Slashdot Mirror


SysInternals Releases RootkitRevealer

Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."

260 comments

  1. Strange... by bigtallmofo · · Score: 5, Funny

    Every time I try to go to www.sysinternals.com to find the new Rootkit removal application, my system shuts down automatically.

    Probably nothing to worry about.

    --
    I'm a big tall mofo.
    1. Re:Strange... by adlaiff6 · · Score: 0

      My Winbox shuts down whenever I put in my Slackware disc. Really.

    2. Re: Strange... by Alranor · · Score: 0

      Let me guess, the mods have been at the crack pipe again, how exactly is the parent off-topic??

      Idiots.

    3. Re:Strange... by SpinJaunt · · Score: 5, Informative
      If you are using Windows XP SP2 or Windows 2003 SP1, you'll need to turn off DEP (Data Execution Prevention) by editing your BOOT.INI and changing
      /noexecute=optin
      to
      /noexecute=AlwaysOff
      http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ddtools/hh/ddtools/BootIni_aff45176-bd02-43cf-9895-c212fa392de2.xml.asp I had this problem with Daemon Tools and Alcohol 120%
      --
      /. is good for you.
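The BOOT.INI edit in the post above, as an added example that is not part of the post or of any Microsoft tool: a Python script that parses the [operating systems] section, reports each boot entry's /noexecute policy and flags AlwaysOff, which (as replies further down point out) switches DEP off for every process instead of for the one tool that misbehaves. The sample BOOT.INI is constructed for the demo; on a real XP SP2 box you would read C:\boot.ini instead.

```python
"""Audit the DEP policy in an XP SP2 / Server 2003 SP1 BOOT.INI.

Added example, not code from the post or from Microsoft. It parses the
[operating systems] section, reports the /noexecute value for each boot
entry, and flags AlwaysOff, which switches DEP off for every process.
SAMPLE_BOOT_INI is constructed for the demo; on a real system read
C:\\boot.ini (a hidden, read-only system file) instead.
"""
import re

# Policy names as Microsoft spells them; BOOT.INI itself is case-insensitive.
DEP_POLICIES = {
    "optin": "OptIn",          # DEP only for Windows system binaries
    "optout": "OptOut",        # DEP for everything except an exception list
    "alwayson": "AlwaysOn",    # DEP for everything, no exceptions
    "alwaysoff": "AlwaysOff",  # DEP disabled system-wide
}
_NOEXEC = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)
_OS_LINE = re.compile(r'^[^=]+=\s*"(?P<desc>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Return {description: policy} for each [operating systems] entry.

    policy is one of the DEP_POLICIES values, the raw switch value if it is
    unrecognised, or None when the entry carries no /noexecute switch.
    """
    entries = {}
    in_os_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        m = _OS_LINE.match(line) if in_os_section else None
        if not m:
            continue
        nx = _NOEXEC.search(m["switches"])
        policy = DEP_POLICIES.get(nx.group(1).lower(), nx.group(1)) if nx else None
        entries[m["desc"]] = policy
    return entries


def audit_dep(text):
    """Return [(description, policy, verdict)] with a verdict per entry."""
    report = []
    for desc, policy in parse_boot_ini(text).items():
        if policy == "AlwaysOff":
            verdict = ("DEP disabled for every process; use OptOut plus a "
                       "per-program exception for the one tool that breaks")
        elif policy is None:
            verdict = "no /noexecute switch; policy falls back to the OS default"
        else:
            verdict = "ok"
        report.append((desc, policy, verdict))
    return report


def set_dep_policy(text, policy):
    """Rewrite every /noexecute switch to the given policy (the narrower fix)."""
    if policy not in DEP_POLICIES.values():
        raise ValueError(f"unknown DEP policy {policy!r}")
    return _NOEXEC.sub(f"/noexecute={policy}", text)


# Constructed sample: one entry edited as the post suggests, one left on.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (DEP on)" /NoExecute=OptOut /fastdetect
"""

if __name__ == "__main__":
    for desc, policy, verdict in audit_dep(SAMPLE_BOOT_INI):
        print(f"{desc!s:40} {policy!s:10} {verdict}")
```

OptOut plus a per-program exception (the Performance Options tab another reply describes) keeps DEP on for everything else on the machine; set_dep_policy shows that narrower rewrite, and the audit reports "ok" afterwards.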
    4. Re:Strange... by Anonymous Coward · · Score: 0

      Subtle humor

      I guess it might be an attempt at subtle humor.

      Or perhaps, a subtle attempt at humor.

      Could even be a subtle attempt at subtle humor.

      What it definitely is not, is subtle humor.

      The warning bells were positively clanging at the first reading of the title Strange . . .

      If that weren't enough, there was a nudge and a wink with the line Probably nothing to worry about., whilst the would-be comedian was jumping up and down, vigorously pointing with their free hand to the apparently innocuous winking action they were making.

      If that's subtle to you, then fair enough.

      By the way, when people flee the room when you enter, that is not actually a coincidence.

    5. Re:Strange... by Anonymous Coward · · Score: 5, Funny

      Yeah, should probably just turn off that buffer overrun protection, don't know what it's good for anyways. Also you should set your administrative password to blank and share out your entire C drive with Everyone granted full control, just to make things easier.

    6. Re:Strange... by 0x461FAB0BD7D2 · · Score: 1

      ...which is what the rootkits expect you to do so they can achieve their fiendish ends, thereby revealing themselves anyway, requiring little use for the Sysinternals tool. /from the Ministry of Silly Tin foil hats

    7. Re:Strange... by Anonymous Coward · · Score: 0

      You, sir, are an idiot. Everyone that modded you +3 Informative is an idiot too. The original comment was a JOKE, you ignoramus.

    8. Re:Strange... by Anonymous Coward · · Score: 0
      If that's subtle to you, then fair enough.

      As far as I can tell most /. moderators would find Benny Hill too subtle.

    9. Re:Strange... by Anonymous Coward · · Score: 0

      I think you'll find someone gave a useful solution to a problem

      And how many Average Joes actually set a password on the Administrator account? Also, everyone is an Administrator by default on XP Pro.

      Also, how many people actually disable Windows Firewall? Which IMO is pretty good for "free".

    10. Re:Strange... by Anonymous Coward · · Score: 0

      To be fair, not everyone is as Paranoid as you and me?

      They could in actual fact re-enable DEP after they installed RootkitRevealer - and maybe do this whilst you're NOT connected to a network?
    11. Re:Strange... by wo1verin3 · · Score: 2, Informative

      Or you could right click on My Computer, click 'advanced', click on 'settings' in the performance box, and then on the 'Data Execution Prevention' tab.

    12. Re:Strange... by PurpleXanathar · · Score: 2, Informative

      You can re-enable it after installing Daemon Tools and Alcohol (at least it worked for me).

    13. Re:Strange... by Bert64 · · Score: 1

      Actually it's pretty crap for "free" when you consider that OpenBSD's packet filtering is also available for free.
      Aside from the fact that the XP firewall is NOT free, it requires you to purchase a copy of XP in order to use it, therefore it's a component of a non-free product.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Strange... by plague3106 · · Score: 1

      I believe there was a way to exempt programs from DEP. Why not just add a few programs to the exemptions list?

    15. Re:Strange... by Anonymous Coward · · Score: 0

      when you consider that OpenBSD's packet filtering is also available for free.

      it's a BSD licence right?

      i wonder what the response would be here if MS took it and incorporated it into Windows XP SP3?

    16. Re:Strange... by Anonymous Coward · · Score: 0
      You're from Fark, so we'll overlook it this time, but here you need to include HTML code to break a line, like BR or P.

      HTH HAND

    17. Re:Strange... by X0563511 · · Score: 1

      Last i checked, all accounts without a password set are denied remote and terminal access.

      For example: \\path.to.machine\c$ will not work if all of the administrative logins have no password.

      Of course, a local attack is a bit of a problem, if you do that.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    18. Re:Strange... by Anonymous Coward · · Score: 0

      Owned Wind0ze makes wares kids happy:

      ftp://mooseheadloosemoose.no-ip.com/

    19. Re:Strange... by hedge_death_shootout · · Score: 1

      Not only is it not really free - XP Firewall only works on XP.
      I only found this out after shelling out for a copy of XP so's I could install the firewall on my Linux box. What a total rip-off. :-(

    20. Re:Strange... by Anonymous Coward · · Score: 1, Interesting

      Yeah, should probably just turn off that buffer overrun protection, don't know what it's good for anyways. Also you should set your administrative password to blank and share out your entire C drive with Everyone granted full control, just to make things easier.

      A site which I support relies on two different pieces of software from two different vendors to make their business run. One is point of sale system software and the other is software specific to that type of store's specialized needs. I am constantly putting out fires, because these two companies, which must co-exist within many of their customers' sites, whether they like it or not, have very different points of view on how their customers' networks should be configured.

      The sad part is that one of them really does expect that all passwords, including admin, be set to blank and the whole of each drive be shared to everyone. Unfortunately for me, I am in no position to have my client use another company to replace the one with the lax attitude.

      Scary stuff? This client of mine is in the medical field! Customer financial and medical records don't matter much, it seems! Many times I have felt like just walking away from this disaster waiting to happen. I am surrounded by deaf ears.

    21. Re:Strange... by Anonymous Coward · · Score: 0

      Has anyone run this from a bootable PE or ERD Commander CD?

    22. Re:Strange... by Anonymous Coward · · Score: 0
      And how many Average Joes, actually set a password on the Administrator account?

      I don't need a password on my admin account because, as an MCSE, I know what I'm doing. Rest assured, though, that every user account is password-protected.

  2. Sysinternals is great by Dr.Opveter · · Score: 5, Informative
    I love their stuff

    No really, they have class utilities for free, thanks Sysinternals

    --
    Sample this!
    1. Re:Sysinternals is great by Triumph+The+Insult+C · · Score: 1

      i agree

      regmon is perhaps the best utility out there for trying to get old apps to work on newer operating systems. where i work, that happens a lot

      if this new tool is anything like their others, i'm sure it will be quite good

      --
      vodka, straight up, thank you!
    2. Re:Sysinternals is great by cnettel · · Score: 4, Insightful
      Agreed.

      One can note that Microsoft is stopping some kinds of hooking of individual kernel functions in the AMD64 release of XP. It's motivated by the fact that it won't break binary compatibility with existing code, as it would be broken anyway, and that it leads to sounder use of the API. It makes some rootkitting harder, and tools like regmon (not filemon, as it can hook as a filesystem filter driver). It doesn't make any of it impossible, though. It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent.

    3. Re:Sysinternals is great by gowen · · Score: 2, Informative

      A screen saver that fakes Windows system crashes? xscreensaver has had one of those for years. (It also simulates Linux and Solaris kernel dumps, Macintosh Bombs, Amiga Guru Meditations and others)

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    4. Re:Sysinternals is great by buckley · · Score: 1

      Yes, absolutely. The pstools (psexec, pskill, etc.) are indispensable.

    5. Re:Sysinternals is great by Anonymous Coward · · Score: 1, Interesting

      In XP, Microsoft added a (semi) documented API for hooking the registry API. This was done mostly, if not entirely, so SysInternals regmon could operate without patching the system call table. Regmon (and filemon) are used a lot inside Microsoft.

      The change in Win64 to disallow kernel patching can be defeated. Malware just has to disable the code that enforces the rule -- all it takes is one RET instruction in the right place. I'm glad MS is trying to do something about the problem, but in the long run it's a losing battle. There is no technical defense against lusers logged in as Administrator loading malicious kernel-mode code.

    6. Re:Sysinternals is great by Phisbut · · Score: 1
      Unfortunately, it's only a detector and not a remover, so the best it can do is inform you that you have a rootkit installed and that you need to format and reinstall everything.

      Now, I'm not blaming Sysinternals or anything, I don't suspect it's even possible to clean a system from rootkits other than reinstalling. It's still good to be informed if you're infected though.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    7. Re:Sysinternals is great by Anonymous Coward · · Score: 0

      Yeah, but it also will fake HD activity during startup. Quite amusing.

    8. Re:Sysinternals is great by klasikahl · · Score: 1

      Unfortunately, it's only a detector and not a remover, so the best it can do is inform you that you have a rootkit installed and that you need to format and reinstall everything.

      Uh, if you have a rootkit on your system, simply removing it is NEVER enough. You can't tell what has been compromised. Anyone who considers themselves even remotely security savvy realizes that if your box is compromised, reinstalling is the only way to be sure the box is once again secure.

    9. Re:Sysinternals is great by peeon · · Score: 1

      Their tools are the best. If anyone needs to deal with the abundance of spyware and junk out there, get these tools immediately. Process Explorer is as powerful as task manager + msinfo32 combined. Autoruns is much more powerful than msconfig. Tcpview is better than netstat. Filemon and regmon are neat tools if you can read fast enough lol (there is a pause event option).

  3. Bloated Software Giant Ahead of the Curve Again by Anonymous Coward · · Score: 5, Funny

    Wow. Pop-up blocking, rootkit detection, basic network security... isn't it amazing how an enormous patent library and billions of dollars encourages so much innovation? It's like they're ten years ahead of everyone else.

    Wait... no, the other way around...

    Free Sony PSPs. It's real. It's here.

    1. Re:Bloated Software Giant Ahead of the Curve Again by CyBlue · · Score: 1

      MS should just patent buffer overflows and rootkits and we'd have nothing to worry about!

  4. Better solution. by jcr · · Score: 0, Flamebait

    If you must run MS-windows, run it under VM ware on Linux. If you detect an infection, throw away the infected image.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:Better solution. by MSFanBoi · · Score: 1

      How is it better? VM's under linux don't carry over all my hardware. It's not going to do me any good if my modem chassis don't work, or if my video adapter doesn't work, or if my DVD burner doesn't work... So this isn't really a good solution...

    2. Re:Better solution. by lopingrhondo · · Score: 1

      Yes! Quick and easy! I did this for my grandma and at first she had some trouble with it: She kept picking up the mouse to move the pointer. Once she got that down though, she had no problem running Windows on Linux with VMware. And all was once again right with the world.

    3. Re:Better solution. by jcr · · Score: 1

      Burn your DVDs under Linux, and choose supported video cards. Linux's coverage of current ATI and NVidia cards is very good.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    4. Re:Better solution. by Taladar · · Score: 1

      But AFAIK VMware's is not.

    5. Re:Better solution. by cypherz · · Score: 2, Informative

      The hardware that the hosted OS sees is generic virtualized hardware. I've used the vm containing my Windows dev environment on 4 machines over the two years I've been using it. I haven't had to reconfigure W2K once. As long as the DVD (or other hardware) is seen by linux, then vmware will virtualize it and present it to the hosted OS as a generic dvd (or whatever is appropriate). For example, the dvd on my current notebook is a hitachi. It is presented to Windows as an NEC/Vmware CD.

      --
      This sig kills fascists.
    6. Re:Better solution. by Reducer2001 · · Score: 1

      How did your grandma feel about the $300 price tag? Or did you just 'borrow' a copy from work/p2p?

      --
      When you get to hell -- tell 'em Itchy sent ya!
  5. Rootkit? by Fls'Zen · · Score: 5, Funny

    I didn't think people needed rootkits for windows...

    1. Re:Rootkit? by slavemowgli · · Score: 5, Insightful

      Why not? The purpose of a rootkit is usually not so much to take over a box (trivial on a standard windows installation), but rather to hide the fact that such a take-over occurred.

      --
      quidquid latine dictum sit altum videtur.
    2. Re:Rootkit? by Fls'Zen · · Score: 1

      True, I know a lot of sysadmins who don't get a chance to regularly admire their server logs, processes, etc., though.

    3. Re:Rootkit? by Anonymous Coward · · Score: 0

      Hide what? Stealing cereals from your place every morning because your front door is left wide open ISN'T a "take over".

    4. Re:Rootkit? by Geek+of+Tech · · Score: 3, Funny
      Wouldn't the appearance that the computer hasn't been compromised lead one to become suspicious?

      :P

      --
      Stop the Slashdot effect! Don't read the articles!
    5. Re:Rootkit? by $raim_n_reezn! · · Score: 1

      Since taking over a standard windows installation is trivial, can you tell me how you would take over a box where you're locked in to limited user privileges and you can't edit the registry or touch system files?

      --
      All straight things must come to a bend
    6. Re:Rootkit? by Billly+Gates · · Score: 1

      Go read slashdot's last week edition?

      Rootkit makers are spyware makers. Sadly spyware/malware are worms and trojan horses. Rootkits are the only way to hide and protect spyware from programs like adaware.

      It's getting insane and I favor criminal rather than civil charges if spyware makers begin to make trojan horse rootkits. It's sabotage, and if it looks like a duck and quacks like a duck then it's a duck, regardless of whether a cracker has written it or an e-marketing company.

    7. Re:Rootkit? by Anonymous Coward · · Score: 0

      roooooooooooooooooooooooofleolololololloololololol olololololololololololollolololoolololol
      mirc0$ha ft w1nd0z sux

    8. Re:Rootkit? by Anonymous Coward · · Score: 0

      Reset administrator password, reboot, enjoy.

    9. Re:Rootkit? by Carnildo · · Score: 2, Funny

      It's getting insane and I favor criminal rather than civil charges if spyware makers begin to make trojan horse rootkits.

      Personally, if that occurs, I favor dynamite charges over either of the above.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  6. Call to arms by Willeh · · Score: 1, Interesting
    Good idea, but I'm waiting for the first batch of viruses or whatever to disable this rootkit. Probably won't take long either, stuff like this is begging for a bunch of attacks from the hacker community.

    But it's a good start, so that johnny q spammer won't be able to hijack as many sites as he had been doing previously. Good work, sysinternals!

    --
    Will wank off Linus Torvalds for fame.
    1. Re:Call to arms by Taladar · · Score: 2, Informative

      Viruses don't disable rootkits, they install them. Rootkits are replacement system programs/libraries to hide the intruder presence/activity on your computer

    2. Re:Call to arms by Phisbut · · Score: 2, Insightful
      Good idea, but i'm waiting for the first batch of viruses or whatever to disable this rootkit.

      Other than noting that RootkitRevealer is not a rootkit itself, it's also nice to see that Sysinternals knows the weakness of their product, how it can be exploited, and how it is very very unlikely that it will be.

      It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.

      The complete opposite of security by obscurity. I like that.

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
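The cross-view technique in the story summary and in the Sysinternals passage quoted above, as an added example that is not Sysinternals code: a Python sketch that enumerates a constructed file set once through a simulated hooked API and once from a "raw" view that the hook cannot filter, then reports every discrepancy between the two. The hide prefix `_rk_` and the file names are made up for the demo.

```python
"""Cross-view rootkit detection, the idea RootkitRevealer is built on:
enumerate the same namespace once through the Windows API and once from
a low-level source that bypasses API hooks, then report every difference.

Added example, not Sysinternals code. Both views are constructed: the
'API' view is a file listing after a simulated hook has filtered it, the
'raw' view stands in for parsing the NTFS directory index directly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int


def raw_view(entries):
    """Low-level pass: everything on disk, keyed by path."""
    return {e.path: e for e in entries}


def hooked_api_view(entries, hide_prefix):
    """High-level pass through a simulated FindNextFile hook that drops
    every name starting with hide_prefix, the way user-mode rootkits hide
    their own files and keys (hide_prefix is a constructed marker)."""
    visible = {}
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1]
        if not name.lower().startswith(hide_prefix.lower()):
            visible[e.path] = e
    return visible


def cross_view_scan(api, raw):
    """Return sorted (path, discrepancy) pairs. A rootkit shows up as
    'hidden from API'; a file created between the two passes shows up in
    one view only and is the benign case an analyst has to rule out."""
    findings = []
    for path, on_disk in raw.items():
        seen = api.get(path)
        if seen is None:
            findings.append((path, "Hidden from Windows API"))
        elif seen.size != on_disk.size:
            findings.append((path, "Size differs between API and raw view"))
    for path in api:
        if path not in raw:
            findings.append((path, "Visible in Windows API but not in raw scan"))
    return sorted(findings)


# Constructed disk contents; '_rk_' is the simulated rootkit's hide prefix.
SAMPLE_DISK = [
    Entry(r"C:\WINDOWS\explorer.exe", 1_033_728),
    Entry(r"C:\WINDOWS\system32\kernel32.dll", 989_696),
    Entry(r"C:\WINDOWS\system32\_rk_svc.exe", 70_144),
    Entry(r"C:\WINDOWS\system32\drivers\_rk_hide.sys", 24_576),
]


def demo():
    raw = raw_view(SAMPLE_DISK)
    api = hooked_api_view(SAMPLE_DISK, hide_prefix="_rk_")
    # Simulate a log written after the raw pass finished: the API pass sees
    # it, the raw pass did not. Timing discrepancies like this are why the
    # tool reports differences rather than declaring infection.
    late = Entry(r"C:\WINDOWS\Temp\scan.log", 512)
    api[late.path] = late
    return cross_view_scan(api, raw)


if __name__ == "__main__":
    for path, why in demo():
        print(f"{why:45} {path}")
```

The third finding is the benign class: a file that appeared between the two passes. That, and the attack the quoted passage describes (feeding the raw pass doctored but internally consistent NTFS or hive structures), are why the tool lists discrepancies for a human to judge instead of pronouncing a verdict.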
  7. So this is... by JustNiz · · Score: 4, Funny

    >> RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level,

    So this is a rootkit in itself.

    I don't know that I'd trust Microsoft any more than anyone else running rootkits on my system.

    1. Re:So this is... by interiot · · Score: 3, Informative
      No... Rootkits CHANGE the results of system API calls for everything running on the system, to try to hide the fact that there are suspicious processes and files on your system.

      RootKitRevealer doesn't change any results of API calls at all.

      RootKits are a fairly precisely-defined thing, I don't think there's as much grey area here as you think there is.

    2. Re:So this is... by conteXXt · · Score: 1

      as a previous poster humourously stated
      "I didn't think people needed rootkits for windows..."

      Windows is its own rootkit. This one is for high-availability reasons.

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
    3. Re:So this is... by Chris+Kamel · · Score: 1

      RootkitRevealer is the one made by Sysinternals, not MS

      --
      The following statement is true
      The preceding statement is false
  8. handy by diegocgteleline.es · · Score: 5, Insightful

    This will be interesting as soon as spyware starts using rootkits in windows.

    You know, Microsoft is securing (really) XP with SP2, popup blockers, restrictions on ActiveX objects... which is great, but Microsoft has allowed a whole industry to grow - the spyware industry. There's a lot of money there and they aren't going to stop so easily, they'll try other methods, and the fact that 99% of XP users run with administrator privileges is too sexy, it allows you to reach the kernel, where you're god and you can bypass spyware/virus programs... (and if today's spyware is very poorly designed and can break your IE even when they don't really want that, guess how systems will start to break if rootkits start to be used....)

    1. Re:handy by mytec · · Score: 1

      Speaking of running as Administrator, or having to in some cases, did you ever see the docs that show the hoops you have to go through to run Visual Studio as a non-administrator? While I cannot speak for Delphi 2005, Delphi 7 has this same problem to some extent. Sometimes it's a pain in the ass to not run as Administrator. That needs to be fixed.

    2. Re:handy by bratboy · · Score: 1

      This is an interesting analogy to the insurgency in Iraq - because Microsoft let things get to the current point, there's too much momentum/mindshare devoted to the problem to easily shut it down. If it had been extremely hard to crack the system in the first place, the rewards few and the risk significant, then we wouldn't be in the current mess. (I say "we" because no matter what OS you use, you're still going to have to pay for MS's boneheadedness - in spam, increased ISP fees, Internet worms, latency, etc.)

    3. Re:handy by shufler · · Score: 1

      It should also be noted that "fixing" this problem should not consist of granting higher rights to the User group.

      The "Designed for Windows XX" logo signifies (at least in the NT variants) that a program can be run by anyone in the User group. I read somewhere what this entails (not writing to certain portions of the registry comes to mind), but I'm sure someone will followup with that information.

      I can understand VS not running under the User group -- there's a need to develop for users who aren't going to be in the User group. That said, they should make an option to change this, or failing that, never develop with VS on a computer attached to the Internet. Which might be impossible, depending on what you're developing.

      Eh. Don't use VS I guess.

    4. Re:handy by utexaspunk · · Score: 1

      I think it's a good thing. While the system should've been secure in the first place, it is better that the system gets a trial by fire against (relatively) benign nuisance spyware programs than they go undetected until something really destructive comes along.

      think of spyware as the common cold- ever evolving, practically undefeatable, but essentially just a periodic nuisance that keeps the immune system on its toes...

    5. Re:handy by arkanes · · Score: 3, Interesting

      Amusingly, large portions of MS software don't qualify for the "Designed for Windows" logo. Office springs immediately to mind - violates the HIG.

    6. Re:handy by Tim+C · · Score: 1

      Unfortunately, it doesn't matter how secure your system is - if you have a naive user with the admin password using it, you're still going to have it infected with all sorts of nasties.

    7. Re:handy by mrogers · · Score: 1

      It's hard to fix - you need to be Administrator to run a debugger because a debugger attaches to another process and alters its memory. But maybe the rest of Visual Studio could run as a normal user, with the debugger using Run As? Coincidentally I was just reading a journal entry on exactly that subject.

    8. Re:handy by Foolomon · · Score: 1

      Running as Administrator isn't bad. Running as Administrator with no password is criminal though. Unfortunately, the vast majority of "casual user" installations are running as admin with no password.

      A password and a little bit of caution will keep your system clean, or at least it has kept my system clean.

    9. Re:handy by m50d · · Score: 1

      Running as Administrator *is* bad, because any vulnerability means you are rooted. If an attacker has to find a privilege escalation bug as well to get root on your system, although this is far from impossible, it adds another layer of security.

      --
      I am trolling
    10. Re:handy by skubeedooo · · Score: 1
      For many home users (I'm tempted to say most) it doesn't make any difference if you're running as admin or user, because all the sensitive data is in the user directory anyway. Whilst it might be a serious issue if a unix style setup with hundreds of users gets rooted, for a home computer it may be no better or worse than a trojan keylogger.

      I'm not an expert in these things, but it seems to me that SELinux has the right idea, adding increased resolution for access permissions. Ideally you should have a standardized tool which can prevent certain user apps (not certain users) from accessing different sets of files. I don't know whether SELinux actually does this, but IMO in the end it must do to keep mum-and-dad users a bit safer.

    11. Re:handy by radish · · Score: 1

      Amusing, but utterly false.

      The Microsoft Catalogue lists products which meet the "designed for" standards. This search should find Office 2003, note the "Designed For" logo to the right. You can do similar searches for other products (I checked Office XP) - everything I looked up was certified.

      --
      One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    12. Re:handy by Tim+C · · Score: 2, Insightful

      The real problem isn't people running as administrator; I do so at work and at home with no problems. The problem is naive computer users who run/install content from untrusted sources, don't run (up to date) AV software, don't use a firewall, etc.

      Even a system with zero exploits will not be safe from an incautious/careless user with the admin password. Even if all IE, ActiveX, etc holes are plugged, malware will still be installed piggy-backing on or masquerading as legitimate software installations.

      MS hasn't allowed the industry to grow, they just gave it a nice, easy start in life. The crap would still have been developed without their inadvertent help.

    13. Re:handy by Bert64 · · Score: 1

      You shouldn't need any special privileges to attach to a process that's also running as your user; at least unix systems don't have this stupid limitation, I've done lots of development on non-root unix systems.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:handy by plague3106 · · Score: 1

      It's really the developers I think at fault now.. how many programs just refuse to run as non-admin? There are quite a few, and I don't think any of those are MS (short of needing to install something).

      Seriously, how do you expect to be able to run as non-admin when something as simple as The Sims needs to be admin so it can download the latest patches (which are released about once a week or so)?

    15. Re:handy by arkanes · · Score: 1

      I didn't say they didn't brand it, I said it didn't qualify. It's not especially surprising, MS is hardly rigid about compliance with the logo, at least with its big business partners. Apple is the same way, except they actually change the HIG every time they decide to violate it (the creep of the "allowed" scope of brushed metal being the most obvious).

    16. Re:handy by Anonymous Coward · · Score: 0

      "This will be interesting as soon as spyware starts using rootkits in windows."

      I spent the last week trying to get rid of a rootkit that installed a whole lot of spyware. I finally reinstalled windows. The interesting thing was it installed "ad-clickers" (http://vil.nai.com/vil/content/v_100446.htm) to make you click ads.
      2 cents/click
      1 clicks/ad
      10 ads/min
      60 min/hr
      24hr/day
      for 7 days
      thats 100800 clicks per week
      $2016 per week

      These people must be making bank

    17. Re:handy by stevenbdjr · · Score: 3, Interesting

      I don't know how your system is configured, but on my network all of my users run with non-privileged (read Users) accounts and can run Office 2000, XP, and 2003 just fine.

    18. Re:handy by mrogers · · Score: 1

      I dunno, I can see arguments on both sides - what if spyware attaches to an ssh client?

    19. Re:handy by hepwori · · Score: 2, Informative

      Can you explain how it doesn't qualify? I think you may be confused: you mentioned non-compliance with the HIG, but the HIG isn't referenced at all from the "Designed for Windows XP" specification.

      Take a look at the Designed for Windows XP Application Specification and let us know which bit you think Office doesn't comply with.

    20. Re:handy by diegocgteleline.es · · Score: 1

      It's really the developers I think at fault now.. how many programs just refuse to run as non-admin? There are quite a few, and I don't think any of those are MS (short of needing to install something).

      Microsoft has encouraged it. The problem is that when you create a user account, the default privilege level given is administrator. This is inside of XP. In the installer, it asks you for a user name and it gives that account privileges with no option to remove the privileges until the installation finishes.

      If XP had created unprivileged accounts from day 1, everybody would run XP with no privileges. But that would have broken all programs...once again, the backwards compatibility bites microsoft

    21. Re:handy by WhiteWolf666 · · Score: 1

      For many home users (I'm tempted to say most) it doesn't make any difference if you're running as admin or user, because all the sensitive data is in the user directory anyway. Whilst it might be a serious issue if a unix style setup with hundreds of users gets rooted, for a home computer it may be no better or worse than a trojan keylogger.
      I kind of agree with this, but not really.

      It's much easier to backup/restore user data than to backup/restore the whole system.

      I can fit all of my data on a dvd or 2. My entire system, however, would require quite a huge backup.

      Backing up/restoring my user data is also quite painless, while reinstalling all my system stuff is quite painful (I'm not careful enough to archive the entire install on a continuous basis, so I would end up having to do a basic restore, then install newer apps on top of that).

      Of course, I run Linux, so I'm more used to this behavior, but you should be able to do the same thing by running as an unprivileged user on Windows, then backup/restore 'C:\Documents and Settings'.

      Of course, there are enough privilege escalation exploits that I would be hard pressed to consider a compromised Windows system 'clean', but the idea is nice.

      At least I can use RPM to verify all my installed packages from a clean linux live boot cd, as long as I only install packages from either RPM or build software into self-signed RPMs.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    22. Re:handy by wehup · · Score: 1

      " This will be interesting as soon as spyware starts using rootkits in windows."

      Already has... and on my VMware Windows 2K test machine it causes a crash when RootkitRevealer runs. The malware is msupd5.exe or msupd6.exe.

      On an infected machine you cannot see the malware in the file system, nor in the registry (at least with any utility I tried). The malware installs a kernel level driver in %SYSTEM%\System32\Drivers and several files in the System32 directory plus a couple of hidden BHOs. Although the files could be seen from safe mode, the infection on my machine never shows up in HijackThis logs in any mode. Spooky.

      Microsoft has an article about the crash in KB 894278.

      Regards.

    23. Re:handy by sconeu · · Score: 1

      The problem with RunAs is that you need to give out the root/Admin password, which kind of defeats the purpose of denying Admin.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    24. Re:handy by skubeedooo · · Score: 2, Insightful

      I meant more in terms of privacy than persistency. For example, if someone gets access to your bank details, you could become very poor very quickly. I'm not sure what bank policy is about this, but I imagine you are treading on thin ice. If one's home-made films stored on one's home computer got stolen, this could also cause a big problem. There are lots of other important privacy things like this (unrelated to big-brother tinfoiling bullshit); I'm sure you can think of more.

    25. Re:handy by Anonymous Coward · · Score: 0

      Well that is kind of the point, newer MS Windows installations may as well be DOS as far as the local security model is concerned. The only thing that has really changed is that for the initial entry into the system you use the API instead of writing to kernel structures directly.

      What MS should really do is make legacy support exist in a sandbox. It works, but is somewhat inconvenient and not optimized for speed - but rather for paranoid levels of security. All new software would target the new security environment; since there would be no need for legacy support within the new environment itself, it would lack the inherited weaknesses that have plagued former MS attempts to improve security.

    26. Re:handy by Bert64 · · Score: 1

      Well, why would it need to? It could modify your path/shortcuts/menus so that you didn't load the normal ssh client and loaded its replacement version instead. If the spyware is running under your user id, it can screw with anything you're doing anyway.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    27. Re:handy by WhiteWolf666 · · Score: 1

      Agreed.

      Didn't think of that angle.

      I like to think no one else can get at my personal documents. Hopefully, my own personal security is pretty good :)

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    28. Re:handy by plague3106 · · Score: 1

      Yes, MS has encouraged it in the past although it's gotten better.

      I don't think you HAVE to create that user @ install time, especially if you're running Pro on a domain.

      I believe local users are created as Power Users by default... but I'm not 100%. Of course if it is creating Admin by default then obviously that's something that needs to be addressed.

      Out of curiosity, how do you propose MS fix this problem? Break backward compatibility, and thus no one will upgrade (b/c their apps break)? Have MS force every developer to comply with creating apps that work as Users? I don't see that getting far either.

    29. Re:handy by diegocgteleline.es · · Score: 1

      "Out of curiosity, how do you propose MS fix this problem? Break backward compatibility, and thus no one will upgrade (b/c their apps break)? Have MS force every developer to comply with creating apps that work as Users?"

      Yes. (they will have to do it _anyway_, giving excuses for not doing it is pointless. They did it in SP2)

  9. Looking forward... by Apiakun · · Score: 5, Funny

    defeating their tool would require a level of sophistication not yet seen

    What, until tomorrow?

    1. Re:Looking forward... by Anonymous Coward · · Score: 0

      Yes, tune in tomorrow for another episode of As The Internet Burns... when we learn that Darl wasn't killed in the courtroom trainwreck after all. (Brought to you by SpinWash: "Snake oil? You're soaking in it.")

    2. Re:Looking forward... by Anonymous Coward · · Score: 0

      defeating their tool would require a level of sophistication not yet seen

      Is that a challenge?

    3. Re:Looking forward... by Jahz · · Score: 1

      What, until tomorrow?

      Yes.

      --
      There are 10 types of people in the world. Those who understand binary and those who do not.
    4. Re:Looking forward... by stienman · · Score: 1

      They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen.

      Now that's some interesting circular logic.

      "We haven't seen the kind of rootkit that we wouldn't be able to detect. Therefore such a rootkit does not exist. QED."

      -Adam

  10. If you run linux by Apreche · · Score: 5, Informative

    If you run linux you can use chkrootkit

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:If you run linux by slavemowgli · · Score: 3, Informative

      You don't need to run Linux for chkrootkit. More or less any Un*x or Un*x-like OS will do fine:

      "chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64 and BSDI."

      --
      quidquid latine dictum sit altum videtur.
    2. Re:If you run linux by nuclear305 · · Score: 1, Insightful

      Except this story has nothing to do with linux...I know it's hard to accept, but nice try!

    3. Re:If you run linux by Taladar · · Score: 4, Informative

      Don't forget to run it from a known-good live-cd, otherwise it won't do you much good since it is just a script that uses several system programs.

    4. Re:If you run linux by slavemowgli · · Score: 1

      Or use a SCSI hard disk with jumper-enabled hardware write protection (enabled after a known-good install, of course). :)

      --
      quidquid latine dictum sit altum videtur.
    5. Re:If you run linux by Anonymous Coward · · Score: 0

      Well it has unix terminology in common, otherwise they would call it "AdministratorkitRevealer".

    6. Re:If you run linux by Anonymous Coward · · Score: 0

      Yeah, that'd be the point. The story is about a Windows tool -- here's a Unix equivalent.

    7. Re:If you run linux by Anonymous Coward · · Score: 0

      Informative?

      How about just "off topic"?

    8. Re:If you run linux by gbjbaanb · · Score: 1

      or a VMWare session with the 'discard changes' option set.

      You'd have to keep your home directory on a network or removable drive though, and only install programs when disconnected from the net.

    9. Re:If you run linux by Wapiti-eater · · Score: 1

      And there's also root kit hunter. Be interesting someday to see a well written comparison 'twixt chkrootkit and rkhunter.

      Initial reading implies rkhunter is, "...more user-friendly and comprehensive...". See This PDF (Dealing with Rootkit Attacks on Linux).

      --
      Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
    10. Re:If you run linux by OneArmedMan · · Score: 2, Informative

      RKHunter is another good RootKit checker for your Favourite Unix flavour.

      http://www.rootkit.nl/projects/rootkit_hunter.html

  11. Re:A level of sophistication? by LiquidRaptor · · Score: 2, Insightful

    Yeah, but at the moment this is a BIG help for people, plus I'm sure that as new rootkits become available they'll update this puppy. But it's not like Linux doesn't have its own rootkit detector http://sourceforge.net/projects/checkps/. Any server operating system is eventually going to have exploits if it's got any use; it's a fact of life. This tool helps find out if you got rooted, no more, no less.

  12. LOL by http101 · · Score: 2, Funny

    "RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com."

    So it's kinda like telling my computer to turn its head and cough, right? *squeeze*

    --
    -- Game Developers: Stop porting badly-textured games from crappy console systems!
  13. Netcraft has announced; "God exists" by eatmywake · · Score: 2, Funny

    ...and goes by the alias "SysInternals".

    Forget the vatican and mecca, point your browsers to http://www.sysinternals.com and pay homage.

    1. Re:Netcraft has announced; "God exists" by Professor+J+Frink · · Score: 1

      Homage?! You're all drunk. It's disgusting. Out! The lot of you, out!

      --
      "Don't get mad, get a monkey!"
  14. Um by jb.hl.com · · Score: 0

    Tripwire, anyone?

    --
    By summer it was all gone...now shesmovedon. --
    1. Re:Um by Anonymous Coward · · Score: 1, Informative

      Not even close. Rootkits change system innards in such a way that processes magically don't show up in /proc or 'ps' output, that md5 of 'somefile' returns a false signature, and other bits of magic.

      The point of a rootkit is to subvert the system at such a deep level that tools like tripwire are fooled.
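The reply above describes the problem RootkitRevealer's "highest level versus lowest level" comparison is built to catch: the view a user-level tool gets has been edited, so the only thing left to check is whether two independent views of the same system agree. The following is an added example, not code from Sysinternals or from the poster, showing that cross-view idea on Linux. The high-level view is the /proc listing that ps reads; the low-level view asks the kernel about every possible PID with kill(pid, 0), which does not go through the directory-listing path. It assumes a Linux host with /proc mounted; as the thread notes, a kernel rootkit can hook the syscall path as well, so agreement between the views is evidence, not proof.

```python
"""Cross-view process detection: /proc directory listing vs. PID probing.

Added example for this discussion (not Sysinternals code). Assumes Linux:
/proc is mounted and /proc/sys/kernel/pid_max is readable.
"""
import os
from typing import Iterable, Set


def hidden_pids(high_view: Iterable[int], low_view: Iterable[int]) -> Set[int]:
    """PIDs present in the low-level view but missing from the high-level one.

    A rootkit that filters /proc entries leaves its processes in this set; a
    clean system yields an empty set apart from processes that started or
    exited between the two snapshots (see confirm_hidden for that race).
    """
    return set(low_view) - set(high_view)


def list_proc_pids(proc_root: str = "/proc") -> Set[int]:
    """High-level view: the numeric entries of /proc, exactly what ps enumerates."""
    if not os.path.isdir(proc_root):
        return set()
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def _pid_alive(pid: int) -> bool:
    # kill(pid, 0) delivers no signal. ESRCH (ProcessLookupError) means no such
    # process; success or EPERM (PermissionError) both mean the PID exists.
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_pids(max_pid: int) -> Set[int]:
    """Low-level view: ask the kernel directly whether each candidate PID exists."""
    return {pid for pid in range(1, max_pid + 1) if _pid_alive(pid)}


def read_max_pid(default: int = 32768) -> int:
    """Upper bound for the probe, taken from the kernel if available."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def confirm_hidden(candidates: Set[int], proc_root: str = "/proc") -> Set[int]:
    """Drop snapshot races: keep only PIDs that still answer the probe and are
    still absent from a fresh /proc listing."""
    visible = list_proc_pids(proc_root)
    return {pid for pid in candidates if _pid_alive(pid) and pid not in visible}


def scan() -> Set[int]:
    """Run both views and return the confirmed hidden PIDs (empty on a clean host)."""
    high = list_proc_pids()
    low = probe_pids(read_max_pid())
    return confirm_hidden(hidden_pids(high, low))


if __name__ == "__main__":
    found = scan()
    print("hidden PIDs:", sorted(found) if found else "none")
```

The probe loop costs one syscall per candidate PID, so on a kernel with a large pid_max it takes a few seconds; that is the price of not trusting the listing. The same pattern transfers to files (directory listing vs. raw MFT or inode walk) and to registry keys, which is what RootkitRevealer does on Windows.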

  15. Re:A level of sophistication? by johndiii · · Score: 5, Informative

    As the sysinternals article suggests, boot from a known clean CD and do an "off-line" system scan. They make the point that it will never be possible to determine with absolute certainty that a system is clean from inside the system.

    --
    Floating face-down in a river of regret...and thoughts of you...
  16. I scanned mine.. by Folmer · · Score: 0, Troll

    And it told me that I had a rootkit installed called Windows XP SP2. To remove it I had to download something called FedoraHat....

  17. About the software by JordanAU · · Score: 2, Interesting

    I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds?? In other words is it foolproof?? I'm sorry that was a bad question. How foolproof is it??

    1. Re:About the software by Anonymous Coward · · Score: 4, Informative

      I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds??

      Short answer - no. It will flag stuff that is hidden from the Native Windows API but not everything that's hidden is bad.

      It's kind of a moot point anyway. If you find that you've been rootkitted you shouldn't try and clean it. You should reach for your original install media and start over.

      Alternatively, take off and nuke the site from orbit. Apparently it's the only way to be sure.

    2. Re:About the software by arkanes · · Score: 1

      In your case, the answer is simple: don't use this software, it's not for you. It's a tool for skilled admins, not a point & click "removal" tool like Spybot.

    3. Re:About the software by Anonymous Coward · · Score: 0

      It's not for the average fool.

  18. Rootkit Ben Kanobi says... by ScentCone · · Score: 1, Insightful

    If you detect my rootkit, I will become more powerful than you can possibly imagine.

    This really does feel like raising the stakes (or poking a bear with one, regardless).

    Unavoidable, I suppose. <sigh>

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:Rootkit Ben Kanobi says... by Anonymous Coward · · Score: 0

      Yeah, I shouldn't raise the stakes on this issue. I should just let some fucktard do as he pleases with my computer and violate my privacy as Capt Ass Dribbler so desires. No thanks. Let's go ahead and escalate to the next level and the one after that when the time comes. Eventually it will be exceptionally clear that there is no middle ground. You're either breaking the law or you aren't. If you are, you'll not be able to pretend not to have made a significant effort to do so.

    2. Re:Rootkit Ben Kanobi says... by ScentCone · · Score: 1

      Eventually it will be exceptionally clear that there is no middle ground. You're either breaking the law or you aren't. If you are, you'll not be able to pretend not to have made a significant effort to do so.

      You're right, of course. I'd suggest that we're pretty much there already, aren't we? I mean, dicking around with the OS is so plainly off limits (or should be) that anyone planting code like that should be just hauled out back and shot.

      --
      Don't disappoint your bird dog. Go to the range.
  19. Like a partition? by bigattichouse · · Score: 1

    Just waiting for a root kit that fdisks, makes a partition at the end, and hides there. Would standard MBR scans catch that?

    --
    meh
    1. Re:Like a partition? by XMyth · · Score: 1

      It still has to modify system files to do anything.

    2. Re:Like a partition? by Geek+of+Tech · · Score: 3, Interesting

      Nah. I'm waiting for one that converts the filesystem to an encrypted filesystem of its own, and makes all disk access go through itself first.

      No way will it let you remove itself. If you boot off of some sort of safe media and delete the thing, the computer no longer has the ability to read any of its data.

      Yeah, I know I messed up the jargon, but I'm sure I'll be corrected on that. :P

      --
      Stop the Slashdot effect! Don't read the articles!
    3. Re:Like a partition? by Technician · · Score: 2, Insightful

      Would standard MBR scans catch that?

      It would be hard to hide from any Linux Live CDs. You boot a read only file system (not modifiable by a bug), load a trusted application (FDISK or Disk Druid) and check the partition table. Not much can hide from a scan from a non-compromised OS.

      --
      The truth shall set you free!
    4. Re:Like a partition? by tricops · · Score: 1

      So basically, you're waiting for a boot sector virus of old. There were a few that did exactly that. Booting off of safe media alone would render the drive unreadable.

      Of course, it sounds like you're referring to one running under windows, which means at least part of the filesystem would need to be unencrypted for windows to be able to load and then load the virus drivers (well, unless the virus could somehow place its own load before windows... but I'm not sure how feasible that would be). So otherwise then it would have to deal with separating the partition somehow, or only encrypt on a file by file basis, or only affect extra partitions. All of those cases are semi-broken compared to complete encryption.

      --
      (\(\
      (^v^)
      (")")
      This is the cute vorpal bunny virus, copy to your sig or runaway, runaway in fear!
    5. Re:Like a partition? by Anonymous Coward · · Score: 0

      > Just waiting for a root kit that fdisks, makes a partition at the end, and hides there. Would standard MBR scans catch that?

      Well, it would have to resize the existing NTFS filesystem first (most people have a single-partition disk), and it's hard to think about how to do that in a non-noticeable manner.

    6. Re:Like a partition? by izomiac · · Score: 1

      If there was one that did something like Drivecrypt's partition hiding then that'd be scary. What it does is use the freespace in your windows partition to hold encrypted data for a separate partition. This hidden partition is even bootable and AFAIK can hold encrypted partitions of its own in its freespace. Of course, the MBR would have to be altered for it to run, but perhaps it could make the MBR seem as if it hasn't been altered (catch filesystem calls).

    7. Re:Like a partition? by Kehvarl · · Score: 1

      So, basically, you're waiting for Microsoft Palladium?

    8. Re:Like a partition? by Anonymous Coward · · Score: 0

      You could make a tool that knew how the kit worked, finds it, hacks the crap out of it to give up its key for the encryption, and then replaces the kit with its own go-through program that can read the disk, long enough for you to get your data off and reformat your system.

      My jargon is also totally fucked up.

    9. Re:Like a partition? by Anonymous Coward · · Score: 0

      That's a big pain in the butt. Wipe the disk, reinstall the OS, then restore from yesterday's backups.

      You have backups, right?

    10. Re:Like a partition? by kurobejin · · Score: 1

      I remember one like this from the mid 90s, called 'One-Half'; it decrypted as it read, and encrypted as it wrote, and when the disk was half full, it deleted itself.

      Whenever we found it, we'd back up the drive via a parallel port tape backup, and since reading the files decrypted them, clean data went onto the tape.

      Then the drive would be wiped, and we'd reinstall and restore.

    11. Re:Like a partition? by Khazunga · · Score: 1

      It would be hard to hide from any Linux Live CDs. You boot a read only file system (not modifiable by a bug), load a trusted application (FDISK or Disk Druid) and check the partition table. Not much can hide from a scan from a non-compromised OS.
      It need not show up in the partition table. Just use up a part of the disk and somehow guarantee it won't be written over:
      • Let those cylinders remain unallocated by any partition (like Thinkpad's do with system restore files), or
      • Mark the sectors bad (like some DOS-era viruses did), or
      • Mark the sectors used in the windows filesystem (again, some DOS-era viruses did that)
      --
      If at first you don't succeed, skydiving is not for you
  20. Microsoft BSA by TheFlyingGoat · · Score: 5, Informative

    While you're at it, download the Microsoft Baseline Security Tool. It's not quite the same, but it's an excellent tool for anyone looking to make their Windows box more secure. It can also scan computers on your network (that you have rights on), so you can easily find all the Windows boxes on your network that aren't up to date on their patches, have Guest accounts enabled, or other bad things.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
    1. Re:Microsoft BSA by kaustik · · Score: 1

      Hey, thanks. I am downloading this right now...

    2. Re:Microsoft BSA by Geek+of+Tech · · Score: 1

      Could you help me? I can't seem to get the MS BS to work....

      **cough**

      --
      Stop the Slashdot effect! Don't read the articles!
  21. Someone's got root... and I don't think it's me by LordCybrid · · Score: 2, Interesting

    Funny enough, when I tried to run RootKit Revealer, I got the 'Root kit detection utility has encountered a problem and needs to close. We are sorry for the inconvenience.' Error. Not that that's suspicious, or anything like that...

    --
    RLU 180035, get yourself counted at http://counter.li.org
    1. Re:Someone's got root... and I don't think it's me by zero+waitstate · · Score: 1

      I get the same message when I try both the GUI and CLI versions. I wonder what's wrong? I'm running XP SP2.

  22. how about a live cd? by zerkon · · Score: 2, Interesting

    waiting for the whoppix project to produce a livecd distro I can just pop in...

    1. Re:how about a live cd? by samekt · · Score: 1
  23. RootKit in windows? by Zangief · · Score: 1

    Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

    1. Re:RootKit in windows? by Anonymous Coward · · Score: 0

      the "Root" of the system

    2. Re:RootKit in windows? by tverbeek · · Score: 4, Funny

      Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

      For the same reason trackpads, wireless pointing devices, and such are called "mice", even though they look nothing like a mouse.... why solid state storage devices are called "flash disks" or "flash drives", even though there's nothing flat and circular in them and no moving parts... why the stuff in the middle of pencils is called the "lead", even though it's mostly graphite... why magazines featuring stories told with sequential art are called "comic books", even though they're usually not humorous.

      --
      http://alternatives.rzero.com/
    3. Re:RootKit in windows? by diablobsb · · Score: 1

      Because it would suck to call it "AdministratorKit" silly...

      --
      I for one, welcome our new hot grits... PROFIT!
    4. Re:RootKit in windows? by mrogers · · Score: 1

      A wireless mouse really ought to be called a hamster.

    5. Re:RootKit in windows? by ratnerstar · · Score: 2, Funny

      Because "rootkit" sounds cool, like a plumber's tool or some sort of kinky sexual practice.

      --
      Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
    6. Re:RootKit in windows? by PurpleXanathar · · Score: 1

      And a cracker is sometimes called a "hacker", but all slashdotters easily accept this change... or not?

    7. Re:RootKit in windows? by Bert64 · · Score: 1

      The real superuser is actually called SYSTEM.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re:RootKit in windows? by Anonymous Coward · · Score: 0

      Nice troll attempt. Not.

      Lamer.

    9. Re:RootKit in windows? by Anonymous Coward · · Score: 0

      Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

      Because an administrator-kit sounds like MCSE replacement technology.

    10. Re:RootKit in windows? by Jim_Callahan · · Score: 1

      That's because the colloquial meaning slot for "cracker" has already been filled. Twice! Leave the poor word alone!

      --
      ...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
    11. Re:RootKit in windows? by nonliteral · · Score: 1

      For the same reason you still dial a number on your cellphone...

  24. macs are for rich idiots by Anonymous Coward · · Score: 0

    $500 for a computer (and I use the term loosely, since a 'mac' cannot run windows or any decent games) that doesn't even include a screen or anything? get real.

    1. Re:macs are for rich idiots by mailtomomo · · Score: 0

      $500 for a silent computer was cheap enough for me.
      And they include games with it (marble madness gold and nanosaure 2: not mainstream but enough to play).
      As for "decent" games, I still can use my GameCube or my "gaming only" PC (loud as hell but used at most once per week).
      (As for the rich part: I'm still unemployed.)
      It's not perfect but it beats my old Linux box... for nearly the same price.

    2. Re:macs are for rich idiots by Anonymous Coward · · Score: 0

      My Mac can run Windows just fine - can your PC run OS X? No.

  25. Free Rootkit... by Forget4it · · Score: 1

    Is that free as in speech or as in beer?
    Free Root Beer!

    Ha ha.

    --
    Artificial intelligence is the study of how to make real computers act like the ones in the movies.
  26. Reputation Counts by Ridgelift · · Score: 5, Insightful

    Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use Sysinternals' over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals". They put their name on everything they give away and sell.

    When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS have saved my butt in the field.

    Way to go Sysinternals.

    1. Re:Reputation Counts by value_added · · Score: 1

      "They put their name on everything they give away and sell."

      Yeah, but do we really need to be reminded of their name each time you use one of their commands? There must be some book somewhere that someone at Microsoft wrote that defines how to write command-line utilities in the most annoying method possible.

      Agreed that Sysinternals does provide useful utilities, but I think what's being overlooked is that it's left to someone else to provide the basic (rudimentary, actually) toolset Microsoft seems congenitally unable to provide themselves (excluding their attempts to sell that confused collection of odd-ball utilities known as Resource Kit(s), Support Tools, etc., each of which is typically as brain dead as cmd.exe).

    2. Re:Reputation Counts by Bert64 · · Score: 1

      Unfortunately, if Microsoft released a rootkit detection tool they would leverage their OS to gain market share for their rootkit detection tool until such time as their competitors stopped producing competing tools, then the Microsoft rootkit detection tool would stagnate.
      Also, with a single dominant detection tool out there, it would make the lives of rootkit authors much easier since they'd only need to test their kit against one tool and make sure that tool couldn't detect it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Reputation Counts by jafac · · Score: 1

      I hate to post an AOLamer "Me too" - but hell yeah, me too.

      Windows would be absolutely useless and unmanageable without Sysinternals' tools. IMO.

      --
      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  27. my office pc is infected = howto remove? by Anonymous Coward · · Score: 0

    here I copy and paste the results of the scan on my corporate workstation, running NT4.0

    And yes they are out to get me :(

    D:\$AttrDef 09.08.02 14:53 35.16 KB Hidden from Windows API.
    D:\$BadClus 09.08.02 14:53 0 bytes Hidden from Windows API.
    D:\$BadClus:$Bad 09.08.02 14:53 9.30 GB Hidden from Windows API.
    D:\$Bitmap 09.08.02 14:53 2.33 MB Hidden from Windows API.
    D:\$Boot 09.08.02 14:53 8.00 KB Hidden from Windows API.
    D:\$LogFile 09.08.02 14:53 4.00 MB Hidden from Windows API.
    D:\$MFT 09.08.02 14:53 25.95 MB Hidden from Windows API.
    D:\$MFTMirr 09.08.02 14:53 4.00 KB Hidden from Windows API.
    D:\$Quota 09.08.02 14:53 0 bytes Hidden from Windows API.
    D:\$UpCase 09.08.02 14:53 128.00 KB Hidden from Windows API.
    D:\$Volume 09.08.02 14:53 0 bytes Hidden from Windows API.
    D:\WINNT\Profiles\admeier\Anwendungsdaten\Mozilla\Firefox\Profiles\Default User\Cache\EE31AF68d01 23.02.05 16:13 135.60 KB Visible in Windows API but not in MFT or directory index.

    1. Re:my office pc is infected = howto remove? by Anonymous Coward · · Score: 0
    2. Re:my office pc is infected = howto remove? by erlenic · · Score: 4, Informative

      The only way to remove a root kit is to format the drive and reinstall the OS. Have fun!

      Seriously though, at least two of those are listed in the article as being fine. Looking over the list, I don't see anything suspicious, and I have many of the same things listed for my system. Although if I'm reading that third line right, you have 9 GBs of bad clusters. You might want to scandisk.
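The reply's reading of that scan (NTFS metadata files are expected, a 9.30 GB bad-cluster stream is worth a chkdsk) is the kind of triage every RootkitRevealer user ends up doing by hand. Here is an added example, not part of RootkitRevealer or the posters' material, that parses the text lines pasted above and sorts them. It treats the standard NTFS metafiles as expected only when they sit at the volume root (a file called $MFT in a subdirectory would not be), treats "visible in Windows API but not in MFT" as something to re-scan (usually a file written or deleted while the scan ran), and marks anything else hidden from the API for investigation. The last sample line, a driver path, is a constructed placeholder added to exercise that branch; the directory comes from the wehup comment above.

```python
"""Triage of RootkitRevealer text output. Added example; assumes the line
format shown in the thread: <path> <dd.mm.yy> <hh:mm> <size> <unit> <description>."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the poster's lines above (extraction break in the Mozilla
# path closed) plus one constructed "driver" line with a placeholder name.
SAMPLE_SCAN = r"""
D:\$AttrDef 09.08.02 14:53 35.16 KB Hidden from Windows API.
D:\$BadClus 09.08.02 14:53 0 bytes Hidden from Windows API.
D:\$BadClus:$Bad 09.08.02 14:53 9.30 GB Hidden from Windows API.
D:\$Bitmap 09.08.02 14:53 2.33 MB Hidden from Windows API.
D:\$Boot 09.08.02 14:53 8.00 KB Hidden from Windows API.
D:\$LogFile 09.08.02 14:53 4.00 MB Hidden from Windows API.
D:\$MFT 09.08.02 14:53 25.95 MB Hidden from Windows API.
D:\$MFTMirr 09.08.02 14:53 4.00 KB Hidden from Windows API.
D:\$Quota 09.08.02 14:53 0 bytes Hidden from Windows API.
D:\$UpCase 09.08.02 14:53 128.00 KB Hidden from Windows API.
D:\$Volume 09.08.02 14:53 0 bytes Hidden from Windows API.
D:\WINNT\Profiles\admeier\Anwendungsdaten\Mozilla\Firefox\Profiles\Default User\Cache\EE31AF68d01 23.02.05 16:13 135.60 KB Visible in Windows API but not in MFT or directory index.
C:\WINNT\System32\Drivers\PLACEHOLDER_hidden.sys 23.02.05 16:20 12.00 KB Hidden from Windows API.
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d\d\.\d\d\.\d\d) (?P<time>\d\d:\d\d) "
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+)$"
)
UNIT_BYTES = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Standard NTFS metadata files. They are hidden from the Windows API by design,
# so RootkitRevealer always lists them; trusted only at the volume root.
NTFS_METAFILES = {
    "$AttrDef", "$BadClus", "$Bitmap", "$Boot", "$LogFile", "$MFT",
    "$MFTMirr", "$Quota", "$UpCase", "$Volume", "$Secure", "$Extend",
}
HIDDEN = "Hidden from Windows API."
NOT_IN_MFT = "Visible in Windows API but not in MFT or directory index."


@dataclass
class Finding:
    path: str
    size_bytes: int
    description: str
    verdict: str          # "expected", "recheck" or "investigate"
    note: str = ""


def classify(path: str, size_bytes: int, desc: str) -> Tuple[str, str]:
    parts = path.split("\\")
    name = parts[-1]
    base = name.split(":", 1)[0]      # "$BadClus:$Bad" -> "$BadClus" (ADS stripped)
    at_root = len(parts) == 2         # r"D:\$MFT" -> ["D:", "$MFT"]
    if desc == NOT_IN_MFT:
        return "recheck", "likely created or deleted during the scan; re-run and compare"
    if desc == HIDDEN and at_root and base in NTFS_METAFILES:
        note = ""
        if name == "$BadClus:$Bad" and size_bytes > 0:
            note = f"{size_bytes / UNIT_BYTES['GB']:.2f} GB marked bad; run chkdsk"
        return "expected", note
    return "investigate", "hidden from the API and not a known NTFS metafile"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; returns None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(float(m["size"]) * UNIT_BYTES[m["unit"]])
    verdict, note = classify(m["path"], size, m["desc"])
    return Finding(m["path"], size, m["desc"], verdict, note)


def triage(report: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in report.splitlines()) if f]


def summary(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.verdict:12} {f.path}  {f.note}")
    print(summary(triage(SAMPLE_SCAN)))
```

On the pasted scan this yields eleven expected entries (with the chkdsk note on the bad-cluster stream), one re-check and, for the constructed driver line, one item to investigate. The allowlist deliberately matches on the root-level name only; a rootkit that named its files after NTFS metafiles would still be reported.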

  28. No info on what the results mean! by techmuse · · Score: 1

    Ok. So I ran the utility and got 33 discrepancies. Some look like they are probably default MS stuff (as described on the sysinternals site). But not all. But how do I tell what those other things are? Are they a rootkit, or just a normal part of Windows?

    1. Re:No info on what the results mean! by Bert64 · · Score: 1

      A real rootkit would try to make itself look like legitimate tools as well, to reduce the chances of it being identified and removed.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:No info on what the results mean! by Duhavid · · Score: 1

      Set up a pristine machine*, run the test against that, see what the differences are?

      Just a thought, perhaps a stupid one.

      * Pristine meaning OS + your supposed patch level, assuming you can achieve that.

      --
      emt 377 emt 4
  29. Re:A level of sophistication? by dasunt · · Score: 1

    As the sysinternals article suggests, boot from a known clean CD and do an "off-line" system scan. They make the point that it will never be possible to determine with absolute certainty that a system is clean from inside the system.

    Always a good suggestion.

    That being said, what is preventing a trojan from digging into the MBR (old virus-style), then running in memory upon HDD boot and launching the rest of its code from an "unused" section of the drive?

    Of course, there are problems: Not much room in the MBR, and the OS may actually use the empty sector unless steps are taken to prevent it. Would be an interesting proof-of-concept code.

    *boot from CD, scan drive, find no trojans, boot from HDD, scan drive, trojan runs.
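Khazunga's list earlier in the thread (leave cylinders unallocated, mark sectors bad, mark clusters used) and the MBR scenario just above share one defensive check: from a clean boot, read the partition table and account for every sector, and fingerprint the MBR boot code so it can be compared with a baseline. The following is an added example, not code from any poster or from Sysinternals, that does that for a classic (non-GPT) MBR. It covers only the partition-table side; bad-cluster marks and bitmap tricks live inside the filesystem, where the $BadClus and $Bitmap metafiles would have to be compared against what the file system actually uses. The disk layout and the MBR bytes below are constructed sample data, and the run-from-clean-media assumption is the poster's own.

```python
"""MBR partition-table accounting and boot-code fingerprinting. Added example;
the sample MBR is constructed here, not read from a real disk."""
import hashlib
import struct
from typing import List, Tuple

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446        # boot code is bytes 0..445, table follows, 0x55AA at 510
SIGNATURE = b"\x55\xaa"

Partition = Tuple[int, int, int]  # (type, lba_start, sectors)


def build_mbr(entries: List[Partition], boot_code: bytes = b"") -> bytes:
    """Construct a 512-byte MBR image (sample data only)."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        for ptype, start, count in entries
    ).ljust(64, b"\x00")
    return code + table + SIGNATURE


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty primary partition entries of an MBR image."""
    if len(mbr) < 512 or mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts


def unallocated_regions(parts: List[Partition], disk_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges (start, length) that no partition covers, excluding sector 0.

    The short run right after the MBR is normal alignment space (boot loaders
    keep a second stage there); a large gap between or after partitions is the
    "unused section of the drive" the thread is talking about.
    """
    gaps = []
    cursor = 1
    for _ptype, start, count in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the 446 boot-code bytes, to compare against a known-good baseline."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()


# Constructed sample: a 10 GiB disk (20971520 sectors), an NTFS partition at
# sector 63 and a second partition that leaves about 1 GiB unused at the end.
SAMPLE_DISK_SECTORS = 20971520
SAMPLE_MBR = build_mbr([(0x07, 63, 16777216), (0x83, 16779264, 2097152)])

if __name__ == "__main__":
    for start, length in unallocated_regions(parse_mbr(SAMPLE_MBR), SAMPLE_DISK_SECTORS):
        print(f"unallocated: sectors {start}..{start + length - 1} "
              f"({length * 512 / 2 ** 20:.1f} MiB)")
    print("boot code sha256:", boot_code_digest(SAMPLE_MBR))
```

Against a real disk the first 512 bytes come from the block device (opened read-only from the live CD) and the sector count from the device size; the digest is only useful if the baseline was recorded from a boot you trusted at the time.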

  30. Paranoid? by DoChEx · · Score: 3, Interesting

    Is it just me or do other people think this is just part of the ongoing line of propaganda to undermine current technology and make people more open to the idea of Trusted Computing, formerly known as Palladium??? I know the current software isn't perfect but you'll never have a completely safe system, so long as the user operating it has system administrator privileges. Trusted computing, or the solution to the above problem, is to implement security access where even the owner of the system is deemed untrustworthy.

    1. Re:Paranoid? by JamieF · · Score: 1

      >I know the current software isn't perfect but you'll never have a completely safe system, so longer as the user operating it has system administrator privileges.

      So don't give users root access. You don't need some sort of hardware DRM crap to do that.

      >you'll never have a completely safe system ...period. No need to add conditions to that.

      Why would shifting more responsibility onto a vendor that's legendary for shipping buggy, insecure software make the system more secure?

    2. Re:Paranoid? by wings · · Score: 1

      Just think. If Palladium or Trusted Computing is implemented and the vendor has root, I'm sure some advertising company will dangle enough money in front of your vendor so that you'll get vendor mandated^Wapproved spy^H^H^Hmonitoring software installed with your next Service Pack. Even if you can even figure out it's installed, you couldn't remove it.

  31. Where? by Anonymous Coward · · Score: 0

    Really? Where?

    (hint: chkrootkit isn't it)

  32. You can download this from Usenet if slashdotted by Anonymous Coward · · Score: 0

    It's currently hidden in a naked Christina Aguilera avi file so The Man will keep his hands off it. I would install it double quick without taking any time to scan it for viruses. It's just too important to wait.

  33. Incompatible? by gr8_phk · · Score: 4, Insightful
    "It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent."

    I can see it now. The future Microsoft product (which might come free with the OS) will say this other tool is a rootkit and remove it. This area of security should be very interesting to watch.

    1. Re:Incompatible? by Anonymous Coward · · Score: 0

      I've already had McAfee VirusScan tell me that some of the tools that I downloaded from SysInternals matched virus signatures.

    2. Re:Incompatible? by cnettel · · Score: 3, Interesting

      Possibly. But, what I was talking about is that some sysinternals tools overload/hook certain kernel calls. The system call tables are, IIRC, write protected even from kernel when the kernel has been loaded in the current/coming Win64 editions.

  34. The key word is... by fatgeekuk · · Score: 1

    not YET found.

    Just wait a month/week/day and there will be a new rootkit specifically engineered to be undetectable.

    It's like publishing your own personal list of spam filter rules... as soon as you do, all the spammers use this to work out a wrinkle.

  35. I'm not sure if it would help by Gary+Destruction · · Score: 1

    But Crucial Security has a tool called Crucial ADS which scans for alternative data streams in NTFS volumes. http://www.crucialsecurity.com/downloads.html

  36. How paranoid am I? by clowe · · Score: 0

    Given the incestuous relationship between Microsoft and Intel, I find myself more than a little suspicious of code MS releases only for the AMD64 core. But I'm sure it will all be fine...

  37. Simple, really by sczimme · · Score: 4, Informative


    Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

    The entity/app/device known as a rootkit was first popularized (so to speak) as a way for the intruder to hide his tracks and maintain root access on a Unix machine. If rootkits had first become popular (again, so to speak) on Win32 machines they likely would have been called adminkit or similar.

    In a general techspeak sense, though, (root == full access); most techies have at least a nodding acquaintance with Unix so the idea of root makes sense regardless of the OS in question.

    The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be a relatively simple matter to acquire it again.

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:Simple, really by Barlo_Mung_42 · · Score: 1

      "The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be a relatively simple matter to acquire it again."

      That's more optimistic than cynical. It means that security is improving when the black hats have to step it up a notch.

  38. Close the blinds! by Anonymous Coward · · Score: 0

    and stop displaying your rootkit out of windows...

  39. We need forums... by Anonymous Coward · · Score: 0

    Looks like somebody's going to have to start a RootkitRevealer forum to go with all the HJT forums, 'cause I sure can't tell what's what on this scan. "Post your RKR scan here and we'll tell you what's hosed."

  40. Microsoft trawls a big net. by Anonymous Coward · · Score: 0

    As a side effect, they kill a lot of dolphins.

    Does the size of the marketplace they create outweigh the risks of participating in it? Well, we all have our opinions, and ultimately it's a question for every potential customer to evaluate on their own.

  41. Google and Sysinternals... by scovetta · · Score: 2, Interesting

    Google and Sysinternals are the only two companies that always make me feel good about being a Computer Scientist.

    If I were Google, I'd buy Sysinternals and have them help build GoogleOS.

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
    1. Re:Google and Sysinternals... by Mr+Bubble · · Score: 1

      If you were Google, you would actually buy Winternals, which is the for-profit side. But, I don't think Google wants to buy a Windows utilities company.

      --
      "The world is a construct of forceful imagination. Those who don't know walk around in the reailties of those who do"
  42. Sysinternals.com is a Good site by tristanj · · Score: 5, Informative
    Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

    Here are some good tools of theirs that I use frequently:

    Autoruns
    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
    Shows a complete list of programs that start up automatically when Windows starts.

    Filemon
    http://www.sysinternals.com/ntw2k/source/filemon.shtml
    Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware.

    Regmon
    http://www.sysinternals.com/ntw2k/source/regmon.shtml
    Like Filemon, but for registry access. Shows keys being read and created.

    Pagedefrag
    http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml
    Defrags the registry hives (most of the registry is stored on disk but is not typically defragmented by many tools) and the paging file.

    Also many others here:
    http://www.sysinternals.com/ntw2k/utilities.shtml

    IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

    1. Re:Sysinternals.com is a Good site by pe1chl · · Score: 1

      Filemon and Regmon are also very useful when you are trying to lock down a system and are confronted with applications that only like to run on a system where the user has Administrative access.

      Creating tempfiles in %windir%, keeping datafiles under %ProgramFiles%\Appname, modifying registry keys in HKEY_LOCAL_MACHINE, etc. These can be tracked with those tools.

  43. Got about 15 "Access is denied" results by Nine+Tenths+of+The+W · · Score: 1

    Is this normal?

    --
    Slashdot: News for Nerds, Stuff that matters only to them
    1. Re:Got about 15 "Access is denied" results by Anonymous Coward · · Score: 0

      Read The Article.

  44. How do you REMOVE a rootkit? by Eric_Cartman_South_P · · Score: 3, Insightful

    This is good and all, but how do you remove a Rootkit if it finds one?

    1. Re:How do you REMOVE a rootkit? by denis-The-menace · · Score: 4, Informative

      Just use MS SOP to fix 99% of problems: Re-install

      The irony here is that it's what you have to do to be 100% sure that no rootkit exists in ANY OS.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:How do you REMOVE a rootkit? by 3.5+stripes · · Score: 3, Funny

      Format c:

      --


      He tried to kill me with a forklift!
    3. Re:How do you REMOVE a rootkit? by Anonymous Coward · · Score: 0

      FYI, the reader should note that "MS SOP" is not a software package but shorthand for "Microsoft Standard Operating Procedure".

    4. Re:How do you REMOVE a rootkit? by caseih · · Score: 1

      The only way to really remove a rootkit on any operating system (Linux, Unix, Windows, etc.) is to do a format and reinstall of the OS. This is unlikely to ever change for any operating system. Except for maybe trusted computing...

    5. Re:How do you REMOVE a rootkit? by Reziac · · Score: 1

      I tried format.c -- it wouldn't compile. ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  45. Re:A level of sophistication? by Anonymous Coward · · Score: 2, Insightful

    What is to stop a rootkit from putting itself in the BIOS or the firmware of your hard drive or CD drive? How would you detect a rootkit living in the flash memory on your Nvidia card? I doubt most people are going to be desoldering chips to check for rootkits which is what would be required.

  46. Re:A level of sophistication? by Hal_Porter · · Score: 2, Informative

    Hmm, it's an interesting idea, and you could do it back in the DOS days - load above DOS, hook some vectors that allow you to wake after it loads and the system is yours.

    The problem is that Windows takes over completely - it switches into protected mode, overwrites all memory and generates its own interrupt vector table. Hiding from Windows wouldn't be too hard - you'd just hook the BIOS to tell it not to use bits of memory when NTDETECT runs. The problem would be getting your code to run after Windows loads.

    Actually, you could imagine a virus that virtualises the CPU (maybe with the Vanderpool stuff). That way you'd get called whenever Windows did some trappable operation like changing the page table. You'd wait until system structures have stabilised and then install your API hooks.

    It's non trivial though.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  47. For the Average User, Worthless by TheDoctorWho · · Score: 3, Interesting

    For the hacker, priceless. This really accomplishes so little. Sure, here are your 'discrepancies', but they might not be that at all. Mostly pointless. A good step, but only something the hackers will get control of well before this becomes mainstream.

  48. Re:A level of sophistication? by johndiii · · Score: 1

    Not a bad point, at least in regard to the BIOS. If it can be legitimately flashed, then it can be corrupted. But the hard drive, CD drive, and video card firmware is run by the processors or microcontrollers in those devices, not by the CPU, so while (at least in the case of the drive firmware) it could be used to hide things, it would be more difficult to hide the firmware changes. The altered firmware would have to know the exact disk location of the OS elements it would replace (by injecting its own code when those sectors are read), as well as hiding from direct memory access to the firmware. Probably not impossible, but more likely to just trash the machine than actually function.

    --
    Floating face-down in a river of regret...and thoughts of you...
  49. Re:A level of sophistication? by johndiii · · Score: 1
    From the article:
    The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.
    I would think that any competent antivirus product would scan the MBR as a matter of course. It might still be possible to hide in the BIOS (as the AC poster below suggests), but that leads to further complications.
    --
    Floating face-down in a river of regret...and thoughts of you...
  50. Re:Better solution. (mod parent up!) by cypherz · · Score: 3, Interesting

    VMware is a very good way to neuter Windows and minimize some of its bad behavior. I've been beating the crap out of my windows development environment for two years straight with no re-installs of windows. My windows environment is hosted by SuSE Linux. I have reverted to a snapshot a couple of times, at a cost of a couple of minutes of downtime. Saving the original install off to somewhere safe is easy (just copy the virtual machine's directory somewhere else).

    --
    This sig kills fascists.
  51. somebody mod this mother fucker redundant by Anonymous Coward · · Score: 0

    There's a lot of money there and they aren't going to stop so easily, they'll try other methods, and the fact that 99% of XP users run with administrator privileges is too sexy, it allows you to reach the kernel, where you're god and you can bypass spyware/virus programs.

    thank you for telling us what the fuck we already know....I can't believe you got modded +5 insightful for this, jackass...

    1. Re:somebody mod this mother fucker redundant by diegocgteleline.es · · Score: 0, Flamebait

      thank you for telling us what the fuck we already know....I can't believe you got modded +5 insightful for this, jackass...

      Bah, everybody also knows that I'm a jackass and you didn't get modded up. See the difference?

  52. ...MRxDAV... by Timo_UK · · Score: 1

    was found in the Registry. Does anybody know what this is?

    --
    Timo's Audio Software http://www.esseraudio.com
    1. Re:...MRxDAV... by ectotherm · · Score: 0

      http://support.microsoft.com/?kbid=832143 Click and learn, Grasshopper... ;)

      --
      "Nature bats last..."
    2. Re:...MRxDAV... by Fulg · · Score: 1

      Google is your friend...

      (sorry, couldn't resist)

      --
      gcc: no input sig
    3. Re:...MRxDAV... by Timo_UK · · Score: 1

      Of course I Googled, and I got just f*cking useless results! Know-it-alls like you were beaten up on the playground when I was a kid...

      --
      Timo's Audio Software http://www.esseraudio.com
    4. Re:...MRxDAV... by Fulg · · Score: 1

      Of course I Googled, and I got just f*cking useless results! Know-it-alls like you were beaten up on the playground when I was a kid...

      Easy there bud. This wasn't meant as a personal attack you know.

      Look a little deeper at the f*cking useless results. I had no clue what mrxdav was either and the first hit from Google reveals it is the "Web Distributed Authoring and Versioning (WebDAV)" component from Microsoft. This is further confirmed with subsequent Google hits.

      Just because the answer isn't in the title of the Google hit doesn't make it f*cking useless...

      --
      gcc: no input sig
  53. An argument in favor of NTFS by Beryllium+Sphere(tm) · · Score: 1

    An MBR-based rootkit would look partly like a boot manager. It might bootstrap up to being able to read/write a file system, then install a rootkit into the Windows binaries (complete with a shutdown script to remove itself), and then chainload to Windows.

    If it had to unravel NTFS to do its dirty work, that would make it a larger and more error-prone piece of code.

    Yeetch, that would be a nasty one. Ghostbuster wouldn't detect it. You'd need a boot CD that looked at all the boot records and maybe even compared LILO and Grub MD5s^H^H^HSHA1s^H^H^H^HSHA256s against known good values.

    1. Re:An argument in favor of NTFS by Hal_Porter · · Score: 2, Informative

      You'd need a boot CD that looked at all the boot records and maybe even compared LILO and Grub MD5s^H^H^HSHA1s^H^H^H^HSHA256s against known good values.


      Most people who run XP don't use a bootmanager, so the mere presence of one should be enough to ask the user why it's there, with the default action to disable it by installing the standard MBR / bootsector.

      Oh, and Microsoft kernel mode binaries are public key signed since Windows 2000, so you don't need MD5/SHA - you can see if they are haxored or not by checking the signature.

      Interestingly enough, you can do Start->Run sigverif.exe on a live system. The problem with sigverif is that it dumbly scans the windows directory for all files, not just the critical ones - I get warnings on a bunch of dlls, because they came with ancient 3rd party software.

      Signature verification is the way to check the files on a bootdisk like BartPE or WinPE, though it would need to be a bit smarter than sigverif.
      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
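The offline comparison Beryllium suggests (a boot CD checking boot records and binaries against known-good values), with the hash-list variant Xenna describes further down the thread, as an added example. This is not Sysinternals or Microsoft code, and it does plain hash comparison against a baseline rather than the Authenticode signature check Hal_Porter mentions, which needs the Windows crypto APIs. The file tree it scans is constructed inside a temporary directory; the path names are made up to look like a system32 directory.

```python
"""Offline integrity check: hash every file under a tree while booted from
trusted media, keep the manifest where the suspect machine cannot write it,
later re-hash and diff. Added illustration, not Sysinternals code. The
sample tree and its contents are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, root):
    """Re-hash root and report what changed relative to the baseline.
    A rootkit that patches a driver shows up as 'modified'; a dropped
    driver shows up as 'added'. Only meaningful when run from clean media,
    since on a live rootkitted system open()/read() may be hooked too."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed system32-like tree: baseline it, then tamper the way a
    kernel-mode rootkit install would (patch one driver, drop another)."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "drivers")
        os.makedirs(drivers)
        with open(os.path.join(root, "ntoskrnl.exe"), "wb") as f:
            f.write(b"kernel image (constructed content)")
        with open(os.path.join(drivers, "ntfs.sys"), "wb") as f:
            f.write(b"ntfs driver (constructed content)")
        baseline = build_baseline(root)

        # tamper: append a patch to ntfs.sys and drop a new driver
        with open(os.path.join(drivers, "ntfs.sys"), "ab") as f:
            f.write(b"\x90\x90patched")
        with open(os.path.join(drivers, "hidden.sys"), "wb") as f:
            f.write(b"dropped driver (constructed content)")
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken from a known-clean install and stored off the machine (or on read-only media), and the comparison run after booting from a CD or a BartPE/WinPE disk; run on the live system it only tells you what the hooked API lets it see.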
  54. Re:A level of sophistication? by m50d · · Score: 1

    Companies are starting to have digital signatures on their firmware and BIOS, mostly to stop geeks messing with them but it also stops this happening. The limited space available and the difficulty of programming at such a low level also puts a BIOS-level rootkit beyond the capabilities of most script kiddies. It's doable, but very hard - even when viruses were hand-coded in assembly, very few of them went near the BIOS, and those that did usually just trashed it.

    --
    I am trolling
  55. I wonder how well this would work. by jd · · Score: 1, Insightful
    I'd want to test it against the following scenarios, before I'd have much confidence:


    • Polymorphic viruses/rootkits (work by having self-modifying and/or self-encrypting code)
    • Stealth viruses/rootkits (work by intercepting syscalls and reads, making it appear that the values are normal)
    • Dead-Space viruses/rootkits (dead-space exists because file boundaries aren't the same as sector boundaries or (for FAT-based systems) the same as cluster boundaries - this memory is free to use by viruses, but would be invisible to file-level operations)
    • Bad Sector viruses/rootkits (viruses where the loader is visible, but where the main body of the code is concealed from the OS by flagging the sectors as bad - the loader either ignores the flag or temporarily resets it to load in)
    • Virtual System viruses/rootkits (these would likely reside in Flash RAM and create a virtual machine any loaded software would run in - any rootkit checker that was loaded would still be running inside the virtual machine of the rootkit)


    Only the first two of these are known to exist in the wild. You might find the rest in a research lab, you might not. But these are certainly known technologies. They require no technique that isn't already known, understood and routinely used throughout the software industry. If viruses don't exist that use them, then it's just a matter of time.


    I would not trust a rootkit detector that can't handle known vulnerabilities, only known attacks. The attacks of yesterday aren't the problem. If you are getting a rootkit detector, you're concerned about the attacks of tomorrow, next week and probably next year.


    It could be that this rootkit scanner will do the job, but it has to prove it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:I wonder how well this would work. by Anonymous Coward · · Score: 0

      Vulnerability scanners are a dime a dozen. So why does a rootkit scanner need to reinvent the wheel?

      Virtual system rootkits: please explain how such a thing would represent a compromise of the parent system. The *virtual* system is compromised, sure, but how is this different from compromising just some other machine on the same network?

      The rest of what you've written: go back and re-read (slowly and carefully) the Sysinternals description of their tool. As you are doing this, ask yourself how the rootkit is managing to make the results look exactly the same whether the resource was accessed by highlevel or lowlevel access. Also ask yourself what exactly triggers the system to execute code stored in dead-space or bad-sector locations.

      Upon reflection, blush in embarrassment.

    2. Re:I wonder how well this would work. by Xenna · · Score: 2, Informative

      Polymorphic: Useless because the scanner would check for the original binaries. If the checksum doesn't match a known good list -> alert. Viruses don't bother with polymorphism anymore since scanner manufacturers defeat these schemes easily these days.

      Stealth: ALL rootkits are stealth (hide their presence). That's the whole point of a rootkit.

      Dead space: Rubbish, data in dead space is never executed. It would have to be bootstrapped by normally visible code which is detected in the usual ways.

      Bad sector: See dead space

      Virtual system: See stealth

      All in all I'd say your post is somewhat overrated ;)

    3. Re:I wonder how well this would work. by ps_inkling · · Score: 1
      Bad sector viruses do exist in the wild -- early PC computers had boot-sector or application-patched code to load data from a (hard-coded) sector/cluster marked as bad (but really wasn't).

      I remember checking a brand-new floppy disc and seeing bad sectors listed by the CHKDSK program -- the disc had been infected with a bad-sector virus.

      The really nice part about bad-sector viruses is that the code to load a hard-coded sector from the hard drive and transfer execution is just a few bytes -- load AX, BX, CX, DX, call INT 13, and JSR to virus code.

      A dead-space virus would work in a similar manner, but the infection code would look for incompletely filled clusters and store code in the slack space of a cluster. Unfortunately, you also have to patch INT 13 to catch writes to your special sector so you can re-locate when your slack space is no longer slack (another file moves into the cluster). Much more difficult all around. (With dead-space viruses, if you have 4K clusters and store a file that's 1K long, there's 3K of slack space in the cluster holding the file data. If it's a 14K file with 4K clusters, that's 3 full clusters and 2K of slack space in the last cluster of the file data.)

      A virus using bad sectors to hold their code would be far more difficult in a microkernel environment where hardware access (INT 13) is not allowed from user space. It would be interesting to see Stoned or Ping-Pong on the "Press F8 for Boot Menu" text screen, though.
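The two hiding places ps_inkling describes (clusters flagged bad in the FAT, and slack space past a file's last byte in its final cluster), with the check an offline scanner would run against them, as an added example. This is not code from the thread or from RootkitRevealer; it works on a constructed FAT12-style table and data region rather than a real disk, and the file names, cluster layout and payload bytes are made up. The point it shows: a cluster marked bad should be unreadable or blank, so a "bad" cluster that reads back cleanly with non-zero content is the anomaly, and likewise slack that is not zero-filled.

```python
"""Finds data parked where file-level scanners do not look: FAT12 clusters
marked bad (0xFF7) and the slack after a file's end in its last cluster.
Added illustration with a constructed image; not Sysinternals code."""

FAT12_BAD = 0xFF7
FAT12_EOC = 0xFFF
CLUSTER = 512        # bytes per cluster in the constructed image
N_CLUSTERS = 16      # entries 0 and 1 are reserved; data starts at cluster 2


def fat12_get(fat, n):
    """Decode 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    return (v >> 4) if n & 1 else (v & 0x0FFF)


def fat12_set(fat, n, val):
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    if n & 1:
        v = (v & 0x000F) | ((val & 0x0FFF) << 4)
    else:
        v = (v & 0xF000) | (val & 0x0FFF)
    fat[off], fat[off + 1] = v & 0xFF, (v >> 8) & 0xFF


def cluster_bytes(data, n):
    start = (n - 2) * CLUSTER
    return data[start:start + CLUSTER]


def chain(fat, first):
    """Follow a cluster chain until an end-of-chain/out-of-range entry."""
    out = []
    n = first
    while 2 <= n < N_CLUSTERS and n not in out:
        out.append(n)
        n = fat12_get(fat, n)
    return out


def nonblank_bad_clusters(fat, data):
    """Clusters the FAT calls bad but which hold non-zero data."""
    return [n for n in range(2, N_CLUSTERS)
            if fat12_get(fat, n) == FAT12_BAD and any(cluster_bytes(data, n))]


def nonblank_slack(fat, data, dir_entries):
    """dir_entries: (name, first_cluster, size). Returns (name, slack_len)
    for files whose slack in the last cluster is not zero-filled."""
    hits = []
    for name, first, size in dir_entries:
        clusters = chain(fat, first)
        if not clusters:
            continue
        used_in_last = size - (len(clusters) - 1) * CLUSTER
        slack = cluster_bytes(data, clusters[-1])[used_in_last:]
        if any(slack):
            hits.append((name, len(slack)))
    return hits


def build_image():
    """Constructed FAT12 table and data region with two files, one genuinely
    bad cluster, one fake bad cluster holding a payload, and a file whose
    slack has been written into."""
    fat = bytearray(N_CLUSTERS * 3 // 2 + 1)
    data = bytearray((N_CLUSTERS - 2) * CLUSTER)
    # README.TXT: 700 bytes in clusters 2 -> 3; its slack stays zero
    fat12_set(fat, 2, 3)
    fat12_set(fat, 3, FAT12_EOC)
    data[0:700] = b"A" * 700
    # cluster 7: really bad; in this model it reads back as zeros
    fat12_set(fat, 7, FAT12_BAD)
    # cluster 9: flagged bad but holds code; opening bytes mimic the
    # mov ax,...; int 13h loader shape ps_inkling describes (constructed)
    fat12_set(fat, 9, FAT12_BAD)
    payload = bytes([0xB8, 0x01, 0x02, 0xCD, 0x13]) + b"\x90" * 27
    s = (9 - 2) * CLUSTER
    data[s:s + len(payload)] = payload
    # HOST.BIN: 100 bytes in cluster 5, with something stashed in its slack
    fat12_set(fat, 5, FAT12_EOC)
    s = (5 - 2) * CLUSTER
    data[s:s + 100] = b"B" * 100
    data[s + 300:s + 320] = b"\xEB\xFE" * 10
    return fat, data, [("README.TXT", 2, 700), ("HOST.BIN", 5, 100)]


if __name__ == "__main__":
    fat, data, entries = build_image()
    print("bad clusters with content:", nonblank_bad_clusters(fat, data))
    print("files with non-blank slack:", nonblank_slack(fat, data, entries))
```

As ps_inkling notes, slack moves when the file grows or another file takes the cluster, so a real slack-resident payload needs an INT 13h hook to follow it; the scanner side of that is simpler, because it only has to ask whether space that should be empty is not. On a real volume you would read the FAT and data region with raw sector access from boot media, not through the OS that may be lying to you.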

  56. Mental Illness Alert! by Anonymous Coward · · Score: 0

    Anger problem.

  57. Re:Better solution. (mod parent up!) by mchawi · · Score: 1

    What sort of hardware do you suggest for this?

    With the cost of VMware it almost seems like it would just be cheaper and more cost effective for a HOME solution to dual boot - although I can see it making sense for businesses.

  58. Paraphrasing..... by Anonymous Coward · · Score: 0

    ....my first Engineering manager:

    "Make it completely foolproof, and only a complete fool will use it."

  59. The Unseen Level of Sophistication by Captain+Scurvy · · Score: 1
    ...but that defeating their tool would require a level of sophistication not yet seen.

    Of course you haven't seen it. It's far too sophisticated. 85%+ of all Windows machines are running this rootkit, you just don't know it.

  60. Window BMPs? by paranerd · · Score: 1
    I've got several BMPs flagged. Anyone (everyone?) else?
    C:\WINNT\Soap Bubbles.bmp 12/7/1999 7:00 AM 64.43 KB Visible in Windows API, directory index but not in MFT.
    C:\WINNT\Soap Bubbles.bmp:&#5;Q30lsldxJoudresxAaaqpcawXc 12/7/1999 7:00 AM 5.70 KB Visible in Windows API but not in MFT or directory index.
    C:\WINNT\Soap Bubbles.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 12/7/1999 7:00 AM 0 bytes Visible in Windows API but not in MFT or directory index.
    1. Re:Window BMPs? by bunco · · Score: 1

      google for the file's md5 hash?

      The listings w/ ':' are alternate data streams (ADS). Those particular ones are commonly tied to image files. I suspect MS has leveraged ADS for thumbnailing or something.

      Great info here -> http://bellamyjc.net/fr/stream.html (sorry.. french only).

  61. Your system is fine... by Leadhyena · · Score: 5, Informative
    There is nothing wrong with your system. In the .chm file provided with the RootkitRevealer it explains:
    Hidden from Windows API discrepancies are the ones exhibited by most rootkits, however you should expect to see a number of such entries on any NTFS volume since NTFS hides its metadata files, such as $MFT and $Secure, from the Windows API. In addition, there are a number of Registry keys that are inaccessible from the Windows API and will report as access-denied discrepancies.
    This explains all of the listed entries except for the last one (the $BADCLUS entry is due to missing clusters, like the previous poster said, and you need to do a scandisk). Your last entry is there because you had Firefox open when you ran the scan. Again from the help file:
    Files or Registry data created after a scan starts will also show up as discrepancies, so run RootkitRevealer on an idle system.
    You're fine, although your reaction will be similar to many other users who will see the same thing and freak out similarly, because they don't understand NT internals... I think this is not a good tool to release to the masses, and should only be used by sysadmins, just like how HijackThis is really good for detecting spyware, but only to someone who knows something about Windows systems.

    Not to mention that if you have a rootkit installed, you better be prepared to wipe your system clean and reinstall the OS, because otherwise there's no way of knowing if you have the whole thing removed.

    1. Re:Your system is fine... by Anonymous Coward · · Score: 0

      My $badclus:$bad file is 146GB, the same size as my disk. I'm guessing here, but it's probably a sparse file that gets blocks allocated to hide bad clusters.

  62. NtQuerySystemInformation by bunco · · Score: 1

    Most rootkits intercept this call and filter accordingly. I would imagine the utility is looking for any reference to this system API call.

    I'm curious as to what they're looking for in the system hive.

    1. Re:NtQuerySystemInformation by myndzi · · Score: 1

      That's the entire point. The application calls functions that a rootkit would hook and alter.

      Then, it reads all the same data at the lowest level by using its own code to read the filesystem and registry files in a way that can't be hooked except at that same very lowest level in a very complex fashion.

      Compare the two, and you can see everything that is being hidden from the standard API calls, thus bringing to your attention files and registry entries etc. that are hidden by the rootkit.
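The cross-view technique myndzi describes, worked through as an added example rather than code from Sysinternals: one enumeration goes through the (hookable) OS API, one reads the on-disk structures directly, and the diff is the report. The raw MFT parse, the rootkit's hook and the file creation times are all constructed here; the verdict strings mirror RootkitRevealer's wording, and the two benign cases Leadhyena quotes from the help file (NTFS metadata files, and files created after the scan started) are separated from the genuine candidates.

```python
"""Cross-view detection: enumerate once through an API a rootkit can hook,
once from the raw on-disk view, and diff. Added illustration, not
Sysinternals code; all inputs are constructed."""

# NTFS metadata files never come back from the Windows API, so they appear in
# every raw-vs-API diff; the RootkitRevealer help file says to expect them.
NTFS_METAFILES = {"$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef",
                  "$Bitmap", "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend"}


def base_name(path):
    """Last path component without any ':stream' suffix (alternate data stream)."""
    return path.rsplit("\\", 1)[-1].split(":", 1)[0]


def is_metafile(path):
    return base_name(path) in NTFS_METAFILES


def api_enumerate(raw_view, hook, at_tick):
    """Simulated Windows API directory enumeration, taken at `at_tick` on a
    constructed clock (files created later are not there yet). `hook` models
    a rootkit's filter on FindFirstFile/NtQueryDirectoryFile: True means
    the entry is dropped from the results."""
    return {p for p in raw_view
            if raw_view[p] <= at_tick and not is_metafile(p) and not hook(p)}


def cross_view_diff(api_view, raw_view, scan_start):
    """raw_view maps path -> creation tick. Returns (path, verdict) for each
    entry present in only one of the two views."""
    findings = []
    for p in sorted(set(raw_view) - api_view):
        if is_metafile(p):
            verdict = "Hidden from Windows API: expected, NTFS metadata file"
        elif raw_view[p] >= scan_start:
            verdict = "Hidden from Windows API: created after scan start, rescan on an idle system"
        else:
            verdict = "Hidden from Windows API: rootkit candidate"
        findings.append((p, verdict))
    for p in sorted(api_view - set(raw_view)):
        findings.append((p, "Visible in Windows API but not in MFT: rootkit candidate"))
    return findings


def rootkit_hook(path):
    """Constructed rootkit behaviour: hide any file whose name starts with rk_."""
    return base_name(path).lower().startswith("rk_")


def demo():
    raw = {  # constructed raw parse of the volume: path -> creation tick
        r"C:\$MFT": 0,
        r"C:\$Secure": 0,
        r"C:\WINNT\explorer.exe": 0,
        r"C:\WINNT\system32\drivers\rk_hide.sys": 0,
        r"C:\WINNT\Temp\firefox.tmp": 105,   # created while the scan ran
    }
    api = api_enumerate(raw, rootkit_hook, at_tick=100)
    return cross_view_diff(api, raw, scan_start=100)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{path}\t{verdict}")
```

The hook here filters by name, which is what user-mode and simple kernel-mode rootkits do; the cross-view only fails if the rootkit also intercepts the raw reads the scanner makes at the lowest level, which is the "same very lowest level" caveat in the reply above.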

  63. His brother, by Duhavid · · Score: 0, Offtopic

    Obiquiet says "".

    ( He is living up to his name ).

    ( ( the above was intended as humour ) )

    --
    emt 377 emt 4
  64. halting problem by Anonymous Coward · · Score: 1, Insightful

    You're missing the big picture. Absolute certainty is impossible whether you're "inside" the system, or "off-line". A by-product of the halting problem is that you can't be certain what software does by automated analysis (ignoring trivial examples).

    The best you can do is find certain examples of malware or classes of it. This is the arms race that the virus scanners are in.

    1. Re:halting problem by johndiii · · Score: 2, Informative

      Your point is good (particularly the virus/scanner "arms race"), but not because of the halting problem. What you meant to say was the undecidability of the halting problem. Even so, to write off all automated analysis of software on that basis is a gross mis-generalization of the halting problem. The undecidability of the halting problem is a very narrow statement, and depends completely on the use of an algorithm to analyze a representation of itself. It is a theoretical statement of the power of an algorithm, and has never been applied in a practical circumstance (to my knowledge, anyway; any such example would be eagerly anticipated). In fact, per the Wikipedia article, there is a generalized algorithm to solve the halting problem for any finite machine (though it is so inefficient as to be useless).

      --
      Floating face-down in a river of regret...and thoughts of you...
  65. In other news... by eatjello · · Score: 2, Funny

    Microsoft purchases SysInternals this week; new Microsoft rootkit exposer available via Windows Update.

    1. Re:In other news... by Anonymous Coward · · Score: 0

      You meant "rootkit explorer"? :-)

  66. So where is the Linux version? by Anonymous Coward · · Score: 1

    Since there are so many root kits for Linux, you'd think that there would have been one of these already made for it.

    Where is it?

    1. Re:So where is the Linux version? by izakage · · Score: 0
  67. I can only imagine the Windows version of this... by Lodragandraoidh · · Score: 1

    'RootFind found the following questionable 'root kits' on a non-windows partition and deleted them for your safety:'

    Linux
    Emacs
    Apt
    Xorg
    etc...

    Thanks and have a nice day!


    The day my computer tells me what I can and can not do with my computer is the day the computer gets thrown through the wall...

    "Open the Pod Bay doors HAL"...

    "I'm Afraid I can't do that Dave..."

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  68. why should I trust this? by jaltman · · Score: 1

    granted that I think sysinternals makes good stuff but the root kit revealer is not digitally signed and is not distributed even by SSL/TLS. Perhaps the machine I have contacted is sending me a root kit instead.

    1. Re:why should I trust this? by Anonymous Coward · · Score: 0

      It IS signed & with a Verisign certificate..
      Check the Digital Signatures properties of the exe.

  69. Re:Better solution. (mod parent up!) by cypherz · · Score: 1

    VMware runs well on anything that runs Windows fast enough for you. If machine X runs windows well, then its fast enough to run VMware and windows, with one caveat: you must have enough RAM for the host as well as the guest OS.
    My 3.2 GHz HP notebook with 1 gig of RAM is much faster than I actually need. VMware runs the guest OS at approximately full speed. 1 gig lets the machine comfortably run KDE 3.2 and my Windows dev "box" and all the apps that I usually run in KDE and Winders. 1 gig is about all the memory I have ever _needed_ with VMware. Of course I'm only running one virtual machine.
    VMware currently costs 189 bucks at www.vmware.com

    There is also a VMware Version 5 beta that is available (free with registration).

    --
    This sig kills fascists.
  70. Re:Isn't this the same type of tool as by ZoomieDood · · Score: 0
  71. Thanks Again to these cats... by tweedlebait · · Score: 1

    Sysinternals has released so many tools that have made adminning life much easier and revealed what's going on under the hood in ways that would be laborious manually. Thanks again sysinternals for saving the day - i owe you some beer.

    --
    Firefox & /. ? Use this often:
  72. Even stranger... by Reziac · · Score: 1

    ... rootkit.com is slashdotted, while sysinternals.com is not. Do all these people know something we don't??

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  73. uuh by Anonymous Coward · · Score: 1, Insightful

    "defeating their tool would require a level of sophistication not yet seen"

    Actually, defeating their tool would be trivial.

    1) Have rootkit scan processes.
    2) UhOh, rootkitrevealer.exe just popped up!
    3) Kill rootkitrevealer.exe (simple win32 function)
    4) Popup fake rootkitrevealer.exe
    5) fake rootkitrevealer.exe says you are all clean
    6) Profit!!

    Uhoh, no missing steps.
    So called security experts are nothing more than fraudsters and snake oil artists.

  74. Yup fully protected. by TractorBarry · · Score: 1

    Well I downloaded that, ran it and I seem to have every rootkit on the list already installed.

    Another day, another test passed with flying colours !

    --
    Sky subscribers are morons. They pay to be advertised at !
  75. Rootkits and the Sysinternals product. by os2fan · · Score: 2, Interesting

    Root

    In Australia, root has several meanings, not at all nice. The sense is similar to f**k.

    • to have sex for the animal pleasure
    • to stuff up

    Accordingly something like root user has the connotation of one that roots your system.

    SysIntern RootKitRevealer

    I have a fairly typical multi-boot system, with two FAT16 partitions, a FAT32 partition, a reserved BeOS partition, a HPFS partition, and the usual swag of NTFS partitions.

    The disk has been showing signs of corruption [bad sectors], and a replacement is in hand: already bought, but there are some backup questions.

    RootRevealer had problems scanning the registry. (I suspect one of the registry hives is not well placed on the filesys.) On the other hand, I ran the thing from BartPE (it works), and it revealed a whole swag of OS/2 binaries, but I don't know if OS/2 or Windows placed them there. They were meant to be there, by the way. Apart from the metadata files in each partition, there were error messages from non-accessible partitions (like F: (HPFS) and H: (unformatted = BeOS)).

    --
    OS/2 - because choice is a terrible thing to waste.
  76. Not modifiable by a bug? by Anonymous Coward · · Score: 0

    Actually, I think some roaches have been known to snack on CDs that are lying around, so technically they could modify the disk ;)

  77. memory hog by v1x · · Score: 2, Insightful

    I suppose this program loads the entire system hives into memory at the same time, but my task manager is showing this program using 89 MB RAM & 82 MB virtual memory right now while the scan is running.

    Now, if I had to defeat this detection utility, maybe all I need is something that monitors processes that use RAM in this fashion.

  78. Too late by lee7guy · · Score: 1

    That already happened with Windows XP SP2. ;)

    --
    Ceterum censeo Microsoftem esse delendam
    1. Re:Too late by Anonymous Coward · · Score: 0
      YOU are KIDDING? BACKUP your CLAIM!!

      lol
  79. Ping-pong? by Anonymous Coward · · Score: 0
    It is theoretically possible for a rootkit to hide from RootkitRevealer.

    Then someone will come up with a RootkitRevealer hider revealer. Then someone will come up with a RootkitRevealer hider revealer hider. Then someone will come up with a RootkitRevealer hider revealer hider revealer. Then someone will come up with a RootkitRevealer hider revealer hider revealer hider. Then someone will come up with a RootkitRevealer hider revealer hider revealer hider revealer...

  80. Re:A level of sophistication? by Courageous · · Score: 1

    That being said, what is preventing a trojan from digging into the MBR (old virus-style), then running in memory upon HDD boot and launching the rest of its code from an "unused" section of the drive?

    You're not thinking big enough!

    FLASH THE BIOS HA HA. Probe the hardware, call home to a provider, fetch the right evil BIOS, flash it.

    Is there a Mod +1 Evil on slashdot? :)

    C//

  81. Re:In other news...Now that's entertainment! by joemontoya · · Score: 0

    LOL - rootkit explorer.

  82. BRAINS... need more BRAINS!!! by pVoid · · Score: 1
    Hey buddy. You love bitching about Microsoft and all, but shit aside, this rootkit detector is a brilliant app written by Sysinternals, who are a brilliant pair of programmers and also happen to be gurus of the Windows kernel.

    I know you would like to pretend that only Linux has a kernel, that the rest of the world uses cooperative multitasking on top of DOS, and that the only real programmers are OSS kernel developers with Linus driving the army with a penguin banner... but the reality is that there are brilliant people working out there even for Microsoft.

    Get over it.

    Btw, there isn't a similar rootkit detection tool for Linux. Tripwire and the like check for file signatures. This thing is much more intelligent than simple hash checking.

  83. How to hide from RootkitRevealer ... by eXocomp · · Score: 1

    I find it very interesting that RootkitRevealer finds a rootkit by virtue of its very attempt to hide. To hide from RootkitRevealer, all one would have to do is NOT hide from it!

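    The cross-view comparison the comment above refers to, as an added illustration that is not Sysinternals' code or part of the original thread: a high-level listing (what the API reports) is diffed against a low-level listing (what the raw volume holds), and only the entries that differ between the two views are flagged. The paths and sizes are constructed sample data; `cloaked.sys` and `unhidden.sys` are placeholder names, and the point the comment makes holds here too, since an entry present identically in both views is never reported.

```python
"""Cross-view diff illustration (constructed example, not RootkitRevealer's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # full path as seen in one of the two views
    size: int   # size in bytes reported by that view


def cross_view_diff(api_view, raw_view):
    """Compare a high-level (API) listing with a low-level (raw volume) listing.

    Returns (hidden, phantom, mismatched):
      hidden     - on the volume but missing from the API view (something filters the API)
      phantom    - in the API view but not on the volume (something fabricates entries)
      mismatched - in both views but with different metadata (the API view is being altered)
    Paths are matched case-insensitively, as Windows file systems are.
    """
    api = {e.path.lower(): e for e in api_view}
    raw = {e.path.lower(): e for e in raw_view}
    hidden = sorted(raw[p].path for p in raw.keys() - api.keys())
    phantom = sorted(api[p].path for p in api.keys() - raw.keys())
    mismatched = sorted(api[p].path for p in api.keys() & raw.keys()
                        if api[p].size != raw[p].size)
    return hidden, phantom, mismatched


# Constructed sample views. Sizes are made up; the names are placeholders.
API_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 983040),
    Entry(r"C:\Windows\System32\drivers\disk.sys", 36352),
    Entry(r"C:\Windows\System32\drivers\unhidden.sys", 4096),  # identical in both views
    Entry(r"C:\Windows\System32\ntdll.dll", 700000),            # API view reports a different size
]
RAW_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 983040),
    Entry(r"C:\Windows\System32\drivers\disk.sys", 36352),
    Entry(r"C:\Windows\System32\drivers\unhidden.sys", 4096),
    Entry(r"C:\Windows\System32\ntdll.dll", 700001),
    Entry(r"C:\Windows\System32\drivers\cloaked.sys", 20480),   # absent from the API view
]

if __name__ == "__main__":
    for label, paths in zip(("hidden", "phantom", "mismatched"),
                            cross_view_diff(API_VIEW, RAW_VIEW)):
        print(f"{label}: {paths}")
```
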
  84. I don't even know what to say.. by Anonymous Coward · · Score: 0

    An MCSE, for one..

    No password on Admin account, for two..

    "Rest assured" used in reference to a Windows admin situation where no password is on Admin, and "each user account is password-protected."

    Comedy Genius? You decide..