DiamondCS Deep System Explorer
Detection Example: DSE vs NT Rootkit

Description: NT Rootkit is the original kernel-mode rootkit for Windows. Created by renowned rootkit researcher Greg Hoglund as an open-source proof-of-concept project, NT Rootkit demonstrated some of the earliest kernel-mode tricks that rootkits use. It has long since been discontinued, but it was one of the main catalysts for the growth of rootkit and anti-rootkit technologies.


Detection: The first thing we notice in the Driver List tool is that DSE lists the rootkit driver, and that its file is flagged as not existing (NO), i.e. it has either been deleted from disk or is being hidden:


And if we look at the System Service Table we can see that the rootkit driver is hooking quite a few important system service (native API) functions:


Likewise, it has also hooked interrupt 2E (INT 2Eh), the interrupt through which NT native API system calls are dispatched:


Here we can easily see its keyboard hook:


NT Rootkit also registers itself as a network driver interface, which DSE has no problems seeing:


NT Rootkit also hides processes whose filename begins with "_root_", so we copied Windows\system32\calc.exe to c:\ntrootkit\_root_calc.exe, ran it, and then looked in DSE to see what it could find.

Firstly, if we check the Process List tool we can see it sticking out like a sore thumb, with both the file and process apparently hidden:


The Hidden Processes scan shows the process in much greater detail:


And, as is usually the case, the hidden process also has hidden threads:
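The two checks this walkthrough leans on most, a cross-view comparison of process lists and a scan of service table entries for handlers that fall outside the kernel image, shown as an added example on constructed data. This is not DiamondCS or NT Rootkit code; all function names, process entries, table indices and addresses below are assumed for illustration, and the "API view" is a stand-in for an enumeration API filtered by the rootkit's "_root_" rule.

```python
# Added example (not DSE's own code): cross-view detection logic run on
# constructed sample data rather than a live kernel.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def api_process_list(raw_procs, hidden_prefix="_root_"):
    """Stand-in for a hooked enumeration API: NT Rootkit drops processes whose
    image name begins with "_root_"; a low-level (raw) view still sees them."""
    return [p for p in raw_procs if not p.name.lower().startswith(hidden_prefix)]


def find_hidden_processes(api_view, raw_view):
    """Cross-view check: anything in the raw view but missing from the API
    view is reported as a hidden process."""
    seen = {(p.pid, p.name) for p in api_view}
    return [p for p in raw_view if (p.pid, p.name) not in seen]


def find_ssdt_hooks(ssdt, kernel_range):
    """Flag service table entries whose handler address lies outside the kernel
    image. ssdt: {service_index: handler_address}; kernel_range: (start, end)."""
    start, end = kernel_range
    return {idx: addr for idx, addr in ssdt.items() if not (start <= addr < end)}


# Constructed sample data; the addresses and indices are illustrative only.
RAW_PROCS = [Proc(4, "System"), Proc(1234, "explorer.exe"), Proc(2048, "_root_calc.exe")]
KERNEL_RANGE = (0x80400000, 0x805C0000)  # assumed ntoskrnl image bounds
SSDT = {
    0x0032: 0x80480123,  # inside the kernel image: unhooked
    0x0049: 0xF9A31000,  # points into a third-party driver: hooked
    0x0091: 0x804A0C00,  # inside the kernel image: unhooked
    0x00AD: 0xF9A32F40,  # points into a third-party driver: hooked
}

if __name__ == "__main__":
    hidden = find_hidden_processes(api_process_list(RAW_PROCS), RAW_PROCS)
    print("hidden processes:", hidden)
    print("hooked service indices:", sorted(find_ssdt_hooks(SSDT, KERNEL_RANGE)))
```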


Now that's thorough detection coverage!



Copyright © 1999 - 2010, Diamond Computer Systems Pty. Ltd.  All rights reserved.