1
00:00:04,080 --> 00:00:10,390
Fortunately, the stealth techniques used by rootkit creators are not flawless.

2
00:00:10,440 --> 00:00:14,550
The presence of a rootkit in your system can always be detected.

3
00:00:14,610 --> 00:00:15,780
How can you do this?

4
00:00:17,150 --> 00:00:23,290
First, by verifying signatures: having a database of programs that are known to be rootkits and checking

5
00:00:23,290 --> 00:00:25,040
your system for their existence.

6
00:00:26,220 --> 00:00:30,600
The solution may not be very effective, but it's easy to run.

7
00:00:30,630 --> 00:00:37,660
That's why it's been automated and now forms a part of the Microsoft Malicious Software Removal Tool.

8
00:00:37,680 --> 00:00:41,010
You can also detect anomalies in the operation of your system.

9
00:00:42,640 --> 00:00:48,770
A rootkit will, by definition, modify the operation of a system.

10
00:00:48,900 --> 00:00:55,870
It will try to hide something in the system. This principle is the basis for checkers and detectors

11
00:00:55,870 --> 00:00:59,920
like System Virginity Verifier, provided by Joanna Rutkowska.

12
00:01:03,180 --> 00:01:07,420
The tool can be used to evaluate the state of a system.

13
00:01:07,670 --> 00:01:14,040
If a system has been installed recently, has no antivirus and no new drivers, it will be evaluated

14
00:01:14,040 --> 00:01:19,910
as a 0 or 1 on the infection scale, which means that the probability that the system is infected with

15
00:01:19,910 --> 00:01:21,640
a rootkit is very low.

16
00:01:23,680 --> 00:01:31,430
When you install an antivirus, the system will probably move up a level on the risk evaluation. As

17
00:01:31,430 --> 00:01:37,020
you can see, a system that had a rootkit installed was assessed as level 5 on the scale of 0 to 5.

18
00:01:38,450 --> 00:01:41,450
A change in the operation of the system was very apparent.

19
00:01:45,830 --> 00:01:52,490
The third method for detecting rootkits was deployed by Mark Russinovich in RootkitRevealer. This

20
00:01:52,490 --> 00:01:54,810
tool is another component of the Sysinternals suite.

21
00:01:54,820 --> 00:02:03,630
RootkitRevealer works as shown in the picture. The assumption behind it is that since a rootkit hides

22
00:02:03,630 --> 00:02:08,910
something in a system, a user-mode program like RootkitRevealer won't be able to see the hidden files,

23
00:02:09,150 --> 00:02:16,920
processes, accounts or services. But RootkitRevealer also sends the same query without consulting the user-mode

24
00:02:16,920 --> 00:02:21,210
or kernel-mode APIs, referring directly to low-level structures,

25
00:02:21,210 --> 00:02:27,000
for example files on a disk. It will then be able to compare the results between the two calls and see a potential

26
00:02:27,000 --> 00:02:35,650
discrepancy. The exposed difference must be due to a rootkit hiding something from

27
00:02:35,650 --> 00:02:40,260
the first call.

28
00:02:40,260 --> 00:02:42,720
Let's now find out how this works in practice.

29
00:02:47,540 --> 00:02:54,290
Let's start by looking at the rootkit from the viewpoint of an attacker's computer.

30
00:02:54,450 --> 00:03:00,520
The computer has Hacker Defender, downloaded from the Internet and installed. The program's basic version

31
00:03:00,520 --> 00:03:02,420
is made up of only two files:

32
00:03:03,330 --> 00:03:09,580
a binary file, which is in fact the rootkit, and the file which is the rootkit's configuration

33
00:03:09,580 --> 00:03:12,680
file.

34
00:03:12,790 --> 00:03:17,890
If you take a look at the configuration file, it turns out that it only requires you to specify what objects

35
00:03:17,890 --> 00:03:25,850
are to be hidden in the target computer system. That can include processes, services, registry entries,

36
00:03:25,910 --> 00:03:30,880
free disk space, open ports, or files and directories.

37
00:03:31,100 --> 00:03:36,120
When hiding files and directories, you need to remember that the use of wildcard characters can be dangerous.

38
00:03:37,540 --> 00:03:42,670
By typing, for example, w*, you can hide the entire Windows system folder from a user.

