Re: Hidden Applications and rootkits for Windows
From: Wayne - diamondcs.com.au (wayne_at_DIAMONDCS.COM.AU)
Date: Tue, 1 Mar 2005 18:00:07 +0800 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
RootkitRevealer by SysInternals is an excellent demonstration of using this differential analysis technique to detect hidden objects, but perhaps it is easier for rootkits to circumvent this technique than is currently thought - at least in this implementation. To perform the 'raw' scanning, RootkitRevealer calls CreateFile on "\\.\C:" to open a handle to the drive. Considering the current abilities of rootkits it would be fairly trivial for them to intercept such calls and prevent a handle from being opened, but there are issues the rootkit developer would have to consider such as legitimate programs that need to open that handle. Plus, preventing read access would no doubt result in a suspicious error message from the program that failed to open the drive, which would tip the user off that something wasn't right. However it would stop the scan from being used, so the rootkit itself would remain hidden and the scanner tool rendered useless.
On the related note of PREVENTING rootkit infections, ProcessGuard (http://www.diamondcs.com.au/processguard/) has a feature called "Block Rootkit/Driver/Service Installation" which allows you to prevent unauthorised installation of drivers and services. All of the main rootkits for Windows (such as Hacker Defender, fu, and so on) install a driver in order to 'get root', so they are easily blocked by this simple but effective method. An example of ProcessGuard blocking the installation of the fu rootkit can be seen here: http://www.diamondcs.com.au/processguard/index.php?page=attack-rootkits