November 20, 2007

Anti-rootkit Windows Tools: Searching for the Hidden

Yesterday George Bakos, SANS ISC handler, posted an entry asking for tools for malware analysis and removal, something we are involved in professionally, or personally with the family ;) Especially, we need to be ready for the holidays and have the incident handling jump bag (USB drive or CD) ready to go and clean up all the computers around us. If you are interested, check the follow-up by Kevin Liston on the SANS ISC handler's diary.

I was involved in some malware cleanup tasks this weekend, so I reviewed my toolkit. One set of tools that should be included in any jump bag is the anti-rootkit tools, given the number of malware specimens that include rootkit capabilities today. The following list (alphabetically ordered) includes different FREE Windows tools provided by AV vendors or individuals for this specific purpose (we leave other OSes (Linux, FreeBSD, etc.) aside this time). The list contains the direct tool download link, the main tool web page and author, the current version (as of 20/11/2007), and some other details:

The beauty of most of them (unless otherwise noted) is that they do not require any installation. They are single executable files that can be run, with Administrator privileges, from a USB dongle or CD to identify anomalies in the system, such as hidden processes, network connections, files and directories, registry entries, kernel hooks, drivers, etc. Most of these tools are integrated into the respective vendor's commercial AV product.

Rootkits are one of the most complex and advanced malicious software components today, so the tools are mainly focused on the identification phase. The successful removal of a (kernel) rootkit from a system is often a really complex task. For this same reason, you also need to familiarize yourself with the tools' output, as it is common to get a few false positives from legitimate artifacts running inside Windows.

Get ready for the holidays! Download all (or a few) of them now, and include these tools in your jump bag. It is highly recommended to run at least 2-3 of these tools and compare the results, trying to find glitches in The Matrix. More information and tools about anti-rootkit technologies are available at antirootkit.com.
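The reason for comparing several tools is the cross-view principle they are built on: the same object set (processes, files, registry keys) is enumerated through different paths, and whatever shows up in one view but not another is an anomaly. As an added example, not part of the original post, this PowerShell script applies that idea to the process list using three user-mode views (it assumes PowerShell 3 or later and an elevated prompt; a kernel rootkit that unlinks a process from the kernel's own list stays invisible to all three, which is exactly what the tools above exist for):

```powershell
# Added example (not from the original post): a minimal cross-view check for hidden processes.
# Caveats: the three views are not taken atomically, so a process that starts or exits while
# the script runs appears as a one-off discrepancy (re-run to confirm); counter names are
# localized on non-English Windows, so the '\Process(*)\ID Process' path may need translating.

function Get-ProcessViewDiscrepancy {
    # View 1: Win32 process API via Get-Process
    $api = @(Get-Process | ForEach-Object { $_.Id })

    # View 2: WMI/CIM, answered by the WMI provider host rather than by this process
    $wmi = @(Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId })

    # View 3: performance counters; every process instance exposes its PID as "ID Process"
    $perf = @((Get-Counter -Counter '\Process(*)\ID Process').CounterSamples |
        Where-Object { $_.InstanceName -ne '_total' } |
        ForEach-Object { [int]$_.CookedValue })

    $views = [ordered]@{ API = $api; WMI = $wmi; PerfCounter = $perf }

    # PID 0 (Idle) is reported inconsistently across views and is not a real process
    $allPids = $views.Values | ForEach-Object { $_ } |
        Where-Object { $_ -ne 0 } | Sort-Object -Unique

    # Report every PID that at least one view failed to return
    foreach ($p in $allPids) {
        $seenIn = @($views.Keys | Where-Object { $views[$_] -contains $p })
        if ($seenIn.Count -lt $views.Count) {
            [pscustomobject]@{
                PID       = $p
                SeenIn    = ($seenIn -join ', ')
                MissingIn = (@($views.Keys | Where-Object { $seenIn -notcontains $_ }) -join ', ')
            }
        }
    }
}

$findings = @(Get-ProcessViewDiscrepancy)
if ($findings.Count -eq 0) {
    Write-Host 'No discrepancies between the process views.'
} else {
    $findings | Format-Table -AutoSize
}
```

A PID that is consistently missing from one view across several runs deserves the same follow-up the article recommends: confirm it with two or three of the dedicated anti-rootkit tools before concluding anything.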

I've always been a great fan of rootkit and anti-rootkit technologies, publishing documents about Linux kernel rootkits and rootkits from a defensive perspective. If anyone (magazine, company, vendor, etc.) is interested in getting me involved in the in-depth analysis and comparison of all (or several) of the above anti-rootkit products/technologies, let me know (raul DOT siles AT gmail DOT com).

8 Comments:

Blogger Unknown said...

Cool! A nice addition to my toolkit :)

http://www.areino.com/herramientas-utiles/

3:47 PM  
Blogger James said...

Great article!

From my experience Sophos Anti-Rootkit is the best. I've been using it for over a year and it's never let me down.

James

10:58 AM  
Anonymous Anonymous said...

There's also a whole bunch of freebie antirootkits at http://wiki.castlecops.com/Lists_of_freeware_antirootkit

3:13 PM  
Anonymous Anonymous said...

How could you leave out Gmer and Rootkit Unhooker ... probably two of the best ARKs out there. They're even listed at AntiRootkit.com as having 5 stars each. At least you mentioned IceSword! :)

Both AntiRootkit.com and CastleCops have great forums that deal with a lot of malware cleanup. Do a bit of searching and you'll learn a LOT from those places.

4:46 AM  
Blogger Raul Siles said...

Anon reader,
I left these two out on purpose:

- If you check the Rootkit Unhooker site, and if you have used these tools frequently, you'd have noticed that its web page (http://rku.nm.ru/rkunhooker_v3/) has not been available for several months. So, I decided not to waste our readers' time with broken links.

- Gmer was not available either at the time of my writing, so I applied the same philosophy. As the AntiRootkit.com site says now, the official site is back. If you try to use the tool, you'd see the gmer.zip doesn't contain the gmer.dll, so the tool does not work. I prefer not to recommend tools that do not work. If you get the author to fix it, let me know and I'll add it to the list :)

Anyway, this is also why I added the AntiRootkit.com reference at the end of the article, just in case any reader wants more tools in the future. There are other 5* tools there I didn't include either. Do a bit of research and send us constructive comments. Thanks!

11:09 AM  
Anonymous Anonymous said...

OK, I just reread my comment and it doesn't read how I intended it to.

I *should* have said "For those that would like more information on ARKs, both CastleCops and AntiRootkit.com are excellent resources." That comment wasn't directed at you guys (the authors), though it reads like it was. :(

With regards to both Rootkit Unhooker and Gmer, I do highly recommend both of them. I have used them both and they each catch different things. Although RKU (Rootkit Unhooker) has been taken offline, if you can find one (from a very trusted source, if you even trusted the original) I would get it. As for Gmer, I wasn't aware that they removed the .dll from their package. I wonder what the reason is behind that?

Anyway, I just wanted to say that I really didn't mean to come off as being negative. I really hate those guys that think they're better than everyone else and that's how my comment sounded to me so for that, I apologize.

4:09 PM  
Blogger Raul Siles said...

Thanks for the clarification. Rectify is of wise people :)

6:18 PM  
Blogger Raul Siles said...

Seriously speaking, thanks for the additional comment. The fact that you spent some time clarifying the situation says a lot about you. We really appreciate it!

6:31 PM  