www.it-ebooks.info
Rootkits For Dummies
by Larry Stevenson and Nancy Altholz
Rootkits For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written
permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.
Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing,
Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at
http://www.wiley.com/go/permissions.
Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the
Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade
dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United
States and other countries, and may not be used without written permission. All other trademarks are the
property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor
mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE
CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT
LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE
UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR
OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A
COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE
AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION
OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE
INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY
MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK
MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT
IS READ. FULFILLMENT OF EACH COUPON OFFER IS THE SOLE RESPONSIBILITY OF THE OFFEROR.
For general information on our other products and services, please contact our Customer Care
Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.
For technical support, please visit www.wiley.com/techsupport.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic books.
Library of Congress Control Number: 2006926390
ISBN: 978-0-471-91710-6
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1B/RS/QR/QX/IN
About the Authors
Nancy Altholz (MSCS, MVP): Nancy is a Microsoft Most Valuable Professional
in Windows Security. She holds a master’s degree in Computer Science
and an undergraduate degree in Biology and Medical Technology. She is a
Security Expert, Rootkit Expert and Forum Lead, and Wiki Malware Removal
Sysop at the CastleCops Security Forum. She has also volunteered at other
online security forums. As Wiki Malware Removal Sysop, she oversees and
authors many of the procedures that assist site visitors and staff in system
disinfection and malware prevention. As a Security Expert and Rootkit
Expert, she helps computer users with a variety of Windows computer security issues, including malware removal. Nancy coauthored the Winternals
Defragmentation, Recovery, and Administration Field Guide for Syngress
Publishing, which was released in June 2006. She has recently been asked to
write the foreword for a book authored by Mingyan Sun and Jianlei Shao
(developers of the DarkSpy Anti-rootkit program) on advanced rootkit detection techniques. She was formerly employed by Medelec: Vickers’ Medical
and Scientific Division, as a Software Engineer in New Product Development.
Nancy’s interest in malware and rootkits evolved as a natural extension of
her interest in medicine and computers, due to the many parallels between
computer infection and human infection. Besides the obvious similarities in
naming conventions, both require a lot of detective work to arrive at the
correct diagnosis and enact a cure. Nancy enjoys investigating the malware
life cycle, and all the factors and techniques that contribute to it – in short,
she likes solving the puzzle, and of course, helping people, along the way.
Nancy lives with her family in Briarcliff Manor, NY.
Larry Stevenson: Larry has worked as a security consultant for over fifteen
years. His education is abundant, including continuing studies in computer
security, history, and fine arts. Larry works as an expert, volunteer moderator, and writer on staff at CastleCops, providing assistance and written
articles to all users. In 2005, he wrote weekly articles on computer security
topics for the Windows Security Checklist series. He helped develop, and
co-wrote the CastleCops Malware Removal and Prevention procedure. For these
published efforts he was given the MVP Award: Microsoft Most Valuable
Professional in Windows Security, 2006. Currently a co-founder with Nancy
Altholz of the CastleCops Rootkit Revelations forums, he continues to develop
ways for users to obtain assistance and information from rootkit experts.
A Canadian citizen, he is currently employed at a multi-function, government-owned facility which includes private residences for people with special
needs, a senior citizens’ care home, daycare center, offices, a cafeteria and a
public access theater. For over seven years he has served as the Chief Steward
in the union local, negotiating contracts and solving workplace issues.
Dedications
To my mother, Jeanne Gobeo, for being my constant supporter and friend —
and to my sister, Rosie Petersen, for making this world a rosier place. — NA
To Lael and Ken Cooper, Tiffany and Kyla, Paul and Robin Laudanski,
also to my Muses, and my parents, Ruth and Hatton, for their faith and
encouragement. — LS
Authors’ Acknowledgments
We are grateful for the tremendous assistance and unstinting dedication of
the many people who contributed to this book, both at Wiley and CastleCops.
We would especially like to thank Paul and Robin Laudanski for their extraordinary contributions to computer security in general and the generous
ongoing support they extended during the writing of Rootkits For Dummies.
