Introduction to pentesting: Maintaining Access with Backdoors and Rootkits

Detecting and defending against rootkits

Let’s break from the normal convention of this course and take a minute to discuss a few defensive strategies for dealing with rootkits. That’s quite simple:

  • Closely monitor the information you put onto the Internet.
  • Properly configure your firewall and other access controls.
  • Patch your systems.
  • Install and use antivirus software.
  • Make use of an intrusion detection system.

Although the list ain’t nearly complete, it’s a good starting point for defending systems. However, even with all of those processes in place, rootkits can still pose a danger.

Defending against and detecting rootkits takes a few extra steps. It is important to understand that to configure and install a rootkit, administrative access is required. So the first step in avoiding rootkits is to deprivelege your users. It isn’t uncommon to find networks that are loaded with Windows machine where every user is a member of the administrator group. Usually when inquiring as to why every user is an administrator, the system admins simply just shrug or provide some lame excuse about the user needing to be administrators to run a particular piece of software. Really? Come on, this ain’t 1998. There are very few legitimate reasons for allowing your users to run around with full admin rights. With most moderns operating systems, you have the ability to temporarily elevate your with the “su” or “Run As” commands.

Although it is true that many rootkits function at the kernel level and have the ability to avoid detection by antivirus software, installing, using and keeping the software up-to-date is critical. Some rootkits, especially the older and less sophisticated versions can be detected and cleaned by modern antivirus software.

Monitor the traffic coming into and going out of your network. Many administrators are great at monitoring and blocking traffic as it flows into the network. They spend days and even weeks honing their rules sets to block incoming traffic. At the same time, many of these admins completely ignore all outbound traffic. They become so focused on the incoming traffic that they forget to watch what is leaving. Monitoring outbound traffic can be vital in detecting rootkits and other malware.

Another good tactic for detecting rootkits and backdoors is to regularly port scan your systems. Make note of each open port on each of your systems. If you find a system with an unknown port open, be sure to track down the PC and identify the rogue service.

Tools like Rootkit Revealer, Vice and F-Scure’s Blacklight are some great free options for revealing the presence of hidden files and rootkits. Unfortunately, once a rootkit has been installed, it can be very difficult to remove, or at least to remove completely. Sometimes, rootkit removal requires you to boot your machine into an alternate operating system and mount your original hard drive. By booting your machine to an alternate operating system or mounting the drive to another machine, you can scan the drive more thoroughly. Because the original operating system won’t be running and your scanner won’t be using API calls to an infected system, it’s more likely you’ll be able to discover and remove the rootkit. Even with all this, your best bet is to simply wipe the system, including a full format, and start over.