So over the last week we’ve started to get cases where Rootkit Revealer (having been downloaded by the customer) is not detecting any hidden files / folders / registry entries on the customer’s machine; yet the rootkit tools we supply with our IR toolkit come back with hidden files / folders etc. and have no problem detecting evidence of a rootkit. Why the discrepancy? After all, Mark’s tool works very similarly to some of ours, which have worked fine for years . . .
We decided to investigate and collected some specimens and it turns out that Rootkit Revealer is rather easy to defeat if you’re using the Hacker Defender rootkit.
The Hacker Defender rootkit supports configuration through an INI file. The INI file has numerous sections in it that govern the behavior and operation of the rootkit / backdoor (just like a normal INI file would) and one of the sections that the miscreant can configure is entitled [Root Processes]. Here’s an explanation from the readme file that comes with the rootkit:
Root Processes is a list of programs which will be immune against
infection. You can see hidden files, directories and programs only with these
root programs. So, root processes are for rootkit admins. To be mentioned in
Root Processes doesn’t mean you’re hidden. It is possible to have root process
which is not hidden and vice versa.
Here are the default settings for this part of the .INI file:
Here’s how Hacker Defender (hxdef) works. When the main .EXE is run, a device driver is extracted and code is subsequently injected into all running processes on the machine. The various user mode Win32 APIs listed in the readme file are then patched / hooked / detoured over to the rootkit’s code so that filtering can be performed etc. Root processes are immune to this, however: when they start, they do not get hooked in any way, so they can ‘see’ all that would normally be hidden by the rootkit.
The miscreants of course are all too familiar with the operation of hxdef (I stand by my assertion that this is by far the most popular ‘in the wild’ rootkit with the biggest installed user base) and many seem to have added ‘rootkitrevealer.exe’ to the Root Processes section of the .INI file. Since rootkitrevealer.exe is then a root process, it can see all the files / folders / registry entries that Hacker Defender is hiding, and thus it does not flag them as hidden.
This is just another great example of the arms race we are locked in with the miscreants (some call it a cat and mouse game – but that’s far too innocent; I personally am at war with the miscreants and this is my arms race).
Advice: If you’re going to download and run Rootkit Revealer (and I encourage you to) – make sure you rename the .EXE to something unique, be creative. If you need a random file name, use the random number generator from www.random.org or something like that and make the file name long and random. You’ll have much better success – until the miscreants counter this move and fire back with something more technically advanced.
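The name match described above and the rename that sidesteps it, as an added example (not from the original post or from either tool). The list entry is a constructed sample, exact case-insensitive matching on the file name is an assumption of this model, and the function names are hypothetical; the copy is hash-checked so the renamed scanner is byte-for-byte the one you downloaded.

```python
import hashlib
import secrets
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample of a name-based exemption list; the single entry is the
# file name the post says attackers have been adding.
SAMPLE_ROOT_PROCESSES = ["rootkitrevealer.exe"]

def is_exempt(image_path, root_processes=SAMPLE_ROOT_PROCESSES):
    """Model of a name-only exemption: compare the file name to each entry.
    Exact, case-insensitive comparison is an assumption of this model."""
    name = PureWindowsPath(image_path).name.lower()
    return name in {entry.lower() for entry in root_processes}

def random_name(suffix=".exe", nbytes=16):
    """Long, unpredictable file name from the OS CSPRNG (32 hex characters)."""
    return secrets.token_hex(nbytes) + suffix

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def copy_with_random_name(src, dest_dir):
    """Copy the scanner under a random name and confirm the bytes are unchanged."""
    src = Path(src)
    dst = Path(dest_dir) / random_name(src.suffix)
    shutil.copy2(src, dst)
    if sha256(src) != sha256(dst):
        dst.unlink()
        raise OSError("renamed copy does not match the original")
    return dst

def demo():
    """Return (original exempt?, renamed copy exempt?, length of new name)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "RootkitRevealer.exe"
        # Constructed stand-in bytes, not the real tool.
        original.write_bytes(b"constructed stand-in for the scanner binary")
        renamed = copy_with_random_name(original, tmp)
        return is_exempt(original.name), is_exempt(renamed.name), len(renamed.name)

if __name__ == "__main__":
    print(demo())
```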