All rootkits (hacking tools often grouped with ‘trojans’) employ a wide range of disguises to avoid detection. They take ‘root’ in the operating system kernel, gain control over certain system functions, and some can even disable weaker anti-virus scans. Originally (first in the early ’90s on Unix), the term ‘rootkit’ referred to a collection of legitimate system tools used by the administrator that were later subverted by hackers for intrusion and control. Anti-virus and anti-malware programs therefore need to perform what is forensically known as ‘live box analysis’ – real-time scans of the running system. The fact that rootkits constantly hide, or can disrupt some cleaning and security software, makes them difficult to find and potentially dangerous to data integrity and system stability.
Most rootkits are used in combination with other malware, such as viruses, other trojans and worms, to enhance their capabilities. These different elements hide in different ways and in varying places on the system, so developers have created a number of detection approaches. Advanced detection and security software will use a combination of the following:
- Firewalls – these filter network traffic and detect suspicious activity at ports;
- IDS (Intrusion Detection Systems) – these locate and remove any previously installed rootkits;
- IPS (Intrusion Prevention Systems) – these identify and then neutralize or quarantine suspected rootkits;
- Memory dump analysis – examining a static snapshot of memory (RAM) to detect active resistance by a rootkit.
Different Methods Used by Software to Detect Rootkits
There are several rootkit detection methods currently in wide use by security software:
Signature-based Analysis
This method compares files against known rootkit signatures and is used in most anti-virus packages. It also examines behavioral patterns tied to the operating activities of known rootkits, such as aggressive use of ports.
Detecting Interceptions
Windows employs pointer tables to run commands, and certain commands are known to prompt a rootkit to act. Because rootkits try to replace or modify anything that looks like a threat, they react to these test commands and so betray their presence.
Data Comparison from Different Sources
To remain hidden, rootkits may alter certain data presented during an examination (by substituting their own handlers for high-level APIs). It is therefore possible to detect them by comparing the results returned by high-level and low-level system calls. Another variation of this technique is to compare the process image loaded into RAM with the contents of the file on the hard disk.
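The cross-view comparison described above, as an added example that is not part of the original article: two independent views of the same process table are diffed, and anything one view hides or alters is reported. The process lists below are constructed sample data (the PIDs and names are made up), not output from a real system or from any particular detection tool.

```python
"""Cross-view rootkit detection: compare two independent views of the same
objects (e.g. a process list from a high-level API and one from a low-level
enumeration) and report anything one view hides.

Added example; the views below are constructed sample data, not output from a
real system or from any specific detection tool.
"""

# Constructed sample: what a high-level API (the one a rootkit can hook) reports.
HIGH_LEVEL_VIEW = {
    1234: "explorer.exe",
    2048: "svchost.exe",
    3001: "notepad.exe",
}

# Constructed sample: what a lower-level enumeration (e.g. walking kernel
# structures directly) reports for the same moment.
LOW_LEVEL_VIEW = {
    1234: "explorer.exe",
    2048: "svchost.exe",
    3001: "notepad.exe",
    4096: "updater.exe",   # present only in the low-level view: hidden from the API
}


def cross_view_diff(high_level: dict, low_level: dict) -> dict:
    """Return the discrepancies between two views of the same object set.

    'hidden'  : keys visible at the low level but missing from the high-level
                view; the classic signature of an API-hooking rootkit.
    'phantom' : keys the high-level view reports but the low-level view does
                not; unusual, and worth investigating as well.
    'renamed' : keys present in both views but with different names, which
                points to tampering with the returned data rather than
                outright hiding.
    """
    hidden = {pid: low_level[pid] for pid in low_level.keys() - high_level.keys()}
    phantom = {pid: high_level[pid] for pid in high_level.keys() - low_level.keys()}
    renamed = {
        pid: (high_level[pid], low_level[pid])
        for pid in high_level.keys() & low_level.keys()
        if high_level[pid] != low_level[pid]
    }
    return {"hidden": hidden, "phantom": phantom, "renamed": renamed}


def is_suspicious(diff: dict) -> bool:
    """Any discrepancy at all means the two views disagree and the host
    deserves closer inspection."""
    return any(diff[key] for key in ("hidden", "phantom", "renamed"))


if __name__ == "__main__":
    result = cross_view_diff(HIGH_LEVEL_VIEW, LOW_LEVEL_VIEW)
    for kind, entries in result.items():
        for pid, name in entries.items():
            print(f"{kind}: pid={pid} {name}")
    print("suspicious" if is_suspicious(result) else "views agree")
```

The same diff works for any pair of views (files on disk versus files listed by the shell, registry keys read through the API versus keys parsed from the hive file); what matters is that the two sources are gathered through different code paths, so a hook on one of them cannot adjust both.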
Integrity Check
A digital signature (built on a cryptographic hash function) is created for every system library at the outset, when the libraries are first registered and the system is known to be clean. Security software can then check the libraries for any alteration of their code.
Registry Comparisons
This is carried out by software on a preset schedule, or in real time, by comparing a clean specimen file with the client file to determine whether it is (or contains) an unrequested executable (a rootkit).
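Both the integrity check and the clean-specimen comparison above boil down to the same procedure: record a cryptographic hash of every file while the system is known to be clean, store that baseline somewhere the system cannot alter it, and later re-hash and compare. The following added example (not the article's code, nor any product's) implements that over an arbitrary directory tree; for the demonstration it builds a temporary directory of constructed files rather than touching real system libraries, and the file names and contents are made up.

```python
"""Integrity baseline for system libraries: record a cryptographic hash of every
file while the system is known clean, then re-check later and report anything
that was modified, added or removed.

Added example; it works on any directory tree and uses a temporary directory
with constructed files for the demonstration rather than real system libraries.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB pieces so large libraries are not loaded whole


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, streamed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str, suffixes=(".dll", ".sys", ".exe")) -> dict:
    """Walk `root` and hash every file whose name ends with one of `suffixes`.
    Keys are paths relative to `root`, so the baseline is portable."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def verify(root: str, baseline: dict, suffixes=(".dll", ".sys", ".exe")) -> dict:
    """Compare the current state of `root` against `baseline`."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Create a clean tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "drivers"))
        with open(os.path.join(root, "kernel32.dll"), "wb") as f:
            f.write(b"constructed clean library image")
        with open(os.path.join(root, "drivers", "disk.sys"), "wb") as f:
            f.write(b"constructed clean driver image")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("not a library; ignored by the suffix filter")

        baseline = build_baseline(root)
        snapshot = json.dumps(baseline, sort_keys=True)  # keep this offline, ideally signed

        # Simulate tampering: patch a library, drop in a new driver, remove one.
        with open(os.path.join(root, "kernel32.dll"), "ab") as f:
            f.write(b"\x90\x90 injected bytes")
        with open(os.path.join(root, "drivers", "hidden.sys"), "wb") as f:
            f.write(b"constructed unknown driver")
        os.remove(os.path.join(root, "drivers", "disk.sys"))

        return verify(root, json.loads(snapshot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only as trustworthy as its storage: if the snapshot lives on the same disk the rootkit controls, it can be rewritten along with the libraries, so in practice it is stored off-box or signed with a key the host does not hold. A rootkit that hooks the file-read API can also feed the checker the clean bytes while the real file is modified, which is why this method is combined with the cross-view comparison described earlier rather than relied on alone.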
Five Easy Ways to Detect Rootkits:
- Firewalls
An effective firewall acts as your perimeter, or border control. It will notify you if your network is under scrutiny; in the case of rootkits it should warn you as soon as you come near any questionable malware or, if the threat is not recognised straight away, quarantine any suspicious download for further examination before installation.
- Download ‘Hygiene’
Potential rootkits in downloaded software bundles can be detected manually by choosing the Advanced or Custom install options. Any unfamiliar files listed in the details shown before installation should either be discarded or checked with an online search for references to malicious software. Follow this routine every time, even for downloads from previously trusted sites, as infections may have been bundled in since your last visit.
- WinDbg
This is a multi-function debugging tool for Microsoft Windows. It can be used to perform debugging scans on applications, drivers or the operating system itself and presents the results in a coherent display. Look for the application under Programs and follow the on-screen instructions; if it isn’t included in your system, you can download it from the Microsoft website.
- Anti-virus/malware – Free Trials
A number of good products offer free trials prior to purchase. These are worth trying if you think you need a scan, but only use a product with reviews and a track record to back it up, and only from the official website (there are many rogue anti-virus programs that will bring nothing but trouble, so do your research into the company!).
- Installation of an Anti-virus Program
This is the best and most effective option. There are many tested and trusted packages on the market, some of which combine several or all of the approaches and methods above, providing real-time monitoring while browsing and regular system checks. Always choose a product with good reviews and, most importantly, good customer support and regular updates. And of course, after making your choice, only download a full, licensed version directly from THE COMPANY’S website – and get to the root of the rootkit problem!