Rootkits For Dummies
by Larry Stevenson and Nancy Altholz
Wiley, January 2007, ISBN 0471917109

Rootkits For Dummies®
Published by Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774

Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

  

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

  

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. FULFILLMENT OF EACH COUPON OFFER IS THE SOLE RESPONSIBILITY OF THE OFFEROR.

  For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2006926390
ISBN: 978-0-471-91710-6
Manufactured in the United States of America

  About the Authors

Nancy Altholz (MSCS, MVP): Nancy is a Microsoft Most Valuable Professional in Windows Security. She holds a master’s degree in Computer Science and an undergraduate degree in Biology and Medical Technology. She is a Security Expert, Rootkit Expert and Forum Lead, and Wiki Malware Removal Sysop at the CastleCops Security Forum. She has also volunteered at other online security forums. As Wiki Malware Removal Sysop, she oversees and authors many of the procedures that assist site visitors and staff in system disinfection and malware prevention. As a Security Expert and Rootkit Expert, she helps computer users with a variety of Windows computer security issues, including malware removal. Nancy coauthored the Winternals Defragmentation, Recovery, and Administration Field Guide for Syngress Publishing, which was released in June 2006. She has recently been asked to write the foreword for a book authored by Mingyan Sun and Jianlei Shao (developers of the DarkSpy Anti-rootkit program) on advanced rootkit detection techniques. She was formerly employed by Medelec: Vickers’ Medical and Scientific Division, as a Software Engineer in New Product Development. Nancy’s interest in malware and rootkits evolved as a natural extension of her interest in medicine and computers, due to the many parallels between computer infection and human infection. Besides the obvious similarities in naming conventions, both require a lot of detective work to arrive at the correct diagnosis and enact a cure. Nancy enjoys investigating the malware life cycle, and all the factors and techniques that contribute to it – in short, she likes solving the puzzle, and of course, helping people along the way. Nancy lives with her family in Briarcliff Manor, NY.

  

Larry Stevenson: Larry has worked as a security consultant for over fifteen years. His education is abundant, including continuing studies in computer security, history, and fine arts. Larry works as an expert, volunteer moderator, and writer on staff at CastleCops, providing assistance and written articles to all users. In 2005, he wrote weekly articles on computer security topics for the Windows Security Checklist series. He helped develop and co-wrote the CastleCops Malware Removal and Prevention procedure. For these published efforts he was given the MVP Award: Microsoft Most Valuable Professional in Windows Security, 2006. Currently a co-founder with Nancy Altholz of the CastleCops Rootkit Revelations forums, he continues to develop ways for users to obtain assistance and information from rootkit experts. A Canadian citizen, he is currently employed at a multi-function, government-owned facility which includes private residences for people with special needs, a senior citizens care home, daycare center, offices, a cafeteria and a public access theater. For over seven years he has served as the Chief Steward in the union local, negotiating contracts and solving workplace issues.

  Dedications

To my mother, Jeanne Gobeo, for being my constant supporter and friend — and to my sister, Rosie Petersen, for making this world a rosier place. — NA

To Lael and Ken Cooper, Tiffany and Kyla, Paul and Robin Laudanski, also to my Muses, and my parents, Ruth and Hatton, for their faith and encouragement. — LS

  Authors’ Acknowledgments

We are grateful for the tremendous assistance and unstinting dedication of the many people who contributed to this book, both at Wiley and CastleCops. We would especially like to thank Paul and Robin Laudanski for their extraordinary contributions to computer security in general and the generous ongoing support they extended during the writing of Rootkits For Dummies. We give thanks to all the people on the Wiley team for their expertise and patience, including Melody Layne, Rebecca Huehls, Laura Moss, Barry Childs-Helton, James Russell, and Technical Editor Lawrence Abrams (BleepingComputer) for the outstanding job he did. We offer heartfelt gratitude to the Advisors and Rootkit Research Team at CastleCops, every one an expert in their field: Media Advisor Mahesh Satyanarayana (swatkat), Firefox Advisor Abdul-Rahman Elshafei (AbuIbrahim), Firewall Advisor Allen C Weil (PCBruiser), IE7 Advisor Bill Bright, and our Rootkit Research Team, including Don Hoover (Hoov), James Burke (Dragan Glas), Anil Kulkarni (wng_z3r0), David Gruno (wawadave), and Michael Sall (mrrockford). We would like to acknowledge Wayne Langlois, Executive Director and Senior Researcher at Diamond CS in Australia, for devoting his time, knowledge, and expertise to the “Tracking a RAT” section in Chapter 9. We’d like to thank Przemyslaw Gmerek, developer of the GMER Anti-rootkit program, for freely sharing his rootkit expertise and allowing us to distribute the GMER Anti-rootkit Program on the Rootkits For Dummies CD. We’d like to thank Mingyan Sun, codeveloper (along with Jianlei Shao) of the DarkSpy Anti-rootkit program, for freely sharing his in-depth technical knowledge of rootkit methodology and for giving us permission to distribute the DarkSpy program on the Rootkits For Dummies CD. We would like to recognize and extend a special thanks to Mahesh Satyanarayana for sharing his exceptional technical expertise and so much more, during the development of Rootkits For Dummies.
Nancy would also like to thank her family and friends for their patience and understanding during the course of writing Rootkits For Dummies.