We give thanks to all the people on the Wiley team for their expertise and
patience, including Melody Layne, Rebecca Huehls, Laura Moss, Barry
Childs-Helton, James Russell, and Technical Editor Lawrence Abrams
(BleepingComputer) for the outstanding job he did. We offer heartfelt gratitude to the Advisors and Rootkit Research Team at CastleCops, every one an
expert in their field: Media Advisor Mahesh Satyanarayana (swatkat), Firefox
Advisor Abdul-Rahman Elshafei (AbuIbrahim), Firewall Advisor Allen C Weil
(PCBruiser), IE7 Advisor Bill Bright, and our Rootkit Research Team, including Don Hoover (Hoov), James Burke (Dragan Glas), Anil Kulkarni (wng_z3r0),
David Gruno (wawadave), and Michael Sall (mrrockford). We would like to
acknowledge Wayne Langlois, Executive Director and Senior Researcher at
Diamond CS in Australia, for devoting his time, knowledge, and expertise to
the “Tracking a RAT” section in Chapter 9. We’d like to thank Przemyslaw
Gmerek, developer of the GMER Anti-rootkit program, for freely sharing his
rootkit expertise and allowing us to distribute the GMER Anti-rootkit Program
on the Rootkits For Dummies CD. We’d like to thank Mingyan Sun, codeveloper
(along with Jianlei Shao) of the DarkSpy Anti-rootkit program, for freely sharing his in-depth technical knowledge of rootkit methodology and for giving us
permission to distribute the DarkSpy program on the Rootkits For Dummies CD.
We would like to recognize and extend a special thanks to Mahesh
Satyanarayana for sharing his exceptional technical expertise and so much
more, during the development of Rootkits For Dummies. Nancy would also
like to thank her family and friends for their patience and understanding
during the course of writing Rootkits For Dummies.
We give special thanks to Forensics Advisor Dave Kleiman (CAS, CCE, CIFI,
CISM, CISSP, ISSAP, ISSMP, MCSE), who provided valuable insights to our
network and forensics sections, and who also helped get this book up and
running by providing much needed hardware. Dave has worked in the
Information Technology Security sector since 1990. Currently, he is the owner
of SecurityBreachResponse.com, and lead litigation support technician for
Secure Discovery Solutions, LLC. As a recognized security expert, and former
Florida Certified Law Enforcement Officer, he specializes in litigation support,
computer forensic investigations, incident response, and intrusion analysis.
He is frequently a speaker at many national security conferences and is a
published author of computer books. He is also the Sector Chief for Information
Technology at the FBI’s InfraGard and Director of Education at the International
Information Systems Forensics Association (IISFA).
Publisher’s Acknowledgments
We’re proud of this book; please send us your comments through our online registration form
located at www.dummies.com/register/.
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Media Development
Project Editor: James H. Russell and Rebecca Huehls
Senior Acquisitions Editor: Melody Layne
Senior Copy Editor: Barry Childs-Helton
Technical Editor: Lawrence Abrams
Editorial Manager: Jodi Jensen
Media Development Specialists: Angela Denny, Kate Jenkins, Steven Kudirka, Kit Malone
Media Project Supervisor: Laura Moss
Media Development Manager: Laura VanWinkle
Editorial Assistant: Amanda Foxworth
Sr. Editorial Assistant: Cherie Case
Cartoons: Rich Tennant (www.the5thwave.com)
Composition Services
Project Coordinator: Erin Smith
Layout and Graphics: Carl Byers, Denny Hager, Barbara Moore, Barry Offringa, Heather Ryan
Proofreader: Christine Sabooni
Indexer: Techbooks
Anniversary Logo Design: Richard Pacifico
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director
Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services
Contents at a Glance
Introduction .................................................................1
Part I: Getting to the Root of Rootkits ............................7
Chapter 1: Much Ado about Malware ..............................................................................9
Chapter 2: The Three Rs of Survivable Systems .........................................................25
Part II: Resistance Is NOT Futile..................................35
Chapter 3: Practicing Good Computer Hygiene ...........................................................37
Chapter 4: Staying Secure Online ...................................................................................61
Chapter 5: Patching and Updating Your System and Software.................................101
Chapter 6: Blurring the Lines of Network Security ....................................................117
Part III: Giving Rootkits the Recognition They Deserve..........................................149
Chapter 7: Getting Windows to Lie to You: Discovering How Rootkits Hide ..........151
Chapter 8: Sniffing Out Rootkits ...................................................................................179
Chapter 9: Dealing with a Lying, Cheating Operating System ..................................231
Part IV: Readying for Recovery..................................301
Chapter 10: Infected! Coping with Collateral Damage ...............................................303
Chapter 11: Preparing for the Worst: Erasing the Hard Drive ..................................323
Part V: The Part of Tens ............................................336
Chapter 12: Ten (Plus One) Rootkits and Their Behaviors.......................................337
Chapter 13: Ten (Plus Two) Security Sites That Can Help You ................................347
Appendix: About the CD ............................................355
Index .......................................................................367
Table of Contents
Introduction ..................................................................1
About This Book...............................................................................................1
Things You Should Know ................................................................................2
What You’re Not to Read.................................................................................3
Foolish Assumptions ......................................................................................3
How This Book Is Organized...........................................................................3
Part I: Getting to the Root of Rootkits .................................................4
Part II: Resistance Is NOT Futile ...........................................................4
Part III: Giving Rootkits the Recognition They Deserve ....................4
Part IV: Readying for Recovery.............................................................5
Part V: The Part of Tens.........................................................................5
Icons Used in This Book..................................................................................5
