There exists much confusion between the terms malware and rootkit. In the context of malware, the rootkit is a part of the malware which ensures that a cyber miscreant maintains his access to the infected system. Even if the main malware engine is removed from the infected system, it can be reinfected using the rootkit.
A typical example of a kernel mode rootkit is a kernel device driver file, say rootkit.sys. This file uses the registry to load itself during system boot, and then monitors for events like registry changes, new processes, registry of new file systems, and removable media like USB drives. Historically, the term originated when miscreants started to use modified binaries to maintain superuser access "root" on Unix systems.
A malware payload can often be removed by stopping the responsible Windows exe/DLL from functioning. This is usually achieved by booting Windows in Safe mode to clean registry keys and files responsible for the malware’s startup. However, rootkits are sophisticated pieces of modules hidden deep inside the operating system (OS) along with legitimate software (like device drivers necessary for OS operation). A few such examples are the TDL rootkits, as well as those used by the Cutwail family.
Enter the anti rootkit software
An anti rootkit is a tool designed to identify various threats like rogue and suspicious processes, hooks or modules, registry keys, modified files, and known/unknown rootkits. This is usually achieved through techniques like identification of process hooks, examination of device drivers, digital signatures and network activity on the system under observation. The usefulness of anti rootkit software is often driven by factors like:
Effectiveness: How regular are the anti rootkit’s updates?
Usage: How extensive is the anti rootkit software’s documentation?
Implementation specific: How effective are the anti rootkit’s techniques, with respect to the rapidly changing sophisticated root kits?
Skillsets: The user’s skill level and experience with respect to an operating system is perhaps the most important factor while using an anti rootkit.
Some methods used by anti rootkit software includes comparison of files, registry (to registry obtained from clean systems), kernel system call table (to its corresponding disk image), detection of use of alternate data streams, and kernel memory to known rootkit signatures.
Windows anti rootkit software can be divided into two categories:
1. Analytical and diagnostic
Usage of these sophisticated tools requires considerable knowledge about the Windows OS’ internals. These powerful tools aid experts with an overview of the infected system. A novice computer user is unlikely to make any sense out of these tools’ output (nor are these tools recommended for them). These anti rootkits are transparent enough to show a dissected view of the system. Almost all of these come with a usage warnings of ‘use at your own risk'. It is recommended to backup your data first or use it on a test machine. Since each tool deals with critical OS internals, any unintentional mistake could lead to an unstable system and loss of data. Few popular names are GMER, Rootkit Unhooker and RootRepeal.
2. Scan and fix
These are more of a quick fix category of anti rootkit tools. Meant for scanning and removal of rootkits, these anti rootkits function like traditional antivirus software. However the efficiency of such anti rootkit software is dependent on the frequency of their updates. For example, an anti rootkit tool released in 2007 will not be able to detect the notorious TDL rootkits (first detected in 2008).
Making a generic anti rootkit to counter all kinds of known rootkit threats can be a very difficult job. This is often a more suitable job for a full blown antivirus package, since anti rootkits are expected to be compact. A few popular examples of such solutions are Dr. Web CureIt, RootKitRevealer and F-Secure BlackLight.
Best anti rootkit software of the trade
GMER is among the best anti rootkit software available on the Internet. It scans for hidden processes, threads, modules, services, hidden files, alternate data streams and registry keys. GMER also monitors drivers hooking system service dispatch tables (SSDT), interrupt descriptor tables (IDT), IRP calls and inline hooks. It is a must have tool if you are interested in rootkit removal.
Root Repeal is another rootkit detector and removal tool. This anti rootkit tool scans for hidden drivers, files, processes, SSDT and stealth objects. It has a friendly interface and a good set of features.
3. VBA32 arkit
This is a powerful anti rootkit solution. It has a good feature which checks digital signatures of the scanned files.
4. Rootkit Unhooker
It is quite a popular anti rootkit.
Category: Scan and Fix
It is an effective and simple to use scan and removal tool. The anti rootkit software’s free edition is available only for home PCs and performs an express scan.
Sysreveal is another upcoming anti rootkit tool. It has features which allow viewing of processes, drivers, SSDT, IDT and various kinds of hooks.
IceSword scans and monitors processes, ports, kernel modules, startup programs, Windows services, logs processes and thread creation. It is an excellent tool for diagnostics and defeating rootkits. Since it has been written by a Chinese programmer, there’s only limited support for other languages like English.
Apart from these popular anti rootkit software, the following scan and fix anti rootkits are worth a mention.
- RootkitRevealer by Windows Sysinternals
- F-Secure BlackLight
- McAfee Rootkit Detective
- Panda Anti Rootkit
- Trend Micro Rootkit Buster
- Sophos Anti-Rootkit
About the author: Aditya Lad is a B.Tech graduate in Electrical Engineering from IIT Roorkee. Computer security is among his areas of interest. Currently Lad works as a software developer in a Bangalore-based software firm, and has been part of the null Bangalore chapter (www.null.co.in). He can be contacted on [email protected].