Antirootkit Rootkit

Rootkits, if you are not familiar with them, are programs that, once on a machine, place themselves between the user and the operating system.  The rootkit intercepts the system's input and output to you, the user, concealing running processes, files and system data.  Typically it does this by hooking the system calls or library functions that programs use to enumerate files and processes, either in user mode or in the kernel.  Log files and the tools used to show what is running and happening on a machine are also altered.  For example, when you ask for a listing of all files on the hard drive, the request is effectively changed to "give me all files on the hard drive except those owned by the rootkit".  Rootkits can be very hard to detect, although some programs can detect them.  The bigger problem is removing them.  Once a rootkit is installed on a machine, the usual remedy is to wipe the machine and reinstall the operating system from trusted media.

I pondered this problem for a while and did not come up with a solution, only thoughts.  Here is one.  What if I detected a rootkit by placing rootkit-associated files on a system?  If the rootkit is installed, it should recognize those files as its own and hide them from the user.  If my files magically disappear, I know that I have that specific rootkit on the system.  To notice that they have disappeared, I need a second view the rootkit cannot filter, such as opening each file directly by its known path or listing the directory from outside the running system.  The next step would be to place files on the system that the rootkit would accept and take ownership of, but modified to undo what the rootkit does.  How would I undo the rootkit's actions?  Once I figure out how the rootkit operates, I can counter it.  For research purposes, I would need to log the rootkit's actions from this file I place on the system.  Think of it as placing a trojan horse on my own machine that gives me a back door into the realm of the rootkit.

There is also the possibility of accessing the system remotely, or of accessing its drives through a removable hard-drive kit or a forensics kit.  This would allow you to scan the data on the drive from a system that has not been compromised.  Note that a remote login still sees the drive through the compromised system's own APIs; only mounting the drive on a clean system gives a view the rootkit cannot filter.  If this approach were successful, I could set up agents that act as a buddy system, scanning the nodes around them to ensure that they have not been compromised and rejecting communication from those that have.  The agent could be included in antivirus software or shipped as yet another package.
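The two ideas above, planting canary files that match a rootkit's hiding rule and comparing the running system's view against a trusted one, come together in what is usually called cross-view detection.  The following is an added example written for this page, not code from the original post.  The hiding rule (every name beginning with `rk_`) is a hypothetical stand-in for the rule you would learn by analysing a specific rootkit, and `simulate_hooked_listing` is a constructed substitute for a hooked enumeration API so the example runs without a rootkit present.

```python
"""Cross-view rootkit check: plant canary files matching a rootkit's hiding
rule, then compare the listing the running system reports against a view the
rootkit cannot filter (direct open by path, or a listing taken from a clean
system with the drive mounted offline).

Added example; not code from the original post. HIDE_PATTERN is a
hypothetical stand-in for a real rootkit's hiding rule.
"""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical hiding rule: assume the rootkit under study hides every
# name that starts with "rk_". A real rule comes from analysing the rootkit.
HIDE_PATTERN = re.compile(r"^rk_")


def plant_canaries(directory, names):
    """Create zero-byte marker files whose names match the hiding rule."""
    paths = []
    for name in names:
        p = Path(directory) / name
        p.write_bytes(b"")  # content is irrelevant; only the name matters
        paths.append(p)
    return paths


def live_view(directory):
    """Directory listing as the (possibly hooked) OS API reports it."""
    return set(os.listdir(directory))


def simulate_hooked_listing(true_listing):
    """Constructed stand-in for a hooked enumeration API: drops every name
    matching HIDE_PATTERN. Lets the example run without a rootkit; a real
    check uses live_view() on the suspect machine instead."""
    return {n for n in true_listing if not HIDE_PATTERN.match(n)}


def cross_view_diff(trusted_view, suspect_view):
    """Names the trusted (offline/clean-system) view has but the suspect
    system omits ("hidden"), and names the suspect system reports that the
    trusted view lacks ("phantom")."""
    trusted, suspect = set(trusted_view), set(suspect_view)
    return {"hidden": sorted(trusted - suspect), "phantom": sorted(suspect - trusted)}


def canary_check(directory, canary_names, listing):
    """Per-canary verdict. A canary that opens by its known path but is
    absent from the directory listing means enumeration is being filtered.
    Caveat: a rootkit that also hooks open/stat for its own names passes
    this check; the offline cross_view_diff still catches it."""
    results = {}
    for name in canary_names:
        path = Path(directory) / name
        results[name] = {
            "in_listing": name in listing,
            "opens_by_path": path.is_file(),
        }
    return results


def suspicious_canaries(results):
    """Canaries reachable by path yet missing from the listing."""
    return sorted(n for n, r in results.items()
                  if r["opens_by_path"] and not r["in_listing"])


def demo():
    """Run the check on a constructed directory, once against the true
    listing (clean box) and once against the simulated hooked listing."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "notes.txt").write_text("ordinary user file\n")  # constructed
        canaries = ["rk_loader.sys", "rk_config.dat"]
        plant_canaries(d, canaries)
        true_listing = live_view(d)                      # clean API view
        hooked = simulate_hooked_listing(true_listing)   # constructed compromised view
        return {
            "clean_suspicious": suspicious_canaries(canary_check(d, canaries, true_listing)),
            "hooked_suspicious": suspicious_canaries(canary_check(d, canaries, hooked)),
            "diff": cross_view_diff(true_listing, hooked),
        }


if __name__ == "__main__":
    print(demo())
```

In real use the trusted listing comes from the drive mounted on a clean system, as the paragraph above suggests, and the suspect listing from the running machine; `cross_view_diff` then reports exactly the names the live system is hiding, whichever API the rootkit hooks.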

More thoughts for you.  I welcome comments on them. 