Where to Go from Here....................................................................................6
Part I: Getting to the Root of Rootkits.............................7
Chapter 1: Much Ado about Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Some Common Questions (and Answers) about Malware .........................9
Knowing the Types of Malware ....................................................................10
Viruses ...................................................................................................11
Worms ....................................................................................................11
Trojans ...................................................................................................11
Dialers ....................................................................................................12
Backdoors .............................................................................................12
Spyware (and malicious adware) .......................................................13
The Many Aims of Malware...........................................................................16
Rootkits: Understanding the Enemy ............................................................19
A Bit of Rootkit Lore.............................................................................19
New Technologies, New Dangers .......................................................21
Why do rootkits exist? .........................................................................22
Chapter 2: The Three Rs of Survivable Systems . . . . . . . . . . . . . . . . . .25
Formulating Resistance .................................................................................26
Hackers may not be smarter than you ..............................................26
Steps to a Better Security Posture .....................................................27
Practicing Recognition ..................................................................................30
Spotting signs of malware ...................................................................31
Recognizing when the problem isn’t malware..................................33
Suspecting that you’ve been compromised......................................33
Planning for Recovery ...................................................................................33
Part II: Resistance Is NOT Futile .................................35
Chapter 3: Practicing Good Computer Hygiene . . . . . . . . . . . . . . . . . . .37
Before Doing Anything. . ...............................................................................37
Using System Restore ..........................................................................38
Backing up your Registry ....................................................................42
Backing up your stuff with Windows Backup ...................................44
Cleaning Your Windows to Improve Security .............................................46
Everything and the kitchen sink: Loading only what you need at startup ........................................47
Removing unused programs ...............................................................50
Using the Windows Disk Cleanup Utility ...........................................51
Defragmenting your hard drive ..........................................................53
Using Registry cleaners .......................................................................57
Controlling Removable Devices ...................................................................58
Disabling AutoRun................................................................................58
Turning off AutoPlay on all external drives and devices ................59
Scanning boot sectors before using external media........................60
Chapter 4: Staying Secure Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Good Practices Are a Good Start .................................................................61
Choosing your contacts carefully ......................................................62
Surfing safely.........................................................................................63
Developing strong passwords.............................................................69
Establishing limited-access user accounts .......................................70
Using a HOSTS file ................................................................................72
Bashing Your Browser into Submission ......................................................73
Saying no to Java, JavaScript, and ActiveX.......................................74
Adding sites to your Trusted zone.....................................................76
Disable AutoComplete in Internet Explorer......................................77
Using the New Internet Explorer 7 .....................................................77
Surfing with Firefox instead ................................................................80
Staying ahead of the game with SiteAdvisor.....................................81
Must-Have Protections Online......................................................................82
Firewall first ..........................................................................................83
Scanners Next .......................................................................................95
Chapter 5: Patching and Updating Your System and Software . . . . .101
Preventing Rootkits by Patching Your Clothes ........................................102
Updating Your Operating System...............................................................103
Patching, updating, and Service Packing ........................................103
Looking at why you need updates ...................................................104
Knowing where you can get them ....................................................105
Taking advantage of Automatic Updates.........................................105
Guide to Windows Update and Microsoft Update..........................106
Patching and Updating Your Software.......................................................113
Ways to patch or update your applications....................................113
Watching Internet sources for known problems with your applications..................................114
Patching and updating shared computers in heavy use ...............114
Knowing When You Need a New Computer..............................................115
Chapter 6: Blurring the Lines of Network Security . . . . . . . . . . . . . . .117
A Checklist for Improving Security ............................................................118
Learning to Love Auditing...........................................................................119
Enabling security auditing ................................................................120
