Rootkits are used by attackers to hide persistent, hard-to-detect malware on a device so that it can quietly steal data or computing resources, sometimes for years. They can also carry a keylogger component that records keystrokes and communications, handing the operator private information.
This kind of attack was at its height until 2006: with Windows Vista, Microsoft required kernel-mode drivers on 64-bit editions to be digitally signed, and Kernel Patch Protection (KPP, also known as PatchGuard) pushed malware authors toward other techniques. Rootkits returned to the spotlight in 2018, when the Zacinlo ad fraud operation was exposed.
Rootkits from before 2006 targeted the operating system itself, in user mode or in the kernel. Zacinlo, part of the Detrahere malware family, showed the technique is still alive: it installs a kernel-mode rootkit driver that shields the rest of the adware from removal. Even so, rootkits account for only about one percent of all malware detected each year.
Because of the damage they can do, however, it is wise to understand how a rootkit that may already be on your system can be detected.
Detecting rootkits in Windows 10 (in depth)
Zacinlo ran for almost six years before it was discovered, and it targeted Windows 10 systems. Its rootkit component was highly configurable, protected itself from any process it judged a threat to its operation, and was able to intercept and decrypt SSL/TLS connections.
It encrypts its configuration data and stores it in the Windows registry and, while Windows is shutting down, rewrites itself from memory to disk under a different file name and updates its registry key to match. Changing name and on-disk content at every shutdown defeats antivirus products that rely on a known file name or hash.
This suggests that standard anti-virus or anti-malware software is not enough to detect rootkits. However, there are several top-tier anti-malware programs that will alert you to suspected rootkit attacks.
The 5 essential features of a good antivirus
Most well-known antivirus programs today use all five of the following methods to detect rootkits.
- Signature-based analysis – the scanner compares files against known rootkit signatures. It also looks for behavioral patterns that mimic known rootkits, such as aggressive port usage.
- Hooking (hijacking) detection – Windows dispatches system calls and API calls through tables of function pointers (the system service table, the interrupt descriptor table, and each process's import tables). Rootkits hook these tables to redirect calls to their own code, so a table entry that points outside the module that legitimately owns it indicates a rootkit.
- Cross-view comparison – to stay hidden, a rootkit filters what standard queries return. Comparing the results of a high-level call (for example the Win32 API) with a low-level one (a direct walk of kernel structures or a raw read of the disk) exposes the entries that were filtered out. The same idea applies to comparing a process image loaded in RAM with its file on disk.
- Integrity check – the scanner records a hash or signature of each system library while the system is in a known-clean state. Any later change to the library's code changes the hash, and good security software checks for exactly that.
- Registry comparison – most antivirus programs run this on a predefined schedule: a registry snapshot taken from the clean state is compared against the current registry to find new entries that launch an unexpected executable (.exe) or embed one.
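Of the five methods, the integrity check is the easiest to reproduce by hand. The PowerShell below is an added example written for this article, not code from the page or from any antivirus product: it asks the Service Control Manager for every running kernel driver, verifies each file's Authenticode signature (catalog-signed Windows drivers report Valid), and flags drivers that are unsigned, whose hash no longer matches the signature, or that load from outside the usual driver directories. The path-normalisation helper and the list of "known" directories are assumptions made for the example; run it from an elevated prompt.

```powershell
# Added example (not from the original article): check the code signature of every
# running kernel driver reported by the Service Control Manager and flag anything
# unsigned, tampered with, missing, or loaded from an unusual location.
# Assumption: PathName may carry a \SystemRoot\, \??\ or bare system32\ prefix,
# which Resolve-DriverPath normalises to an on-disk path.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Test-LoadedDrivers {
    # Assumed "normal" homes for driver binaries; anything else deserves a look.
    $expected = @("$env:SystemRoot\System32\drivers\", "$env:SystemRoot\System32\DriverStore\")

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $status = 'FileMissing'          # the SCM knows a driver the disk does not show
            $signer = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, UnknownError ...
                $signer = $sig.SignerCertificate.Subject
            }
            $knownLocation = $false
            foreach ($dir in $expected) {
                if ($path -and $path.StartsWith($dir, 'OrdinalIgnoreCase')) { $knownLocation = $true }
            }
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                Signature  = $status
                Signer     = $signer
                KnownPath  = $knownLocation
                Suspicious = ($status -ne 'Valid') -or (-not $knownLocation)
            }
        }
}

# Show only what needs a human look.
Test-LoadedDrivers | Where-Object Suspicious | Format-Table Name, Signature, KnownPath, Path -AutoSize
```

A Valid result is necessary but not sufficient: a rootkit driver carrying a stolen or purchased certificate passes this check, and a kernel rootkit that hides its own service entry never appears in the list at all. That gap is why the rest of the article moves on to memory-dump analysis.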
Perform rootkit scans
Performing a rootkit scan is the best attempt at detecting a rootkit infestation. More often than not, the running operating system cannot be trusted to report a rootkit on itself, which makes it hard to tell whether one is present. Rootkits are real spies, covering their tracks at almost every step and able to remain unnoticed in plain sight.
If you suspect that your computer has been attacked by a rootkit, shutting it down and scanning its disk from a known-clean system is a good detection strategy. The most reliable way to find a rootkit is to analyze a memory dump: a rootkit can hide files and registry keys from the running OS, but the code it executes has to be present in memory, and a memory image exposes it.
Use WinDbg for Malware Analysis
Microsoft provides its own multi-purpose debugger, WinDbg, which you can use to debug applications, drivers, or the operating system itself. It debugs kernel-mode and user-mode code, analyzes crash dumps, and lets you inspect CPU registers.
WinDbg is not built into Windows; it ships with the Debugging Tools for Windows, which are installed with the Windows SDK. WinDbg Preview is the more modern version, distributed through the Microsoft Store, with better visuals, more responsive windows, and full scripting support, while keeping the same commands, extensions, and workflows as the original.
At a minimum, you can use WinDbg to analyze a memory dump or a crash dump, including one from a Blue Screen of Death (BSOD), and search the results for indicators of malware. If you suspect that one of your programs is being tampered with by malware, or is using more memory than it should, you can create a dump file of it and analyze the dump in WinDbg.
A complete memory dump can take up significant disk space, so it might be better to perform a kernel mode dump or a small memory dump. A kernel mode dump will contain all information about the kernel memory usage at the time of the crash. A small memory dump will contain basic information about various systems like drivers, kernel, etc., but it is tiny by comparison.
Small memory dumps are more useful in analyzing the causes of BSODs. For rootkit detection, the full version or kernel version is more useful.
Create a Kernel-Mode dump
There are three ways to create a kernel-mode dump file:
- Configure Startup and Recovery in Control Panel (System > Advanced system settings) so that Windows writes a kernel memory dump automatically the next time it crashes.
- With that configured, trigger a crash deliberately so that the dump is written on demand.
- Use a debugger to write one for you.
We will choose the third option.
To write the dump, attach WinDbg to the running kernel (local kernel debugging with windbg -kl, which on Vista and later requires bcdedit /debug on followed by a reboot) and enter the following in the command window:
.dump /f FileName
Replace FileName with the path of the dump file to create. The option letter is a lowercase f, which selects a full dump; a different option, such as /m, produces a different type of dump.
After the debugger finishes (writing a full dump takes several minutes), the dump file is ready to open for analysis.
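The first two options above come down to one registry key, which is what the Control Panel dialog edits. The PowerShell below is an added example written for this article, not code from the page: it reads the current crash-dump configuration, switches it to a kernel memory dump, and optionally enables the keyboard-triggered crash that lets you take a dump on demand instead of waiting for a bug check. The registry paths and the numeric dump types are documented Windows settings; the function names are mine. Run it from an elevated prompt and reboot for the changes to take effect.

```powershell
# Added example (not from the original article): inspect and set the crash-dump type
# Windows writes on a bug check. This is the registry side of the Control Panel
# "Startup and Recovery" dialog. Requires an elevated prompt; changes apply after reboot.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

function Get-DumpConfig {
    $cc = Get-ItemProperty -Path $CrashControl
    [pscustomobject]@{
        Type      = $DumpTypes[[int]$cc.CrashDumpEnabled]
        DumpFile  = $cc.DumpFile          # usually %SystemRoot%\MEMORY.DMP
        Overwrite = [bool]$cc.Overwrite
    }
}

function Set-KernelDump {
    # Kernel dump (type 2): all kernel memory, no user-mode pages; a good balance for rootkit hunting.
    param([string]$DumpFile = '%SystemRoot%\MEMORY.DMP')
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 2 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value $DumpFile -Type ExpandString
    Set-ItemProperty -Path $CrashControl -Name Overwrite -Value 1 -Type DWord
}

function Enable-KeyboardCrash {
    # USB keyboards: hold right Ctrl and press Scroll Lock twice to force a bug check
    # (PS/2 keyboards use Services\i8042prt\Parameters instead).
    $kbd = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
    New-Item -Path $kbd -Force | Out-Null
    Set-ItemProperty -Path $kbd -Name CrashOnCtrlScroll -Value 1 -Type DWord
}

Get-DumpConfig           # what the machine does today
Set-KernelDump           # next crash writes a kernel memory dump
Enable-KeyboardCrash     # optional: crash on demand after reboot
Get-DumpConfig           # confirm
```

Keep the deliberate crash for a test machine or a maintenance window: it takes the system down immediately, and a rootkit that hooks the crash path can in principle interfere with the dump, which is one more reason to prefer a dump taken from a debugger session or an offline image when you can.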
It takes experience and practice to know what to look for in volatile memory (RAM) to decide whether a rootkit is present. A good starting point in the dump is the list of loaded modules (lm) and a comparison of the kernel image against a clean copy from the symbol server (!chkimg -d nt), which reveals patched code. It is possible, although not recommended for newcomers, to test malware detection methods on a live system; that requires in-depth knowledge of WinDbg to avoid accidentally executing live malware on your own machine.
There are safer and more beginner-friendly ways to uncover a well-hidden enemy.
Additional Scanning Methods
Manual detection and behavioral analysis are also reliable methods for finding rootkits. Locating the rootkit itself can be a major problem, so instead of hunting for the rootkit, look for rootkit-like behavior.
You can catch bundled rootkits in downloaded software packages by choosing the Advanced or Custom installation option and reading the details for any unfamiliar files or components. Deselect or remove them, or do a quick Internet search to see whether they are linked to malware.
Firewalls and their log reports are an effective way to detect rootkit activity. The firewall will notify you when your network is being probed or controlled from outside, and your security software should quarantine unrecognized or suspicious downloads before they are installed.
If you suspect that a rootkit is already on your computer, dig into the firewall log reports and look for unusual behavior.
Review firewall log reports
Review your current firewall log reports; an open source application with firewall log filtering capabilities, such as IP Traffic Spy, makes this much easier. The reports show you what to expect in the event of an attack.
If you have a large network with a standalone outbound-filtering firewall, you will not need a tool like IP Traffic Spy. Instead, the firewall's own logs should show you the incoming and outgoing packets for every device and workstation on the network.
At home or in a small business, you can retrieve firewall logs from the modem provided by your ISP or, if you have one, from a personal firewall or router. This lets you attribute traffic to each device on the same network.
It also helps to include the Windows Firewall log files. By default, logging is disabled, which means nothing is written.
- To create a log file, open Run by pressing Windows + R.
- Type wf.msc in the field and press Enter.
- In the Windows Defender Firewall with Advanced Security window, highlight Windows Defender Firewall with Advanced Security on Local Computer in the left-hand pane. In the Actions pane on the far right, click Properties.
- In the new dialog, go to the Private Profile tab and click Customize under Logging.
- In the window that opens, you can set the log file's location and maximum size, and choose whether to log dropped packets, successful connections, or both.
- Dropped packets are the packets that Windows Firewall has blocked on your behalf.
- By default, the log is limited to 4 MB and is written to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
- Note that raising the size limit for the log can affect the performance of your computer.
- Click OK when finished.
- Repeat the same steps for the Public Profile tab (and the Domain Profile tab on a domain-joined machine).
- Logs will now be generated for both private and public connections. You can view the file in a text editor such as Notepad, or import it into a spreadsheet.
- You can also feed the log file into a parser such as IP Traffic Spy to filter and sort the traffic for identification.
Watch for anything unusual in the log files. Even a small anomaly can indicate a rootkit infection: repeated outbound connections to an unfamiliar host, or CPU or bandwidth use that is high while you are not running anything demanding, or while the machine is idle, is a major clue.
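The clicks above correspond to a single cmdlet, and the log itself is plain space-separated text with a #Fields header naming every column. The PowerShell below is an added example written for this article, not the page's own code and not IP Traffic Spy: it enables logging on all three profiles, parses pfirewall.log, and summarises outbound (SEND) connections to non-private addresses by destination, flagging anything that is not DNS, HTTP or HTTPS. The log lines embedded in the block are constructed for illustration, and the "usual port" list and the private-address pattern are assumptions to adjust for your own network.

```powershell
# Added example (not from the original article): enable Windows Firewall logging for all
# profiles, then parse pfirewall.log and summarise outbound connections per destination
# so that unexpected hosts and ports stand out. Sample log lines below are constructed.

function Enable-FirewallLogging {
    param([int]$MaxSizeKB = 16384)   # Windows default is 4096 KB (the 4 MB mentioned above)
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes $MaxSizeKB -LogAllowed True -LogBlocked True
}

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    # Column names come from the #Fields header; fall back to the documented layout.
    $fields = 'date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path' -split ' '
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Get-OutboundSummary {
    param([object[]]$Entries)
    # Assumed "normal" outbound ports; everything else is marked for review.
    $usualPorts = 53, 80, 443
    $privateOrLocal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|224\.|239\.|255\.)'
    $Entries |
        Where-Object { $_.path -eq 'SEND' -and $_.'dst-ip' -notmatch $privateOrLocal } |
        Group-Object action, protocol, 'dst-ip', 'dst-port' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Action  = $first.action
                Proto   = $first.protocol
                DstIP   = $first.'dst-ip'
                DstPort = [int]$first.'dst-port'
                Count   = $_.Count
                Unusual = ([int]$first.'dst-port' -notin $usualPorts)
            }
        } | Sort-Object Count -Descending
}

# Constructed sample in the real pfirewall.log layout (header lines plus entries).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:12:01 ALLOW TCP 192.168.1.20 203.0.113.9 51002 443 0 - 0 0 0 - - - SEND
2024-03-04 09:12:05 ALLOW TCP 192.168.1.20 198.51.100.77 51003 6667 0 - 0 0 0 - - - SEND
2024-03-04 09:12:09 ALLOW TCP 192.168.1.20 198.51.100.77 51004 6667 0 - 0 0 0 - - - SEND
2024-03-04 09:12:14 DROP TCP 203.0.113.50 192.168.1.20 44444 445 52 S 1234 0 8192 - - - RECEIVE
2024-03-04 09:12:20 ALLOW UDP 192.168.1.20 192.168.1.1 55000 53 0 - - - - - - - SEND
'@ -split "`r?`n"

# On the sample, the repeated ALLOW TCP 198.51.100.77:6667 rows sort to the top with Unusual = True.
Get-OutboundSummary (ConvertFrom-PfirewallLog $sample) | Format-Table -AutoSize

# Against the live log (after Enable-FirewallLogging has run and traffic has been recorded):
# Get-OutboundSummary (ConvertFrom-PfirewallLog (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"))
```

The summary deliberately counts allowed outbound connections, not just drops: a rootkit's command-and-control traffic is usually permitted by a host firewall, so the signal is a destination you cannot explain that keeps recurring, rather than a blocked packet. Compare the host's own log with the router or perimeter firewall log described above; a connection visible at the perimeter but absent from the host log is exactly the discrepancy a rootkit produces.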