Diagnostic Software

When I’m diagnosing a computer, I’m trying to determine the severity of the infestation (the presence of a rootkit). I use Gmer and Radix early in my diagnostics to identify a rootkit infection as soon as possible. (Unfortunately, as of 5/11 they have not been updated to work on 64-bit systems).

You should use these PC diagnostic tools to support what you see (or don’t see) in the Event Viewer and Task Manager.

I believe that a rootkit can only be fully removed or repaired by doing a fresh installation of the Windows operating system and a CLEAN hard drive.

Why?

Anything that can modify the functions of the Windows kernel or embed itself in the Master Boot Record (MBR) can easily avoid detection.

How many times have you spent hours/$$ repairing your system only to have the symptoms return?  Why not cut to the chase – if there’s a rootkit, go straight to data backup and Repair.

Start with a clean system and protect it so you don’t have to repair it.

These tools are powerful and will report many things that are NOT rootkits: antivirus programs, copy protection, internet security utilities, etc. Such programs use the same techniques, like system hooks, that rootkits use.

Gmer Rootkit Detector scans for:

  • hidden processes
  • hidden threads
  • hidden modules
  • hidden services
  • hidden files
  • hidden disk sectors (MBR)
  • hidden Alternate Data Streams
  • hidden registry keys
  • drivers hooking SSDT
  • drivers hooking IDT
  • drivers hooking IRP calls
  • inline hooks

One of the most common techniques rootkits use is to patch the Windows functions themselves. The rootkit’s program executes at startup and injects its code into the Windows functions, overwriting the function entry with a JMP instruction so that calls to the function are forced to execute from a memory location controlled by the rootkit.

The telltale sign for this type of rootkit is the JMP instruction.
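As an added illustration (not part of the original post), here is a small Python check of the kind a detector applies to a function prologue: decode a leading JMP, compute where it lands, and flag it when the target lies outside the module that owns the function. The module range, addresses and byte sequences are constructed for the example.

```python
import struct

# Constructed example: a 32-bit module occupying [MOD_BASE, MOD_BASE + MOD_SIZE)
MOD_BASE, MOD_SIZE = 0x7C800000, 0x00100000

def decode_leading_jmp(func_addr, code):
    """If the first instruction of `code` (x86, 32-bit) is a JMP, return
    (kind, target); otherwise None. For an indirect jmp the pointer slot
    is returned, since the final target would need a memory read."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                      # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp rel8", (func_addr + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # jmp [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", code, 2)[0]
    return None

def check_function(func_addr, code, mod_base=MOD_BASE, mod_size=MOD_SIZE):
    """Flag a function whose entry jumps (or reads its jump slot) outside
    the owning module. A JMP that stays inside the module is normal
    (thunks, Microsoft hotpatch stubs) and is not flagged."""
    hit = decode_leading_jmp(func_addr, code)
    if hit is None:
        return {"hooked": False, "kind": None, "target": None}
    kind, target = hit
    inside = mod_base <= target < mod_base + mod_size
    return {"hooked": not inside, "kind": kind, "target": target}

# Constructed prologues, as a memory reader would return them:
CLEAN = bytes.fromhex("8bff558bec")                                  # mov edi,edi / push ebp / mov ebp,esp
THUNK = b"\xE9" + struct.pack("<i", 0x7C8AB000 - (0x7C803000 + 5))   # jmp that stays inside the module
HOOKED = b"\xE9" + struct.pack("<i", 0x00A10000 - (0x7C802000 + 5))  # jmp to memory outside the module

if __name__ == "__main__":
    for name, addr, code in (("clean", 0x7C801000, CLEAN),
                             ("thunk", 0x7C803000, THUNK),
                             ("hooked", 0x7C802000, HOOKED)):
        print(name, check_function(addr, code))
```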

[Screenshot: Rootkit infection]

Gmer also has a command line utility that checks the MBR and displays the modules called by the MBR. Often modules will be listed as <<UNKNOWN>> or <<random hex>>.

Here is the output of an mbr log file (mbr -t) showing the rootkit module (nvata.sys) called by the MBR during boot.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
kernel: MBR read successfully
user & kernel MBR OK

Radix Anti-Rootkit is an awesome piece of software.  I have found that when Gmer scans come up clean (usually because of an MBR rootkit), Radix will detect it.  It may not be able to detect the MBR infection itself, but it will usually find enough evidence of the rootkit to make a positive determination.

Radix Rootkit Detector:

  • Detects and removes Rootkits
  • Detects and repairs drivers modified by Rootkits
  • Detects and repairs computer processes modified by Rootkits
  • Detects MBR Rootkits
  • Removal of “locked” or “unremovable” processes and files
  • Shows the Global Descriptor Table (GDT) for advanced Rootkit Detection capabilities
  • Shows the Import Address Table (IAT) for advanced Rootkit Detection capabilities
  • Shows the Interrupt Descriptor Table (IDT) for advanced Rootkit Detection capabilities
  • Shows and fixes rootkits found in the Service Dispatcher/Descriptor Table (SDT)
  • Shows hidden Registry Keys
  • Command line mode for power users, or graphical tool for regular users
  • Terminates all kinds of Windows Handles
  • Allows removal scripts to be run
  • Detects SYSENTER Rootkits
  • Detects hidden Services
  • Detects hidden Handles and Registry Callbacks
  • Object handling Routines
  • Windows 7 support (32-bit)

This is a screen shot from a computer that came into the shop today (5/28/10):

[Screenshot: Rootkit infection]

This machine also had many hidden registry keys and values revealed in the saved logfile. This is just one of the infected modules:

Information for module PCIIDEX.SYS:
——————————————————————————-
Index:        13
Base address:    F7707000
Size:        00007000
Flags:        0D004000
Load count:    4
Imagename:    \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Name:        Microsoft® Windows® Operating System
Version:    5.1.2600.5512
Company:    Microsoft Corporation
File Version:    5.1.2600.5512 (xpsp.080413-2108)
Description:    PCI IDE Bus Driver Extension
Possible path:    C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Signed:        YES

* Majorfunction 16 (IRP_MJ_POWER) hooked at F7707692 by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at F770B46E by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

* The DriverUnload function points to another module than the start routine.
* Unload routine is at F770B6DC by C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

66 \Driver\Pcmcia                 84AB5478 pcmcia.sys
67 \Driver\HdAudAddService        848E8F38 CHDAud.sys        –[HOOKED]–
This might be a false positive, as I was unable to check.
* Majorfunction 03 (IRP_MJ_READ) hooked at F66DFEA2 by C:\WINDOWS\system32\DRIVERS\ks.sys
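As an added example (not from the original post or from Radix), the following Python triages a log excerpt like the one above: it parses the module’s base and size and each hooked routine, then rates a hook as high severity when the handler address falls outside the module’s own image or the handling file is a different driver. The sample log is assembled from the lines shown above, with the layout simplified.

```python
import re

# Constructed sample, assembled from the Radix log lines shown above
# (layout simplified; not a complete Radix log)
SAMPLE_LOG = """Information for module PCIIDEX.SYS:
Base address:    F7707000
Size:        00007000
Imagename:    \\WINDOWS\\system32\\DRIVERS\\PCIIDEX.SYS
Signed:        YES
* Majorfunction 16 (IRP_MJ_POWER) hooked at F7707692 by C:\\WINDOWS\\system32\\DRIVERS\\PCIIDEX.SYS
* Majorfunction 17 (IRP_MJ_SYSTEM_CONTROL) hooked at F770B46E by C:\\WINDOWS\\system32\\DRIVERS\\PCIIDEX.SYS
* Unload routine is at F770B6DC by C:\\WINDOWS\\system32\\DRIVERS\\PCIIDEX.SYS
* Majorfunction 03 (IRP_MJ_READ) hooked at F66DFEA2 by C:\\WINDOWS\\system32\\DRIVERS\\ks.sys
"""

MODULE_RE = re.compile(r"^Information for module (\S+):", re.M)
BASE_RE = re.compile(r"^Base address:\s*([0-9A-Fa-f]+)", re.M)
SIZE_RE = re.compile(r"^Size:\s*([0-9A-Fa-f]+)", re.M)
HOOK_RE = re.compile(
    r"^\* (?:Majorfunction \d+ \((\w+)\) hooked|(Unload) routine is)"
    r" at ([0-9A-Fa-f]+) by (.+)$", re.M)

def triage(log):
    """Return one finding per hooked routine in a single-module log excerpt."""
    module = MODULE_RE.search(log).group(1).lower()
    base = int(BASE_RE.search(log).group(1), 16)
    size = int(SIZE_RE.search(log).group(1), 16)
    findings = []
    for m in HOOK_RE.finditer(log):
        addr = int(m.group(3), 16)
        handler = m.group(4).strip().rsplit("\\", 1)[-1].lower()
        in_image = base <= addr < base + size     # handler lies in the module's own image
        foreign = handler != module               # a different driver owns the handler
        findings.append({
            "routine": m.group(1) or m.group(2),
            "addr": addr, "handler": handler,
            "in_image": in_image, "foreign": foreign,
            # a dispatch entry pointing into the driver's own image is weak evidence
            # on its own (the false-positive note above); outside it is strong evidence
            "severity": "high" if (foreign or not in_image) else "low",
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:>4}  {f['routine']:<22} {f['addr']:08X}  {f['handler']}")
```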


Even though Radix can effectively “turn off” the rootkit changes allowing the computer to be disinfected, it is still my firm belief that once the presence of a rootkit is detected, it is better to back up data and proceed to clean the hard drive (zero-fill to remove the MBR) and reinstall the OS.

Avast now has a rootkit scanner (aswMBR) that works on Win7 64-bit (yes!). Designed to scan for the TDL4/TDL3, MBRoot/Sinowal and Whistler rootkits, it is also very helpful in identifying others. aswMBR recognizes the common Windows MBRs (Win7, XP) and will report an “unknown MBR” on the machine if it detects that the MBR has been modified. It will also list the modules (files) called by the MBR... very useful!