Using Windows Access Control..................................................................126
Editing policies and configuring security........................................126
Making your own security-analysis utility ......................................127
Testing your system against a security template...........................127
Customizing a security template for a network .............................135
Preventing Attacks by Limiting Access .....................................................139
Limiting and controlling physical access........................................140
Using limited-access user accounts.................................................140
Limiting access on networks ............................................................141
Making a business security plan ......................................................143
Fooling Rootkits with Virtual Operating Systems ....................................144
Planning Your Defense Against Rootkits ...................................................145
Establishing a baseline ......................................................................146
Preparing Recovery Discs .................................................................147
Part III: Giving Rootkits the Recognition They Deserve ..........................................149
Chapter 7: Getting Windows to Lie to You: Discovering How Rootkits Hide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151
Discovering How Rootkits Hide and Survive............................................151
Keys to the Kingdom: Privileges ................................................................153
Knowing the Types of Rootkits ..................................................................154
User-mode versus kernel-mode rootkits .........................................155
Persistent versus non-persistent rootkits.......................................157
Hooking to Hide............................................................................................157
How hooking works............................................................................158
Knowing the types of hooks..............................................................159
DLLs and the rootkits that love them ..............................................160
Privileged hooks .................................................................................166
Using Even More Insidious Techniques to Hide Rootkits .......................171
Direct kernel-object manipulation ...................................................171
Trojanized utilities .............................................................................174
Looking into the Shady Future of Rootkits ...............................................175
Hiding processes by doctoring the PspCidTable ...........................175
Hooking the virtual memory manager.............................................176
Virtual-machine-based rootkits ........................................................177
Chapter 8: Sniffing Out Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Watching Your Network for Signs of Rootkits ..........................................179
Watching logs for clues......................................................................180
Defending your ports .........................................................................183
Catching rootkits phoning home......................................................192
Examining the firewall........................................................................193
Trusting Sniffers and Firewalls to See What Windows Can’t ..................199
How hackers use sniffers...................................................................200
Using sniffers to catch hackers at their own game ........................200
Testing to see whether your NIC is in promiscuous mode ...........201
Sniffers you can use ...........................................................................202
Investigating Lockups and Other Odd Behavior......................................206
Accessing Event Viewer.....................................................................206
Making some necessary tweaks to streamline logging..................207
Inspecting event logs with Windows Event Viewer .......................210
Upgrading to Event Log Explorer .....................................................217
Trying MonitorWare...........................................................................219
Checking Your System Resources..............................................................222
Matching activity and bandwidth ....................................................223
Examining active processes ..............................................................224
Monitoring CPU cycles ......................................................................228
Chapter 9: Dealing with a Lying, Cheating Operating System . . . . .231
Rooting Out Rootkits ...................................................................................232
Cleaning a network.............................................................................233
Before doing anything . . ...................................................................234
The best overall strategy ..................................................................234
Scanning Your OS from an External Medium............................................234
Microsoft WinPE .................................................................................235
Non-Microsoft bootable CDs.............................................................236
File-System Comparison from Full Boot to Safe Mode ............................238
Checkpointing Utilities with Offline Hash Databases ..............................240
Verifying files with FileAlyzer............................................................240
Verifying file integrity with other utilities .......................................243
Rootkit-Detection Tools...............................................................................244
Autoruns: Aiding and abetting rootkit detection ...........................246
Rootkit Revealer .................................................................................247
F-Secure BlackLight Beta ...................................................................251
IceSword ..............................................................................................253
UnHackMe ...........................................................................................260
Malicious Software Removal Tool ....................................................261
AntiHookExec......................................................................................262
VICE ......................................................................................................269
System Virginity Verifier (SVV).........................................................270
