Author — Nicolay Grebennikov
Deputy Director,
Department of Innovative Technology
Kaspersky Lab
Introduction
The term ‘rootkit’ historically referred to a set of Unix utilities that allowed an intruder who had already gained root to keep that access and hide their presence on the compromised machine. Over time the term lost its association with Unix and gained broader usage: it now describes technologies that conceal the activity of certain software in a system.
In Windows, rootkit programs are used to hide malicious programs from antivirus solutions. As a rule, rootkits themselves carry no malicious payload; other types of malicious program use them to hide their activity in the system.
Currently many types of spyware use rootkit technologies, as do viruses, although to a smaller degree. Rootkit technologies are very effective at concealing files, processes and other system objects.
This paper examines the protection against rootkits provided by Kaspersky® Internet Security 6.0 and uses Hacker Defender, one of the most effective rootkits, as an example.
Kaspersky® Internet Security successfully blocks a large number of existing rootkits, the most effective of which are listed below:
- Hacker Defender
- AFX Rootkit 2005
- FU
- Vanquish
- NTRootKit
General information about how to protect against rootkits can be found on viruslist: Rootkits and How to Combat Them
Hacker Defender
F-Secure, an antivirus developer, provides the following description of Hacker Defender:
Hacker Defender is one of the most widely deployed rootkits in the wild. It is a user-mode rootkit that modifies several Windows and Native API functions, which allows it to hide information (files, processes, etc.) from other applications. In addition, Hacker Defender implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means, like launching a remote port scan against the compromised machine.
For more information about this rootkit read the full article: www.f-secure.com/v-descs/hacdef.shtml.
Installation
The publicly available version of Hacker Defender consists of two files: an executable (.exe) and a configuration file (.ini). The configuration file determines which objects the rootkit hides and sets the names that certain components of the rootkit take once installed in the system.
Administrator privileges are required to install Hacker Defender. The rootkit registers itself as an NT service and, during installation, writes a driver file (.sys) into its own folder. Installation adds two keys to the system registry:
- HKLM\SYSTEM\CurrentControlSet\Services\[service_name]
- HKLM\SYSTEM\CurrentControlSet\Services\[driver_name]
In addition, Hacker Defender will ensure that it is automatically loaded in safe mode by creating two more keys in the system registry:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[service_name]
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[driver_name]
[service_name] and [driver_name] are placeholders: the actual names are set in the rootkit’s configuration file (.ini).
Note also that while the rootkit is active, standard registry editors will not show the keys it created.
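The configuration file is the one artifact that an incident responder usually recovers intact, so it is worth turning it into a checklist of what to look for. The script below is an added example and not code from this page or from Kaspersky: it parses a Hacker Defender-style .ini, derives the registry keys listed above from the configured service and driver names, and reports which names from a clean-boot listing the configuration would have hidden on the running system. The section and setting names ([Hidden Table], [Hidden Services], [Hidden RegKeys], ServiceName, DriverName, DriverFileName) follow the public hxdef100.ini layout and are assumptions as far as this page goes; the sample config and listings are constructed.

```python
"""Turn a recovered Hacker Defender-style configuration into a checklist of artifacts.

Added example, not code from this page or from Kaspersky. The .ini layout
([Hidden Table], [Hidden Services], [Hidden RegKeys] and the ServiceName /
DriverName / DriverFileName settings) follows the public hxdef100.ini and is
an assumption as far as this page goes; the registry paths are the ones the
Installation section lists. The sample config is constructed.
"""
import configparser
import fnmatch
from typing import Dict, List

# Constructed sample, modelled on the public hxdef100.ini layout (assumption).
SAMPLE_INI = """\
[Hidden Table]
hxdef*
rcmd.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
HackerDefenderDrv100

[Settings]
ServiceName=HackerDefender100
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
"""

SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"


def parse_config(text: str) -> configparser.ConfigParser:
    """Parse the rootkit's ini: bare lines are patterns, so values are optional."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep case; service and driver names are Windows identifiers
    cp.read_string(text)
    return cp


def patterns(cp: configparser.ConfigParser, section: str) -> List[str]:
    """Wildcard patterns listed as bare lines under a section (empty if absent)."""
    return [k.strip() for k in cp[section]] if cp.has_section(section) else []


def registry_artifacts(cp: configparser.ConfigParser) -> List[str]:
    """Keys the page says installation creates, filled in from [Settings]."""
    svc = cp["Settings"]["ServiceName"]
    drv = cp["Settings"]["DriverName"]
    return [
        f"{SERVICES}\\{svc}",
        f"{SERVICES}\\{drv}",
        f"{SAFEBOOT}\\Minimal\\{svc}",
        f"{SAFEBOOT}\\Network\\{drv}",
    ]


def is_hidden(name: str, pats: List[str]) -> bool:
    """Case-insensitive match with * and ? wildcards (assumed hxdef semantics)."""
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in pats)


def triage(cp: configparser.ConfigParser, files: List[str], services: List[str],
           regkeys: List[str]) -> Dict[str, List[str]]:
    """Given names gathered from a clean boot (where the hooks are not active),
    return the ones this config would have hidden on the running system."""
    return {
        "files": [f for f in files if is_hidden(f, patterns(cp, "Hidden Table"))],
        "services": [s for s in services if is_hidden(s, patterns(cp, "Hidden Services"))],
        "regkeys": [k for k in regkeys if is_hidden(k, patterns(cp, "Hidden RegKeys"))],
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_INI)
    print("Driver file:", cfg["Settings"]["DriverFileName"])
    for key in registry_artifacts(cfg):
        print("Check:", key)
    # Constructed listing taken from a clean boot of the same disk.
    found = triage(cfg,
                   files=["hxdef100.exe", "hxdef100.ini", "rcmd.exe", "notepad.exe"],
                   services=["HackerDefender100", "Spooler"],
                   regkeys=["HackerDefenderDrv100", "Tcpip"])
    for kind, names in found.items():
        print(f"{kind} hidden by config: {names}")
```

The listings passed to triage must come from a view the rootkit cannot filter (the disk mounted on a clean system, or the registry hives loaded offline); the same names queried on the infected host through the hooked APIs simply do not appear, which is the point of the section above.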
Stealth technology
Hacker Defender hides the processes and files specified by the attacker from the security solutions running on the system. The objects to hide are listed in the rootkit’s configuration file. The rootkit can hide the following types of object:
- files
- processes
- registry keys and values
- NT services and drivers
- memory areas
- object handles
- inbound and outbound TCP connections
Hacker Defender hides objects by modifying the execution path of over fifty system functions in the following libraries:
- Ntdll.dll
- kernel32.dll
- AdvApi32.dll
- Ws2_32.dll
In addition, Hacker Defender installs and loads a driver that supports some of the operations performed by its user-mode code.
Infection technique
The rootkit injects itself into every process on the system, which is why administrator privileges are required. For each process it allocates memory inside that process, writes its own hooking functions (the ones that hide operating-system objects) into that memory, and then installs inline function hooks: the first bytes of each target system function are overwritten so that execution is redirected to the rootkit’s code in the memory it allocated.
If an infected process later loads any of the libraries listed under Stealth technology above, or creates a new process, the code in the remotely allocated memory hooks the new library or infects the new process, so the infection propagates.
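The mechanism above, an inline hook whose target is memory the rootkit allocated in the victim process, leaves two measurable traces: the first bytes of the hooked export no longer match the DLL on disk, and the branch written there points outside every loaded module. The script below is an added example, not code from this page or from Kaspersky, that checks both. On a live Windows system the two views would come from reading each export’s first bytes in the target process and from the DLL file mapped from disk (with relocations applied); here both views are constructed byte strings so that the logic runs anywhere, and the module bases, sizes, RVAs and the injected address are made up.

```python
"""Spot inline hooks on exported functions, the mechanism described above.

Added example, not code from this page or from Kaspersky. On a live Windows
system the two views would come from reading each export's first bytes in the
target process and from the DLL file mapped from disk (with relocations
applied); here both views are constructed byte strings so the detection logic
runs anywhere. Module bases, sizes, RVAs and the injected address are made up.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

PROLOGUE_LEN = 8  # bytes compared per export; covers the 5-byte jmp a hook writes


@dataclass
class ModuleView:
    name: str
    base: int
    size: int
    exports: Dict[str, int]    # export name -> RVA (constructed)
    disk: Dict[str, bytes]     # prologue bytes as mapped from the file on disk
    memory: Dict[str, bytes]   # prologue bytes as read from the live process

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def branch_target(addr: int, code: bytes) -> Optional[int]:
    """Decode the redirections hook engines commonly write at a function start.

    Handles jmp rel32 (E9), push imm32; ret (68 .. C3) and mov eax, imm32;
    jmp eax (B8 .. FF E0), all 32-bit. Returns the absolute target or None.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":
        return struct.unpack_from("<I", code, 1)[0]
    return None


@dataclass
class Finding:
    module: str
    export: str
    address: int
    target: Optional[int]
    target_module: Optional[str]  # None: target lies outside every loaded module


def scan(modules: List[ModuleView]) -> List[Finding]:
    """Compare each export's in-memory prologue with the on-disk one and, where
    they differ, resolve where the patched code jumps to."""
    findings: List[Finding] = []
    for m in modules:
        for export, rva in m.exports.items():
            if m.disk[export][:PROLOGUE_LEN] == m.memory[export][:PROLOGUE_LEN]:
                continue
            addr = m.base + rva
            target = branch_target(addr, m.memory[export])
            owner = None
            if target is not None:
                owner = next((x.name for x in modules if x.contains(target)), None)
            findings.append(Finding(m.name, export, addr, target, owner))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Hooks whose target is not inside any loaded module are the strongest
    signal: that is exactly the remotely allocated memory described above."""
    return [f for f in findings if f.target_module is None]


# --- constructed views -------------------------------------------------------
# XP-era ntdll system-call stub: mov eax, N; mov edx, 7FFE0300h; call [edx]; ret 2Ch
CLEAN_STUB = bytes.fromhex("b891000000ba0003fe7fff12c22c00")


def with_jmp_hook(addr: int, target: int, clean: bytes) -> bytes:
    """What a hook engine leaves behind: the first 5 bytes become jmp rel32."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel) + clean[5:]


NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0xB2000   # constructed
INJECTED = 0x00A30000                          # page the rootkit allocated in the victim
EXPORTS = {"NtQueryDirectoryFile": 0xE3B0, "NtQuerySystemInformation": 0xE8F0,
           "NtClose": 0xE1F0}
NTDLL = ModuleView(
    "ntdll.dll", NTDLL_BASE, NTDLL_SIZE, EXPORTS,
    disk={n: CLEAN_STUB for n in EXPORTS},
    memory={
        "NtQueryDirectoryFile": with_jmp_hook(NTDLL_BASE + 0xE3B0, INJECTED + 0x100, CLEAN_STUB),
        "NtQuerySystemInformation": with_jmp_hook(NTDLL_BASE + 0xE8F0, INJECTED + 0x400, CLEAN_STUB),
        "NtClose": CLEAN_STUB,
    },
)
KERNEL32 = ModuleView("kernel32.dll", 0x7C800000, 0xF6000, {}, {}, {})  # unhooked; range lookups only

if __name__ == "__main__":
    for f in scan([NTDLL, KERNEL32]):
        where = f.target_module or "no loaded module (injected memory?)"
        print(f"{f.module}!{f.export} @ {f.address:#010x} -> {f.target:#010x} in {where}")
```

Two caveats for real use: other security products (including host intrusion prevention) hook the same exports, so a prologue that jumps into a legitimately loaded module is evidence to investigate rather than proof of a rootkit, and the on-disk bytes must be compared after relocations are applied or every import thunk in the DLL will look patched. A hook whose target is in memory that belongs to no module is the case this page describes.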
Effects of a rootkit on an unprotected system
Hidden files
The screenshot below shows the C:\0 folder, which contains the rootkit’s files. The folder appears to be empty, although it is not.
Hidden processes
The screenshot below shows the Task Manager window, which does not display information about the rootkit process, even though the process is running.
Hidden system registry keys
The screenshot below shows the registry editor, which does not display the HackerDefender100 and HackerDefenderDrv100 keys created by the rootkit.
Blocking Hacker Defender
Detecting the rootkit during installation
During rootkit installation, Kaspersky® Internet Security 6.0 intercepts any attempts made by the rootkit to inject its code into processes.
Intercepting NT service and driver registration
As mentioned under Installation above, the rootkit registers itself as an NT service and registers its driver in the system.
The Proactive Detection Module (PDM) in Kaspersky® Internet Security 6.0 intercepts attempts made by the rootkit to register itself and activates the following window:
For more detailed information about the process, the user should click on “Details” which will cause the following window to be displayed:
When an attempt is made to register the driver the PDM will cause the following window to be displayed:
For more detailed information about the process, the user should click on “Details” which will cause the following window to be displayed:
Intercepting attempts to inject code into a process
As described above, the rootkit attempts to inject its code into every process.
When an attempt is made to inject code into a process, the PDM activates the following window:
For more detailed information about the process, the user should click on “Details” which will cause the following window to be displayed:
Kaspersky® Internet Security 6.0: Self-protection
If a rootkit attempts to inject its code into Kaspersky® Internet Security 6.0, the product will protect itself, as shown in the screenshot below:
Installation results
Warning of hidden files
If Kaspersky® Internet Security 6.0 has been used to prevent the rootkit from injecting its code into processes, the rootkit files remain visible to every process on the system. If it has not, the files are visible only to Kaspersky® Internet Security 6.0.
This is because the self-protection technology keeps the product’s own processes free of rootkit injection, so Kaspersky® Internet Security 6.0 can see hidden files in either situation.
For instance, if a user had initiated antivirus scanning, Kaspersky® Internet Security 6.0 would have activated the window shown below, which asks the user to choose an object to be scanned:
As the screenshot shows, Kaspersky® Internet Security 6.0 is able to see all the files which the rootkit attempted to hide.
Warning of processes hidden by a rootkit
If Kaspersky® Internet Security 6.0 is used to prevent the rootkit from injecting itself into processes (see Intercepting attempts to inject code into a process above), the rootkit process remains visible to other processes on the system. If it was not, the rootkit process is visible only to Kaspersky® Internet Security 6.0, whose processes are protected from injection by the self-protection technology.
In addition to protecting itself, Kaspersky® Internet Security 6.0 also protects Windows Task Manager processes from infection. This helps Windows Task Manager see all processes, as is shown in the screenshot below:
It should be noted that there is no user associated with the rootkit process.
Warning of hidden system registry keys
If Kaspersky® Internet Security 6.0 has been used to prevent the rootkit from injecting itself into processes (see Intercepting attempts to inject code into a process above), the registry keys created by the rootkit remain visible to all processes. If it has not, the keys are visible only to Kaspersky® Internet Security 6.0.
Kaspersky® Internet Security 6.0’s self protection mechanism enables the product to see all registry keys.
Combating rootkits
Detecting hidden processes
The PDM will detect all hidden processes without exception, making it possible for Kaspersky® Internet Security 6.0 to detect malicious code without using signature databases.
If the PDM detects a hidden process, it will activate the window shown below:
Scanning and disinfection procedure
If Kaspersky® Internet Security 6.0 detects rootkit files when scanning startup objects, it launches the disinfection routine:
For more detailed information about the disinfection routine see Appendix A.
If the user agrees to launch the disinfection routine, Kaspersky® Internet Security 6.0 will start scanning to find rootkit processes and files, as shown in the screenshots below:
Once scanning is finished, Kaspersky® Internet Security 6.0 reboots the system and deletes the rootkit’s executable file immediately after the reboot.
The screenshot below shows the directory which previously contained rootkit files. As can be seen, it now only contains a configuration file (.ini).
Appendix A
Advanced disinfection: how it works
Today’s malicious programs are far more sophisticated than their predecessors: they are multi-functional and can penetrate the lowest levels of the system, which makes disinfection with standard tools almost impossible.
Kaspersky® Lab has developed an advanced disinfection method which makes it possible to neutralize malicious code in 100% of cases, regardless of how deeply the code has penetrated the operating system.
Advanced disinfection launches a disinfection process each time a malicious process is detected in RAM or in startup objects. The screenshot below shows the window which is activated when an active infection routine is detected:
When this window is displayed, the user is strongly recommended to launch the advanced disinfection routine by clicking “OK”.
It should be noted that as the advanced disinfection routine will automatically reboot the computer, the user should save all work and close all applications as soon as an active infection routine is detected.
While the advanced disinfection routine is running, it is not possible to create new processes or startup objects:
Once scanning is finished, the computer will automatically reboot.
Once the computer has rebooted, the advanced disinfection routine will delete the malicious program files:
Once disinfection has been completed, the user is strongly recommended to perform a full scan of the computer in order to delete any remaining inactive files left by the malicious program.