SANS ISC: Day 20 - Eradicating a Rootkit

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Yesterday we started with the Eradication phase of the Incident Handling process. If the incident involves the usage of a rootkit, there is a first question that always needs to be answered:

To rebuild or not to rebuild, that is the question! ;)

One of the main internal ISC debates we had when we started planning the Cyber Security Awareness Month was discerning if today's and tomorrow's topics will lead to effective actions apart from rebuilding affected systems.

Almost a year ago we wrote about Family Incident Response,and provide a few links for rootkit detection tools. I took the opportunity to compile a good set of free Windows related tools at my personal blog, RaDaJo. Sometime ago, AV vendors started to add anti-rootkit capabilities to their main products, considering rootkits as another malware category. In fact, the key reason for this were the rootkit capabilities embedded in several malware specimens. On my post, I said something that I would like to ratify today:

Rootkits are one of the most complex and advanced malicious software components today, so the tools are mainly focused on the identification phase. The successful removal of a (kernel) rootkit from a system is often a really complex task.

When refering to the most prevalent type of rootkits today, kernel-based rootkits, the main issue is that even if you get full knowledge of the rootkit capabilities (imagine you are able to get a copy of its source code and had time to analyze it in-depth), the rootkit is hooked so deep in the system (at the kernel level) that the attacker was capable of performing any modification on the compromissed system. The main question in this real-world scenario is: Is it well worth to spend time trying to remove the rootkit and clean up the system versus rebuilding it from scratch?

Imagine an irreplaceable system was compromissed and a rootkit was installed. What methodology can you follow and what specific actions (and tools) can you take (and use) to eradicate the rootkit? There are a few situations were you can find yourself in this kind of scenario, dealing with high availability systems that have unique hardware components that cannot be easily installed on another node (for example, in the medical sector), or situations where a working backup is not available.

If you have been involved in incidents that required removing rootkits and have any anecdotes or ideas you can share, please send them to us via our contact page. Please, be sure to put something in the subject like "Security Tip, day 20" to make it easier for us to sort them. We will update this diary with your comments and thoughts throughout the day, so start sending them in.

--
Raul Siles
www.raulsiles.com