Deleting "hidden" Rootkit Files

cj47

Using GMRE, HiJack This or any other program that detects 'hidden' Rootkit files and registry entries that don't show up in Windows even though you have "Show hidden files and folders" checked and "Hide protected operating systems files" unchecked, how can you deleted these 'rouge' files that these programs detect without booting into DOS and using command lines (that I'm not good at)?

Also, just how can a file be hidden from Windows in the first place?

alexcrist

A rootkit usually works by installing a system driver in your operating system that hooks up some system APIs (usually the file and process APIs). Then it monitors the calls to those APIs and, whenever a process tries to access a file that should be hidden, the rootkit just redirects the reqest, blocking any access to the "protected" files.

In simple words: files are stored on your HDD, and the references to the files are stored in an arborescent structure (called a file system, eg. NTFS, for Windows XP and newer).

For an application to view the filelist, it must traverse the file system. Like Explorer, before it displays the files and folders so you can see, it must first check the file system, take the references that it needs (for instance, the files in the current folder), and show them in a nice list.

This is done by calling a few Windows APIs (functions) which are responsible for traversing the file system. So Explorer takes the path of the current folder (the one you want to view) and sends it to an API. That API returns the list of requested files.

But, in Windows, an API can be hooked, so an application can monitor it's calls, and even tamper with the results. So the rootkit, installed as a driver, just monitors the calls to the APIs it needs and, when the API tries to access, in any way, one of the files that should be hidden, the rootkit blocks access to that file.

The same monitoring and tampering is also used in defense systems. Antivirus products, for instance, also monitor file accesses. And whenever an application tries to access a file, the antivirus temporarily blocks access to that file, scans it for threats and, if the file is deemed to be clean, the access is granted. Otherwise, the access is permanently denied.

Another example of good hooks are small pieces of software which protect certain files for unwanted access. Also, some computer vendors chose this method to hide from the user the Recovery Partition which comes with some systems (usually laptops).

Of course, what I said above is in very simple terms. The actual process is a lot more complicated and a lot more hard to understand. But it's enough to understand the basics

About how you can remove hidden files without reboot, that's hard to say. It depends a lot by the method of "protection" that rootkit has. For simple rootkits, using a program like Gmer to unhook the APIs and then simply deleting the files (along with the rootkit driver) should be enough. But for some more advanced rootkits, possibly with self protection, or with multiple components monitoring each-other, the situation is a lot trickier. The conclusion is that there's no simple answer to your question, because it's too general. If you have a certain problem, with a certain rootkit, please post some details, and a Virus Analyst can tell you exactly how to get rid of it.

Cris.

Venturer

Hello

I'm using BitDefender Total Security 2009 and i would like to make you a question about rootkits: On Gmer website there is a video about a rootkit claimed to be "undetectable" by many antivirus.

http://www.gmer.net/test.wmv

This video, i suppose, is old but i think it can be a concept for new rootkits generation. I would like to know what is Bitdefender behaviour about these rootkits. At the present time do exist rootkits that Bitdefender 2009 can't detect? I mean in normal operation mode, not with boot cd.

Thank you!

AndreiASM

Since a rootkit usually operates in kernel mode, there chances that BD will miss some of them. Why? A big part of the answer was already given by Cris; in kernel mode, you have absolute power over the computer; nothing stops the rootkit from making low-level hooks to various operating system functions; for example, any acces to the rootkit file cand be restricted, or, more funny, the rootkit can hide its files. It can also hook functions used to enumerate device drivers or services running on a system, making the roootkit invisible again. So, in practice, symptoms and behaviours may vary a lot.

cj47

Great replies.

1. Ok, when I open a Explorer window and go to the folder where the rootkit is in, this 'driver' stops Explorer (or whatever program is triung to 'see' the file) from showing this rootkit. Is that about it?

2, If so, how does GMER (or any other rootkit detection program) 'see' this file?

3. If these specilized programs can see the file(s) and regestry entries, why can't The O/S be made to do so with some 'helper' type of program (an extension of sorts) to Explorer or some other 3rd party Explorer type of program?

4. If these 'roorkits' are drivers, are they always in the 'Windows\System32\drivers' folder?

5. This 'hook' process and GMER, there isn't a 'delete' option, but there is a "IRP kooks" under Options. What's that?

6. Other than showing if there are any rootkits, can GMER delete them?

7. Can Registry entries be handeled the same way?

Thanks again.

alexcrist

1. Ok, when I open a Explorer window and go to the folder where the rootkit is in, this 'driver' stops Explorer (or whatever program is triung to 'see' the file) from showing this rootkit. Is that about it?

Yes, that's about it. With the exception that the rootkit doesn't "protect" just one folder. It can hide any file/folder, wherever they are.

2, If so, how does GMER (or any other rootkit detection program) 'see' this file?

