Rootkits are one of the anti-forensic techniques that attackers use to hide data, malicious files, and processes. This software is intended to hide, from the OS itself, the processes that could reveal an attack. Rootkits allow viruses and malware to “hide in plain sight” by concealing files in ways that antivirus software may overlook, disguising files as legitimate system files, unlinking processes, and even hiding from detection by the OS.
Rootkits themselves are not harmful, but they store and hide malware, bots, and worms. They are one of the challenges to forensic investigators.
Detecting Rootkits
Following are the rootkit detection techniques: signature-based, heuristic-based, integrity-based, cross-view-based, and runtime execution path profiling.
1. Integrity-Based Detection
Integrity-based detection is an alternative to both signature- and heuristic-based detection. Initially, tools such as Tripwire or AIDE are run on a clean system. These tools create a baseline of clean system files and store it in a database. Integrity-based detection then works by comparing the current file system, boot records, or a memory snapshot with the trusted baseline. It reports evidence of malicious activity based on the differences between the current and baseline snapshots.
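The comparison step described above, as an added example that is not part of the original article and not the code of Tripwire or AIDE: hash every file into a baseline, take a later snapshot the same way, and report what was added, removed, or modified. The two file sets are constructed in-memory samples (paths and contents are made up); snapshot_directory shows the same hashing over a real directory tree.

```python
import hashlib
import os
from typing import Dict, List

# Constructed sample "file system" of a clean install: path -> contents.
CLEAN_FILES = {
    "C:/Windows/System32/ntoskrnl.exe": b"kernel-image-v1",
    "C:/Windows/System32/drivers/disk.sys": b"disk-driver",
    "C:/Windows/System32/config/SYSTEM": b"hive-data",
}

# Constructed later snapshot of the same system: one file modified, one file added.
CURRENT_FILES = {
    "C:/Windows/System32/ntoskrnl.exe": b"kernel-image-v1-patched",
    "C:/Windows/System32/drivers/disk.sys": b"disk-driver",
    "C:/Windows/System32/config/SYSTEM": b"hive-data",
    "C:/Windows/System32/drivers/hidden.sys": b"rootkit-driver",
}


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its contents; this is the trusted baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_directory(root: str) -> Dict[str, str]:
    """Build the same path -> SHA-256 map from a real directory tree on disk."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            result[full] = digest.hexdigest()
    return result


def compare_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report the differences between two snapshots: added, removed and modified paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    report = compare_snapshots(build_baseline(CLEAN_FILES), build_baseline(CURRENT_FILES))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:8s} {path}")
```

The baseline database should be stored off the host (or at least signed), and the later snapshot should be taken from trusted boot media: a rootkit that hooks the file-read path can otherwise hand the comparison the original bytes of a file it has replaced, which is exactly the execution-path interference the signature-based section below warns about.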
2. Signature-Based Detection
Signature-based detection works like a rootkit fingerprint: a sequence of bytes from a file is compared with byte sequences known to belong to a malicious program. The method mostly scans system files, and it can also detect hidden rootkits by scanning kernel memory. Signature-based detection has limited success because rootkits tend to hide their files by interrupting the execution path of the detection software.
3. Heuristic/Behavior-Based Detection
Heuristic detection works by identifying deviations from normal OS patterns or behaviors; it is also known as behavioral detection. Because it recognizes deviations from “normal” system patterns rather than known signatures, it can identify new, previously unknown rootkits. Execution path hooking is one such deviation that leads heuristic-based detectors to identify rootkits.
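A minimal check for the execution path hooking mentioned above, as an added example that is not from the original article: inspect the first bytes of a routine and flag a jump whose target lies outside the module the routine belongs to. The module base, size, routine addresses and byte patterns are all constructed (the routine names are used only as labels); on a real system a detector would read those bytes from a memory dump or from live memory.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed module layout: an image "loaded" at MODULE_BASE with MODULE_SIZE bytes.
MODULE_BASE = 0x7FF800000000
MODULE_SIZE = 0x20000
# Constructed address outside the module, where a hook would redirect execution.
HOOK_TARGET = MODULE_BASE + 0x10000000

# Constructed clean x64 prologue: mov [rsp+8], rbx; push rdi; sub rsp, 0x20
CLEAN_PROLOGUE = bytes.fromhex("48895C2408574883EC20")


def make_rel32_jmp(func_addr: int, target: int) -> bytes:
    """Encode 'jmp rel32' (E9 rel32) from func_addr to target; used to build the sample."""
    return b"\xE9" + struct.pack("<i", target - (func_addr + 5))


# Constructed sample of three routines: (address, first bytes as read from memory).
SAMPLE_ROUTINES: Dict[str, Tuple[int, bytes]] = {
    "NtQueryDirectoryFile": (MODULE_BASE + 0x1000, CLEAN_PROLOGUE),
    "NtQuerySystemInformation": (
        MODULE_BASE + 0x2000,
        make_rel32_jmp(MODULE_BASE + 0x2000, HOOK_TARGET) + CLEAN_PROLOGUE[5:],
    ),
    # mov rax, imm64; jmp rax pointing inside the same module (a thunk, not a hook)
    "NtClose": (
        MODULE_BASE + 0x3000,
        b"\x48\xB8" + struct.pack("<Q", MODULE_BASE + 0x4000) + b"\xFF\xE0",
    ),
}


def rel32_jmp_target(func_addr: int, code: bytes) -> Optional[int]:
    """If code starts with E9 rel32, return the absolute jump target."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    return None


def abs_jmp_target(code: bytes) -> Optional[int]:
    """If code starts with 'mov rax, imm64; jmp rax' (48 B8 imm64 FF E0), return imm64."""
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return struct.unpack_from("<Q", code, 2)[0]
    return None


def check_prologue(func_addr: int, code: bytes, module_base: int, module_size: int) -> Tuple[str, Optional[int]]:
    """Classify a routine's first bytes as 'clean', 'intra-module-jump' or 'hooked'."""
    target = rel32_jmp_target(func_addr, code)
    if target is None:
        target = abs_jmp_target(code)
    if target is None:
        return ("clean", None)
    if module_base <= target < module_base + module_size:
        return ("intra-module-jump", target)  # tail calls and thunks inside the image are normal
    return ("hooked", target)


def scan_routines(routines: Dict[str, Tuple[int, bytes]], module_base: int, module_size: int) -> Dict[str, str]:
    """Run check_prologue over every sampled routine and return name -> verdict."""
    return {name: check_prologue(addr, code, module_base, module_size)[0]
            for name, (addr, code) in routines.items()}


if __name__ == "__main__":
    for name, verdict in scan_routines(SAMPLE_ROUTINES, MODULE_BASE, MODULE_SIZE).items():
        print(f"{name:26s} {verdict}")
```

A jump that stays inside the module is reported separately rather than as a hook, because compilers emit such thunks legitimately; a jump that leaves the module is the deviation from the “normal” pattern that a heuristic detector acts on, although legitimate hot-patching can produce the same shape and needs to be excluded by policy.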
4. Runtime Execution Path Profiling
The runtime execution path profiling technique compares the runtime execution paths of all system processes and executable files. A rootkit adds new code near a routine’s execution path, which disturbs it. The method hooks a routine and counts the number of instructions executed before and after it, since that count can differ significantly between a clean routine and a hooked one.
5. Cross View-Based Detection
Cross-view-based detection techniques work on the assumption that the attacker has disrupted the OS in some way. They enumerate system files, processes, and registry keys by calling the common APIs, then compare the gathered information with a data set obtained by an algorithm that traverses the same data through low-level mechanisms. This detection technique relies on the fact that API hooking or manipulation of kernel data structures taints the data returned by the OS APIs, whereas the low-level mechanisms used to output the same information are free from DKOM or hook manipulation.
Steps for Detecting Rootkits
There are many tools on the market to detect the presence of rootkits on a target system, but they sometimes come up short, as malware writers keep finding ways to counter automated rootkit detectors; some of their latest efforts can even evade them. Therefore, it is better to detect rootkits manually. Manual detection of rootkits requires time, patience, perseverance, and expertise.
Examine the file system and registry of the system to detect rootkits manually. Refer to the slide for the steps to detect rootkits by examining the file system.
Following are the steps to detect rootkits by examining the registry:
1. Run exe from inside the potentially infected OS.
2. Export the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.
3. Boot into a clean CD (such as WinPE).
4. Run exe.
5. Create a new key such as HKEY_LOCAL_MACHINE\Temp.
6. Load the Registry hives named Software and System from the suspect OS. The default locations are c:\windows\system32\config\software and c:\windows\system32\config\system.
7. Export these Registry hives in text file format. (The Registry hives are stored in binary format; Steps 6 and 7 convert the files to text.)
8. Launch WinDiff from the CD, and compare the two sets of results to detect file-hiding malware (i.e., invisible from inside the OS, but visible from outside).
Note: There can be some false positives. In addition, this does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
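The registry procedure above is the cross-view technique from the detection section applied to hives: the export taken inside the suspect OS is the API view, the export taken from WinPE is the low-level view, and anything present only in the offline export was hidden. The following is an added example that is not part of the original article and is not WinDiff: it parses two .reg text exports and reports keys and values that exist offline but not online. Both exports are constructed samples, and the prefixes assume the online hive was exported as HKEY_LOCAL_MACHINE\SYSTEM while the offline hive was loaded under HKEY_LOCAL_MACHINE\Temp\System, as in step 5 above.

```python
import re
from typing import Dict, Iterator, List

RegView = Dict[str, Dict[str, str]]  # key path -> {value name: value data}

# A .reg value line: "Name"=data or @=data (the default value).
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

ONLINE_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\"        # export made inside the suspect OS
OFFLINE_PREFIX = "HKEY_LOCAL_MACHINE\\Temp\\System\\"  # same hive loaded under Temp from WinPE

# Constructed export taken from inside the (infected) OS.
ONLINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001
"""

# Constructed export of the same hive, taken from clean boot media. It shows a
# service key and a value that the online export did not return.
OFFLINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Temp\System\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,72,00,69,00,76,00,65,00,72,00,73,00,00,00

[HKEY_LOCAL_MACHINE\Temp\System\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001
"ServiceDll"="c:\\windows\\system32\\evil.dll"

[HKEY_LOCAL_MACHINE\Temp\System\CurrentControlSet\Services\hiddrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\hiddrv.sys"
"""


def _logical_lines(text: str) -> Iterator[str]:
    """Join .reg lines split with a trailing backslash (long hex values) into one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text: str, strip_prefix: str) -> RegView:
    """Parse a .reg export into {key: {name: data}}, lower-casing keys and removing
    the mount prefix so the online and offline views of one hive line up."""
    view: RegView = {}
    current = None
    prefix = strip_prefix.lower()
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key.startswith(prefix):
                key = key[len(prefix):]
            current = key
            view.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            view[current][m.group(1).strip('"')] = m.group(2)
    return view


def cross_view_diff(online: RegView, offline: RegView) -> Dict[str, List[str]]:
    """Report what the low-level (offline) view shows that the API (online) view did not."""
    hidden_keys = sorted(k for k in offline if k not in online)
    hidden_values = sorted(f"{k}\\{v}" for k, vals in offline.items() if k in online
                           for v in vals if v not in online[k])
    changed_values = sorted(f"{k}\\{v}" for k, vals in offline.items() if k in online
                            for v, data in vals.items() if v in online[k] and online[k][v] != data)
    return {"hidden_keys": hidden_keys, "hidden_values": hidden_values, "changed_values": changed_values}


if __name__ == "__main__":
    report = cross_view_diff(parse_reg_export(ONLINE_EXPORT, ONLINE_PREFIX),
                             parse_reg_export(OFFLINE_EXPORT, OFFLINE_PREFIX))
    for kind, items in report.items():
        for item in items:
            print(f"{kind:14s} {item}")
```

Real exports from the Registry Editor are UTF-16 text with a byte-order mark, so read them with open(path, encoding="utf-16") before passing them to parse_reg_export. The prefix normalisation is what makes the comparison meaningful, since the offline hive is mounted under a different root; without it every key would show up as hidden, which is the false-positive trap the note above mentions.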
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com