Wednesday, November 15, 2006

What are rootkits, and free rootkit-detecting software.

Anyone who is familiar with computer terminology knows what it means to have the privileges of the user at the root level. It simply means that the user has administrative powers. So if a program has the same privileges, it can bury itself into the operating system's Application Program Interface (API). It will thus have the power to be the middleman between the operating system and the programs that rely on it, deciding what those programs can see and do. Sitting in that position, it can mask itself from any normal anti-virus program. If an application tries to get the contents of a directory which holds one of the rootkit's files, the rootkit has the ability to censor that file name from the list. It even has the power to hide anything the person who put the rootkit on the PC wants hidden, such as password lists, mp3 files, etc.

All sorts of other tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against the computer systems the compromised system communicates with, such as sniffers and keyloggers.

Usually, after putting the rootkit on the PC, the attacker has to connect to the system through an open port on the PC, just like using any other backdoor program. But the difference here is that, as I mentioned earlier, rootkits are not easily detected by normal anti-virus tools.

Rootkits are typically not malicious by themselves but are used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what were known as full stealth viruses in the MS-DOS environment.

One of the scariest things is that once your computer is compromised by the hacker (a computer attached to the Internet that has been compromised by a security cracker, a computer virus, or a trojan horse is called a zombie computer), it can be used for further attacks by the hacker, and those attacks will appear to have originated from the compromised computer instead of the hacker's machine.

One of the ways to make sure you don't contribute to the installation of a rootkit on your PC is by accepting only digitally-signed device drivers.

F-Secure's Blacklight.
F-Secure, the Finland-based Internet security services firm, offers a free and very effective tool, which can even be used by beginners, to eliminate rootkits. It comes in a very small size (808 kb) and is called Blacklight. It has two versions.

One is the GUI (graphical user interface) version and the other is the command line version. The GUI version is very easy to use, even for beginners. The scan takes around 5 minutes. The software is a beta version and is free to use until Jan 2007.

Currently it is the only rootkit detector with a combination of a GUI and expert-level detection, which makes it easy to use for beginners. All other rootkit detectors, like RootkitRevealer and Gmer, are for advanced users.

If the rootkit detector detects hidden rootkit files, or files that have been hidden by a rootkit, the scan will show them in a list. To remove the files, first you need to rename the malware files by hitting the "rename" button. You can untag the non-malware files by using the "untag" button before hitting the "clean" button.

It is important to note that rootkits can hide legitimate processes and files too, so a hidden item is not automatically malware. When selecting the files you would like to rename, make sure you are only renaming the spyware/malware files. If you rename the wrong files, it will cause problems for the state of your machine.

Once you hit the "clean" button, the files that you renamed will be made inactive by the scanner and will appear with a .ren extension after restarting the PC. You will also get a Notepad window that shows the list. Look at the list and delete the .ren files from your PC.
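As an added illustration (my own example code, not F-Secure's, with a constructed directory hook and constructed file names), the cross-view check below is the kind of logic a rootkit detector uses: list a directory through the filtered API and through a raw view, flag what the API omits, then rename the flagged files so they no longer match the filter and can be deleted after a restart.

```python
import os
import tempfile
from pathlib import Path

# Constructed marker: the simulated hook censors any entry whose name starts with it.
HIDDEN_PREFIX = "_rk_"


def raw_listing(directory: str) -> set[str]:
    """Low-level view: every entry actually present on disk."""
    return set(os.listdir(directory))


def hooked_listing(directory: str) -> set[str]:
    """What an ordinary program sees once the directory API is filtered:
    the rootkit's own files are dropped from the list."""
    return {n for n in raw_listing(directory) if not n.startswith(HIDDEN_PREFIX)}


def find_hidden(directory: str) -> set[str]:
    """Cross-view diff: entries the raw view has but the API view omits."""
    return raw_listing(directory) - hooked_listing(directory)


def quarantine(directory: str, names, suffix: str = ".ren") -> list[str]:
    """Rename flagged files so they no longer match the filter and show up
    (with a .ren extension) for deletion after the next restart."""
    renamed = []
    for name in sorted(names):
        src = Path(directory) / name
        dst = src.with_name(name.removeprefix(HIDDEN_PREFIX) + suffix)
        if dst.exists():  # never clobber a legitimate file of the same name
            continue
        src.rename(dst)
        renamed.append(dst.name)
    return renamed


def demo() -> dict:
    """Constructed sample: two ordinary files and two 'hidden' ones in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("readme.txt", "notes.doc", "_rk_keylog.dll", "_rk_sniffer.sys"):
            (Path(d) / name).write_text("constructed sample content")
        report = {"api_view": hooked_listing(d), "hidden": find_hidden(d)}
        report["renamed"] = quarantine(d, report["hidden"])
        report["after"] = hooked_listing(d)  # renamed files are visible again
        return report


if __name__ == "__main__":
    for stage, value in demo().items():
        print(f"{stage}: {sorted(value)}")
```

A real detector compares the Windows API view against the raw file system or registry, not a simulated hook, but the diff-and-rename idea is the same.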

You can download both the Blacklight (F-Secure) GUI version and the command line version here.

The command line version can be used by people who are comfortable with the command line, and it also has an expert mode. The default mode is the normal mode. For help with the command line version you can visit the related F-Secure page.

Two other tools.
If you want to use more than one rootkit detector and are an advanced user, you can try RootkitRevealer and Gmer. Both are free software.

Ratan Koduru said...

Looks like you forgot to mention unHackme. I found it very useful.
BTW, if you are a targeted network, don't worry about trying to detect rootkits. Best idea is to format your machine if you have a doubt :)

Ratan Koduru