  We give special thanks to Forensics Advisor Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE), who provided valuable insights to our network and forensics sections, and who also helped get this book up and running by providing much needed hardware. Dave has worked in the Information Technology Security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com, and lead litigation support technician for Secure Discovery Solutions, LLC. As a recognized security expert, and former Florida Certified Law Enforcement Officer, he specializes in litigation support, computer forensic investigations, incident response, and intrusion analysis.

  He is frequently a speaker at many national security conferences and is a

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: James H. Russell and Rebecca Huehls
Senior Acquisitions Editor: Melody Layne
Senior Copy Editor: Barry Childs-Helton
Technical Editor: Lawrence Abrams
Editorial Manager: Jodi Jensen
Media Development Specialists: Angela Denny, Kate Jenkins, Steven Kudirka, Kit Malone
Media Project Supervisor: Laura Moss
Media Development Manager: Laura VanWinkle
Editorial Assistant: Amanda Foxworth
Sr. Editorial Assistant: Cherie Case
Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services
Project Coordinator: Erin Smith
Layout and Graphics: Carl Byers, Denny Hager, Barbara Moore, Barry Offringa, Heather Ryan
Proofreader: Christine Sabooni
Indexer: Techbooks
Anniversary Logo Design: Richard Pacifico

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Contents at a Glance

Introduction ..... 1
Part I: Getting to the Root of Rootkits ..... 7
Chapter 1: Much Ado about Malware ..... 9
Chapter 2: The Three Rs of Survivable Systems ..... 25
Part II: Resistance Is NOT Futile ..... 35
Chapter 3: Practicing Good Computer Hygiene ..... 37
Chapter 4: Staying Secure Online ..... 61
Chapter 5: Patching and Updating Your System and Software ..... 101
Chapter 6: Blurring the Lines of Network Security ..... 117
Part III: Giving Rootkits the Recognition They Deserve ..... 149
Chapter 7: Getting Windows to Lie to You: Discovering How Rootkits Hide ..... 151
Chapter 8: Sniffing Out Rootkits ..... 179
Chapter 9: Dealing with a Lying, Cheating Operating System ..... 231
Part IV: Readying for Recovery ..... 301
Chapter 10: Infected! Coping with Collateral Damage ..... 303
Chapter 11: Preparing for the Worst: Erasing the Hard Drive ..... 323
Part V: The Part of Tens ..... 336
Chapter 12: Ten (Plus One) Rootkits and Their Behaviors ..... 337
Chapter 13: Ten (Plus Two) Security Sites That Can Help You ..... 347
Appendix: About the CD ..... 355
Index ..... 367

Table of Contents

Introduction ..... 1
  About This Book ..... 1
  Things You Should Know ..... 2
  What You’re Not to Read ..... 3
  Foolish Assumptions ..... 3
  How This Book Is Organized ..... 3
    Part I: Getting to the Root of Rootkits ..... 4
    Part II: Resistance Is NOT Futile ..... 4
    Part III: Giving Rootkits the Recognition They Deserve ..... 4
    Part IV: Readying for Recovery ..... 5
    Part V: The Part of Tens ..... 5
  Icons Used in This Book ..... 5
  Where to Go from Here ..... 6

Part I: Getting to the Root of Rootkits ..... 7

Chapter 1: Much Ado about Malware ..... 9
  Some Common Questions (and Answers) about Malware ..... 9
  Knowing the Types of Malware ..... 10
    Viruses ..... 11
    Worms ..... 11
    Trojans ..... 11
    Dialers ..... 12
    Backdoors ..... 12
    Spyware (and malicious adware) ..... 13
  The Many Aims of Malware ..... 16
  Rootkits: Understanding the Enemy ..... 19
    A Bit of Rootkit Lore ..... 19
    New Technologies, New Dangers ..... 21
    Why do rootkits exist? ..... 22

