“Pulling Back the Curtain” – Rootkit Detection and Removal

by | Jul 31, 2019 | Malware, Malware Incident Response, Rootkit, Uncategorized

Rootkits may use any of a number of techniques to gain control of a system. As we noted in the “Man Behind the Curtain” introduction to Rootkit Malware, rootkits come in different makes and models, and the type of rootkit will determine the choice of attack vector.

We also touched on the fact that rootkits are typically designed to operate from the top-level “root” of an operating system, often hiding in the “kernel,” the core code of a computer’s operations that governs the whole system. The other major category is the user-mode rootkit, but these are detectable by antivirus software running at the kernel level. For this article we will focus our attention on the harder-to-detect, and harder-to-eliminate, kernel rootkit.

Kernel Rootkits: How they Lurk

Rootkits act behind the scenes. This does not mean, however, that rootkits don’t have to disguise themselves. They do, and they have some very effective cloaking devices. Kernel-mode rootkits take on the appearance of being just another device driver running in kernel mode. This helps them appear to be an intended part of the operating system, and antivirus programs are less likely to detect them when they use this cloaking method.

Rootkits do not merely obscure their looks; they also do a great job of obscuring their behavior. They can be designed to hide running processes from system-monitoring mechanisms. They can prevent the operating system from taking notice of certain system files being controlled by the rootkit, along with other configuration data. Just like in the Greek Watergate rootkit attack, where audit logs were disabled, rootkits can disable the event logging capacity of an operating system. The reason for this is to cover their tracks. Finding a rootkit is largely an exercise in sleuthing out its whereabouts based on the evidence it leaves behind, yet rootkits have the capacity to hide the evidence of their presence and of the attacks they perform.

Removing Kernel-mode Rootkits

For all these reasons, detecting and extracting a kernel-mode rootkit can be a major operation. Here are some of the procedures that might help reveal a potential rootkit problem and eliminate it from your operating system.

Rootkit Detection and Removal

As mentioned, rootkits use your operating system as a cloaking device, so using the same operating system to detect and reveal the rootkit won’t work. An alternative measure must be employed. Here are some of the top ways of doing it:

Boot from an alternative trusted medium.

A kernel-based rootkit uses a running operating system to cloak itself. If you effectively disable the OS, rootkits have trouble hiding. Shutting down an OS, then, and booting it up with a trusted “rescue” CD-ROM or USB, will make the rootkit easier to distinguish.

Use rootkit-detecting software.

Rootkit-detecting software can approach the task of identifying potential kernel-based rootkits in different ways. Depending on the software, it may be able to work while the infected OS is running, or it may work with the infected OS disabled. Here are three common types:

Behavior-based detection with system profiling.

This method of detection is helpful for finding rootkits that execute operations in a manner that would be considered unusual. In crypto-mining rootkits, for example, it will be able to detect the high frequency of GPU processes being transmitted to the internet. This behavior is fairly unique to crypto-mining, which makes this method of detection especially useful for systems hijacked by crypto-mining operations. Yet behavior-based detection is not without risks: perfectly legitimate system behaviors can be flagged accidentally. Proceed with caution.

Signature-based detection.

Every type of software file ever created comes complete with a signature that identifies it as unique. Signature-based detection is useful against rootkits that have been identified and flagged. It is not so useful against rootkits whose signatures have not yet been recognized by the registries that manage these flagged files.

Difference-based detection.

Instead of comparing signatures, it is also possible to compare files with “trusted” raw data. Difference-based detection means comparing the operating system’s version of a data set with what is on disk; for example, the results returned from a file system can be checked against the raw structures. It literally looks at the binary 1’s and 0’s and compares the metadata. But like behavior-based detection, it can produce false positives. It is also possible for a rootkit to side-step this kind of detection system.
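The comparison described above can be sketched as a cross-view diff. This is an added example, not code from the original article: one manifest is assumed to come from the running (suspect) OS and the other from the same disk scanned after booting trusted rescue media. The file names, contents and the `volatile_prefixes` parameter are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Return {relative_path: (size, sha256)} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), digest.hexdigest())
    return manifest

def cross_view_diff(live, trusted, volatile_prefixes=()):
    """Compare the running OS's view with the trusted offline view of one disk."""
    def keep(path):
        return not path.startswith(tuple(volatile_prefixes))
    live_paths = {p for p in live if keep(p)}
    trusted_paths = {p for p in trusted if keep(p)}
    return {
        # On disk, but the running OS did not report it: the cloaking case.
        "hidden": sorted(trusted_paths - live_paths),
        # Reported by the running OS, but absent from the offline scan.
        "phantom": sorted(live_paths - trusted_paths),
        # Present in both views with a different size or hash.
        "altered": sorted(p for p in live_paths & trusted_paths if live[p] != trusted[p]),
    }

def demo():
    """Constructed sample: a temporary tree stands in for the suspect disk."""
    with tempfile.TemporaryDirectory() as disk:
        for rel, data in {"drivers/disk.sys": b"legit driver",
                          "drivers/hid3n.sys": b"constructed sample",
                          "logs/events.log": b"boot 1\n"}.items():
            os.makedirs(os.path.dirname(os.path.join(disk, rel)), exist_ok=True)
            with open(os.path.join(disk, rel), "wb") as fh:
                fh.write(data)
        trusted = build_manifest(disk)
    # Simulated live view: one driver is filtered out, and the log grew legitimately.
    live = {p: v for p, v in trusted.items() if p != "drivers/hid3n.sys"}
    live["logs/events.log"] = (14, hashlib.sha256(b"boot 1\nboot 2\n").hexdigest())
    return cross_view_diff(live, trusted), cross_view_diff(live, trusted, ["logs/"])
```

The first result flags the changed log as well as the hidden driver, which is the false-positive problem noted above; excluding paths that legitimately change between the two scans leaves only the hidden file.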

Network users can unknowingly download malware and rootkits hidden in clickbait on the internet.


Found it! Now What? – Rootkit Removal

Manual removal of a rootkit is very difficult. It is not recommended for a typical computer user to try this on his or her own. In fact, some rootkits are so deep into the system that they can contaminate the hard drive’s boot sector and RAM. There are, regrettably, situations where you may have to say last rites and start over with a new system. If it is possible, however, to save an OS from a kernel-based rootkit infection, a technician well-versed in operating systems and malware remediation is worth your time and money. Determining the right detection procedure and removal strategy, so as not to make an already bad situation worse, is best done by those who know what they are doing. They will have the know-how to clean it up, perform forensic examination if necessary, and save as much of your data as possible.

Rootkit prevention is worth a pound of cure… and we can help with that.
