corruption and attempted to run chkdsk, but my system refused to do so. And that was a big warning sign, as you understand. Suddenly, I could hear a clear audio advertisement broadcast from my computer. I closed all windows and running programs, but the ads did not disappear. To make a long story short, it was a hidden rootkit that was eventually removed, and the computer's functionality has been restored. In this post, I will try to explain what a rootkit is and give some ways to remove it from your computer.

What Is a Rootkit?

A rootkit is a set of tools frequently used by intruders or crackers who have gained illicit access to a computer system. These tools serve to hide the processes and files that allow the intruder to maintain access to the system, often with malicious aims.
There are rootkits for a wide variety of operating systems, such as Linux, Solaris or Microsoft Windows. For example, a rootkit can hide an application that opens a console whenever the attacker connects to the system through a certain port. Kernel rootkits can contain similar functionality.
A backdoor can also allow processes launched by a user without administrator privileges to execute functionality reserved solely for the superuser. All kinds of tools useful for obtaining data illicitly can be hidden by means of rootkits.

What are their objectives?

They try to conceal other processes that are carrying out malicious actions on the system. For example, if there is a backdoor on the system for carrying out espionage tasks, the rootkit will hide the open ports that expose the communication; or if there is a system for sending spam, it will hide the activity of the mail system.

Rootkits, being designed to go unnoticed, cannot be detected. If a user tries to analyze the system to see which processes are running, the rootkit will show false information, listing all the processes except itself and those it is hiding. That is why my audio ad was not detectable through the normal process manager review.

Likewise, if someone tries to list the files on a system, the rootkit will return that information while hiding the existence of its own file and the files of the processes it hides.

When the antivirus makes a call to the operating system to verify what files it has, or when it tries to find out which processes are running, the rootkit will falsify the information, and the antivirus will not receive the correct information it needs to disinfect the system. That is why my AVG antivirus was not able to detect the malicious elements until the moment the rootkit was killed. Immediately afterwards, the antivirus program reported several infected files.

Rootkit Types

There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits

A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits

Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits

There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration.

Kernel-mode Rootkits

Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel’s list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.

Rootkit Removal

Despite what has been said, rootkits can be eliminated (although not so easily). These programs protect themselves by hiding and by preventing any other process (such as an antivirus) from detecting them. But for that process to be able to hide, it must be running and in memory.

The best way to keep the process from going into action is to avoid booting the operating system from the disk on which the rootkit resides, using a disk other than the one from the infected system, such as a CD. Then, if the rootkit is a known one, it can be eliminated.

Nevertheless, if the rootkit is not known (that is to say, it has been developed specifically for one particular system), any antivirus will fail. In this case, the technical problem is almost the lesser concern: there is a person who deliberately wants to harm your company and has gone to the trouble of breaking into the system to do so.
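The two ideas above, comparing two views of the same system and listing the disk after booting from other media, can be combined into a simple cross-view check. The following is an added example, not code from this post or from any tool it mentions; the file names, both listings and the ignore list are constructed, and it assumes each listing was produced with something like `dir /s /b /a`.

```python
import ntpath

# Constructed sample: listing taken inside the running (possibly lying) system.
LIVE_VIEW = r"""
C:\Windows\System32\kernel32.dll
C:\Windows\System32\drivers\acpi.sys
C:\Windows\System32\drivers\disk.sys
C:\Windows\Temp\~df1a2b.tmp
"""

# Constructed sample: same volume listed after booting from a CD, where the
# infected disk shows up under a different drive letter.
OFFLINE_VIEW = r"""
D:\WINDOWS\system32\kernel32.dll
D:\Windows\System32\drivers\acpi.sys
D:\Windows\System32\drivers\disk.sys
D:\Windows\System32\drivers\examplehide.sys
D:\Windows\System32\examplehide.dll
D:\Windows\Temp\shutdown.log
"""

# Assumption: directories whose contents legitimately change between the two
# snapshots and would otherwise show up as false positives.
IGNORE_PREFIXES = ("\\windows\\temp\\",)


def normalize(path):
    """Drop the drive letter and fold case (Windows paths are case-insensitive)."""
    _drive, tail = ntpath.splitdrive(path.strip())
    return ntpath.normpath(tail).lower()


def load(listing):
    """Map normalized path -> original line for every non-empty line."""
    return {normalize(line): line.strip() for line in listing.splitlines() if line.strip()}


def hidden_from_live_view(live, offline, ignore=IGNORE_PREFIXES):
    """Return files present on disk offline but absent from the live listing."""
    live_paths, offline_paths = load(live), load(offline)
    missing = offline_paths.keys() - live_paths.keys()
    return sorted(offline_paths[p] for p in missing if not p.startswith(ignore))


if __name__ == "__main__":
    for path in hidden_from_live_view(LIVE_VIEW, OFFLINE_VIEW):
        print("not visible from the running system:", path)
```

A non-empty result is a lead to examine rather than a verdict, since files created between the two snapshots appear in it too.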

While there are several free utilities to resolve the rootkit infection problem, I will present the one that worked for me (actually, it was the first I tried). The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware. It is highly effective at removing malware that is hooked deeply into the operating system itself, which is often difficult for standard tools.

While it is a very powerful tool for software professionals, it can also be used by everyone in a safe, automatic rootkit detection and removal mode. Just check the "Scan for Rootkits" box and The Avenger will scan for rootkit drivers hidden from the operating system. The utility can also automatically disable any hidden drivers it finds. However, it is strongly recommended to examine the results of a rootkit scan before you authorize The Avenger to disable anything.

Download the file from the link. Note that it is completely portable, and no installation is needed to fight your enemy.