Well, for one, hooks can be detected. Like when you use GMER, and press Scan on the Rootkit/Malware tab. Many things will appear in that list, most of them being legit. For instance, the entries with the type SSDT (System Service Descriptor Table) are most common hooks. If you have BitDefender installed, you'll see a few hooks there made by BitDefender Self-Protect system (used by BitDefender products to prevent changes in it's own files, and in protection of it's processes and services).

Also, the filesystem can be traversed in multiple ways. You could just skip System APIs and use some low-level programming (also best made through a driver) to traverse the filesystem, and so you might be able to "see" all files. Then, comparing the list of files with the one provided by System APIs, you can detect "invisible files and folders".

This is just one way, and it's not always successful. But the bottom line is that nothing can be hidden so that it can't be found. In any application (malware or not) there's a way to stop it, even if it means stoping the computer and rebooting in another OS.

3. If these specilized programs can see the file(s) and regestry entries, why can't The O/S be made to do so with some 'helper' type of program (an extension of sorts) to Explorer or some other 3rd party Explorer type of program?

Because Explorer is just a basic application. It's not designed to show hidden files. Also, as I said, this kind of behavior is also used in defense systems. Actually, this behavior was designed for defense systems and for future "addons" that can be brought to Windows OS. But, as always, anything that can be used for good, can also be used for bad.

As for "other 3rd party Explorer type of program"...that's what GMER is. It also has a tab where you can Explore the filesystem, and you'll be able to view all files (including the hidden ones...provided GMER can see them).

4. If these 'roorkits' are drivers, are they always in the 'Windows\System32\drivers' folder?

No.

Any driver can be loaded from anywhere. The drivers foder is just a folder that Microsoft created so that all generic drivers (and also most hardware drivers) can be installed. It's usually used by drivers which have no application attached (like the drivers you install for your graphics card, sound card, motherboard, etc...)

But most applications which use drivers just use their own installation folder to store the drivers (like BitDefender, which has multiple drivers, GMER uses the Temp folder, Proces###plorer also uses the Temp folder, etc...)

5. This 'hook' process and GMER, there isn't a 'delete' option, but there is a "IRP kooks" under Options. What's that?

6. Other than showing if there are any rootkits, can GMER delete them?

I have no idea. I'll look into it and get back to you on this ones.

7. Can Registry entries be handeled the same way?

The same thing can be applied to all System APIs, including:

- filesystem traversing and manipulation

- process exploring (running processes can be hidden so they won't appear in TaskManager)

- registry

- devices

- etc...

Basically anythig that's in the system can be hooked up and manipulated. I know, it sounds like a big dum thing made by Microsoft, but there are also many good parts about this process, parts that you use every day without even knowing about them.

Cris.

Venturer

Ok good points, but the master question is: At the present time in a clean system, if BitDefender is updated with the latest virus definitions, can it detect all rootkits variants BEFORE the infection and stop the infection?

edit: removed quote; sorry for that

cj47

I don't believe most/many AV programs can detect Rootkits.

alexcrist

Actually, inactive rootkits are detected by antivirus products like normal threats (by signature/heuristics/etc...). And any rootkit, after it reached a system, is inactive before loading up (at which point, it becomes active). So any antivirus should detect a rootkit before it loads up, provided it has a signature for it (or detects it through alternative methods).

Also, latest antivirus engines also include a behavioral scanner module (BitDefender has this since the release of the 2009 version) which should detect suspicious files by their behavior. And files which make system-wide hooks look pretty suspicious to me, so they should be also detected by behavioral scanners (of course, this process is very tricky, and is not always 100% reliable).

So the answer to this question:

At the present time in a clean system, if BitDefender is updated with the latest virus definitions, can it detect all rootkits variants BEFORE the infection and stop the infection?

is probably No

Like any other malware, a rootkit has to be signed before detection. Since BitDefender has shown a very high detection rate in the latest tests (both signature-based and heuristic scanning), I guess all BitDefender users are safe regarding latest threats.

As for active rootkits, there are many methods in which a rootkit can take action. So the answer to the question "can BD detect all active rootkits" is also probably no. There will always be methods to trick the detection and stealth malware.

But still, since BitDefender should detect most rootkits before they become active, there's shouldn't be a problem for the users who keep BitDefender enabled all times.

Cris.

Venturer

Also, latest antivirus engines also include a behavioral scanner module (BitDefender has this since the release of the 2009 version) which should detect suspicious files by their behavior. And files which make system-wide hooks look pretty suspicious to me, so they should be also detected by behavioral scanners (of course, this process is very tricky, and is not always 100% reliable).

Cris.

I think BD Total Security 2009 is a very good suite, but it's affected by some bugs. For example why bitdefender, updated to version 12.0.12, now detects every application i launch (internet explorer; Mozilla; games; office....every application) as malicious or suspect with behavioral scanner set to critical? Every time i have to give it the ok.

With previous BitDefender builds (i think this problem started from .11) this has never happened even in critical mode.

Thank you!