Wednesday, April 20, 2005

Rootkits and RATs, the new menace...

Trojans and Spyware have already become the cause of most computer problems, but they pale in comparison to a new generation of slime rapidly spreading across the internet.  The difference with RATs or Rootkits is their power to completely hide their very existence; once a system is infested you cannot see the files in Explorer, the process does not appear in the Task Manager, and even their entries in the registry are hidden from view.

If you have, or have encountered, a system that refuses to be cleaned despite using Hijack This, Spybot S&D, Ad-Aware, Housecall, and Microsoft AntiSpyware, there's a good chance you have seen a Rootkit and didn't know it.  The first one I found was on a Windows Server that refused to install a needed service pack.  I could see the file it was complaining about from a workstation, but not on the Server where the file was actually located!

The trick to accomplishing this feat is for the malware to install part of itself as a driver, after which it is loaded during the boot process and truly has control of the system. 

Finding the beggars is a trick unto itself.  Luckily, so far, the root driver used to hide the scumware has not itself been hidden, meaning that if you find the .sys file and eliminate it, the rest will become visible when you reboot.

So far, the best tool I have found is Drivers.exe from the Windows Resource Kit; its output file will list the culprit.  Because it is a command line tool, I have added instructions on how to use it:

Download the Installer and run it.
Copy the file Drivers.exe from C:\Program Files\Resource Kit to C:\ using Windows Explorer
Do Start -> Run -> CMD<enter> to open a Command window
Type CD\<enter>
Type Drivers > Driverlst.txt<enter>
Type Exit<enter> to close the Command window.

Driverlst.txt can now be opened with Notepad and examined.  The far right-hand column lists the date each driver was added to the kernel.  Locate the newest, then do a Google search on its filename.  Many rootkits are too new to get a hit, and that in itself will make it suspicious.  If it is a legitimate driver, your search will reveal that too; so move on to the next newest, and so forth.
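Sorting a long Driverlst.txt by hand in Notepad is tedious, so here is a small script that does the "locate the newest" step from the procedure above.  This is an added example, not part of the original post and not a Resource Kit tool; the sample output it parses is constructed, the column layout (ModuleName, Code, Data, Bss, Paged, Init, LinkDate) is assumed to match what Drivers.exe prints, and "example_unknown.sys" is a placeholder name, not a real rootkit file.  It goes a step beyond the text by also letting you list every driver linked after a reference date, such as the date of your last known-good service pack.

```python
import re
import sys
from datetime import datetime

# Constructed sample of a Driverlst.txt produced by "Drivers > Driverlst.txt".
# Column layout assumed: ModuleName Code Data Bss Paged Init LinkDate.
# Module sizes are made up; "example_unknown.sys" is a placeholder, not a real rootkit.
SAMPLE_DRIVERLST = """\
ModuleName          Code   Data   Bss    Paged   Init   LinkDate
------------------------------------------------------------------
ntoskrnl.exe      432128  54912     0  1014016  174592 Wed Mar 24 23:29:46 2004
hal.dll            25344   5888     0    41216   10240 Fri Aug 17 20:48:57 2001
atapi.sys          42368   3456     0    34432    3840 Fri Aug 17 20:52:04 2001
tcpip.sys         174592  25728     0   143104   18688 Tue Apr  5 10:11:32 2005
example_unknown.sys 12544  2560     0    18944    1536 Mon Apr 11 03:14:08 2005
"""

# One data row: module name, five integer size columns, then a ctime-style date.
# The day field may be space-padded ("Apr  5"), so it is matched as [ \d]\d.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<code>\d+)\s+(?P<data>\d+)\s+(?P<bss>\d+)"
    r"\s+(?P<paged>\d+)\s+(?P<init>\d+)"
    r"\s+(?P<linkdate>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s*$"
)


def parse_driverlst(text):
    """Return one dict per driver row; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        entries.append({
            "name": m.group("name"),
            "code": int(m.group("code")),
            "data": int(m.group("data")),
            "bss": int(m.group("bss")),
            "paged": int(m.group("paged")),
            "init": int(m.group("init")),
            # strptime's %d accepts both "05" and " 5"
            "linkdate": datetime.strptime(m.group("linkdate"), "%a %b %d %H:%M:%S %Y"),
        })
    return entries


def newest_drivers(entries, count=5):
    """The post's 'locate the newest' step: newest link date first, top `count` rows."""
    return sorted(entries, key=lambda e: e["linkdate"], reverse=True)[:count]


def newer_than(entries, cutoff_iso):
    """Drivers linked after a reference date (YYYY-MM-DD), newest first.

    Use the date of the last known-good install or service pack as the cutoff;
    anything that appeared afterwards is what you go and look up by filename."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    hits = [e for e in entries if e["linkdate"] > cutoff]
    return sorted(hits, key=lambda e: e["linkdate"], reverse=True)


def format_report(entries):
    """Fixed-width name/date table, easy to read back in Notepad."""
    lines = ["%-24s %s" % ("ModuleName", "LinkDate")]
    for e in entries:
        lines.append("%-24s %s" % (e["name"], e["linkdate"].strftime("%Y-%m-%d %H:%M:%S")))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python newest_drivers.py C:\Driverlst.txt   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_DRIVERLST
    print(format_report(newest_drivers(parse_driverlst(text), count=10)))
```

Run it against the real C:\Driverlst.txt and work down the report from the top exactly as the post describes: search each filename, and treat a name that returns nothing, or that is newer than anything you installed, as the one to investigate first.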

Once located, search for the filename in the registry.  There may be multiple entries, so be thorough.  Delete the keys, reboot, and immediately rerun all of the utilities I mentioned earlier.  This time you will probably succeed.

Because Rootkits and RATs represent a threat that could potentially thwart every effort to eradicate them, I have begun to act proactively.  WinPatrol does a nice job of warning about changes before they happen, and it now goes onto every system I get close to.  ERUNT has long been a must-have in my book, and its ability to restore an uninfested registry may prove crucial as the year progresses.

As always, should you have any questions or problems, please feel free to contact me by Email or by phone.


Davis M McCarn
184 Eaglecrest Drive
Matthews, NC 28104
(704) 882-7551 or
(704) 609-1970 cell

© Davis M McCarn 2005 All Rights Reserved