Tuesday, February 22, 2005

More thoughts on GhostBuster, etc.

I'll be one of the first to agree that the GhostBuster approach to rootkit detection is sound.

However, there are several caveats that need to be mentioned and understood.

First, rootkits are available. Without question. 'Nuff said on that.

Second, GhostBuster is NOT available. To get Windows PE, you need to pay money. There is no ISO image, nothing. BartPE is available, but it is limited as well (i.e., see #4).

Third, GhostBuster must be used locally, at the console of the suspect system. This may not be an option for organizations with remote sites that have no admin on site (or have one, but for whom such things are beyond their skill set).

So, what are your options? I know what some of you are going to say, and yes, Knoppix and its variants are freely available, but the first phase of the scan (the listing taken from inside the running, possibly compromised, system) isn't an immediate option with a Linux boot CD alone. A way around this might be using something like Helix (thanks for all your work and effort, Dru!): put the CD in the Windows system, run a batch file with the appropriate commands, and then boot to the Linux distro and continue from there. You will most likely need some sort of script (Perl!!) to modify the output of your "ls" command so that it can more easily be diff'ed against the output of the 'dir /s /ah c:\*' command you used in your batch file. One caveat on that command: /ah lists only files carrying the hidden attribute, and a file a rootkit hides from the API need not have that attribute set, so 'dir /s /a' (all attributes) gives the more complete baseline.

Yet there may be another option. Rootkits work well when viewing the Registry and/or file system locally, but how about remotely? I found that AFX Rootkit 2003 hid Registry keys locally, but when the Registry was viewed remotely, the "hidden" keys were visible. The same thing applies to the file system in cases I've looked at. So, in situations where you can't reboot a system, or where you can't go to the machine and insert a CD, you might consider using psexec.exe from SysInternals.

To use this tool, make an administrative connection to the remote system (via net.exe) and use psexec to run the remote system's own copy of reg.exe (reg.exe ships with XP and above). Then use reg.exe on your own system to run a remote query for the same key, and compare the two outputs. The first query runs on the suspect box and sees whatever the rootkit lets local tools see; the second is answered by the Remote Registry service, which the rootkits described above did not filter.

The first command will look something like this:

C:\>psexec \\computername reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The second command will look something like this:

C:\>reg query \\computername\HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Note: The above syntax is taken directly from running 'reg query /?' on an XP system. As that help text points out, only HKLM and HKU are available on remote machines, and the Remote Registry service must be running on the target.

Of course, you'll want to redirect the output of each command to a file and then run diff (or fc.exe, which ships with Windows) on the two files. Compare the value lines rather than the key-path header lines, which may be written differently for a local and a remote query. Or you may want to wrap the entire thing in Perl so that only the differences are shown.

Now, the same thing applies to the file system: use psexec.exe to run the 'dir' commands on the remote system, then map the root of its C:\ drive (the C$ administrative share), run the same commands against the mapped drive, and diff the two listings. Normalize the drive letter first (C:\ on the remote system versus the letter you mapped), or every line will differ. Bear in mind what this does and does not test: a rootkit that hides things by hooking APIs inside each local process is not in the path of the Server and Remote Registry services, but a kernel-mode rootkit that filters at the system-call or file-system-driver level sits underneath those services too and can hide from both views.
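To show the registry and file system comparisons end to end, here is an added example in Python. It is not from the original post or from any tool mentioned in it. It parses 'reg query' output and bare directory listings, strips the root prefix so listings taken as C:\, through a mapped drive or the C$ share, or from a Linux boot CD's mount point line up, and reports what the inside view fails to show. It uses 'dir /s /b /a' (bare full paths, all attributes) rather than the post's 'dir /s /ah', so files without the hidden attribute are covered too. The host name 'computername', the sample command outputs and the value and file names in them are constructed for illustration; the live psexec and reg commands run only when a host name is given on the command line.

```python
"""Inside-vs-outside comparison of a Windows Registry key and a directory
tree, as discussed in the post.  Added example, not the post's own code.
Host name, sample command outputs and the names in them are constructed."""
import re
import subprocess
import sys

# A value line from 'reg query': <name> REG_<type> <data> (tabs on XP, spaces later)
_REG_VALUE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Return {value_name: (type, data)} from 'reg query <key>' output.
    Key-path lines (no leading whitespace) and the XP '! REG.EXE VERSION'
    banner carry no values and are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or not line[0].isspace():
            continue
        m = _REG_VALUE.match(line)
        if m:
            values[m.group("name")] = (m.group("type"), m.group("data").rstrip())
    return values


def normalize_path(path, root):
    """Strip the listing's root prefix, unify separators and fold case so that
    listings rooted at C:\\, a mapped drive, an admin share or a boot CD's
    mount point (e.g. /mnt/hda1/) can be compared line for line."""
    p = path.strip().replace("/", "\\")
    r = root.replace("/", "\\")
    if p.lower().startswith(r.lower()):
        p = p[len(r):]
    return p.rstrip("\\").lower()


def parse_listing(text, root):
    """Set of normalized paths from a one-path-per-line listing ('dir /s /b /a',
    or 'find <mount> -print' from a Linux boot CD)."""
    return {normalize_path(line, root) for line in text.splitlines() if line.strip()}


def compare_views(inside, outside):
    """(hidden, extra): entries only the outside view shows are what local tools
    are being kept from seeing; entries only the inside view shows are usually
    noise (access denied over the share, changes between the two runs)."""
    inside, outside = set(inside), set(outside)
    return sorted(outside - inside), sorted(inside - outside)


def registry_diff(inside_text, outside_text):
    """Compare name, type and data, so altered data is reported, not just hidden names."""
    return compare_views(parse_reg_query(inside_text).items(),
                         parse_reg_query(outside_text).items())


def listing_diff(inside_text, inside_root, outside_text, outside_root):
    return compare_views(parse_listing(inside_text, inside_root),
                         parse_listing(outside_text, outside_root))


# Inside view: psexec runs the remote box's own reg.exe / cmd.exe, i.e. whatever
# the rootkit lets local tools see.  Outside view: the analyst's reg.exe and
# cmd.exe read the key and the C$ share over the network.
def inside_reg_cmd(host, key):
    return ["psexec", "\\\\" + host, "reg.exe", "query", key]


def outside_reg_cmd(host, key):
    return ["reg", "query", "\\\\" + host + "\\" + key]   # only HKLM and HKU remotely


def inside_dir_cmd(host, drive="C:"):
    return ["psexec", "\\\\" + host, "cmd", "/c", "dir", "/s", "/b", "/a", drive + "\\*"]


def outside_dir_cmd(host, share="C$"):
    return ["cmd", "/c", "dir", "/s", "/b", "/a", "\\\\" + host + "\\" + share + "\\*"]


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, errors="replace").stdout


# Constructed sample output (XP-style 'reg query' and bare 'dir' / 'find' listings).
INSIDE_REG = ("! REG.EXE VERSION 3.0\n\n"
              "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
              "    ctfmon.exe\tREG_SZ\tC:\\WINDOWS\\system32\\ctfmon.exe\n"
              "    Example Updater\tREG_SZ\t\"C:\\Program Files\\Example\\upd.exe\" /quiet\n")
OUTSIDE_REG = INSIDE_REG + "    SampleHiddenEntry\tREG_SZ\tC:\\WINDOWS\\system32\\sample_rk.exe\n"
INSIDE_DIR = "C:\\WINDOWS\\system32\\ctfmon.exe\nC:\\WINDOWS\\system32\\drivers\\etc\\hosts\n"
OUTSIDE_DIR = INSIDE_DIR.replace("C:\\", "Z:\\") + "Z:\\WINDOWS\\system32\\sample_rk.exe\n"
BOOTCD_FIND = ("/mnt/hda1/WINDOWS/system32/ctfmon.exe\n"
               "/mnt/hda1/WINDOWS/system32/drivers/etc/hosts\n"
               "/mnt/hda1/WINDOWS/system32/sample_rk.exe\n")

if __name__ == "__main__":
    key = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    if len(sys.argv) > 1:                     # live: python script.py computername
        host = sys.argv[1]
        reg = registry_diff(run(inside_reg_cmd(host, key)), run(outside_reg_cmd(host, key)))
        fs = listing_diff(run(inside_dir_cmd(host)), "C:\\",
                          run(outside_dir_cmd(host)), "\\\\" + host + "\\C$\\")
    else:                                     # offline: the constructed samples
        reg = registry_diff(INSIDE_REG, OUTSIDE_REG)
        fs = listing_diff(INSIDE_DIR, "C:\\", BOOTCD_FIND, "/mnt/hda1/")
    for label, (hidden, extra) in (("Registry", reg), ("File system", fs)):
        print(label, "- hidden from local view:", hidden, "| local only:", extra)
```

Only the "hidden" list is interesting; the "extra" list is mostly what went wrong with the outside read (access denied on a path, a temp file that came and went between the two runs), and a non-empty one is a reason to rerun, not an indicator. Run offline it reports the constructed SampleHiddenEntry value and sample_rk.exe; with a host name it runs the psexec and reg commands from the post and diffs their real output.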

This isn't guaranteed to work with all rootkits because to be honest, I haven't seen all possible rootkits. However, this is the same behaviour-based approach I talked about in my book.