Chapter 2: The Three Rs of Survivable Systems ..... 25
  Formulating Resistance ..... 26
    Hackers may not be smarter than you ..... 26
    Steps to a Better Security Posture ..... 27
  Practicing Recognition ..... 30
    Spotting signs of malware ..... 31
    Recognizing when the problem isn’t malware ..... 33
    Suspecting that you’ve been compromised ..... 33
  Planning for Recovery ..... 33

Part II: Resistance Is NOT Futile ..... 35

Chapter 3: Practicing Good Computer Hygiene ..... 37
  Before Doing Anything . . . ..... 37
    Using System Restore ..... 38
    Backing up your Registry ..... 42
    Backing up your stuff with Windows Backup ..... 44
  Cleaning Your Windows to Improve Security ..... 46
    Everything and the kitchen sink: Loading only what you need at startup ..... 47
    Removing unused programs ..... 50
    Using the Windows Disk Cleanup Utility ..... 51
    Defragmenting your hard drive ..... 53
    Using Registry cleaners ..... 57
  Controlling Removable Devices ..... 58
    Disabling AutoRun ..... 58
    Turning off AutoPlay on all external drives and devices ..... 59
    Scanning boot sectors before using external media ..... 60

Chapter 4: Staying Secure Online ..... 61
  Good Practices Are a Good Start ..... 61
    Choosing your contacts carefully ..... 62
    Surfing safely ..... 63
    Developing strong passwords ..... 69
    Establishing limited-access user accounts ..... 70
    Using a HOSTS file ..... 72
  Bashing Your Browser into Submission ..... 73
    Saying no to Java, JavaScript, and ActiveX ..... 74
    Adding sites to your Trusted zone ..... 76
    Disable AutoComplete in Internet Explorer ..... 77
    Using the New Internet Explorer 7 ..... 77
    Surfing with Firefox instead ..... 80
    Staying ahead of the game with SiteAdvisor ..... 81
  Must-Have Protections Online ..... 82
    Firewall first ..... 83
    Scanners Next ..... 95

Chapter 5: Patching and Updating Your System and Software ..... 101
  Preventing Rootkits by Patching Your Clothes ..... 102
  Updating Your Operating System ..... 103
    Patching, updating, and Service Packing ..... 103
    Looking at why you need updates ..... 104
    Knowing where you can get them ..... 105
    Taking advantage of Automatic Updates ..... 105
    Guide to Windows Update and Microsoft Update ..... 106
  Patching and Updating Your Software ..... 113
    Ways to patch or update your applications ..... 113
    Watching Internet sources for known problems with your applications ..... 114
    Patching and updating shared computers in heavy use ..... 114
  Knowing When You Need a New Computer ..... 115

Chapter 6: Blurring the Lines of Network Security ..... 117
  A Checklist for Improving Security ..... 118
  Learning to Love Auditing ..... 119
    Enabling security auditing ..... 120
  Using Windows Access Control ..... 126
    Editing policies and configuring security ..... 126
    Making your own security-analysis utility ..... 127
    Testing your system against a security template ..... 127
    Customizing a security template for a network ..... 135
  Preventing Attacks by Limiting Access ..... 139
    Limiting and controlling physical access ..... 140
    Using limited-access user accounts ..... 140
    Limiting access on networks ..... 141
    Making a business security plan ..... 143
  Fooling Rootkits with Virtual Operating Systems ..... 144
  Planning Your Defense Against Rootkits ..... 145
    Establishing a baseline ..... 146
    Preparing Recovery Discs ..... 147

Part III: Giving Rootkits the Recognition They Deserve ..... 149

Chapter 7: Getting Windows to Lie to You: Discovering How Rootkits Hide ..... 151
  Discovering How Rootkits Hide and Survive ..... 151
  Keys to the Kingdom: Privileges ..... 153
  Knowing the Types of Rootkits ..... 154
    User-mode versus kernel-mode rootkits ..... 155
    Persistent versus non-persistent rootkits ..... 157
  Hooking to Hide ..... 157
    How hooking works ..... 158
    Knowing the types of hooks ..... 159
    DLLs and the rootkits that love them ..... 160
    Privileged hooks ..... 166
  Using Even More Insidious Techniques to Hide Rootkits ..... 171
    Direct kernel-object manipulation ..... 171
    Trojanized utilities ..... 174
  Looking into the Shady Future of Rootkits ..... 175
    Hiding processes by doctoring the PspCidTable ..... 175
    Hooking the virtual memory manager ..... 176
    Virtual-machine-based rootkits ..... 177

