Slashdot Mirror


SysInternals Releases RootkitRevealer

Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."


  1. Strange... by bigtallmofo · · Score: 5, Funny

    Every time I try to go to www.sysinternals.com to find the new Rootkit removal application, my system shuts down automatically.

    Probably nothing to worry about.

    --
    I'm a big tall mofo.
    1. Re:Strange... by SpinJaunt · · Score: 5, Informative
      If you are using Windows XP SP2 or Windows 2003 SP1, you'll need to turn off DEP (Data Execution Prevention) by editing your BOOT.INI and changing
      /noexecute=optin
      to
      /noexecute=AlwaysOff
      http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ddtools/hh/ddtools/BootIni_aff45176-bd02-43cf-9895-c212fa392de2.xml.asp I had this problem with Daemon Tools and Alcohol 120%.
      --
      /. is good for you.
    2. Re:Strange... by Anonymous Coward · · Score: 5, Funny

      Yeah, should probably just turn off that buffer overrun protection, don't know what it's good for anyways. Also you should set your administrative password to blank and share out your entire C drive with Everyone granted full control, just to make things easier.

    3. Re:Strange... by wo1verin3 · · Score: 2, Informative

      Or you could right click on My Computer, click 'advanced', click on 'settings' in the performance box, and then on the 'Data Execution Prevention' tab.

    4. Re:Strange... by PurpleXanathar · · Score: 2, Informative

      You can re-enable it after installing Daemon Tools and Alcohol (at least it worked for me).

  2. Sysinternals is great by Dr.Opveter · · Score: 5, Informative
    I love their stuff

    No really, they have class utilities for free, thanks Sysinternals

    --
    Sample this!
    1. Re:Sysinternals is great by cnettel · · Score: 4, Insightful
      Agreed.

      One can note that Microsoft is stopping some kinds of hooking of individual kernel functions in the AMD64 release of XP. It's motivated by the fact that it won't break binary compatibility with existing code, as it would be broken anyway, and that it leads to sounder use of the API. It makes some rootkitting harder, and tools like regmon (not filemon, as it can hook as a filesystem filter driver). It doesn't make any of it impossible, though. It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent.

    2. Re:Sysinternals is great by gowen · · Score: 2, Informative

      A screen saver that fakes Windows system crashes? xscreensaver has had one of those for years. (It also simulates Linux and Solaris kernel dumps, Macintosh Bombs, Amiga Guru Meditations and others)

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  3. Bloated Software Giant Ahead of the Curve Again by Anonymous Coward · · Score: 5, Funny

    Wow. Pop-up blocking, rootkit detection, basic network security... isn't it amazing how an enormous patent library and billions of dollars encourages so much innovation? It's like they're ten years ahead of everyone else.

    Wait... no, the other way around...

    Free Sony PSPs. It's real. It's here.

  4. Rootkit? by Fls'Zen · · Score: 5, Funny

    I didn't think people needed rootkits for windows...

    1. Re:Rootkit? by slavemowgli · · Score: 5, Insightful

      Why not? The purpose of a rootkit is usually not so much to take over a box (trivial on a standard Windows installation), but rather to hide the fact that such a take-over occurred.

      --
      quidquid latine dictum sit altum videtur.
    2. Re:Rootkit? by Geek+of+Tech · · Score: 3, Funny
      Wouldn't the appearance that the computer hasn't been compromised lead one to become suspicious?

      :P

      --
      Stop the Slashdot effect! Don't read the articles!
    3. Re:Rootkit? by Carnildo · · Score: 2, Funny

      It's getting insane and I favor criminal rather than civil charges if spyware makers began to make trojan horse rootkits.

      Personally, if that occurs, I favor dynamite charges over either of the above.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  5. So this is... by JustNiz · · Score: 4, Funny

    >> RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level,

    So this is a rootkit in itself.

    I don't know that I'd trust Microsoft any more than anyone else running rootkits on my system.

    1. Re:So this is... by interiot · · Score: 3, Informative
      No... Rootkits CHANGE the results of system API calls for everything running on the system, to try to hide the fact that there are suspicious processes and files on your system.

      RootKitRevealer doesn't change any results of API calls at all.

      RootKits are a fairly precisely-defined thing, I don't think there's as much grey area here as you think there is.

  6. handy by diegocgteleline.es · · Score: 5, Insightful

    This will be interesting as soon as spyware starts using rootkits in windows.

    You know, Microsoft is securing (really) XP with SP2, popup blockers, restrictions on ActiveX objects... which is great, but Microsoft has allowed a whole industry to grow - the spyware industry. There's a lot of money there and they aren't going to stop so easily, they'll try other methods, and the fact that 99% of XP users run with administrator privileges is too sexy, it allows you to reach the kernel, where you're god and you can bypass spyware/virus programs... (and if today's spyware is very poorly designed and can break your IE even when they don't really want that, guess how systems will start to break if rootkits start to be used....)

    1. Re:handy by arkanes · · Score: 3, Interesting

      Amusingly, large portions of MS software don't qualify for the "Designed for Windows" logo. Office springs immediately to mind - violates the HIG.

    2. Re:handy by Tim+C · · Score: 2, Insightful

      The real problem isn't people running as administrator; I do so at work and at home with no problems. The problem is naive computer users who run/install content from untrusted sources, don't run (up to date) AV software, don't use a firewall, etc.

      Even a system with zero exploits will not be safe from an incautious/careless user with the admin password. Even if all IE, ActiveX, etc holes are plugged, malware will still be installed piggy-backing on or masquerading as legitimate software installations.

      MS hasn't allowed the industry to grow, they just gave it a nice, easy start in life. The crap would still have been developed without their inadvertent help.

    3. Re:handy by stevenbdjr · · Score: 3, Interesting

      I don't know how your system is configured, but on my network all of my users run with non-privileged (read Users) accounts and can run Office 2000, XP, and 2003 just fine.

    4. Re:handy by hepwori · · Score: 2, Informative

      Can you explain how it doesn't qualify? I think you may be confused: you mentioned non-compliance with the HIG, but the HIG isn't referenced at all from the "Designed for Windows XP" specification.

      Take a look at the Designed for Windows XP Application Specification and let us know which bit you think Office doesn't comply with.

    5. Re:handy by skubeedooo · · Score: 2, Insightful

      I meant more in terms of privacy than persistency. For example, if someone gets access to your bank details, you could become very poor very quickly. I'm not sure what bank policy is about this, but I imagine you are treading on thin ice. If one's home-made films stored on one's home computer got stolen, this could also cause a big problem. There are lots of other important privacy things like this (unrelated to big-brother tinfoiling bullshit); I'm sure you can think of more.

  7. Looking forward... by Apiakun · · Score: 5, Funny

    defeating their tool would require a level of sophistication not yet seen

    What, until tomorrow?

  8. If you run linux by Apreche · · Score: 5, Informative

    If you run linux you can use chkrootkit

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:If you run linux by slavemowgli · · Score: 3, Informative

      You don't need to run Linux for chkrootkit. More or less any Un*x or Un*x-like OS will do fine:

      "chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64 and BSDI."

      --
      quidquid latine dictum sit altum videtur.
    2. Re:If you run linux by Taladar · · Score: 4, Informative

      Don't forget to run it from a known-good live-cd, otherwise it won't do you much good since it is just a script that uses several system programs.

    3. Re:If you run linux by OneArmedMan · · Score: 2, Informative

      RKHunter is another good RootKit checker for your Favourite Unix flavour.

      http://www.rootkit.nl/projects/rootkit_hunter.html

  9. Re:A level of sophistication? by LiquidRaptor · · Score: 2, Insightful

    Yeah, but at the moment this is a BIG help for people, plus I'm sure that as new rootkits become available they'll update this puppy. But it's not like Linux doesn't have its own rootkit detector http://sourceforge.net/projects/checkps/. Any server operating system is eventually going to have exploits if it's got any use, it's a fact of life, this tool helps find out if you got rooted, no more no less.

  10. LOL by http101 · · Score: 2, Funny

    "RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com."

    So it's kinda like telling my computer to turn its head and cough, right? *squeeze*

    --
    -- Game Developers: Stop porting badly-textured games from crappy console systems!
  11. Netcraft has announced; "God exists" by eatmywake · · Score: 2, Funny

    ...and goes by the alias "SysInternals".

    Forget the vatican and mecca, point your browsers to http://www.sysinternals.com and pay homage.

  12. Re:A level of sophistication? by johndiii · · Score: 5, Informative

    As the sysinternals article suggests, boot from a known clean CD and do an "off-line" system scan. They make the point that it will never be possible to determine with absolute certainty that a system is clean from inside the system.

    --
    Floating face-down in a river of regret...and thoughts of you...
  13. About the software by JordanAU · · Score: 2, Interesting

    I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds?? In other words is it foolproof?? I'm sorry that was a bad question. How foolproof is it??

    1. Re:About the software by Anonymous Coward · · Score: 4, Informative

      I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds??

      Short answer - no. It will flag stuff that is hidden from the Native Windows API but not everything that's hidden is bad.

      It's kind of a moot point anyway. If you find that you've been rootkitted you shouldn't try and clean it. You should reach for your original install media and start over.

      Alternatively, take off and nuke the site from orbit. Apparently it's the only way to be sure.

  14. Re:Call to arms by Taladar · · Score: 2, Informative

    Viruses don't disable rootkits, they install them. Rootkits are replacement system programs/libraries to hide the intruder's presence/activity on your computer.

  15. Microsoft BSA by TheFlyingGoat · · Score: 5, Informative

    While you're at it, download the Microsoft Baseline Security Tool. It's not quite the same, but it's an excellent tool for anyone looking to make their Windows box more secure. It can also scan computers on your network (that you have rights on), so you can easily find all the Windows boxes on your network that aren't up to date on their patches, have Guest accounts enabled, or other bad things.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
  16. Someone's got root... and I don't think it's me by LordCybrid · · Score: 2, Interesting

    Funny enough, when I tried to run RootKit Revealer, I got the 'Root kit detection utility has encountered a problem and needs to close. We are sorry for the inconvenience.' error. Not that that's suspicious, or anything like that...

    --
    RLU 180035, get yourself counted at http://counter.li.org
  17. how about a live cd? by zerkon · · Score: 2, Interesting

    waiting for the whoppix project to produce a livecd distro I can just pop in...

  18. Reputation Counts by Ridgelift · · Score: 5, Insightful

    Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use sysinternal's over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals". They put their name on everything they give away and sell.

    When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS have saved my butt in the field.

    Way to go Sysinternals.

  19. Paranoid? by DoChEx · · Score: 3, Interesting

    Is it just me or do other people think this is just part of the ongoing line of propaganda to undermine current technology and make people more open to the idea of Trusted Computing, formerly known as Palladium??? I know the current software isn't perfect but you'll never have a completely safe system, so long as the user operating it has system administrator privileges. Trusted computing or the solution to the above problem is to implement security access where even the owner of the system is deemed untrustworthy.

  20. Incompatible? by gr8_phk · · Score: 4, Insightful
    "It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent."

    I can see it now. The future Microsoft product (which might come free with the OS) will say this other tool is a rootkit and remove it. This area of security should be very interesting to watch.

    1. Re:Incompatible? by cnettel · · Score: 3, Interesting

      Possibly. But what I was talking about is that some sysinternals tools overload/hook certain kernel calls. The system call tables are, IIRC, write protected even from the kernel once the kernel has been loaded in the current/coming Win64 editions.

  21. Re:RootKit in windows? by tverbeek · · Score: 4, Funny
    Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

    For the same reason trackpads, wireless pointing devices, and such are called "mice", even though they look nothing like a mouse.... why solid state storage devices are called "flash disks" or "flash drives", even though there's nothing flat and circular in them and no moving parts... why the stuff in the middle of pencils is called the "lead", even though it's mostly graphite... why magazines featuring stories told with sequential art are called "comic books", even though they're usually not humorous.

    --
    http://alternatives.rzero.com/
  22. Simple, really by sczimme · · Score: 4, Informative

    Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

    The entity/app/device known as a rootkit was first popularized (so to speak) as a way for the intruder to hide his tracks and maintain root access on a Unix machine. If rootkits had first become popular (again, so to speak) on Win32 machines they likely would have been called adminkit or similar.

    In a general techspeak sense, though, (root == full access); most techies have at least a nodding acquaintance with Unix so the idea of root makes sense regardless of the OS in question.

    The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be a relatively simple matter to acquire it again.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  23. Google and Sysinternals... by scovetta · · Score: 2, Interesting

    Google and Sysinternals are the only two companies that always make me feel good about being a Computer Scientist.

    If I were Google, I'd buy Sysinternals and have them help build GoogleOS.

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  24. Sysinternals.com is a Good site by tristanj · · Score: 5, Informative
    Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

    Here are some good tools of theirs that I use frequently:

    Autoruns
    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
    Shows a complete list of programs that start up automatically when Windows starts.

    Filemon
    http://www.sysinternals.com/ntw2k/source/filemon.shtml
    Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware.

    Regmon
    http://www.sysinternals.com/ntw2k/source/regmon.shtml
    Like Filemon, but for registry access. Shows keys being read and created.

    Pagedefrag
    http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml
    Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file.

    Also many others here:
    http://www.sysinternals.com/ntw2k/utilities.shtml

    IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

  25. How do you REMOVE a rootkit? by Eric_Cartman_South_P · · Score: 3, Insightful

    This is good and all, but how do you remove a Rootkit if it finds one?

    1. Re:How do you REMOVE a rootkit? by denis-The-menace · · Score: 4, Informative

      Just use MS SOP to fix 99% of problems: Re-install

      The irony here is that it's what you have to do to be 100% sure that no rootkit exists in ANY OS.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:How do you REMOVE a rootkit? by 3.5+stripes · · Score: 3, Funny

      Format c:

      --
      He tried to kill me with a forklift!
  26. Re:A level of sophistication? by Anonymous Coward · · Score: 2, Insightful

    What is to stop a rootkit from putting itself in the BIOS or the firmware of your hard drive or CD drive? How would you detect a rootkit living in the flash memory on your Nvidia card? I doubt most people are going to be desoldering chips to check for rootkits which is what would be required.

  27. Re:A level of sophistication? by Hal_Porter · · Score: 2, Informative

    Hmm, it's an interesting idea, and you could do it back in the DOS days - load above DOS, hook some vectors that allow you to wake after it loads and the system is yours.

    The problem is that Windows takes over completely - it switches into protected mode, overwrites all memory and generates its own interrupt vector table. Hiding from Windows wouldn't be too hard - you'd just hook the BIOS to tell it not to use bits of memory when NTDETECT runs. The problem would be getting your code to run after Windows loads.

    Actually, you could imagine a virus that virtualises the CPU (maybe with the Vanderpool stuff). That way you'd get called whenever Windows did some trappable operation like changing the page table. You'd wait until system structures have stabilised and then install your API hooks.

    It's non trivial though.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  28. For the Average User, Worthless by TheDoctorWho · · Score: 3, Interesting

    For the hacker, priceless. This really accomplishes so little. Sure, here are your 'discrepancies', but they might not be that at all. Mostly pointless. A good step, but only something the hackers will get control of well before this becomes mainstream.

  29. Re:Like a partition? by Geek+of+Tech · · Score: 3, Interesting
    Nah. I'm waiting for one that converts the filesystem to an encrypted filesystem of its own, and makes all disk access go through itself first.

    No way will it let you remove itself. If you boot off of some sort of safe media and delete the thing, the computer no longer has the ability to read any of its data.

    Yeah, I know I messed up the jargon, but I'm sure I'll be corrected on that. :P

    --
    Stop the Slashdot effect! Don't read the articles!
  30. Re:Better solution. (mod parent up!) by cypherz · · Score: 3, Interesting

    VMware is a very good way to neuter Windows and minimize some of its bad behavior. I've been beating the crap out of my windows development environment for two years straight with no re-installs of windows. My windows environment is hosted by SuSE Linux. I have reverted to a snapshot a couple of times, at a cost of a couple of minutes of downtime. Saving the original install off to somewhere safe is easy (just copy the virtual machine's directory somewhere else).

    --
    This sig kills fascists.
  31. Re:Like a partition? by Technician · · Score: 2, Insightful

    Would standard MBR scans catch that?


    It would be hard to hide from any Linux Live CD. You boot a read-only file system (not modifiable by a bug), load a trusted application (FDISK or Disk Druid) and check the partition table. Not much can hide from a scan from a non-compromised OS.

    --
    The truth shall set you free!
  32. Re:RootKit in windows? by ratnerstar · · Score: 2, Funny

    Because "rootkit" sounds cool, like a plumber's tool or some sort of kinky sexual practice.

    --
    Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
  33. Re:Better solution. by cypherz · · Score: 2, Informative

    The hardware that the hosted OS sees is generic virtualized hardware. I've used the vm containing my Windows dev environment on 4 machines over the two years I've been using it. I haven't had to reconfigure W2K once. As long as the DVD (or other hardware) is seen by linux, then vmware will virtualize it and present it to the hosted OS as a generic dvd (or whatever is appropriate). For example, the dvd on my current notebook is a hitachi. It is presented to Windows as an NEC/Vmware CD.

    --
    This sig kills fascists.
  34. Re:my office pc is infected = howto remove? by erlenic · · Score: 4, Informative
    The only way to remove a root kit is to format the drive and reinstall the OS. Have fun!

    Seriously though, at least two of those are listed in the article as being fine. Looking over the list, I don't see anything suspicious, and I have many of the same things listed for my system. Although if I'm reading that third line right, you have 9 GBs of bad clusters. You might want to scandisk.

  35. Re:An argument in favor of NTFS by Hal_Porter · · Score: 2, Informative

    You'd need a boot CD that looked at all the boot records and maybe even compared LILO and Grub MD5s^H^H^HSHA1s^H^H^H^HSHA256s against known good values.


    Most people who run XP don't use a bootmanager, so the mere presence of one should be enough to ask the user why it's there, with the default action to disable it by installing the standard MBR / bootsector.

    Oh, and Microsoft kernel mode binaries are public key signed since Windows 2000, so you don't need MD5/SHA - you can see if they are haxored or not by checking the signature.

    Interestingly enough, you can do Start->Run sigverif.exe on a live system. The problem with sigverif is that it dumbly scans the Windows directory for all files, not just the critical ones - I get warnings on a bunch of DLLs, because they came with ancient 3rd party software.

    Signature verification is the way to check the files on a bootdisk like BartPE or WinPE, though it would need to be a bit smarter than sigverif.
    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  36. Your system is fine... by Leadhyena · · Score: 5, Informative
    There is nothing wrong with your system. In the .chm file provided with the RootkitRevealer it explains:
    Hidden from Windows API discrepancies are the ones exhibited by most rootkits, however you should expect to see a number of such entries on any NTFS volume since NTFS hides its metadata files, such as $MFT and $Secure, from the Windows API. In addition, there are a number of Registry keys that are inaccessible from the Windows API and will report as access-denied discrepancies.
    This explains all of the listed entries except for the last one (the $BADCLUS entry is due to missing clusters, like the previous poster said, and you need to do a scandisk). Your last entry is there because you had Firefox open when you ran the scan. Again from the help file:
    Files or Registry data created after a scan starts will also show up as discrepancies, so run RootkitRevealer on an idle system.
    You're fine, although your reaction will be similar to many other users who will see the same thing and freak out similarly, because they don't understand NT internals... I think this is not a good tool to release to the masses, and should only be used by sysadmins, just like how HijackThis is really good for detecting spyware, but only to someone who knows something about Windows systems.

    Not to mention that if you have a rootkit installed, you better be prepared to wipe your system clean and reinstall the OS, because otherwise there's no way of knowing if you have the whole thing removed.
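    The two posts above describe the cross-view idea behind the tool (an API-level listing compared with a raw scan) and the benign discrepancy classes the help file says to expect. The following is an added illustration, not RootkitRevealer's code: it diffs two constructed in-memory views and sorts the differences into those classes. The entry names, timestamps and the "hypothetical_hidden.sys" path are all made up for the example.

```python
"""Cross-view discrepancy check in the spirit of the approach described in the
thread: compare what the Windows API reports (high-level view) with what a raw
parse of the volume and Registry hives shows (low-level view), and explain the
expected differences before flagging the rest. Added example; both views here
are constructed in memory, nothing is read from a real system."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# NTFS metadata files that the file system hides from the Windows API by design.
# $MFT, $Secure and $BadClus are named in the thread; the others are the
# remaining standard NTFS system files (general NTFS knowledge, not from the page).
NTFS_METAFILES = {
    "$MFT", "$MFTMIRR", "$LOGFILE", "$VOLUME", "$ATTRDEF", "$BITMAP",
    "$BOOT", "$BADCLUS", "$SECURE", "$UPCASE", "$EXTEND",
}


@dataclass(frozen=True)
class Entry:
    """One file or Registry key as seen by one of the two views."""
    path: str                    # e.g. r"C:\$MFT" or r"HKLM\SAM\SAM"
    created: datetime            # creation time recorded in the raw structures
    access_denied: bool = False  # high-level view only: the API refused to open it


@dataclass(frozen=True)
class Discrepancy:
    path: str
    category: str
    suspicious: bool


def _leaf(path: str) -> str:
    """Last path component, upper-cased for the case-insensitive metafile match."""
    return path.rsplit("\\", 1)[-1].upper()


def cross_view(high: list[Entry], low: list[Entry], scan_start: datetime) -> list[Discrepancy]:
    """Diff the API view against the raw view.

    Raw-only entries are 'hidden from Windows API'. Two benign explanations
    from the help text are filtered out first: NTFS metadata files, and objects
    created after the scan started. Keys the API lists but refuses to open are
    reported as access-denied discrepancies, which the help text also expects.
    Whatever remains is marked suspicious and deserves a look."""
    high_by = {e.path: e for e in high}
    low_by = {e.path: e for e in low}
    found = []
    for path, raw in low_by.items():
        api = high_by.get(path)
        if api is not None:
            if api.access_denied:
                found.append(Discrepancy(path, "access denied via Windows API", False))
            continue
        if _leaf(path) in NTFS_METAFILES:
            found.append(Discrepancy(path, "hidden from Windows API: NTFS metadata", False))
        elif raw.created >= scan_start:
            found.append(Discrepancy(path, "created after scan start", False))
        else:
            found.append(Discrepancy(path, "hidden from Windows API", True))
    # The reverse case: the API shows something the raw structures do not contain.
    for path in high_by:
        if path not in low_by:
            found.append(Discrepancy(path, "visible to Windows API but absent from raw scan", True))
    return sorted(found, key=lambda d: d.path)


def suspicious_paths(report: list[Discrepancy]) -> list[str]:
    return [d.path for d in report if d.suspicious]


# Constructed sample views modelled on the listing discussed above (not real scan output).
SCAN_START = datetime(2005, 2, 23, 10, 0, 0)
OLD = SCAN_START - timedelta(days=30)

SAMPLE_HIGH = [
    Entry(r"C:\WINDOWS\system32\ntoskrnl.exe", OLD),
    Entry(r"HKLM\SAM\SAM", OLD, access_denied=True),
]
SAMPLE_LOW = [
    Entry(r"C:\WINDOWS\system32\ntoskrnl.exe", OLD),
    Entry(r"HKLM\SAM\SAM", OLD),
    Entry(r"C:\$MFT", OLD),
    Entry(r"C:\$Secure", OLD),
    Entry(r"C:\$BadClus", OLD),
    # browser cache file written while the scan was running (the Firefox case)
    Entry(r"C:\Documents and Settings\user\Local Settings\Cache\_CACHE_001_", SCAN_START + timedelta(seconds=40)),
    # hypothetical driver present in the raw view but missing from the API view
    Entry(r"C:\WINDOWS\system32\drivers\hypothetical_hidden.sys", OLD),
]

if __name__ == "__main__":
    for d in cross_view(SAMPLE_HIGH, SAMPLE_LOW, SCAN_START):
        flag = "SUSPICIOUS" if d.suspicious else "expected"
        print(f"{flag:10} {d.category:48} {d.path}")
```

    Run as-is it prints six discrepancies, five of them explained by the help-file classes and one left for the admin to investigate.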

  37. In other news... by eatjello · · Score: 2, Funny

    Microsoft purchases SysInternals this week; new Microsoft rootkit exposer available via Windows Update.

  38. Re:I wonder how well this would work. by Xenna · · Score: 2, Informative

    Polymorphic: Useless because the scanner would check for the original binaries. If the checksum doesn't match a known good list -> alert. Viruses don't bother with polymorphism anymore since scanner manufacturers defeat these schemes easily these days.

    Stealth: ALL rootkits are stealth (hide their presence). That's the whole point of a rootkit.

    Dead space: Rubbish, data in dead space is never executed. It would have to be bootstrapped by normally visible code which is detected in the usual ways.

    Bad sector: See dead space

    Virtual system: See stealth

    All in all I'd say your post is somewhat overrated ;)

  39. Re:halting problem by johndiii · · Score: 2, Informative

    Your point is good (particularly the virus/scanner "arms race"), but not because of the halting problem. What you meant to say was the undecidability of the halting problem. Even so, to write off all automated analysis of software on that basis is a gross mis-generalization of the halting problem. The undecidability of the halting problem is a very narrow statement, and depends completely on the use of an algorithm to analyze a representation of itself. It is a theoretical statement of the power of an algorithm, and has never been applied in a practical circumstance (to my knowledge, anyway; any such example would be eagerly anticipated). In fact, per the Wikipedia article, there is a generalized algorithm to solve the halting problem for any finite machine (though it is so inefficient as to be useless).

    --
    Floating face-down in a river of regret...and thoughts of you...
  40. Re:Call to arms by Phisbut · · Score: 2, Insightful
    Good idea, but I'm waiting for the first batch of viruses or whatever to disable this rootkit.

    Other than noting that RootkitRevealer is not a rootkit itself, it's also nice to see that Sysinternals knows the weakness of their products, how it can be exploited, and how it is very very unlikely that it will be.

    It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.

    The complete opposite of security by obscurity. I like that.

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming
  41. Rootkits and the Sysinternals product. by os2fan · · Score: 2, Interesting

    Root

    In Australia, root has several meanings, not at all nice. The sense is similar to f**k.

    • to have sex for the animal pleasure
    • to stuff up

    Accordingly something like root user has the connotation of one that roots your system.

    SysIntern RootKitRevealer

    I have a fairly typical multi-boot system, with two FAT16 partitions, a FAT32 partition, a reserved BeOS partition, a HPFS partition, and the usual swag of NTFS partitions.

    The disk has been showing signs of corruption [bad sectors], and a replacement is in hand: already bought, but there are some backup questions.

    RootRevealer had problems scanning the registry. (I suspect one of the Registry hives is not well placed on the filesys). On the other hand, I ran the thing from BartPE, (it works), it revealed a whole swag of OS/2 binaries, but I don't know if OS/2 or Windows placed them there. They were meant to be there, by the way. Apart from the metadata files in each partition, there were error messages from non-accessible partitions (like F: (hpfs) and H: (unformatted = beos).)

    --
    OS/2 - because choice is a terrible thing to waste.
  42. memory hog by v1x · · Score: 2, Insightful

    I suppose this program loads the entire system hives into the memory at the same time, but my task manager is showing this program using 89Mb RAM & 82Mb virtual memory right now while the scan is running.

    Now, if I had to defeat this detection utility, maybe all I need is something that monitors processes that use RAM in this fashion.