Methodology for Anti-Rootkits Test for Malware Detection and Removal (April 2010)

Preparing for the test 

As we already know, there are two types of rootkits:

• User Mode
• Kernel Mode

Kernel mode rootkits are the most difficult to detect as their abilities are not limited and thus they are the most interesting for testing whereas user mode rootkits are limited in their privileges and their abilities are quite limited as well.

The following criteria were taken into consideration for selecting the tested malware applications as well as for testing antiviruses for active infection cleaning: 

1. the used malware applications were collected during their spreading via Internet, i.e. they are ITW-samples (In The Wild);
2. every sample must use different masking methods;
3. in the aggregate all the samples must reflect completely the existing masking technologies;
4. the used rootkits must not have the functional of aimed anti-rootkits fighting such as file deleting, processes shut down, etc.

Priority was given to the most complicated types meeting all the abovementioned criteria. 

Thus, Anti-Malware.ru expert group selected 12 famous malwares with rootkit-masking for anti-rootkit testing: 

1. TDL (TDSS, Alureon, Tidserv)
   Trojan Horse. KernelMode rootkit. During installation creates aliserv3.sys driver in \WINDOWS\system32\drivers and alil.dll library in the system catalogue. A rootkit driver is a filter for a file system driver affording to achieve masking on a disk. Blocks volume opening. Masks itself in the register by wiretapping in the kernel and the memory using DKOM-method. Uses LockFile function to block its files reading.

1. Sinowal (Mebroot)
   Trojan spyware. When running modifies the hard disk master boot record (MBD) aimed at its driver reboot before the operation system start. The driver is stored in the unlabelled disk area. Wiretaps IRP driver handlers placed in a stack next to \Device\Harddiskx\DRx aiming at blocking the MBR reading/changing by antivirus products.

1. Rootkit.Protector (Cutwail, Pandex)
   Trojan Horse – spam-bot. KernelMode rootkit. During installation creates a driver in \Windows\system32\drivers\Ati*.sys. The rootkit driver blocks access to it by wiretapping IRP handlers of the file system driver and protects its key from deleting by installing callbacks for working with the register. The spam-bot reinstalls its IRP-wiretaps in case of their removing.

1. Rootkit.Podnuha (Boaxxe)
   Trojan Horse. KernelMode rootkit. During installation creates a driver in \WINDOWS\system32\drivers and a library with optional name in \Windows\system32\. DLL is registered as Winlogon (Winlogon\Notify) extension, as BHO (Explorer\Browser Helper Objects) and as a (Name_service\Parameters\ServiceDll) service. The driver access is blocked as well as the possibility to remove startup keys in the register. The library is protected from renaming/deleting.

1. Rustock (NewRest)
   Trojan Horse – spam-bot. KernelMode rootkit. During installation creates a driver with an optional name in \WINDOWS\system32\drivers. Blocks access to its file by IRP-handlers wiretapping and constantly recreates its file. Blocks its register key from reading and removing by kernel wiretapping.

1. Srizbi
   Trojan Horse. KernelMode rootkit. During installation creates a driver with an optional name in \WINDOWS\system32\drivers. Masks its startup key by functions wiretapping using a kernel machine code modification as well as masks itself on a disk by wiretapping IRP-handlers of the file system driver.

1. Synsenddrv (Rootkit.Pakes, BlackEnergy)
   Trojan Horse. KernelMode rootkit. Installs a driver with an optional name into \WINDOWS\system32\drivers. Masks itself on a disk by wiretapping IofCompleteRequest modification of the kernel machine code in the register and the memory.

1. TDL2 (TDSS, Alureon, Tidserv)
   Trojan Horse. KernelMode rootkit. During installation creates a driver in \WINDOWS\system32\drivers\gasfky*.sys and two DLL in the system catalogue. The malware masks itself on the disk, register and the memory. Blocks the disk opening, volume reading and recreates its startup keys and files in case of deleting. Blocks your keys access rights. Reinstalls its wiretaps in case of their disabling.

1. Max++ (ZeroAcess)
   Trojan Horse. KernelMode rootkit. During installation infects an optional boot driver so that its size remains unchanged and then works with its virtual disk crated during installation placing all its components on it. When reading an infected file, the rootkit shoves original file content before it was infected.

1. Virus.Protector (Kobcka, Neprodoor)
   Trojan Horse – spam-bot. KernelMode rootkit. During installation infects the system driver ndis.sys and masks itself from detection with a hook on IofCallDriver showing the original file content when reading an infected file. The infector creates its copy in the system catalogue with reader_s.exe name registering Run in the key and injecting svchost in the created process with the aim of spam mailing. The rootkit component also injects in svchost and sends spam.

1. TDL3 (TDSS, Alureon, Tidserv)
   Trojan Horse. KernelMode rootkit. During installation infects the system port or mini-port driver (e.g. atapi.sys) so that its size remains unchanged and allows downloading a driver in the last hard disk sectors on a virtual encoded file system into the memory. When reading an infected file, the rootkit shoves original file content before it was infected.

1. z00clicker
   Trojan Horse. KernelMode rootkit. During installation infects the system port or mini-port driver (e.g. atapi.sys) so that its size remains unchanged and allows downloading a driver in the last hard disk sectors on a virtual encoded file system into the memory. When reading an infected file, the rootkit shoves original file content before it was infected.

Testing procedure

The test was performed on a specially prepared real system controlled by Microsoft Windows XP Professional with integrated Service Pack 3 and a full upgrade set for the testing moment.

Device stack:

lkd> !devstack \Device\Harddisk0\DR0
!DevObj   !DrvObj            !DevExt   ObjectName
89c06e08  \Driver\PartMgr    89c06ec0
> 89b9aab8  \Driver\Disk       89b9ab70  DR0
89bb2f18  \Driver\ACPI       89c14008  00000061
89ba2030  \Driver\atapi      89ba20e8  IdeDeviceP2T0L0-7
!DevNode 89bb2008 :
DeviceInst

is"IDE\DiskST3320620AS_____________________________3.AAD___\5&c7a4952&0&0.0.0
ServiceName is "disk"

The following anti-rootkits that were actual for the test beginning were selected after open discussion:  

1.         GMER 1.0.15.15281
2.         KernelDetective 1.3.1
3.         Online Solutions Autorun Manager 5.0.11922.0
4.         Panda Anti-Rootkit 1.0.8.0
5.         Rootkit Unhooker 3.8.386.589
6.         RootRepeal 1.3.5
7.         Sophos Anti-Rootkit 1.5.0
8.         Eset SysInspector 1.2.012.0
9.         SysReveal 1.0.0.27
10.       Trend Micro RootkitBuster 2.80
11.       VBA32 Antirootkit 3.12 (beta)
12.       XueTr 1.0.2.0

Important! When selecting the tested products we took into consideration both its functional for rootkit detecting in the system and its neutralization (files deleting/renaming, register keys/subregisters deleting/renaming). Besides, we took into consideration the present utilities development situation giving preference to those the development and improvement of which is much more active.

Testing steps:

1. Installing an operation system on a hard disk and crating a full hard disk image using Acronis True Image.
2. Infecting the computer with a clean operation system (malware activation).
3. Checking malware performance and its successful installation in the system.
4. Rebooting an infected system.
5. Checking malware activity in the system.
6. Running rootkit, trying to detect and remove malware using all the methods available for the product.
7. Checking malware or its components activity.
8. Restoring the clean operation system image on the disk using Acronis True Image (booting from CD).
9. Repeating Steps 2-8 for all malwares and all anti-rootkits.