Chapter 8: Sniffing Out Rootkits ..... 179
  Watching Your Network for Signs of Rootkits ..... 179
    Watching logs for clues ..... 180
    Defending your ports ..... 183
    Catching rootkits phoning home ..... 192
    Examining the firewall ..... 193
  Trusting Sniffers and Firewalls to See What Windows Can’t ..... 199
    How hackers use sniffers ..... 200
    Using sniffers to catch hackers at their own game ..... 200
    Testing to see whether your NIC is in promiscuous mode ..... 201
    Sniffers you can use ..... 202
  Investigating Lockups and Other Odd Behavior ..... 206
    Accessing Event Viewer ..... 206
    Making some necessary tweaks to streamline logging ..... 207
    Inspecting event logs with Windows Event Viewer ..... 210
    Upgrading to Event Log Explorer ..... 217
    Trying MonitorWare ..... 219
  Checking Your System Resources ..... 222
    Matching activity and bandwidth ..... 223

Chapter 9: Dealing with a Lying, Cheating Operating System ..... 231
  Rooting Out Rootkits ..... 232
    Cleaning a network ..... 233
    Before doing anything . . . ..... 234
    The best overall strategy ..... 234
  Scanning Your OS from an External Medium ..... 234
    Microsoft WinPE ..... 235
    Non-Microsoft bootable CDs ..... 236
  File-System Comparison from Full Boot to Safe Mode ..... 238
  Checkpointing Utilities with Offline Hash Databases ..... 240
    Verifying files with FileAlyzer ..... 240
    Verifying file integrity with other utilities ..... 243
  Rootkit-Detection Tools ..... 244
    Autoruns: Aiding and abetting rootkit detection ..... 246
    Rootkit Revealer ..... 247
    F-Secure BlackLight Beta ..... 251
    IceSword ..... 253
    UnHackMe ..... 260
    Malicious Software Removal Tool ..... 261
    AntiHookExec ..... 262
    VICE ..... 269
    System Virginity Verifier (SVV) ..... 270
    Strider GhostBuster ..... 273
    Rootkitty ..... 274
    RAIDE ..... 275
    DarkSpy ..... 276
    GMER ..... 283
  Detecting Keyloggers ..... 289
    Types of keyloggers ..... 289
    Detecting keyloggers with IceSword ..... 290
    Detecting keyloggers with Process Explorer ..... 291
    Tracking a RAT: Using Port Explorer to trace Netbus 1.60 ..... 293

Part IV: Readying for Recovery ..... 301

Chapter 10: Infected! Coping with Collateral Damage ..... 303
  Deciding What to Do if You’re Infected ..... 303
    Knowing when to give up and start from scratch ..... 305
    What happens when the patient can’t be saved ..... 307
    Do you want to track down the rootkit-er, or just recover? ..... 307
    Taking measured action ..... 308
  “My Computer Did What?!” ..... 310
  Preparing for Recovery ..... 318
    Cutting off network connection before cleaning out the rootkit ..... 319
    Planning your first reboot after compromise ..... 320

Chapter 11: Preparing for the Worst: Erasing the Hard Drive ..... 323
  Don’t Trust System Restore After Rootkit Compromise ..... 323
  When a Simple Format and Reinstall Won’t Work ..... 325
  Erasing Your Hard Drive and Installing the Operating System ..... 327
    What you need before you begin this procedure ..... 328
    Erasing, partitioning, and formatting ..... 329
    Installing Windows XP ..... 331
    After you install . . . ..... 333
    . . . And beyond ..... 333

Part V: The Part of Tens ..... 336

Chapter 12: Ten (Plus One) Rootkits and Their Behaviors ..... 337
  HackerDefender ..... 338
  NTFShider ..... 339
  Elite Toolbar ..... 339
  Apropos Rootkit ..... 340
  FU — the Malware That’s Also an Insult ..... 341
  FUTo ..... 342
  MyFip ..... 342
  eEye BootRoot ..... 343
  FanBot ..... 343
  pe386 ..... 344
  Shadow Walker ..... 345

