I knew beforehand that this was going to be a pain, but only running into this kind of problem in the second wave is already something to be thankful for…
Current situation:
1. Ran an antivirus scan: nothing.
2. Ran SpyBot: nothing.
3. Using Outpost (I didn't see it myself), the keyword 51.net showed up.
4. Using Process Explorer: no abnormal process (the whole process list is quite clean…)
Switched to TCPView (the sit-and-wait approach) and saw that it is System:8 making the connections to 123.123.123.123
==> At the same time, Process Explorer/Fport found nothing abnormal
Searching with the keywords rootkit detect windows turns up some material.
==> Sysinternals' RootkitRevealer tool; not sure whether it can find this… the documentation is long, so time to buckle down.
Below is part of the RootkitRevealer documentation, not reproduced in full; for the full text go to Sysinternals:
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
==> Summing it all up with the single word "hide"…
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls [the interception approach (is there any way to detect it?)] to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.
The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.
==> In short: interception!
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate [i.e. direct manipulation] kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
==> The difference between user mode and kernel mode is very clear
How RootkitRevealer Works
Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares [so there is a control group?] the results of a system scan at the highest level with that at the lowest level. [Where would this "low level" be?] The highest level is the Windows API [the high level is this one] and the lowest level is the raw contents [the low level is this one; whoa, that's pretty hardcore…] of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
==> If the low level doesn't go through the API, what does it use?
Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.
==> Very confident
Is there a sure-fire way to know of a rootkit's presence?
In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.
The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.
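The cross-view idea from "How RootkitRevealer Works" and the evasion caveat from the two questions above, as an added example in Python (this is not Sysinternals code and not from the blog post). It models a directory as a raw byte blob (a constructed sample, with fictional rk_*.* files standing in for a rootkit), a Windows-API-style enumeration on top of it, a user-mode hook that filters that enumeration, and a scanner that diffs the two views the way RootkitRevealer does; the "Hide NTFS Metadata Files" option is modelled as a flag. The record format, file names and function names are assumptions for illustration, not the NTFS on-disk format or RootkitRevealer's internals.

```python
import struct

# Constructed sample directory. Each record is (name, is_metadata); metadata
# records model NTFS metadata files ($MFT etc.), which the Windows API never
# returns even when no rootkit is present. The rk_* files are fictional.
SAMPLE_DIR = [
    ("$MFT", True),
    ("$LogFile", True),
    ("boot.ini", False),
    ("ntoskrnl.exe", False),
    ("rk_driver.sys", False),
    ("rk_config.dat", False),
]


def pack_dir(entries):
    """Serialize entries into a raw 'on-disk' blob: 1-byte flags, 1-byte length, name."""
    out = bytearray()
    for name, is_meta in entries:
        raw = name.encode("utf-8")
        out += struct.pack("BB", 0x01 if is_meta else 0x00, len(raw)) + raw
    return bytes(out)


def parse_raw(blob):
    """Low-level view: walk the raw records directly, bypassing any API layer."""
    pos, entries = 0, []
    while pos < len(blob):
        flags, n = struct.unpack_from("BB", blob, pos)
        pos += 2
        entries.append((blob[pos:pos + n].decode("utf-8"), bool(flags & 0x01)))
        pos += n
    return entries


def win_api_listdir(blob):
    """High-level view, like FindFirstFile/FindNextFile: metadata files are not returned."""
    return [name for name, is_meta in parse_raw(blob) if not is_meta]


def hook_api(listdir_fn, hide_prefix):
    """User-mode rootkit: intercept the enumeration API and strip its own entries."""
    def hooked(blob):
        return [n for n in listdir_fn(blob) if not n.lower().startswith(hide_prefix)]
    return hooked


def cross_view_scan(blob, api_listdir, hide_metadata=True):
    """Diff the API view against the raw parse, in both directions.

    hide_metadata mirrors the 'Hide NTFS Metadata Files' option: entries the
    API legitimately omits are not reported as discrepancies.
    """
    api_view = set(api_listdir(blob))
    raw_view = {name for name, is_meta in parse_raw(blob)
                if not (hide_metadata and is_meta)}
    return {
        "hidden_from_api": sorted(raw_view - api_view),  # on disk, not enumerated
        "missing_on_disk": sorted(api_view - raw_view),  # enumerated, not on disk
    }


def tamper_raw_read(blob, hide_prefix):
    """Model a kernel-mode rootkit that also intercepts raw volume reads and rewrites them,
    the evasion the documentation calls theoretically possible."""
    kept = [(n, m) for n, m in parse_raw(blob) if not n.lower().startswith(hide_prefix)]
    return pack_dir(kept)


if __name__ == "__main__":
    blob = pack_dir(SAMPLE_DIR)
    hooked = hook_api(win_api_listdir, "rk_")
    print("clean system:         ", cross_view_scan(blob, win_api_listdir))
    print("user-mode hook:       ", cross_view_scan(blob, hooked))
    print("metadata not hidden:  ", cross_view_scan(blob, hooked, hide_metadata=False))
    print("raw reads also hooked:", cross_view_scan(tamper_raw_read(blob, "rk_"), hooked))
```

The second run shows the rootkit's files as entries present in the raw view but absent from the API view, which is exactly the discrepancy RootkitRevealer reports. The third run shows why the metadata option exists: without it, $MFT and $LogFile appear as discrepancies too, and a real scanner would drown in those false positives. The last run shows the limit discussed above: once the rootkit can rewrite the raw reads as well, both views agree and an on-line scan comes back clean, which is why an off-line comparison from trusted media is the more reliable check.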
Using RootkitRevealer
RootkitRevealer requires that the account from which it's run has assigned to it the Backup files and directories, Load drivers and Perform volume maintenance tasks (on Windows XP and higher) privileges. The Administrators group is assigned these privileges by default.
Manual Scanning
To scan a system, launch it on the system and press the Scan button. RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. The options you can configure:
Hide NTFS Metadata Files: this option is on by default and has RootkitRevealer not show standard NTFS metadata files, which are hidden from the Windows API.
Scan Registry: this option is on by default. Deselecting it has RootkitRevealer not perform a Registry scan.