39
00:03:45,600 --> 00:03:52,690
Our version of Hacker Defender additionally has a client program. This version is not only a rootkit

40
00:03:52,720 --> 00:03:56,780
but also a backdoor.

41
00:03:56,830 --> 00:03:59,500
What's more, the backdoor is hidden by the rootkit.

42
00:04:02,790 --> 00:04:07,580
Let's now try to connect to a computer that already runs a Hacker Defender rootkit and the backdoor

43
00:04:07,610 --> 00:04:13,110
that it hides. Submit the IP address of the selected computer,

44
00:04:13,290 --> 00:04:16,790
the port that the hidden backdoor listens on, and the password.

45
00:04:26,460 --> 00:04:29,360
We've successfully connected to the target computer.

46
00:04:30,920 --> 00:04:37,110
You can access the victim's command-line interface.

47
00:04:37,130 --> 00:04:40,580
The last thing we'll do is take a look at the contents of Cecil's desktop.

48
00:04:43,190 --> 00:04:47,460
Cecil is a user who logged onto the attacked computer.

49
00:04:47,670 --> 00:04:53,520
Note that the user's desktop holds folders like Autoruns, which contains a zip archive and a folder named

50
00:04:53,580 --> 00:05:02,070
hxdef, and hxdef100, a folder and a zip archive of the same name.

51
00:05:02,180 --> 00:05:08,250
A lot of suspicious elements, as you can plainly see, can be found on the user's desktop.

52
00:05:13,150 --> 00:05:22,110
Let's see now what the user sees. We'll switch to Windows XP, where we're logged in as Cecil. Some objects

53
00:05:22,110 --> 00:05:23,690
are invisible in this view.

54
00:05:26,050 --> 00:05:30,820
To give you a better picture of the situation, let's create a new folder and create a file inside of

55
00:05:30,820 --> 00:05:31,190
it.

56
00:05:34,790 --> 00:05:35,990
Everything's in order.

57
00:05:37,070 --> 00:05:38,430
We'll create a second file.

58
00:05:42,610 --> 00:05:47,080
As you remember, the Hacker Defender rootkit was set to hide objects that have a name starting with

59
00:05:47,120 --> 00:05:53,060
hxdef. We'll change the file name so that it includes that string.

60
00:05:56,900 --> 00:06:00,270
After the window is refreshed, it seems like the file is gone.

61
00:06:05,070 --> 00:06:08,870
Let's now change the file name of the second file to hxdef11

62
00:06:08,880 --> 00:06:11,980
or a similar name.

63
00:06:12,090 --> 00:06:16,640
The name doesn't seem to change, but after you refresh the window,

64
00:06:16,660 --> 00:06:18,260
the file disappears.

65
00:06:19,140 --> 00:06:23,630
The rootkit hides all objects that have a name that starts with hxdef, just as it was

66
00:06:23,640 --> 00:06:24,240
set to.

67
00:06:27,920 --> 00:06:34,120
The folder we created is visible on the desktop but seems to be empty.

68
00:06:34,130 --> 00:06:39,210
We know, though, that the folder does contain some files.

69
00:06:39,390 --> 00:06:45,810
What can be done in this case? Sysinternals' RootkitRevealer comes to the rescue.

70
00:06:49,770 --> 00:06:54,270
Clicking on the Scan button will make the tool check if the system contains some objects that are hidden

71
00:06:54,270 --> 00:06:58,560
from users and administrators. Let's run the scanner.

72
00:06:58,600 --> 00:07:06,770
The scan shouldn't take too long. The first results, the 0-byte registry keys, are alarms that are probably

73
00:07:06,770 --> 00:07:07,820
false positives.

74
00:07:11,220 --> 00:07:16,460
RootkitRevealer shows them since, if a registry key is empty, the Windows Registry Editor, Regedit,

75
00:07:16,470 --> 00:07:18,020
will not display it.

76
00:07:21,850 --> 00:07:26,830
This serves as a reason for hiding data in zero-byte registry keys, which happens quite often.

77
00:07:29,030 --> 00:07:31,240
But the next results should never be here.

