Rootkit Detection

Adam Jones - Systems Engineer

I was recently working on a server with a nasty virus infection that we determined to be a rootkit. A rootkit, in short, is software intended to cloak or hide another malicious software package, process or activity on a computer. Rootkits can operate at the user level by deploying a DLL that lets them execute inside a target process. They can also operate at the kernel level by installing themselves as a device driver, which lets them run at the same security level as the OS itself. Rootkits avoid detection by inserting code into core components of the operating system and running within a trusted process or driver, which returns an “all good here” response to antivirus and antispyware scanning software. In our situation the rootkit was effectively disabling the antivirus software, erasing the Windows event logs and unregistering the Microsoft Management Console! Not very stealthy, but quite effective!

Since normal virus removal techniques weren’t going to do the trick, we had to deploy several rootkit detection utilities. The two that proved most useful were RootRepeal and GMER, because they were able to detect the presence of a Master Boot Record (MBR) infection as well as several SSDT hooks and a bogus driver. I was able to remove the malicious hooks and the driver with a few clicks, but cleaning the MBR was going to require a bit more work. Both of these tools boast the ability to fix the MBR, but my comfort lies in the Windows recovery console for such a task. In fact, RootRepeal itself suggested running fixmbr instead of using the utility provided. Once I fired up the RC and executed the fixmbr command, I was confident that the rootkit was removed, and now it became a matter of cleaning up with the usual suspects such as Malwarebytes and CCleaner.
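As an added example (not part of the original post, and not code from RootRepeal or GMER), here is the kind of check those tools perform on the MBR: parse the 512-byte sector, sanity-check its partition table and boot signature, and compare its bootstrap code against a hash baselined from a known-clean machine. The sector bytes used below are constructed stand-ins; on a real system the sector would be read from the raw disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: the bootstrap code an MBR bootkit overwrites
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, its four partition entries and the signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (i, p["status"]))
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk image): one active NTFS-type partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Baseline from the clean machine (constructed stand-in), and a sector whose bootstrap code was
# replaced while the partition table stayed intact, which is what an MBR bootkit leaves behind.
KNOWN_GOOD = build_sample_mbr(b"CLEAN-BOOT-CODE-PLACEHOLDER")
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD[:BOOT_CODE_LEN]).hexdigest()
TAMPERED = build_sample_mbr(b"REPLACED-BOOT-CODE-PLACEHOLDER")

if __name__ == "__main__":
    print("clean:   ", check_mbr(KNOWN_GOOD, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED, BASELINE_SHA256))
```

On Windows the live sector can be read from `\\.\PhysicalDrive0` in an elevated prompt, but since a kernel-level rootkit can hand the running OS a clean-looking copy (the “all good here” problem described above), the trustworthy read is from the recovery console or an offline image of the disk.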

A rootkit infection can be a real hassle, but if you are able to identify its presence there are some great tools out there to help you regain control of your computer.