Methodology for Anti-Rootkits Test for Malware Detection and Removal (December 2007)

There are two types of rootkit: user mode and kernel mode. Kernel mode rootkits are the most difficult to detect and, because they are not restricted in any way, are of more interest for testing purposes; user mode rootkits are confined by the system's privilege restrictions, which significantly limits their actions. Today's antivirus and anti-rootkit programs should have little problem detecting and deleting the files, processes, etc. concealed by a rootkit that operates in user mode.

Kernel mode rootkits use the following methods of concealment:

  • Hooking a system function by substituting its address in the table of system services (the SSDT). These hooks are the most widely used by malicious programs with rootkit masking and are, therefore, easy to detect and neutralize.
  • Masking by modifying the kernel's own machine code, so-called splicing. These hooks are difficult to detect and neutralize, and the number of malicious programs using them is growing steadily.
  • Hooking the Int 2Eh and sysenter system call entry points.
  • Using a filter driver. Rootkits of this type install their own driver, which attaches to the file system driver as a filter driver and can therefore intercept IRP calls.
  • DKOM (Direct Kernel Object Manipulation), i.e. direct modification of various kernel structures.
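As an added illustration of how the first two methods on this list are detected (this is not code from the original methodology), the following Python sketch applies two checks that anti-rootkit tools perform: each SSDT entry should resolve into the kernel image, and a function prologue should not begin with a jump that leaves the module the function belongs to. All module names, address ranges and byte strings are constructed for the example; evil.sys is a hypothetical driver.

```python
"""Two hook-detection heuristics of the kind anti-rootkit tools apply to the
SSDT-hook and splicing methods listed above.  Added illustration, not code from
the original methodology; every address, module range and byte string below is
constructed for the example and does not describe a real system."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Module:
    """A loaded kernel module: its name plus the address range its image occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the module whose image covers addr, or None if no module does."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_ssdt_hooks(ssdt: List[int], modules: List[Module],
                    kernel: str = "ntoskrnl.exe") -> List[Tuple[int, int, Optional[str]]]:
    """SSDT check: every service entry should point into the kernel image.
    Returns (index, address, owning module or None) for each entry that does
    not, i.e. entries redirected into a third-party driver or into memory
    that belongs to no known module."""
    return [(idx, addr, owner_of(addr, modules))
            for idx, addr in enumerate(ssdt)
            if owner_of(addr, modules) != kernel]


def inline_jump_target(code: bytes, func_addr: int) -> Optional[int]:
    """Splicing check: decode a jump written over a function prologue.
    Recognises the two x86 patterns most commonly used for inline hooks:
    E9 rel32 (near relative jmp) and 68 imm32 / C3 (push target; ret)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return (func_addr + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return int.from_bytes(code[1:5], "little")
    return None


def find_spliced_functions(functions: Dict[str, Tuple[int, bytes]],
                           modules: List[Module]) -> Dict[str, Tuple[int, Optional[str]]]:
    """functions maps name -> (address, first bytes of the function body).
    A function is reported when its prologue has been replaced by a jump that
    leaves the module the function lives in.  A jump that stays inside the same
    module is deliberately ignored: compilers and legitimate hot-patching
    produce those, and reporting them would bury the real hooks in noise."""
    hooked = {}
    for name, (addr, code) in functions.items():
        target = inline_jump_target(code, addr)
        if target is None:
            continue
        if owner_of(target, modules) != owner_of(addr, modules):
            hooked[name] = (target, owner_of(target, modules))
    return hooked


# --- constructed snapshot of a hooked system (all values made up) ---
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),   # kernel image
    Module("evil.sys",     0xF8A10000, 0x4000),     # hypothetical rootkit driver
]
# Service table: entries 2 and 4 no longer point into ntoskrnl.exe.
SSDT = [0x805B3B80, 0x805E7234, 0xF8A11020, 0x8060A1C0, 0xF9C00400]
FUNCTIONS = {
    # untouched prologue: mov edi,edi / push ebp / mov ebp,esp
    "NtQuerySystemInformation": (0x805E7234, bytes.fromhex("8BFF558BEC")),
    # jmp rel32 whose target (0xF8A12000) lies inside evil.sys
    "NtQueryDirectoryFile":     (0x8060A1C0, bytes.fromhex("E93B7E4078")),
    # push 0xF8A12100 / ret: same effect, different encoding
    "NtEnumerateKey":           (0x805B3B80, bytes.fromhex("680021A1F8C3")),
    # jmp rel32 that stays inside the kernel (+0x7B): not a hook
    "NtClose":                  (0x805F1000, bytes.fromhex("E97B000000")),
}

if __name__ == "__main__":
    for idx, addr, owner in find_ssdt_hooks(SSDT, MODULES):
        print(f"SSDT[{idx}] -> {addr:#010x} ({owner or 'unknown memory'})")
    for name, (target, owner) in find_spliced_functions(FUNCTIONS, MODULES).items():
        print(f"{name}: prologue jumps to {target:#010x} in {owner or 'unknown memory'}")
```

Run as a script it reports the two redirected service entries and the two spliced prologues while staying silent on the in-kernel jump in NtClose. The same two checks are what makes SSDT hooks "easy to detect" in the sense the list above uses, and why splicing is harder: a real splicing detector must also cope with hooks placed deeper than the first instruction and with trampolines that are not a plain jmp, neither of which this sketch attempts.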

Rootkit samples were selected for testing on the basis of the concealment methods listed above. The main principle behind the selection process was making sure all the possible methods of masking on a system were included.

This resulted in 6 malicious programs with hidden rootkits and 4 proof-of-concept rootkits being selected by the group of experts at for use in the testing of antivirus and anti-rootkit programs.

The following additional criteria were also taken into consideration when the selection of malware was made:

  1. The samples had to evade detection by using one or more of the concealment methods outlined above.
  2. Each sample had to make use of a different method of concealment.
  3. Overall, the samples had to reflect existing concealment technologies as closely as possible.
  4. The malware had to have been gathered while it was circulating on the Internet (in-the-wild samples).
  5. The rootkits used must not contain deliberate self-defence functionality aimed at antivirus/anti-rootkit programs, such as deleting their files, terminating their processes, etc.

Taking all these factors into account, the following malicious programs were selected for the test:

  4. Monitor.Win32.EliteKeylogger.21
  5. Rootkit.Win32.Agent.ea
  6. Rootkit.Win32.Podnuha.a

As well as the following proof-of-concept rootkits:

  1. Unreal A (v1.0.1.0)
  2. RkDemo v1.2
  3. FuTo
  4. HideToolz

As can be seen, the main emphasis when compiling the collection was on malicious programs. Several proof-of-concept rootkits were added to complete the overall picture of masking methods and to check for proactive detection (detection of rootkits based on an analysis of system events/anomalies, i.e., without signatures).

Each of the selected malicious programs was checked for correct installation and operability on the test system.

The most popular antivirus programs with rootkit detection functionality were selected to participate in the test. Of the specialized anti-rootkit programs, only those capable of automatically detecting hidden files were included.

The list of malware selected for the test was kept secret until the results were announced and was not communicated to any of the vendors whose antivirus and anti-rootkit products took part.

The test was performed on a specially-prepared VMware Workstation version 5.5.3 platform. A “clean” virtual machine with a Microsoft Windows XP SP2 operating system, with all the latest updates at the time of testing, was cloned for each malicious program sample.

The following antivirus programs participated in the test:

  1. BitDefender Antivirus 2008
  2. Dr.Web 4.44
  3. F-Secure Anti-Virus 2008
  4. Kaspersky Anti-Virus 7.0
  5. McAfee VirusScan Plus 200
  6. ESET NOD32 Anti-Virus 3.0
  7. Symantec Anti-Virus 2008
  8. Trend Micro Antivirus plus Antispyware 2008

The following anti-rootkit products also participated:

  1. AVG Anti-Rootkit 1.1
  2. Avira Rootkit Detection
  3. GMER 1.0.13
  4. McAfee Rootkit Detective 1.1
  5. Panda AntiRootkit version 1.0
  6. Rootkit Unhooker 3.7
  7. Sophos Anti-Rootkit 1.3
  8. Trend Micro RootkitBuster 1.6

A requirement for all the security software selected for testing was that it should not only detect rootkits in a system but also be able to remove them (deletion/renaming of files, deletion/renaming of registry keys/sections).

A rootkit was considered detected if the security software located its files, registry keys or processes, or traces of its presence on the system (hooked API functions). A rootkit was considered neutralized if the security software completely eliminated its activity in the system.
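The "hidden process" and "hidden file" verdicts behind this definition, and the signature-less proactive detection mentioned earlier, rest on cross-view comparison: enumerate the same objects through the documented API and through a lower-level path the rootkit's hook does not cover, and look at the difference. The following Python sketch is an added illustration, not code from the original methodology or from any of the tested products; the process ids and file names are constructed. It also handles the failure mode a naive single diff gets wrong, namely processes or files that legitimately appear or disappear between the two enumerations.

```python
"""Cross-view comparison, the technique behind the hidden process / hidden
file verdicts used in this test.  Added illustration, not code from the
original methodology; the process ids and file names below are constructed."""
from typing import Dict, Iterable, Optional, Set, Tuple, TypeVar

T = TypeVar("T")


def cross_view(rounds: Iterable[Tuple[Set[T], Set[T]]]) -> Dict[str, Set[T]]:
    """rounds: successive (api_view, raw_view) snapshots of one object class,
    e.g. process ids from the documented enumeration API versus ids recovered
    by walking kernel structures, or file names from a directory listing
    versus names read from the raw file system.

    'hidden'    = objects the raw view shows and the API view omits in EVERY
                  round.  A hook that filters API output is consistent, so a
                  real concealment survives repetition.
    'transient' = objects that differed in some rounds only: they started or
                  exited between the two enumerations of one round and must
                  not be reported, or the tool produces false positives.
    'api_only'  = objects the API view reports but the raw view lacks; this
                  points at a flaw in the raw enumeration, not at a rootkit."""
    hidden: Optional[Set[T]] = None
    seen_missing: Set[T] = set()
    api_only: Set[T] = set()
    for api_view, raw_view in rounds:
        missing = raw_view - api_view
        seen_missing |= missing
        api_only |= api_view - raw_view
        hidden = missing if hidden is None else hidden & missing
    confirmed = hidden if hidden is not None else set()   # no rounds -> nothing hidden
    return {"hidden": confirmed,
            "transient": seen_missing - confirmed,
            "api_only": api_only}


# --- constructed snapshots (no real system was enumerated) ---
PROCESS_ROUNDS = [
    # round 1: pid 2040 started after the API enumeration but before the raw one
    ({4, 368, 592, 1204},       {4, 368, 592, 1204, 1688, 2040}),
    # round 2: 2040 now visible to both; 1688 is still filtered from the API
    ({4, 368, 592, 1204, 2040}, {4, 368, 592, 1204, 1688, 2040}),
    # round 3: pid 2040 has exited and is gone from both views
    ({4, 368, 592, 1204},       {4, 368, 592, 1204, 1688}),
]
FILE_ROUNDS = [
    ({"ntoskrnl.exe", "hal.dll"},             {"ntoskrnl.exe", "hal.dll", "evil.sys"}),
    # round 2: a log file created between the raw read and the API listing
    ({"ntoskrnl.exe", "hal.dll", "tmp1.log"}, {"ntoskrnl.exe", "hal.dll", "evil.sys"}),
]

if __name__ == "__main__":
    print("processes:", cross_view(PROCESS_ROUNDS))
    print("files:    ", cross_view(FILE_ROUNDS))
```

Only pid 1688 and the file evil.sys are reported as hidden; pid 2040 is classified as transient and tmp1.log as an API-only artefact. Requiring agreement across several rounds is the cheap way to keep a cross-view scanner from flagging every short-lived process, which is exactly the kind of false positive that would make the "detected" verdict in this methodology unreliable.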

Testing steps:

  1. The virtual machine was infected (activation of the malicious program);
  2. Verification that the malicious program had been installed successfully and was active;
  3. Multiple reboots of the infected system;
  4. Installation (launch) of the antivirus/anti-rootkit program under test and an attempt to disinfect the system;
  5. Analysis of rootkit activity after the antivirus/anti-rootkit clean-up.

A dedicated clean virtual machine was used for each selected malicious program sample (step 1). After launching the antivirus or anti-rootkit program and performing the disinfection, the virtual machine was restored to its initial state at step 3.

Testing steps with proof-of-concept rootkits:

  1. Installation of the antivirus or anti-rootkit program and a system reboot.
  2. Launch of the proof-of-concept rootkit and, where necessary, selection of the object to be masked. If the antivirus or anti-rootkit program is equipped with HIPS, the 'permit action' option is selected so that the rootkit can be installed on the system, or actions are taken to hide the installation.
  3. System scan to detect the rootkit's objects.
  4. Results recorded (only the detection of a hidden process and/or file).

A dedicated clean virtual machine was used for each antivirus or anti-rootkit program (step 1). After the installation of a proof-of-concept rootkit and scanning, the machine was restored to its initial state.