revealing rootkits - how? MD5SUM?

VirtualLarry

No Lifer
Aug 25, 2001
Can anyone give me a rundown how to detect rootkits from Windows, using something like MD5SUM? Is there a convenient version of MD5SUM that will: 1) recursively create sums, to a file, and 2) recursively verify sums, using a file. Barring that, as long as it recursively creates sums, then I can do a file-compare on the two output files.
 

bononos

Diamond Member
Aug 21, 2011
Can anyone give me a rundown how to detect rootkits from Windows, using something like MD5SUM? Is there a convenient version of MD5SUM that will: 1) recursively create sums, to a file, and 2) recursively verify sums, using a file. Barring that, as long as it recursively creates sums, then I can do a file-compare on the two output files.

Rootkits are now way advanced and can probably intercept low level OS routines that generate checksums, or even modify executable data in memory vs modifying the files themselves. A homemade checksum prog is not going to cut it unfortunately. Get a few free rootkit detection progs.
 

VirtualLarry

No Lifer
Aug 25, 2001
Rootkits are now way advanced and can probably intercept low level OS routines that generate checksums, or even modify executable data in memory vs modifying the files themselves. A homemade checksum prog is not going to cut it unfortunately. Get a few free rootkit detection progs.

Somehow, I don't think that you get the picture. The point is to run a checksum scan over the filesystem, both while running as the active OS, and then from a known-clean system. Any discrepancies may be because of a rootkit hiding certain files.

I don't see how that wouldn't work.
 

bononos

Diamond Member
Aug 21, 2011
Somehow, I don't think that you get the picture. The point is to run a checksum scan over the filesystem, both while running as the active OS, and then from a known-clean system. Any discrepancies may be because of a rootkit hiding certain files.

I don't see how that wouldn't work.

I wasn't clear enough earlier.
In layman's terms, rootkits can hide themselves from users by employing low-level OS routines to remove all traces of themselves from commonly used commands, e.g. ls or dir - so you have no chance of ever finding out which files have been modified or added. And so even sophisticated hashing routines are useless if used in the manner you are thinking of doing.
 

VirtualLarry

No Lifer
Aug 25, 2001
I wasn't clear enough earlier.
In layman's terms, rootkits can hide themselves from users by employing low-level OS routines to remove all traces of themselves from commonly used commands, e.g. ls or dir - so you have no chance of ever finding out which files have been modified or added. And so even sophisticated hashing routines are useless if used in the manner you are thinking of doing.

I still think that you don't get what I'm saying. Yes, rootkits "hide" files. That's kind of the point. You do an MD5SUM of the filesystem when booted, when the rootkit is hiding the file. Then you boot to a clean system, and then run an MD5SUM of the filesystem, and the files that show up, that didn't show up before, are likely to be the components of a rootkit.

At least that makes sense to me.
 

Modelworks

Lifer
Feb 22, 2007
It will not work.
The reason is that the Windows boot process alters small files like .log files and also changes things like date accessed on files. If you do an MD5 even on the same clean PC you will get a different MD5 with every boot. All it takes is one bit to change and that will alter the MD5.

The easiest way to find a rootkit is to look at the first 1024 sectors of the drive in question from another OS with a hex editor.
 

bononos

Diamond Member
Aug 21, 2011
It will not work.
The reason is that the Windows boot process alters small files like .log files and also changes things like date accessed on files. If you do an MD5 even on the same clean PC you will get a different MD5 with every boot. All it takes is one bit to change and that will alter the MD5.

The easiest way to find a rootkit is to look at the first 1024 sectors of the drive in question from another OS with a hex editor.

The problem with that (which I have been saying) is rootkits can also hide themselves by substituting the original unmodified copies (instead of the modified files) during user accesses. I would assume rootkits can do the same to the MBR.

To recap, rootkits can:
- hide added files from view
- modify code in memory which obviates the need to modify executables
- and/or feed in the old unmodified data in place of the modified executable
 

Modelworks

Lifer
Feb 22, 2007
The problem with that (which I have been saying) is rootkits can also hide themselves by substituting the original unmodified copies (instead of the modified files) during user accesses. I would assume rootkits can do the same to the MBR.

To recap, rootkits can:
- hide added files from view
- modify code in memory which obviates the need to modify executables
- and/or feed in the old unmodified data in place of the modified executable

Nope, nothing can hide itself when it isn't running. The rootkit gets loaded from the boot sectors just like anything else. Use a clean OS and read the sectors and you can find any of them. If you know what a sector is supposed to look like, rootkits are easily located. The difficult part is when you want to detect the rootkit from within an infected OS.
 

Dravic

Senior member
May 18, 2000
Can anyone give me a rundown how to detect rootkits from Windows, using something like MD5SUM? Is there a convenient version of MD5SUM that will: 1) recursively create sums, to a file, and 2) recursively verify sums, using a file. Barring that, as long as it recursively creates sums, then I can do a file-compare on the two output files.

The best way is for you to scan the offending system's disk from a clean/different OS. You cannot trust any OS the rootkit has any interaction with. Most good rootkits are integrated at the kernel level; when you ask for an MD5 sum it's going to give you a valid MD5.

The checksum program is just going to ask the OS for the criteria it needs to establish/compute the MD5 hash. If the OS (rootkit) feeds the checksum program false information (what the non-rootkit files would answer) then the derived checksum is going to be valid (match the backed-up MD5 number, not the new false rootkit'd MD5).

It's still good to do file integrity monitoring, as you may catch some changes not hidden by the rootkit. Tripwire exists for a very good reason.

It's not easy to scan a filesystem from a different OS; that's why most of the time you verify when doing forensics on a disk image of the infected system in something like EnCase.
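As an added example (not code from any poster in this thread), here is a small Python implementation of the two-pass compare VirtualLarry describes, with the file-integrity-monitoring angle Dravic raises: hash a tree recursively into an md5sum-style manifest, do it once from the running OS and once after booting clean media, then diff the two manifests. It uses SHA-256 instead of MD5 (an assumption on my part; the compare logic is identical) and treats a constructed list of suffixes (.log, .tmp, .etl) as "boot churn" so Modelworks' noise is reported separately instead of drowning the real signal. The demo fixture (a three-file "disk" with one driver hidden from the live scan and one log rewritten between boots) is constructed. Per the thread, only the offline scan is trustworthy: the live manifest exists to be compared against it, and the files that appear only in the offline manifest are the ones worth looking at.

```python
import hashlib
import os
import tempfile

# Assumption: SHA-256 stands in for the thread's "MD5SUM"; the manifest
# format and compare are the same whichever digest you pick.
VOLATILE_SUFFIXES = (".log", ".tmp", ".etl")  # constructed list of boot-churned file types


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Stream a file through the digest so large binaries never load fully into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, algo="sha256"):
    """Recursively hash every regular file under root.
    Keys are POSIX-style relative paths so manifests made by two different OSes line up."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip devices, sockets, dangling links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algo)
    return manifest


def write_manifest(manifest, out_path):
    """Write sha256sum/md5sum-compatible '<hash>  <path>' lines, one per file."""
    with open(out_path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(in_path):
    """Parse the '<hash>  <path>' format back into a dict."""
    manifest = {}
    with open(in_path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def diff_manifests(live, offline, volatile_suffixes=VOLATILE_SUFFIXES):
    """Compare the manifest from the running (untrusted) OS with the one from clean media.
    only_offline: seen offline but absent live, i.e. hidden from the running OS.
    only_live:    seen live but not offline (deleted between scans, or a path that
                  only resolves while the rootkit is up).
    changed:      same path, different digest, not a known-volatile file.
    volatile:     same path, different digest, but a file that boot itself rewrites."""
    live_paths, off_paths = set(live), set(offline)
    changed, volatile = [], []
    for rel in sorted(live_paths & off_paths):
        if live[rel] != offline[rel]:
            (volatile if rel.endswith(volatile_suffixes) else changed).append(rel)
    return {
        "only_offline": sorted(off_paths - live_paths),
        "only_live": sorted(live_paths - off_paths),
        "changed": changed,
        "volatile": volatile,
    }


def demo():
    """Constructed fixture: a tiny 'disk' where the live scan cannot see one driver
    and the boot log was rewritten by the reboot in between. Returns the diff."""
    with tempfile.TemporaryDirectory() as disk:
        os.makedirs(os.path.join(disk, "drivers"))
        files = {
            "ntoskrnl.exe": b"kernel image (constructed)",
            "drivers/hidden.sys": b"driver the rootkit hides (constructed)",
            "boot.log": b"boot log, run 1",
        }
        for rel, data in files.items():
            with open(os.path.join(disk, rel), "wb") as f:
                f.write(data)
        offline = hash_tree(disk)  # scan from clean media sees everything
        # Simulate the live scan: the rootkit filters its driver out of directory
        # listings, and the boot log changed on the reboot between the two scans.
        with open(os.path.join(disk, "boot.log"), "wb") as f:
            f.write(b"boot log, run 2")
        live = hash_tree(disk)
        del live["drivers/hidden.sys"]
        # Round-trip both through sum files so the compare runs on what was written to disk.
        off_path = os.path.join(disk, "offline.sha256")
        live_path = os.path.join(disk, "live.sha256")
        write_manifest(offline, off_path)
        write_manifest(live, live_path)
        return diff_manifests(read_manifest(live_path), read_manifest(off_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In real use you would run hash_tree against the mounted volume from each environment, copy the two sum files somewhere the untrusted OS never touches, and diff them on the clean side; anything in only_offline is the list to hand to a disk-image review. The volatile bucket is deliberately still reported, because an attacker who knows the suffix list could park a payload behind a .log name.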
 