Last week, I mentioned that I’d be discussing both Rootkits and Keyloggers in this issue. However, due to the unexpected size of the Rootkit Q&A, I’m going to defer the keylogger topic to next week. With that being said, let’s jump right into it!
Q. What is a rootkit and can I purchase one at the local Wal-Mart?
A. I seriously doubt that you’d be able to purchase one at your local Wal-Mart. However, if you’re not careful, you can certainly pick one up for “free” over the World Wide Web.
First, let’s be clear that rootkits are designed for malicious intent. They are a form of malware – a broad term that covers Trojans, viruses, worms, adware, spyware and the like. Typically, a rootkit takes the form of a Trojan. In its simplest form a Trojan is a malicious program that masks itself as something else in order to get you to load it onto your system. You’ve probably heard of the Windows Anti-Spyware 2009 program that’s been corrupting computers for the past several months. This is actually a Trojan. It tells you that it found X number of spyware programs on your machine and that if you download the program, it will wipe away all of your problems…how nice. Actually, Malwarebytes (a free anti-malware program) was one of the first and easiest ways to remove this Trojan from a computer.
http://www.malwarebytes.org/
Okay, now back on topic…
Next, let’s discuss what the term “root” actually means. Back during the dawn of personal computing, the term “root” was used to identify the highest level of administrative access within the UNIX operating system. When I say “administrative access” I’m referring to a user that has maximum privileges throughout the entire operating system. The reason that I bring up UNIX is that it was one of the first widely used operating systems (pre-Windows era). In fact, UNIX beat the Windows OS to the internet by over a decade.
Therefore, when a hacker wanted to gain access to a UNIX machine it was difficult for them to install a file and run a procedure without being noticed. In order to escape detection they had to become stealthier and effectively invisible to the administrator or user of the soon-to-be compromised machine. The process of gaining access with full administrative privileges is called “getting root”. Thus, rootkit technology is a stealthy or hidden process that runs “under the radar”.
To translate this into Windows terms…a rootkit sinks deep within the OS and adds malicious code to registry entries, .dlls, system files and so forth. There are many rootkits that, even if you knew their file name and searched for it, you would not be able to find. More on this later…
Q. How would I suspect that a rootkit might be installed on my computer?
A. Immediate changes in your computer’s behavior patterns would be one cause for alarm. A couple of examples might include:
• You start seeing CPU spikes and are unable to identify the process that’s responsible
• The fan on your computer runs so often you no longer rely on your furnace to keep warm during the winter
• Your computer becomes slower than it already is (I know – this is a daily occurrence for many of us). This could mean that your CPU, RAM, and bandwidth are getting “shared” by an intruder
• You suddenly begin to see pop-up/warning messages from your outbound firewall stating that an unknown program is attempting to access the internet (depending on your firewall, you may/may not be alerted)
• The send/receive lights on your router or modem start flashing like the 4th of July and you aren’t causing it
• Law enforcement arrives at your front door with a warrant and mentions something about investigating you as a Spammer
Q. What is a rootkit actually capable of doing to my system?
A. Many rootkits install a backdoor daemon, which is a program that runs under someone else’s control. This backdoor creates an opening (opens a port) allowing the hacker to take control of the computer whenever you have connectivity. Once inside your system, they have access to everything you do and more. Many times they’ll load other “helper” programs to catch your keystrokes (such as a keylogger) or send information back to their server about which bank sites you’re hitting, etc.
In a nutshell…once a rootkit is installed on your computer the only limit lies in the imagination of the hacker. One thing to note is that there are several variations of a rootkit and each program has its own unique purpose.
Q. How can I protect myself from rootkits?
A. Basically, there are two ways: common sense computing and software. (And sometimes doing both might not matter.) I’ll explain what I mean by both in the list below:
• Keeping your OS updated with current patches. Microsoft now updates and runs their Malicious Software Removal Tool (MSRT) http://tinyurl.com/5lyxe during Patch Tuesday, which searches for rootkits on your machine. This is done behind the scenes after you install the updates. You must then restart your computer for the scan to begin. No manual intervention is required by the user and this only runs once per update. You will not even be able to tell that this process is running – but it is.
• Using antivirus software on a regular basis. Note: AV software has been losing the battle with rootkits, mostly because its malware identification logic is based on ‘signatures’ and heuristics. A rootkit might mask itself as a ‘normal’ system file and the AV software will skip right over it.
• Using a software firewall, preferably one that has strong ‘outbound’ protection (Vista is OK, XP not so good – try something like Comodo). The reason you want good outbound protection is to keep malicious programs from ‘calling home.’ A rootkit is only effective when it’s able to send the information it’s captured back to the hacker.
• Stay behind a router to hide your IP address; you will also benefit from the router’s hardware firewall.
• If you’re really concerned about malware you can use Host Intrusion Protection System (HIPS) software – I’ll be talking more about this in a future issue.
• Browse the Web using Sandboxie www.sandboxie.com/ (see issue #8). Out of all the programs that I’ve ever used – this is my personal favorite security tool for browsing.
• Don’t open any attachments from senders that you don’t know (this is where the common sense piece comes into play)
• Copy and paste hyperlinks/URLs (from emails) into your browser rather than clicking the stand-alone link
• Be cautious when you’re on social networking sites like Facebook, Twitter, MySpace, etc. Due to the massive number of users, malware writers love to “test” new code on these sites.
• Most major antivirus companies have some level of rootkit detection included in their software. However, it might not always be “on” by default, so check and make sure the settings are properly configured before running it.
• Don’t save any important passwords in your browser’s cache, i.e. bank account passwords ‘n such
• Use Secunia’s PSI application (free) to keep other 3rd party apps up to date. http://secunia.com/vulnerability_scanning/ (I highly recommend this!)
• Be cautious when downloading free applications from unfamiliar sites – many of these programs carry rootkits along with them
Q. Couldn’t I spot the rootkit process in the Windows Task Manager utility or find it by doing a search?
A. Great question, but the answer is no. You typically won’t see a well written rootkit in Task Manager. Even if you downloaded a more robust tool such as Process Explorer (from Sysinternals) it still wouldn’t show up.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
As I stated earlier, the MO of a rootkit is to remain stealthed/cloaked so that it can perform the evil bidding of its creator.
Also, since a rootkit compromises the operating system kernel, it can intercept the search response coming back to you and essentially “skips” the rootkit file name that you’re searching for. Therefore, you would never be able to find it by using the Windows search feature.
More on how it works – A rootkit digs deep down into the operating system level and creates its own running process at that level. Ultimately, it alters how the OS behaves and can even mask itself as a valid program. Some rootkits are so deeply embedded within the OS that if you do happen to remove them, it could break other critical pieces of functionality and you might be forced to completely reinstall Windows.
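The “skipped search result” described above is exactly what cross-view scanners look for: ask the OS for a directory listing, obtain the same listing from a lower-level source, and report anything present in one view but absent from the other. The following is an added simulation written for this newsletter, not code from the article or from Sysinternals; the directory contents, the hidden_drv.sys name and both view functions are constructed for the example.

```python
from typing import Dict, List, Set

# Constructed sample of what the volume really holds: the "raw" view a scanner
# obtains by reading the file system directly instead of asking the OS.
RAW_VIEW: Dict[str, List[str]] = {
    r"C:\Windows\System32": ["kernel32.dll", "ntoskrnl.exe", "hidden_drv.sys"],
    r"C:\Windows\System32\drivers": ["tcpip.sys", "hidden_drv.sys"],
    r"C:\Users\demo": ["notes.txt"],
}

# Names the simulated rootkit drops from every OS-level directory listing
# (hidden_drv.sys is a made-up name for this example).
CLOAKED: Set[str] = {"hidden_drv.sys"}


def api_view(path: str) -> List[str]:
    """Simulated hooked OS listing: the real entries are read, then the cloaked
    names are removed before the caller sees the reply. Nothing is hooked here;
    this only models the 'skipped search result' the article describes."""
    return [name for name in RAW_VIEW.get(path, []) if name not in CLOAKED]


def cross_view_diff(paths: List[str]) -> Dict[str, List[str]]:
    """Return {directory: names present in the raw view but missing from the
    API view}. A non-empty result is the discrepancy a cross-view scanner
    reports. Sets are compared so ordering differences between the two
    sources never count as a discrepancy."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        hidden = sorted(set(RAW_VIEW.get(path, [])) - set(api_view(path)))
        if hidden:
            findings[path] = hidden
    return findings


if __name__ == "__main__":
    for directory, names in cross_view_diff(list(RAW_VIEW)).items():
        print(f"{directory}: missing from OS listing -> {', '.join(names)}")
```

A discrepancy is a lead, not proof: on a real machine a file written between the two scans also shows up as a difference, which is why scanner output still needs a human to interpret it.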
Q. What’s the easiest and quickest way for me to see if I have a rootkit installed? I don’t want to spend a lot of time on this, so I’m looking for the simplest path.
A1. Download Avira's free anti-virus application.
http://tinyurl.com/8m2cc8
Avira provides you with as much protection as any other software product on the market today.
A2. Use Rootkit Revealer from Sysinternals
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
One of the reasons that Rootkit Revealer is so effective is that it actually uses rootkit technology. “It takes a rootkit to find a rootkit.”
Rootkit Revealer is a free tool and is only around 230KB in size. The link above also provides a page full of rootkit information. The only downside to this application is that once the scan finishes, you might not be able to immediately tell if a rootkit has been installed (it might take some ‘Googling’ to research the returned results). There are numerous other rootkit detection software options on the Web, but to keep it simple, free, and most importantly effective…go with Avira.
Comments from Mark Russinovich's blog at technet.com:
“Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden.”
I think this is about as far as I want to take the topic of rootkits – at least for now. The bottom line is that since rootkits are so difficult to detect and they open up a backdoor into your system, they are probably one of the worst pieces of malware that you can get on your computer.
News of the Week:
AVG notes: 200,000-300,000 NEW sites (per day) are hosting malicious code
http://tinyurl.com/cp8959
100-0 basketball victory…and the winning coach gets FIRED!
http://tinyurl.com/bjf2tc
White House email crash
http://tinyurl.com/bwodrd
Internet tops 1 billion users
In December 2008, more than one billion people used the internet. That's according to comScore, an internet marketing research company. China represented the largest online audience with 180 million users, followed by the United States and Japan. No word on how many of those users were on compromised machines.
Microsoft delays release of SP2 for Vista
Microsoft will deliver a Release Candidate of Windows Vista Service Pack 2 in March and not in February. Also, Microsoft will send the service pack build to OEMs (original equipment manufacturers) and retailers only in the second quarter of 2009 and not in April.
Update---Additional details on the Microsoft layoffs
Microsoft is planning to reduce its workforce by 5 percent over the next eighteen months, starting with a reduction in force of 1,400 by the end of Jan. But the roughly 5,000 jobs are far less than the 15,000 job cuts rumored prior to the announcement over a week ago.
What isn’t being mentioned is the rate of employee growth in recent years. Since 2005, Microsoft has grown its staff more than 12 percent each year. In fact, Microsoft plans to continue hiring in what it considers strategically important areas.
Other changes announced are pay freezes, reduction in the contractor force of up to 15 percent, delayed construction projects, and budget cuts in a number of “discretionary” areas.
Tip of the Week:
Create an RSS feed for any website
http://feedity.com/
Gadget of the Week:
USB 3.0
The specs for USB 3.0 have officially been completed. This now paves the way for manufacturers to begin building and releasing these devices. Some new features include:
• Greater data transfer rates – 480Mbps was the ceiling for USB 2.0; however, 3.0 will support transfer speeds up to 4.8Gbps (10 times faster than 2.0). Quite impressive I must admit.
• Backward compatible with USB 2.0
• Simultaneous read/write capability
• Power management – allowing devices to sleep, idle, suspend, etc.
• It will also include larger cables that are capable of carrying more power. Translation: your iPod, cell phone, or whatever else you charge won’t take as long to power up!
• Look for devices to be released in early 2010
Free Tool of the Week:
Ad-Aware
Ad-Aware celebrates 10 years of malware protection. Get the free anniversary edition as they are boasting the following numbers:
• Uses 74% less memory than Ad-Aware 2008.
• Uses nearly 60% fewer resources than the previous version, and considerably less than each competitor product tested, including AVG, Kaspersky, Norton, and PC Tools.
• Scans 36 MB per second – faster than each competitor product tested, and over 4 times faster than AVG’s.
Okay, so I’m sure that most of you have heard of this tool and many of you have probably used it at some point. Personally, I’ve been running Ad-Aware for over a year and it has always been a resource bear. My CPU use would shoot through the roof whenever I’d run a scan. After trying out the newest version I was quite impressed. My “Smart Scanning” run time decreased from 28 to 10 minutes. CPU use was never higher than 7% and I could hardly tell it was running. Overall, I’m much happier with Lavasoft’s new version and feel comfortable recommending it as a free anti-spyware tool.
http://www.lavasoft.com/products/ad_aware_free.php
Random Facts of the Week: (for your next Trivial Pursuit game)
Did you know?
• The current land speed record for a manned rocket car is 763 mph
• The current land speed record for an unmanned rocket sled (on rails) is 6,453 mph or Mach 8.5
• During re-entry back into the Earth’s atmosphere the Space Shuttle reaches speeds up to 17,500 mph. This makes it the fastest manned vehicle in the world.
Videos of the Week:
Rufus the slingshot master!
http://tinyurl.com/8zw72l
The secret megalopolis of the ants (the farm was abandoned)
It starts off a little slow, but it gets much better after about 1 minute in.
http://tinyurl.com/9fbtkk
Bushisms
Regardless of whether you love him or hate him…‘W’ has assembled some “pretty darn good” Bushisms that will entertain the YouTube generation for years to come.
http://tinyurl.com/7dfvy5
And finally the…
Website of the Week:
Sitonomy – The Anatomy of a website.
Tells you what underlying technologies are used on each site.
http://www.sitonomy.com/