“A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.” (Greg Hoglund, James Butler in ‘Rootkits: subverting the Windows kernel’.)
Rootkits are some of today’s most difficult threats to detect and remove. A rootkit can hide itself and other components from the Windows file system APIs, making them completely invisible to the end user.
Here is a little exercise I tried to detect rootkits:
The approach I chose is “difference-based” detection, used by some anti-rootkit tools such as RootkitRevealer: the same items are enumerated from two different data sources and the two views are compared.
A local file system enumeration (taken from inside Windows) will be compared to a remote file system enumeration for differences. Any discrepancy may reveal directories and files hidden on the rooted machine.
First, we need to be running a PC with a Linux distribution. Note that it is possible to run a Virtual Machine with Linux inside a Windows Operating System and yet achieve the same results.
In order to perform the remote file system enumeration, we will mount the Windows file system as an SMB share, connecting over port 445 (SMB protocol) after enabling the Windows ‘File and Printer Sharing’ service.
File and Printer Sharing is a service (or daemon) that enables file/folder and print shares to be made available to clients using the SMB protocol (Server Message Block) also known as CIFS (Common Internet File System).
SMB operates as an application-layer network protocol (layer 7) within the OSI 7-layer model:
Application (7)
Presentation (6)
Session (5)
Transport (4)
Network (3)
Data Link (2)
Physical (1)
Below is the network traffic from a file system enumeration over an SMB share:
The setup:
On Linux, we must mount the remote file system as a samba share:
mount -t cifs -o username=$adminname,password=$adminpassword //$ipaddress/$rootletter ~/Desktop/mnt/$ipaddress
On Windows, we need to change a few settings to allow the external connection:
– ‘Use simple file sharing’ must be disabled.
– Share the root drive.
– File and Printer Sharing must be enabled with TCP 445 active.
The results:
After infecting the Windows machine with several rootkits, we enumerate the file system from Linux, and then compare it with the one from within the infected Windows machine:
We can see files that are hidden from the Windows API. Malware researchers will recognize them as rootkits.
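The comparison step itself can be scripted on the Linux side. The script below is an added example and not part of the original post: it takes a listing produced inside Windows (for instance the output of `dir /s /b C:\`, copied over) and a listing produced over the SMB mount (`find` on the mount point), normalizes both to lower-case, forward-slash, root-relative paths, and prints the entries that only the remote view contains. The mount point `/home/user/mnt/10.0.0.5`, the two sample listings and the names `example_hidden.sys` and `example_hidden_dir` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): difference-based comparison of two
# enumerations of the same Windows volume. The local listing comes from the Windows
# API (e.g. `dir /s /b C:\`), the remote one from Linux over the SMB mount, e.g.
#   mount -t cifs -o username=$adminname,password=$adminpassword //$ipaddress/$rootletter ~/Desktop/mnt/$ipaddress
#   find ~/Desktop/mnt/$ipaddress > remote.txt
# Entries present only in the remote view are candidates for rootkit-hidden files.
export LC_ALL=C   # deterministic, byte-wise ordering for sort and comm

# normalize_listing FILE PREFIX
#   Converts backslashes to slashes, lower-cases everything (NTFS is
#   case-insensitive), strips the drive or mount prefix, drops the root
#   entry itself, and emits a sorted, de-duplicated list.
normalize_listing() {
  prefix=$(printf '%s' "$2" | tr '\\' '/' | tr 'A-Z' 'a-z')
  tr '\\' '/' < "$1" | tr 'A-Z' 'a-z' | while IFS= read -r p; do
    p=${p#"$prefix"}   # quoted pattern: literal prefix match
    p=${p#/}
    [ -n "$p" ] && printf '%s\n' "$p"
  done | sort -u
}

# hidden_entries LOCAL_NORM REMOTE_NORM
#   Lines unique to the remote (SMB) view, i.e. paths the Windows API never
#   reported. Both inputs must already be normalized and sorted.
hidden_entries() {
  comm -13 "$1" "$2"
}

# demo_hidden: runs the comparison on constructed sample listings and prints
# the paths hidden from the Windows API view.
demo_hidden() {
  tmp=$(mktemp -d) || return 1
  # Constructed sample of `dir /s /b C:\` taken from inside Windows
  cat > "$tmp/local.txt" <<'EOF'
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\ACPI.sys
C:\Program Files\Common Files
EOF
  # Constructed sample of `find /home/user/mnt/10.0.0.5` over the SMB mount
  cat > "$tmp/remote.txt" <<'EOF'
/home/user/mnt/10.0.0.5
/home/user/mnt/10.0.0.5/Windows/System32/ntoskrnl.exe
/home/user/mnt/10.0.0.5/Windows/System32/drivers/ACPI.sys
/home/user/mnt/10.0.0.5/Windows/System32/drivers/example_hidden.sys
/home/user/mnt/10.0.0.5/Program Files/Common Files
/home/user/mnt/10.0.0.5/example_hidden_dir
EOF
  normalize_listing "$tmp/local.txt"  'C:\'                    > "$tmp/local.norm"
  normalize_listing "$tmp/remote.txt" '/home/user/mnt/10.0.0.5' > "$tmp/remote.norm"
  hidden_entries "$tmp/local.norm" "$tmp/remote.norm"
  rm -rf "$tmp"
}

demo_hidden
```

Two practical caveats follow from the design: the listings must be taken as close together in time as possible, because files created or deleted between the two runs show up as noise, and `comm -23` on the same normalized files gives the opposite view (entries the Windows API reports but the share does not), which is usually just that noise or access-denied paths rather than anything hidden.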
I have attempted some removal procedures but not with complete success. This is mainly because the remote Windows machine is ‘live’, so the active malware can revert changes.
Some rootkits can be removed by first killing the open handles; other rootkits have failsafe tricks and require more tools to get rid of them.
Jerome Segura