Chapter 13: Ten (Plus Two) Security Sites That Can Help You ..... 347
  Aumha ..... 348
  Bleeping Computer ..... 348
  CastleCops Security Professionals ..... 349
  Geeks to Go ..... 350
  Gladiator Security Forum ..... 351
  Malware Removal ..... 351
  Microsoft Newsgroups ..... 352
  Sysinternals Forum (Sponsor of Rootkit Revealer Forum) ..... 352
  SpywareInfo ..... 352
  SpywareWarrior ..... 353
  Tech Support Guy Forum ..... 353

Appendix: About the CD ..... 355
  System Requirements ..... 355
  Using the CD with Microsoft Windows ..... 356
    Installing the DART CD applications ..... 356
    How to burn an ISO image to CD ..... 357

  What You’ll Find on the DART CD ..............................................................357 Bonus Chapters ..................................................................................358 Anti-malware utilities and scanners ................................................358 Backup and imaging applications ....................................................359 System-analysis programs.................................................................360 Rootkit-detection-and-removal applications ..................................361 Password protectors and generators ..............................................362 Downloading tools for compromised hard drives .........................362

  Troubleshooting ...........................................................................................363

  Index........................................................................367


Introduction

  Welcome to Rootkits For Dummies, a book written for regular folks who need a better understanding of what rootkits are, what we can do to protect our computers and networks against them, and how to detect and remove them. Like Sergeant Schultz on Hogan’s Heroes, you may be among those who know “nothing, nothing” at all about them. Even the name rootkit may be unfamiliar to you — but soon everyone with a computer and Internet access will know how dangerous these malware programs can be. First, a bit of myth-busting: Rootkits have a scary reputation — just because they’re designed to escape detection by ordinary methods, supposedly they can’t be seen or extracted. For most of them, that’s balderdash. Rootkits are an extraordinary bit of deviance, to be sure, but they can be detected — and removed — using tools developed specifically for those tasks. You may still need the help of an expert, but cleaning out those nasty beasties is possible.

  Rootkits For Dummies can help you gain insight into the realm of malware, giving you the knowledge and abilities to assess and develop your own plan to prevent this scourge from ruining your day (or week, or year). Whether you have a standalone computer or have a business network to run as an administrator, this book will show you what you can do about rootkits — and help you secure your system against cyber-criminals and all malware, online and off.

  You are about to begin a journey from the basics of malware in general to the complex processes of rootkits. We are your guides, with you every step of the way, as you move toward greater computer security competency. We have done our best to provide the most effective tools available, and we’ve left markers along the path so you won’t get lost. In short, this book is both your passport and roadmap to a new beginning in the never-ending saga of Internet security.

  About This Book

  In Rootkits For Dummies, we offer a handy reference guide. You’re not expected to read it from cover to cover — although you’re welcome to do so, as it’s

  just start reading from there. The 15 chapters (including two bonus chapters on disc), the appendix, and the accompanying DART-CD (which means Dummies Anti-Rootkit Toolkit, a CD of tools and utilities to help you protect and clean your computer) provide all the topics and tools essential to dealing with rootkits and their payloads. We wrote each chapter so it could be read on its own; feel free to open the book anywhere and start reading.

  Things You Should Know

  Although this book comes with a glossary so you can look up what a lot of stuff means, we have some special terms and items we’d like to point out for you just in case there’s any confusion or controversy over what things mean in the contexts where we use them.

  ⻬ Blackhats, whitehats, and some maybe gray: In the old Western movies, the bad guys wore black hats and the good guys wore white ones; it’s the same thing here. When we call something black in this book, we usually mean it’s bad (if it isn’t, we’ll tell you); white is good, and gray is slimy.

  ⻬ Hackers and geeks: These guys are not all created equal. Nothing is wrong with being one; it just depends on what’s done with the knowledge of how to hack. We mean no disparagement of these many fine individuals who are good people with brains and skills; if we occasionally use the term “hacker” to refer to a blackhat hacker (see the next bullet), don’t hate us. In the old days, to be a hacker was a matter of pride and accomplishment. Rather than get involved in these old issues, we decided to be upfront about it from the start. We consider ourselves whitehat hackers, too, and we know they exist and help protect us from the blackhats.

  ⻬ Blackhat hackers: We consider these to be cyber-criminal hackers, people who use hacker tech and skills for evil purposes, compromising and hijacking people’s computers and invading networks with malware and rootkits. These creeps give regular hackers and whitehat hackers a bad name.