Strider GhostBuster ...........................................................................273
Rootkitty ..............................................................................................274
RAIDE ...................................................................................................275
DarkSpy................................................................................................276
GMER....................................................................................................283
Detecting Keyloggers...................................................................................289
Types of keyloggers ...........................................................................289
Detecting keyloggers with IceSword................................................290
Detecting keyloggers with Process Explorer ..................................291
Tracking a RAT: Using Port Explorer to trace Netbus 1.60 ...........293
Part IV: Readying for Recovery ..................................301
Chapter 10: Infected! Coping with Collateral Damage . . . . . . . . . . . .303
Deciding What to Do if You’re Infected .....................................................303
Knowing when to give up and start from scratch ..........................305
What happens when the patient can’t be saved ............................307
Do you want to track down the rootkit-er, or just recover?..........307
Taking measured action.....................................................................308
“My Computer Did What?!” .........................................................................310
Saving evidence to reduce your liability .........................................310
Preparing for Recovery ...............................................................................318
Cutting off network connection before cleaning out the rootkit..................................................319
Planning your first reboot after compromise .................................320
Chapter 11: Preparing for the Worst: Erasing the Hard Drive . . . . . .323
Don’t Trust System Restore After Rootkit Compromise .........................323
When a Simple Format and Reinstall Won’t Work ...................................325
Erasing Your Hard Drive and Installing the Operating System ..............327
What you need before you begin this procedure ..........................328
Erasing, partitioning, and formatting ..............................................329
Installing Windows XP .......................................................................331
After you install . . . ............................................................................333
. . . And beyond ...................................................................................333
Part V: The Part of Tens .............................................336
Chapter 12: Ten (Plus One) Rootkits and Their Behaviors . . . . . . . . .337
HackerDefender............................................................................................338
NTFShider .....................................................................................................339
Elite Toolbar .................................................................................................339
Apropos Rootkit ...........................................................................................340
FU — the Malware That’s Also an Insult ...................................................341
FUTo...............................................................................................................342
MyFip .............................................................................................................342
eEye BootRoot ..............................................................................................343
FanBot............................................................................................................343
pe386..............................................................................................................344
Shadow Walker .............................................................................................345
Chapter 13: Ten (Plus Two) Security Sites That Can Help You . . . . .347
Aumha............................................................................................................348
Bleeping Computer ......................................................................................348
CastleCops Security Professionals.............................................................349
Geeks to Go ...................................................................................................350
Gladiator Security Forum............................................................................351
Malware Removal .........................................................................................351
Microsoft Newsgroups.................................................................................352
Sysinternals Forum (Sponsor of Rootkit Revealer Forum).....................352
SpywareInfo .................................................................................................352
SpywareWarrior............................................................................................353
Tech Support Guy Forum ............................................................................353
Tom Coyote Security Forum .......................................................................354
Appendix: About the CD.............................................355
System Requirements ..................................................................................355
Using the CD with Microsoft Windows......................................................356
Installing the DART CD applications................................................356
How to burn an ISO image to CD ......................................................357
What You’ll Find on the DART CD ..............................................................357
Bonus Chapters ..................................................................................358
Anti-malware utilities and scanners ................................................358
Backup and imaging applications ....................................................359
System-analysis programs.................................................................360
Rootkit-detection-and-removal applications ..................................361
Password protectors and generators ..............................................362
Downloading tools for compromised hard drives .........................362
Troubleshooting ...........................................................................................363
Index........................................................................367