How RootKits Works & How To Detect Rootkits?

How Rootkits Work?

System hooking is the process of changing or replacing an original function pointer with a pointer supplied by the rootkit, so that calls are redirected to the rootkit's code while the rootkit itself stays hidden.

Inline function hooking is a technique where a rootkit overwrites some of the bytes at the start of a function inside the core system DLLs (such as kernel32.dll and ntdll.dll), inserting a jump instruction so that any process calling that function reaches the rootkit's code first.

Direct Kernel Object Manipulation (DKOM) rootkits locate the "system" process in kernel memory structures and patch them directly. By manipulating the operating system's list of active processes and altering data inside the process identifier structures, they can hide processes and ports, change privileges, and mislead the Windows Event Viewer without difficulty. Such a rootkit needs read/write access to the \Device\PhysicalMemory object, and it hides a process by unlinking it from the process list.

How to Detect RootKits?

We have seen how attackers use various rootkits to hide files and their presence on the target system. Now it's time to discuss the rootkit detection methods from a security perspective. Rootkit detection techniques fall into five basic groups: signature-based, heuristic-based, integrity-based, cross-view-based, and runtime execution path profiling.

Integrity-Based Detection

Integrity-based detection can be regarded as an alternative to both signature- and heuristic-based detection. Initially, the user runs a tool such as Tripwire or AIDE on a clean system; the tool creates a baseline of the clean system's files and stores it in a database.

Integrity-based detection works by comparing the current file system, boot records, or memory snapshot with that trusted baseline. Any difference between the current state and the baseline snapshot is reported as evidence of possible malicious activity.

Signature-Based Detection

Signature-based detection works like a rootkit fingerprint. It compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints: a sequence of bytes from a file is compared with sequences of bytes known to belong to a malicious program.

The method mostly scans system files, and it can also detect otherwise invisible rootkits by scanning kernel memory. Its success rate is lower, however, because rootkits tend to hide their files by interrupting the execution path of the detection software.

Heuristic/Behavior-based detection

Heuristic detection works by identifying deviations from normal operating system patterns or behaviours; it is also known as behavioural detection. Because it does not depend on known fingerprints, heuristic detection is capable of identifying new, previously unidentified rootkits.

This ability lies in recognising deviations from "normal" system patterns or behaviours. Execution path hooking is one such deviation that causes heuristic-based detectors to flag a rootkit.

Runtime Execution Path Profiling

The runtime execution path profiling technique compares the runtime execution paths of all system processes and executable files. A rootkit adds new code near a routine's execution path, destabilising it; the method therefore counts the instructions executed before and after a given routine, since a hooked routine's count can differ significantly from the expected one.

Cross View-Based Detection

Cross-view-based detection techniques start from the assumption that the operating system may have been subverted in some way. They enumerate system files, processes, and registry keys by calling the common APIs, then compare the gathered information with a second data set obtained by an algorithm that traverses the same data through low-level mechanisms.

This technique relies on the fact that API hooking or manipulation of kernel data structures taints the data returned by the operating system APIs, whereas the low-level mechanisms used to obtain the same information are free from DKOM or hook manipulation; any discrepancy between the two views reveals the rootkit.

Steps For Detecting Rootkits

Many tools are available to detect the presence of rootkits on a target system. Sometimes these tools fall short, because malware writers constantly find ways to counter automated rootkit detectors, and some of their latest efforts are able to evade them entirely. It is therefore better to also detect rootkits manually. Manual detection of rootkits requires time, patience, perseverance, and expertise.

  • Steps to detect rootkits by examining the file system
    1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
    2. Boot from a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
    3. Run a clean copy of WinDiff on the two sets of results to detect file-hiding ghostware (i.e. invisible from inside, but visible from outside).
  • Steps to detect rootkits by examining the registry
    1. Run regedit.exe from inside the potentially infected operating system.
    2. Export the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.
    3. Boot from a clean CD (such as WinPE).
    4. Run regedit.exe.
    5. Create a new key such as HKEY_LOCAL_MACHINE\Temp.
    6. Load the registry hives named Software and System from the suspect operating system. Their default location is C:\Windows\System32\config\software and C:\Windows\System32\config\system.
    7. Export these registry hives in text file format. (The registry hives are stored in binary format; steps 6 and 7 convert them to text.)
    8. Launch WinDiff from the CD and compare the two sets of results to detect hidden registry entries (i.e. invisible from inside, but visible from outside).
Note: There can be some false positives. Also, this does not detect stealth software that hides in the BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, and so on.
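The comparison step of both procedures above, as an added example that is not part of the original post: it parses two "dir /s /b" listings and two regedit text exports and reports what the clean-CD view sees but the running OS does not. The file and key names are constructed, and the offline hive is assumed to have been loaded by regedit as HKEY_LOCAL_MACHINE\Temp\SYSTEM.

```python
def parse_dir_listing(text: str):
    # One absolute path per line, as 'dir /s /b' prints it; NTFS is case-insensitive.
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}

def parse_reg_export(text: str, hive_root: str):
    """regedit text export: '[HKEY_...\\Key]' headers, then "name"=data lines. hive_root
    is stripped so the live hive and the offline copy loaded under another key compare."""
    root = hive_root.lower().rstrip("\\") + "\\"
    items, key = set(), None
    for ln in text.splitlines():
        ln = ln.strip()
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1].lower()
            if key.startswith(root[:-1]):       # rebase onto the hive root
                key = key[len(root):]
            items.add(key)
        elif key is not None and "=" in ln:     # value line under the current key
            name = ln.split("=", 1)[0].strip().strip('"').lower()
            items.add(f"{key}\\{name}" if key else name)
    return items

def cross_view_diff(inside, outside):
    # inside = running (possibly hooked) OS; outside = clean boot CD. What only the
    # clean view sees is hidden from the live API; the reverse is usually volatile data.
    return {"hidden_from_live_os": sorted(outside - inside),
            "only_in_live_os": sorted(inside - outside)}

# Constructed sample views (hypothetical names, not output from any real system).
INSIDE_DIR = "C:\\Windows\\System32\\drivers\\acpi.sys\nC:\\Windows\\System32\\drivers\\disk.sys\n"
OUTSIDE_DIR = INSIDE_DIR + "C:\\Windows\\System32\\drivers\\sample_hidden.sys\n"
INSIDE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk]
"Start"=dword:00000000
"""
# The offline hive is assumed to have been loaded by regedit as HKEY_LOCAL_MACHINE\Temp\SYSTEM.
OUTSIDE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Temp\SYSTEM\ControlSet001\Services\Disk]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\Temp\SYSTEM\ControlSet001\Services\SampleHidden]
"ImagePath"="system32\\drivers\\sample_hidden.sys"
"""

def demo():
    files = cross_view_diff(parse_dir_listing(INSIDE_DIR), parse_dir_listing(OUTSIDE_DIR))
    keys = cross_view_diff(parse_reg_export(INSIDE_REG, r"HKEY_LOCAL_MACHINE\SYSTEM"),
                           parse_reg_export(OUTSIDE_REG, r"HKEY_LOCAL_MACHINE\Temp\SYSTEM"))
    return {"files": files["hidden_from_live_os"], "registry": keys["hidden_from_live_os"]}
```

CurrentControlSet exists only in the live view (it is a link to one of the ControlSet00N keys), so compare against the ControlSet00N key the offline hive actually holds or it will show up as a false positive.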