Re: Rootkit Revealer
- From: VanguardLH <V@xxxxxxxxx>
- Date: Tue, 2 Jun 2009 23:02:44 -0500
John Carter wrote:
> I ran Rootkit Revealer from the WIN SYSUTILS package I downloaded from
> the Microsoft TECHNET site.
> It did find some suspect files, but only gave me a list of them which I
> saved. I then looked at the info given with the software, but it
> really doesn't give me a clue as to how to determine whether or not I
> should delete the suspects.
> My system is Windows XP Pro SP3 plus all auto updates. My system has
> been stable, not showing any signs of "funnies" going on, no strange
> files, no strange activity, etc.
> Being of the "If you don't know anything about it, don't mess with it"
> philosophy, I haven't tried to tamper with anything given in the list.
> Does anyone here have any guidance as to what to do with rootkit
> suspect files?
> Thanks for any and all replies.
> John Carter
This utility merely shows you items that are missing when using the
standard file I/O calls through the system API versus finding them
through a raw interface to the file system (using their user-mode file
I/O driver that they dynamically install when you run the program). It
is up to YOU to know how to dig further if you want to take any action
against these files, and it is up to YOU to know how to identify what
these files are. It identifies. You investigate. If you don't have the
wherewithal to figure out what the files are for, then you should not be
touching them or using such low-level utilities.
I'll give an example. Say you install Daemon-Tools which is a CD/DVD
drive emulator. It lets you load .iso files to make them look like the
discs were inserted into a CD/DVD drive. This makes them available but
the files within the .iso image are really on your hard disk. You don't
have to go searching for the discs when an Office update or a change in
Office configuration via Add/Remove Programs entry for Office with its
Change button, for example, asks you for the disc. You already have it
in an emulated CD/DVD drive. Daemon-Tools installs a kernel-mode driver
(sptd) for it to do some of its magic. It doesn't do this for the
emulated drive device. It does this to thwart some virulent seeker copy
protection schemes that try to hunt down if the program (usually a game)
is on a real CD/DVD disc or from an image of one (whereupon they attempt
to disable those emulated devices or simply refuse to start the
program). When you scan with a rootkit utility, it shows you this
"hidden" driver file (because it won't show up in system calls for file
I/O from the system API). Is it bad? Obviously not because *YOU*
installed Daemon-Tools to do what it does: emulate drives and attempt to
thwart [some] copy protection. But it is up to YOU to know that this
program installed a device driver that it deliberately hides from the
system API (hoping that those programs that use the system API won't
find their driver).
This utility will also report embedded nulls in registry key names. Is
that bad? Depends on what the registry key is for. Some games or
applications use security keys to validate an authorized install.
SecuROM, for example, will save its licenses in the registry. Even if
you uninstall the program, these licenses are left in the registry
(under the presumption that, gee, you might want to reinstall the
program so they leave the key there to pollute your registry). You have
to use the regdelnul utility from SysInternals to remove these null characters
(because regedit.exe won't handle them during a write/update operation:
it parses the key name with the nulls but doesn't keep the nulls so what
it tries to write back doesn't match the hex value for the name). Some
keys use embedded nulls to prevent accidental deletion of some very
important data. So, again, unless you know what you are doing in the
registry, don't putz around in there to remove the embedded nulls so you
can delete the keys. If you're not qualified to do heart surgery then
don't.
Sony had their debacle a while ago where they were installing a
rootkit-like copy protection scheme. It was a stupid scheme where they
would simply hide some of their executables in a folder that was hidden
to the system API's file I/O calls. You couldn't see that folder or its
files when using Windows Explorer. There was a big stink about it and
Sony removed that stupidity and provided a utility to remove the hiding
(http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal).
Do you need SysInternals Rootkit? Well, all that does is tell you about
the hidden folder. It won't do any cleanup for you.
Once you get a list of suspects, just how are you going to eradicate
them? RootkitRevealer just shows you a list of what it found. It won't
do anything to "fix" those suspects. It is helpful but, as with online
anti-virus scans that might find a pest (or soothe your anxiety that you
don't have a pest [that it can detect]) but don't eradicate anything,
the task of taking any action is up to YOU. And if you don't know the
information being presented then you shouldn't do anything and probably
can't do anything (it's outside your expertise). You could go searching
for anti-rootkit tools, figure out how to use them, hope they don't screw
up your operating system or applications, but all that requires you
first understand what is being reported to you.
Start with reading all the help already included with RootkitRevealer.
Many security products, like anti-virus programs, have evolved to
include anti-malware features, including rootkit scanning, and might
attempt repair. So maybe you need better security software. Otherwise,
you're off to follow the yellow brick road in finding Oz's castle of
rootkit cleanup utilities while hoping that the man behind the curtain
providing the cleanup apps can give you a brain that still works after
disinfection.
http://www.google.com/search?q=%2Brootkit+%2Bcleanup
Even I get lost in trying to figure it all out. Often you need to be an
operating system programmer to know how to eradicate a pest, or hope a
utility doesn't do worse to your system than the suspect, and hope you
didn't go off on a wild goose chase because you really didn't know that
the suspect was okay and part of something you want.
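The cross-view comparison the reply describes, as an added example that is not part of the original post or SysInternals' code, simulated in Python on constructed data: file names that a raw read finds but the API enumeration does not, and registry key names whose embedded NULs make the API's truncated view fail to match the stored name (the reason the reply gives for regedit being unable to delete them while a regdelnul-style tool can). The sample paths, key names and the simulated registry are all assumptions made up for the example.

```python
# Added example (not SysInternals code): a toy cross-view check in the spirit of
# RootkitRevealer. One view is what the standard Windows API reports, the other
# what a raw read of the underlying structures reports; anything present only in
# the raw view is a discrepancy for a human to investigate. All data is constructed.

# Constructed samples: files the Win32 file API enumerates versus files present in
# the on-disk structures (sptd.sys appears only in the raw read, the Daemon-Tools
# driver case from the post), and a registry with one key holding an embedded NUL.
API_FILE_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
}
RAW_FILE_VIEW = API_FILE_VIEW | {r"C:\Windows\System32\drivers\sptd.sys"}
SAMPLE_REGISTRY = {"Software\\Example": {}, "Software\\Licenses\x00Hidden": {}}


def file_discrepancies(api_view, raw_view):
    """Paths a raw read finds that the API enumeration does not."""
    return sorted(raw_view - api_view)


def api_name(raw_name):
    """Registry key names are counted Unicode strings and may contain U+0000; a
    consumer that treats them as NUL-terminated strings sees only the prefix."""
    nul = raw_name.find("\x00")
    return raw_name if nul < 0 else raw_name[:nul]


def registry_discrepancies(raw_key_names):
    """Flag names whose API view differs from the raw view, with the raw UTF-16LE
    hex so the reader can see why writing back the truncated name cannot match."""
    return [
        {"api_name": api_name(n), "raw_hex": n.encode("utf-16-le").hex(),
         "nulls": n.count("\x00")}
        for n in raw_key_names if api_name(n) != n
    ]


def delete_via_api(registry, raw_name):
    """Simulate regedit: it drops the NULs from the name it read and asks to
    delete the truncated name, which matches nothing. True only if a key went."""
    return registry.pop(api_name(raw_name), None) is not None


def delete_via_raw(registry, raw_name):
    """Simulate a regdelnul-style tool that addresses the key by its full
    counted name, embedded NULs included."""
    return registry.pop(raw_name, None) is not None
```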