  Black hat conferences: These shindigs are now held every year (since 1997) at various locations around the globe — featuring cutting-edge security research provided by top business professionals, government security experts, and members of the anonymous hacking communities. These are good guys, not a bunch of blackhat hackers! Learn more at the following URL:

  What You’re Not to Read

  Not that we’d dictate that. It’s just that we know your time is precious.

  To get the essential goods on rootkits and the malware they lug around with them, you don’t have to read every single word in this book. Understanding rootkits does take some time, so go ahead and flip through the book. Sidebars and special-information items are provided to help you, but may not be essential to your overall understanding of rootkits — or they may simply be over-the-top technical (you’ll know those when you see the Technical Stuff icon). If you’re a beginner, or have no immediate interest in this extra material, skip it. (Of course, many techies reading this book will be delighted by these tidbits — and to them we say, bon appetit.)

  Foolish Assumptions

  Most everyone has heard that line about pleasing (or fooling) all of the people all of the time. Well, we aim to please — no fooling — but we also had to make a few practical assumptions about our readers when we started this book. We assumed that you

  ⻬ Are familiar with using Windows computers.

  ⻬ Know why you need a firewall and antivirus software.

  ⻬ Have encountered some form of malware at some point in your adventures with computers, or at least have heard of someone who has.

  ⻬ Are getting worried about Internet security on your personal computer or network.

  How This Book Is Organized

  We have arranged the chapters in this book in five parts. Each part focuses on a particular area of concern to you, the computer user, when you’re dealing with malware and rootkits. The book is set up to be eclectic; no need to plow through it in a linear, plodding-along fashion. Play hopscotch with the parts, if you choose: this book was written as a reference, not as a textbook. That said, there is a logical order to the book’s parts and chapters; prevention is discussed early on; the identification of rootkits and dealing with the havoc of an infected system are topics introduced later. If you want a full


  Part I: Getting to the Root of Rootkits

  The book starts by introducing you to malware, rootkits, and the issues they create: what you can expect from rootkits and malware, where you will find it lurking on your system or network, and why you need to know these things. Most networks and standalone computers are ill-equipped to handle the fullest implications of malware and blackhat hacking today. So this part makes no bones about the bad news; you’ll discover the plethora of opportunities that cyber-criminals have at their whim, with little or nothing to deter them. Laws have geographical boundaries — unfortunately the Internet does not. This part provides an overview of the many attacks and malware being encountered on the Internet every day. Before you can secure your computer or network, you need to know what you’re up against — malware and rootkits — and the cyber-criminals who use them.

  Part II: Resistance Is NOT Futile

  This part details the challenges of shoring up your defenses and hardening your computer and network security. From cleaning up the junk languishing in the dark recesses of your computer’s file system to using anti-malware applications, you get a handle on what all the geeks and techies already know: By maintaining a clean, balanced, and hardened computer, you can save yourself a lot of hassle, both electronic and financial. For those who have often felt mystified about how to set up security policies — using either the Local Security Policy Editor (for standalone Windows XP Professional computers) or the Security Configuration Manager (for global network policies), this part is for you.

  Part III: Giving Rootkits the Recognition They Deserve

  . . . which is to say, efficient detection, speedy removal, and savvy defense. For both standalone and networked computers, this part shows you how to detect, determine, and remove rootkits. For those of you who like to cut to the chase, here you find the meat of the matter — and an edge you can apply to it (we can already hear you groaning out there!): Here we reveal how rootkits do their special dance, how you can discover them, and how you can put


  Part IV: Readying for Recovery

  Rootkits are nobody’s harmless prank; they’re often used by cyber-criminals seeking nefarious financial gain. Due to their nature, rootkits can make it difficult to trace the blackhat hacker who put them there. And if they entangle your computer or network as part of a criminal enterprise, you’ve got potential big trouble. So this part details your options if a rootkit has taken up residence — and shows you what to do about it once you decide on a course of action.

  Okay, it had to happen sooner or later: Some rootkits and their malware payloads can so thoroughly compromise a computer that (short of a direct missile strike) they’re impossible to remove by conventional means. Even now, many security people claim that you need only reformat your hard drive and reinstall your operating system to get rid of rootkits. Unfortunately, that doesn’t work if you have rootkits squatting in the bad sectors of your hard drive. So this part shows you how you really can remove even those tough nuts — no missile required — and start over with a clean hard drive.

  Part V: The Part of Tens

  Every For Dummies book has a Part of Tens, and this one is no exception. In this part, you get a look at some of the most current rootkits (and a few