How to Detect Rootkits In Windows 10 (In-Depth Guide)
Rootkits are used by hackers to hide persistent, seemingly undetectable malware within your device that will silently steal data or resources, sometimes over the course of multiple years. They can also be used in keylogger fashion, where your keystrokes and communications are surveilled, providing the onlooker with private information.
This particular hacking method saw more relevance pre-2006, prior to Microsoft Vista requiring vendors to digitally sign all computer drivers. The Kernel Patch Protection (KPP) caused malware writers to change their attack methods and only recently as of 2018 with the Zacinlo ad fraud operation, did rootkits re-enter the spotlight.
The rootkits pre-dating 2006 were all specifically operating system-based. The Zacinlo situation, a rootkit from the Detrahere malware family, gave us something even more dangerous in the form of a firmware-based rootkit. Regardless, rootkits are only around one percent of all malware output seen annually.
Even so, because of the danger they can present, it is prudent to understand how the detection of rootkits that may already have infiltrated your system works.
Detecting Rootkits in Windows 10 (In-Depth)
Zacinlo had actually been in play for almost six years before being discovered targeting the Windows 10 platform. The rootkit component was highly configurable and protected itself from processes it deemed dangerous to its functionality and was capable of intercepting and decrypting SSL communications.
It would encrypt and store all of its configuration data within the Windows Registry and, while Windows was shutting down, rewrite itself from memory to disk using a different name, and update its registry key. This helped it to evade detection by your standard antivirus software.
This goes to show that standard antivirus or antimalware software is not enough to detect rootkits, although a few top-tier antimalware programs will alert you when they suspect a rootkit attack.
The 5 Key Attributes Of a Good Antivirus Software
Most of the prominent antivirus programs today will perform all five of these notable methods for detecting rootkits.
- Signature-based Analysis – The antivirus software will compare logged files with known signatures of rootkits. The analysis will also look for behavioral patterns that mimic certain operating activities of known rootkits, such as aggressive port use.
- Interception Detection – The Windows operating system employs pointer tables to run commands that are known to prompt a rootkit to act. Since rootkits attempt to replace or modify anything considered a threat, this will tip off your system to their presence.
- Multi-Source Data Comparison – Rootkits, in their attempt to remain hidden, may alter certain data presented in a standard examination. The returned results of high and low-level system calls can give away the presence of a rootkit. The software may also compare the process memory loaded into the RAM with the content of the file on the hard disk.
- Integrity Check – Every system library possesses a digital signature that is created at the time the system was considered “clean”. Good security software can check the libraries for any alteration of the code used to create the digital signature.
- Registry Comparisons – Most antivirus software programs have these on a preset schedule. A clean file will be compared with a client file, in real-time, to determine if the client is or contains an unrequested executable (.exe).
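The Multi-Source Data Comparison and Integrity Check items above describe two techniques a defender can reproduce outside any antivirus product. The Python below is an added illustration written for this article, not code from the article or from any security vendor: `cross_view_hidden` diffs a high-level listing (what a hooked user-mode API reports) against a low-level one (what a raw source reports) and returns the objects that only the low-level view knows about, and `build_baseline`/`verify_baseline` hash every binary under a directory while the system is trusted and later report what was modified, removed or added. The process listings and the tiny "system directory" in `demo()` are constructed; the file patterns and the SHA-256 choice are my assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def cross_view_hidden(high_level_view, low_level_view):
    """Multi-source comparison: return identifiers (e.g. process IDs) that the
    low-level view reports but the high-level view does not. A rootkit that hooks
    the user-mode API can filter entries out of the high-level listing, but a view
    built from a lower-level source (kernel structures, a raw disk read) still
    contains them, so the difference is the set of hidden objects."""
    return sorted(set(low_level_view) - set(high_level_view))


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, patterns=("*.dll", "*.sys", "*.exe")):
    """Integrity check, step 1: record the hash of every matching file under
    root while the system is still considered clean."""
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def verify_baseline(root, baseline, patterns=("*.dll", "*.sys", "*.exe")):
    """Integrity check, step 2: rehash the same tree and report what changed."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def save_baseline(baseline, path):
    # Keep the baseline off the machine being checked (removable media, a share)
    # so that whatever tampers with the binaries cannot tamper with the record too.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: a tiny 'system directory' is baselined, then one
    library is patched, one driver removed and one executable dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ntdll.dll").write_bytes(b"clean library code")
        (root / "disk.sys").write_bytes(b"clean driver code")
        (root / "notes.txt").write_bytes(b"ignored: not a binary")
        save_baseline(build_baseline(root), root / "baseline.json")

        (root / "ntdll.dll").write_bytes(b"patched library code")   # tampered
        (root / "disk.sys").unlink()                                # removed
        (root / "dropper.exe").write_bytes(b"unexpected binary")    # added

        report = verify_baseline(root, load_baseline(root / "baseline.json"))

    # Constructed process listings: PID 1337 appears only in the low-level view.
    high = {4: "System", 620: "csrss.exe", 1200: "explorer.exe"}
    low = {4: "System", 620: "csrss.exe", 1200: "explorer.exe", 1337: "svchost.exe"}
    report["hidden_pids"] = cross_view_hidden(high, low)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the constructed scenario, or point `build_baseline` at a real directory on a machine you trust and `verify_baseline` at the same directory later. The caveat the article's own wording implies applies here too: a kernel-mode rootkit can also lie to the program doing the hashing, which is why the comparison is most trustworthy when the "current" hashes are taken from a known clean system, for example with the disk mounted offline.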
Performing Rootkit Scans
Performing a rootkit scan is the best attempt at detecting a rootkit infection. Most often your operating system cannot be trusted to identify a rootkit on its own, which makes determining its presence a challenge. Rootkits are master spies, covering their tracks at almost every turn and capable of remaining hidden in plain sight.
If you suspect a rootkit virus attack has taken place on your machine, a good strategy for detection would be to power down the computer and execute the scan from a known clean system. A surefire way to locate a rootkit within your machine is through a memory dump analysis. A rootkit cannot hide the instructions it gives your system as it executes them in the machine’s memory.
Using WinDbg For Malware Analysis
Microsoft Windows has provided its own multi-function debugging tool that can be used to perform debugging scans on applications, drivers, or the operating system itself. It will debug kernel-mode and user-mode code, help analyze crash dumps, and examine the CPU registers.
Some Windows systems will come with WinDbg already bundled in. Those without will need to download it from the Microsoft Store. WinDbg Preview is the more modern version of WinDbg, providing easier on the eyes visuals, faster windows, complete scripting, and the same commands, extensions, and workflows as the original.
At the bare minimum, you can use WinDbg to analyze a memory or crash dump, including a Blue Screen Of Death (BSOD). From the results, you can look for indicators of a malware attack. If you feel that one of your programs may be hindered by the presence of malware, or is using more memory than is required, you can create a dump file and use WinDbg to help analyze it.
A complete memory dump can take up significant disk space so it may be better to perform a Kernel-Mode dump or Small Memory dump instead. A Kernel-Mode dump will contain all memory usage information by the kernel at the time of the crash. A Small Memory dump will contain basic information on varying systems like drivers, the kernel, and more, but is tiny in comparison.
Small Memory dumps are more useful in analyzing why a BSOD has occurred. For detecting rootkits, a complete or kernel version will be more helpful.
Creating A Kernel-Mode Dump File
A Kernel-Mode dump file can be created in three ways:
- Enable the dump file from Control Panel to allow the system to crash on its own
- Enable the dump file from Control Panel to force the system to crash
- Use a debugger tool to create one for you
We’ll be going with choice number three.
To create the dump file, you only need to enter the following command into the Command window of WinDbg.
Replace FileName with an appropriate name for the dump file and the “?” with an f. Make sure that the “f” is lowercase or else you’ll create a different kind of dump file.
Once the debugger has run its course (the first scan will take considerable time), a dump file will have been created and you’ll be able to analyze your findings.
Understanding what you’re looking for, such as volatile memory (RAM) usage, to determine the presence of a rootkit takes experience and testing. It is possible, though not recommended for a novice, to test malware discovery techniques on a live system. Doing so will again take expertise and in-depth knowledge of the workings of WinDbg so as not to accidentally deploy a live virus into your system.
There are safer, more beginner-friendly ways to uncover our well-hidden enemy.
Additional Scanning Methods
Manual detection and behavioral analysis are also reliable methods for detecting rootkits. Attempting to discover the location of a rootkit can be a major pain so, instead of targeting the rootkit itself, you can instead look for rootkit-like behaviors.
You can look for rootkits in downloaded software bundles by using Advanced or Custom install options during installation. What you’ll need to look for are any unfamiliar files listed in the details. These files should be discarded, or you can do a quick search online for any references to malicious software.
Firewalls and their logging reports are an incredibly effective way to discover a rootkit. The software will notify you if your network is under scrutiny, and should quarantine any unrecognizable or suspicious downloads prior to installation.
If you suspect that a rootkit may already be on your machine, you can dive into the firewall logging reports and look for any out of the ordinary behavior.
Reviewing Firewall Logging Reports
You’ll want to review your current firewall logging reports, which makes an open-source application with firewall log filtering capabilities, like IP Traffic Spy, a very useful tool. The reports will show you what you need to see should an attack occur.
If you have a large network with a standalone egress filtering firewall, IP Traffic Spy will not be necessary. Instead, you should be able to see the inbound and outbound packets to all devices and workstations on the network via the firewall logs.
Whether you’re in a home or small business setting, you can use the modem provided by your ISP or, if you own one, a personal firewall or router to pull up the firewall logs. You’ll be able to identify the traffic for each device connected to the same network.
It may also be beneficial to enable Windows Firewall Log files. By default, the log file is disabled meaning no information or data is written.
- To create a log file, open up the Run function by pressing the Windows key + R.
- Type wf.msc into the box and press Enter.
- In the Windows Firewall and Advanced Security window highlight “Windows Defender Firewall with Advanced Security on Local Computer” in the left side menu. On the far right side menu under “Actions” click Properties.
- In the new dialog window, navigate over to the “Private Profile” tab and select Customize, which can be found in the “Logging” section.
- The new window will allow you to select how big a log file to write, where you’d like the file sent, and whether to log only dropped packets, successful connections, or both.
- Dropped packets are those that Windows Firewall has blocked on your behalf.
- By default, Windows Firewall log entries will only store the last 4MB of data and can be found at %SystemRoot%\System32\LogFiles\Firewall\Pfirewall.log.
- Keep in mind that increasing the size limit on data usage for logs can impact your computer’s performance.
- Press OK when finished.
- Next, repeat the same steps you just went through in the “Private Profile” tab, only this time in the “Public Profile” tab.
- Logs will now be generated for both public and private connections. You can view the files in a text editor like Notepad or import them into a spreadsheet.
- You can now export the log files into a database parser program like IP Traffic Spy to filter and sort the traffic for easy identification.
Keep an eye out for anything out of the ordinary in the log files. Even the slightest system fault can indicate a rootkit infection. Something along the lines of excessive CPU or bandwidth usage when you’re not running anything too demanding, or at all, can be a major clue.
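Reviewing Pfirewall.log by eye in Notepad is slow once it holds a few megabytes, so here is a small Python script, added for this article and not part of the original or of IP Traffic Spy, that parses the log's W3C-style layout (the `#Fields:` header names the columns) and pulls out three of the "out of the ordinary" signals discussed above: which destinations receive the most outbound bytes, which remote addresses are being dropped repeatedly, and which host-and-port pairs are contacted on a metronome-like schedule, the regular check-in pattern of something calling home. The sample traffic in `SAMPLE_LOG` is constructed, and the thresholds (`min_hits`, `jitter_seconds`) are my own assumptions to tune for your network.

```python
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the Windows Firewall (Pfirewall.log) layout. Workstation
# 192.168.1.20 fetches a web page, then contacts 203.0.113.7:8443 once a minute
# like clockwork, while 198.51.100.9 probes three inbound ports and is dropped.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 09:00:00 ALLOW TCP 192.168.1.20 93.184.216.34 50001 443 1200 - - - - - - - SEND
2024-03-01 09:00:05 ALLOW TCP 192.168.1.20 93.184.216.34 50002 443 800 - - - - - - - SEND
2024-03-01 09:01:00 ALLOW TCP 192.168.1.20 203.0.113.7 50003 8443 300 - - - - - - - SEND
2024-03-01 09:02:00 ALLOW TCP 192.168.1.20 203.0.113.7 50004 8443 300 - - - - - - - SEND
2024-03-01 09:03:00 ALLOW TCP 192.168.1.20 203.0.113.7 50005 8443 300 - - - - - - - SEND
2024-03-01 09:04:00 ALLOW TCP 192.168.1.20 203.0.113.7 50006 8443 300 - - - - - - - SEND
2024-03-01 09:05:00 ALLOW TCP 192.168.1.20 203.0.113.7 50007 8443 300 - - - - - - - SEND
2024-03-01 09:00:30 DROP TCP 198.51.100.9 192.168.1.20 40000 3389 52 S 1 0 8192 - - - RECEIVE
2024-03-01 09:00:31 DROP TCP 198.51.100.9 192.168.1.20 40001 445 52 S 1 0 8192 - - - RECEIVE
2024-03-01 09:00:32 DROP TCP 198.51.100.9 192.168.1.20 40002 22 52 S 1 0 8192 - - - RECEIVE
"""


def parse_pfirewall(text):
    """Turn the log into a list of dicts keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        values += ["-"] * (len(fields) - len(values))  # tolerate truncated lines
        rows.append(dict(zip(fields, values)))
    return rows


def _timestamp(row):
    return datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")


def outbound_volume(rows):
    """Bytes allowed out per (dst-ip, dst-port); unexpected heavy talkers stand out."""
    volume = Counter()
    for row in rows:
        if row["action"] == "ALLOW" and row["path"] == "SEND" and row["size"].isdigit():
            volume[(row["dst-ip"], row["dst-port"])] += int(row["size"])
    return volume


def dropped_by_source(rows):
    """Inbound packets the firewall blocked on your behalf, counted per remote source."""
    return Counter(row["src-ip"] for row in rows
                   if row["action"] == "DROP" and row["path"] == "RECEIVE")


def periodic_destinations(rows, min_hits=4, jitter_seconds=5):
    """Destinations contacted at a near-constant interval. Human browsing is bursty;
    a steady heartbeat to one host and port is the pattern of something checking in
    on a timer. Returns {(dst-ip, dst-port): mean interval in seconds}."""
    times = defaultdict(list)
    for row in rows:
        if row["action"] == "ALLOW" and row["path"] == "SEND":
            times[(row["dst-ip"], row["dst-port"])].append(_timestamp(row))
    periodic = {}
    for dest, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            periodic[dest] = sum(gaps) / len(gaps)
    return periodic


def analyze(text):
    rows = parse_pfirewall(text)
    return {
        "outbound_bytes": outbound_volume(rows).most_common(),
        "dropped_by_source": dropped_by_source(rows).most_common(),
        "periodic_destinations": periodic_destinations(rows),
    }


if __name__ == "__main__":
    # Usage: python firewall_log_review.py %SystemRoot%\System32\LogFiles\Firewall\Pfirewall.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_LOG
    for section, value in analyze(text).items():
        print(f"== {section}")
        print(value)
```

Run it with no arguments to see the constructed sample flagged, or pass the path of your own Pfirewall.log. A destination that shows up under `periodic_destinations` is not proof of a rootkit (update checkers and chat clients also poll on timers), but it is exactly the kind of entry worth identifying before deciding whether the process behind it belongs on the machine.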