Rootkits are a very popular technique among intruders for hiding their presence on compromised machines. Some rootkits are also used by worms and DDoS tools to hide themselves before they launch an attack. An intrusion can remain undetected for months when an attacker uses such a tool. This all sounds very 1337, so why talk about it on a Scumware site? Well, the whole can of worms is about to explode.
Recently some versions of popular scumware have started to drop these rootkits on the host machines, making the victims unwilling FTP servers, DDoS launch pads or worse.
But viruses do this all the time, you may say. Well, glad you did. The purpose of a rootkit is not to be an FTP server or any other kind of server; it is designed to hide everything and anything. Rootkits intercept system API calls and fool Windows into thinking there is nothing there. Running processes, files, open ports, anything can be hidden from Windows. This means there is no easy way to discover that a machine has a rootkit on it; there are no tell-tale signs as there are with viruses and scumware. Some more subtle signs are a hard drive that Windows reports as having free space but which is actually full, or massive amounts of uploading taking place.
So why tell us this if we're screwed? There is hope! Recently many companies have been working on rootkit detectors, and Sysinternals just released theirs earlier this month. Their free product, Rootkit Revealer, scans a computer using the Windows API (which a rootkit will intercept and alter), then performs a low-level scan, and reports the differences. It will reveal the hidden files, executables, services, registry keys, etc. Keep in mind that NTFS also contains many hidden objects that are not rootkits in any way.
You can read more and download Rootkit Revealer at:
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
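The cross-view idea behind such a detector, as an added example that is not Rootkit Revealer's code: two listings of the same volume, one obtained through the Windows API and one from a low-level scan, are compared, and anything the API view is missing is flagged, apart from the NTFS metadata objects that an ordinary directory listing never returns. Both listings and the file name hidden_tool.exe are constructed sample data.

```python
"""Simplified cross-view rootkit detection.

Added example, not Rootkit Revealer's own code. Compares a directory
listing obtained through the high-level Windows API (which a rootkit can
filter) with one reconstructed from a low-level scan of the volume and
reports every object the API view is missing. Both listings are
constructed sample data, not output of a real scan.
"""

# Constructed low-level view of C:\. The $-prefixed entries are NTFS
# metadata files that ordinary directory listings do not return.
RAW_VIEW = [
    r"C:\$MFT", r"C:\$LogFile", r"C:\$Bitmap",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\hidden_tool.exe",   # constructed placeholder name
    r"C:\Users\alice\report.docx",
]
# Constructed API view of the same tree: the placeholder file is absent,
# as it would be if a filtering rootkit were hiding it.
API_VIEW = [
    r"c:\windows\system32\drivers\TCPIP.SYS",
    r"C:\Users\alice\report.docx",
]


def normalize(path: str) -> str:
    # NTFS paths are case-insensitive, so compare a canonical form.
    return path.strip().lower()


def is_ntfs_metadata(path: str) -> bool:
    # NTFS metadata objects such as \$MFT live at the volume root and
    # start with '$'; they are hidden by design, not by a rootkit.
    name = path.rsplit("\\", 1)[-1]
    return path.count("\\") == 1 and name.startswith("$")


def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom): objects only the low-level scan saw, and
    objects only the API saw (often files changed between the two scans)."""
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    hidden = sorted(p for p in raw - api if not is_ntfs_metadata(p))
    phantom = sorted(api - raw)
    return hidden, phantom


if __name__ == "__main__":
    hidden, phantom = cross_view_diff(API_VIEW, RAW_VIEW)
    for p in hidden:
        print("hidden from Windows API:", p)
    for p in phantom:
        print("visible to API but not in low-level scan:", p)
```

A discrepancy in either direction deserves a look, but on a live system the "phantom" list also fills up with files created or deleted between the two scans, which is why a detector of this kind produces output that still has to be read by a person.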
So if you think you have a rootkit, give Rootkit Revealer a try. If you do find one (such as HackerDefender), there are further steps you can take: boot into safe mode and delete the files and registry keys, or boot from a bootable OS (Bart PE, Knoppix, etc.) and remove the files by hand.