78
00:07:32,480 --> 00:07:36,980
The next rows reveal a discrepancy between what is visible to the user and what's really found in the

79
00:07:36,980 --> 00:07:37,550
system.

80
00:07:42,610 --> 00:07:47,950
Our user can't see registry keys that, as you can gather from their names, are related to Hacker Defender.

81
00:07:51,410 --> 00:07:52,860
The directory and zip archive

82
00:07:52,880 --> 00:07:57,600
we mentioned before are invisible to the user.

83
00:07:57,640 --> 00:08:06,840
You can also see here the files that we hid a moment ago when we changed their names. Detecting a rootkit

84
00:08:06,840 --> 00:08:08,340
is possible, as you can see.

85
00:08:08,670 --> 00:08:11,920
But removing it from a system is a much more demanding task.

86
00:08:15,090 --> 00:08:22,830
Before we move on, it's worth taking note of the race between Hacker Defender and RootkitRevealer. As

87
00:08:22,830 --> 00:08:27,120
you've seen, RootkitRevealer is able to successfully expose a Hacker Defender rootkit.

88
00:08:30,350 --> 00:08:31,800
Knowing about this discovery,

89
00:08:31,850 --> 00:08:36,560
the Hacker Defender developer tried to get the better of the scanner and hide the rootkit again.

90
00:08:38,900 --> 00:08:46,730
How can you defeat RootkitRevealer? A Hacker Defender rootkit's configuration file contains a section

91
00:08:46,730 --> 00:08:50,150
where you can specify processes that the rootkit will not hide from.

92
00:08:53,320 --> 00:08:57,620
The section names RootkitRevealer as one such process by default.

93
00:08:58,650 --> 00:09:00,530
What is the purpose of this action?

94
00:09:03,510 --> 00:09:05,780
When scanning a computer with RootkitRevealer,

95
00:09:05,850 --> 00:09:11,660
the program sees all the objects in the system, so there'd be no discrepancies,

96
00:09:11,870 --> 00:09:18,970
and the program would report that there's no difference. Mark Russinovich, who wasn't working for Microsoft

97
00:09:18,970 --> 00:09:24,280
at the time, was notified about this move by the tech support staff who detected this on their customers'

98
00:09:24,280 --> 00:09:25,000
machines.

99
00:09:27,650 --> 00:09:33,640
A counteraction is hiding RootkitRevealer from Hacker Defender:

100
00:09:33,760 --> 00:09:37,640
the scanner creates services with pseudorandom names, and so on.

101
00:09:37,660 --> 00:09:40,100
This is in fact a no-win situation.

102
00:09:42,530 --> 00:09:45,860
You can create new defense mechanisms and bypasses for both sides

103
00:09:45,860 --> 00:09:47,150
ad infinitum.

104
00:09:48,820 --> 00:09:55,560
If you bought a Sony BMG CD several years back and played it on your computer, your machine was infected

105
00:09:55,560 --> 00:09:59,710
with a Sony rootkit.

106
00:09:59,770 --> 00:10:03,040
The company's copy protection measures ended in a real nightmare.

107
00:10:06,890 --> 00:10:08,520
To protect their digital rights,

108
00:10:08,540 --> 00:10:13,010
Sony included on their CDs a piece of software that operated exactly like a rootkit.

109
00:10:16,060 --> 00:10:22,690
The software would install and hide in the system to track and prevent copying the music.

110
00:10:22,800 --> 00:10:28,230
After the scandal was made public by Mark Russinovich, Sony admitted to making a mistake and withdrew

111
00:10:28,230 --> 00:10:30,160
the rootkit-infected CDs.

112
00:10:33,600 --> 00:10:38,160
Coming back to the main issue: what steps can you take if you detect a rootkit?

113
00:10:39,810 --> 00:10:45,420
If you're able to find legitimate-sounding guidelines for the rootkit removal on the Internet, you can

114
00:10:45,420 --> 00:10:48,680
well follow them.

115
00:10:48,690 --> 00:10:54,000
Unfortunately, it's far more probable that eliminating the rootkit will involve disk formatting and reinstalling

116
00:10:54,000 --> 00:11:01,120
the system. Removing some files or changes made by the rootkit doesn't mean that all changes have been

117
00:11:01,130 --> 00:11:02,320
found and deleted.