Detecting Rootkits on a PC

Imagine malware so sophisticated that it not only disappears from the Windows Task Manager and your antivirus software but also modifies the code that undergirds the operating system in such a way that it’s virtually impossible to detect.

Does such a thing exist?

I think we should all give homage to the AV vendors out there.  These guys are busting their balls trying to keep us protected, but rootkits are an entirely different threat.

Today I’m going to help you understand exactly what a rootkit is and show you how you can detect the most evasive malware known to man.

Rootkits

The first part of the word rootkit is “root”.  In Linux nomenclature, gaining “root access” is tantamount to administrative access on a PC.

Root is basically Godmode for your computer.

The “kit” part of the phrase means you have a collection of tools.

So a rootkit is a collection of tools that gives you root access on a computer.

The problem is that rootkits are almost always used for nefarious purposes.  They’re used by cybercriminals to hoodwink unsuspecting users into revealing sensitive information.

Understanding Rootkits

To understand rootkits we need to peer into the mind of a malicious hacker.

When she attacks your PC, she may want to install a rootkit so that she can keep the operating system from knowing about her plans.  She could covertly inject malicious software into your machine and open a backdoor for remote access.

Now here’s the question I have for you:

If there was a rootkit running on a computer would you know about it?  Heck, is one installed on your computer right now?

99% of the time you wouldn’t know.

Most rootkits are sophisticated.  For example, kernel-level rootkits can actually warp the fundamental code that runs the operating system.  This means you’ll never find them using software running inside that operating system.

Listing files or using Process Explorer will never expose a well written rootkit.  You can either hotly disagree with me or get serious and pay attention.

Detecting Rootkits

The best way to discover rootkits is to install special rootkit discovery software on a bootable CD or USB drive and then boot from that drive.

This will give you the high ground on ignoble hackers because the rootkit can’t hide itself when it isn’t running.

And since the rootkit can only run inside the confines of the operating system, by booting to an operating system running off a CD you can see if your machine is infected.

Now there is one small quandary: rootkit developers know about the rootkit detectors so the bad guys are constantly evolving rootkits to evade even the best rootkit detectors.  The bad guys test their software against rootkit scanners and tighten their code to make their malware impervious to detection.

But don’t let this fact forestall your efforts at rootkit detection.  We can still win; we just need to be vigilant in our battle against the bad guys.

Get going with Kali Linux

I’m going to show you one reliable way to find rootkits on your PC.

First you need to burn a Kali Linux Live CD so you can boot to it.

Instead of booting into Windows, pop the CD in to force a boot into the Kali environment.  On most computers you can press Esc, F1, F2 or F11 to change the boot media on startup.

Once we boot into the Kali Linux operating system we need to update and install the latest packages.

Open a terminal and type:

apt-get update
apt-get upgrade

apt-get update downloads the latest package lists and apt-get upgrade installs the available updates.

Once you do that we can run either chkrootkit or rkhunter to search and destroy any rootkits on your PC.

To see if you already have rkhunter or chkrootkit in Kali Linux, just type:

dpkg -l | grep -E 'chkrootkit|rkhunter'

[Screenshot: chkrootkit]

So let’s find the file:

locate chkrootkit

[Screenshot: locate chkrootkit]

So it looks like the executable is in /usr/sbin.

We can type:

echo $PATH

to see if the /usr/sbin path is known to the command interpreter.

[Screenshot: Default Linux Path]

Ah yes!  Since Linux has a default path to this directory we can probably run chkrootkit by typing the name:

chkrootkit

[Screenshot: chkrootkit results]

Incidentally, if chkrootkit doesn’t show up you can install it with apt-get.

apt-get install chkrootkit

or

apt-get install rkhunter

If chkrootkit displays a rootkit on your system, take a deep breath and try to corroborate it with rkhunter.  Then Google the name for tips on how to remove it.
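The whole procedure above (confirm the tools are installed, make sure /usr/sbin is on the PATH, run chkrootkit, then corroborate with rkhunter) wrapped into a few shell functions, as an added example that is not part of the original post. It assumes both tools are already installed on the Kali live system; the sample chkrootkit output is constructed so the filters can be tried without a real scan.

```shell
#!/bin/sh
# Added example, not from the original post: run chkrootkit and rkhunter from the
# Kali live session and keep only the output lines that need a human's attention.
# Assumes both tools are installed (apt-get install chkrootkit rkhunter).

# Is a directory (e.g. /usr/sbin) listed in a PATH-style colon-separated string?
dir_in_path() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# chkrootkit reports hits with "INFECTED", "Warning" or "Possible ..."; matching
# only those words drops the "not infected" / "nothing found" noise.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning|Possible'
}

# rkhunter marks failed checks "[ Warning ]" and explains them on "Warning:" lines.
rkhunter_findings() {
    grep -E '\[ Warning \]|^Warning:'
}

# Number of lines on stdin; grep -c exits 1 on zero matches, which is not an error here.
count_lines() {
    grep -c ''
    return 0
}

# Constructed sample output (not from a real scan) so the filter can be tried offline.
sample_chkrootkit() {
    cat <<'EOF'
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Searching for Suckit rootkit... nothing found
Checking `lkm'... chkproc: nothing detected
EOF
}

# Real run (as root): full output goes to log files, only findings reach the terminal.
run_scans() {
    log="${1:-/tmp/rootkit-scan}"
    for tool in chkrootkit rkhunter; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool"; return 2; }
    done
    dir_in_path /usr/sbin "$PATH" || PATH="$PATH:/usr/sbin"
    chkrootkit 2>&1 | tee "$log.chkrootkit.log" | chkrootkit_findings
    rkhunter --check --skip-keypress 2>&1 | tee "$log.rkhunter.log" | rkhunter_findings
}
```

Both scanners examine the Linux system they are running on; chkrootkit's -r option points it at a different mounted root directory instead.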

Furthermore, if you really do have a rootkit you should seriously change all your passwords.  Not just some but all, and use something like LastPass to manage them.  I would also closely monitor your credit card statements for any fraudulent activity.

The Bottom Line

I hope I’ve helped you understand this increasingly popular attack vector.  Rootkits are becoming more common especially because the public erroneously believes that having updated antivirus scanners keeps them hermetically sealed from all digital threats.  This simply isn’t true.  You need to augment your virus scanning regimen with periodic rootkit scans.

Trust me, 15 minutes of inconvenience could save you 15 months of hell.  Don’t procrastinate on this one.

Connect with Vonnie on Twitter