Those Linux servers you have chugging away need rootkit checks as well. Fortunately there is a simple tool to help you in your quest for server security nirvana. This tool is Rootkit Hunter. It’s easy to install, easy to use, checks deep into your system, and offers outstanding reporting.

Rootkit Hunter supports all Linux distributions and most BSD distributions. Rootkit Hunter will test your system against:

• MD5 hash comparisons
• Default files used by rootkits
• Incorrect binary filepermissions
• Suspected strings in LKM and KLD modules
• Hidden files

RKhunter can also do optional scans within plaintext and binary files for even more complete checks.

Installing

Most distributions will include rkhunter in their standard repositories so you should be able to locate it with your Add/Remove Software utility. Open this tool up, do a search for “rkhunter”, select the results, and apply the changes. Once rkhunter is installed you are ready to check.

Usage

Rootkit Hunter is a command line tool so you will first need to open up a terminal window. You will need root access to run the command. The basic usage is:

rkhunter [OPTIONS]

A basic check is issued like so:

rkhunter –check

As the check runs you will see output like this:

Checking the network…

[Press <ENTER> to continue]

As each portion of the test completes you will have to hit enter to continue on to the next portion. A very nice feature of rkhunter is you know, as the test runs, if you do or do not have a root kit on your machine. During the group and accounts check on a Fedora machine I came across this:

Performing group and account checks
Checking for passwd file                                                 [ Found ]
Checking for root equivalent (UID 0) accounts            [ None found ]
Checking for passwordless accounts                              [ None found ]
Checking for passwd file changes                                  [ Warning ]
Checking for group file changes                                     [ Warning ]
Checking root account shell history files                       [ OK ]

A warning should be examined, but in this case it is no root kit.

Once the test runs the results will be quite clear. The most telling section of the results is:

Rootkit checks…
Rootkits checked : 68
Possible rootkits: 0

This machine is clear.

There are other options for testing. One particular option you should run every so often (maybe even creating a cron job for it) is the –update option. This option checks to see if there is a later verion of rkhunters’ text data files. This is critical especially when new (or new versions) of root kits are released into the wild.

Final Thoughts

If you are serious about security, and you have a Linux machine on your network, make sure you install rkhunter and use it often. You and your network will remain happy and healthy.

Related posts

• How to scan your Linux-Distro for Root Kits (2)
• Yoggie PICO Personal Mobile Security Computer (3)
• World of Warcraft hackers using Sony BMG rootkit (0)
• With Ubuntu 9.10 Arrives Wubi 9.10 (2)
• Widgets for Linux: SuperKaramba (6)

Codewalker is a rootkit detection software that has been developed by a member of the Sysinternals forum. The current version that has been released today is 0.24b which clearly outlines that the software program is a work in progress. It is a portable software that can be run from the local drives or removable devices.

The security program suggests a deep scan of the computer system upon startup which takes a few minutes to complete. It is possible to avoid this deep scan which will lead directly to the main program interface. The main interface uses tabs to display various information including system processes, hidden code, kernelmode and usermode hacks.

The connected disk drives are displayed on the right side with the option to select some or all of them for a scan. The same scan that was suggested upon program start will then be performed. The results are shown in the various tabs after the scan has finished.

The developer explains his program:

For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the “Hardcore Scan” method to detect them.

For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that’s why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 – jmp/call dword ptr [abc]) tho there’re still some problems with false-positive hooks/modifications.

Codewalker is a viable alternative to already available rootkit detection programs like Gmer or AVG Anti-Rootkit. It is probably be best used in conjunction with these tools.

Related posts

• Youtube Video Search Is A Barebone Youtube Downloader (2)
• Xkcd Comic Wallpaper Changer (2)
• Wireless Networking Software Homedale (13)
• Windows XP: Default Internet Browser Per User Profile (0)
• Windows XP System File Checker (7)

To give an example. Should a user run Ad-Aware, Spybot Search And Destroy, Spyware Terminator or one of the other dozen or so anti-spyware applications that can be used freely for personal non-commercial use.

To much choice can be confusing and this article tries to narrow down the list to security applications that are recommended most of the time. Some users will disagree with the choices and they have every right to do so. You can rest assured on the other hand that the selection of tools should be sufficient to scan a computer system thoroughly

Anti-Spyware:

Spyware usually refers to malicious software that tries to spy on the user or serve advertisement to him. This can be done with tracking cookies, changing the user’s homepage or showing popups from time to time.

• Spybot Search And Destroy – Spybot Search and Destroy is updated regularly and does not confuse the user with different versions like Ad-Aware does with Ad-Aware Free, Plus and Pro.
• Spyware Terminator – A tool that has been downloaded more than 17 million times should do a good job. Spyware Terminator is fast and efficient.

Anti-Virus:

Anti-virus applications create probably the most controversy. There is so much choice of free and commercial applications that makes it nearly impossible to make a decision. The applications protect the computer in realtime and can scan the computer thoroughly.

• AVG Anti-Virus – A classic anti-virus software that provides protection against viruses, rootkits and spyware.
• Free AV – Antivir protects the computer against viruses, rootkits, dialers and phising.

Rootkits:

Rootkits have been gaining popularity in the last years and one could say that Sony did not have a small part in raising the public’s perception of rootkits with their music CDs that contained a rootkit in order to prevent customers from copying the music.

• Rootkit Unhooker – a portable rootkit scanner with a size of under 100 Kilobyte.
• Gmer – is another tool to scan the computer for rootkits.

Is the list missing any categories? Would you put other applications up there (I know you would so let me know)?

Related posts

• Windows Registry Watcher (5)
• Windows Defender (11)
• Universal Music Group Music Cds might also install rootkit (0)
• System Protect Protects Windows Files (2)
• Sony music cds might install spyware on your system (0)

AVG Anti Rootkit is a free software that scans a computer for rootkits and removes them if one or more of those have been identified. The anti rootkit application can be used to either quickly scan the computer for possible rootkits and the other to make an in depth scan which takes longer but is more thorough. The in depth scan for Rootkits takes some time depending on the amount of files and size of your hard drives.

Related posts

• Rootkit Detection Software Codewalker (4)
• IceSword the better Rootkit Revealer ? (1)
• How to scan your Linux-Distro for Root Kits (2)
• How to check your system for rootkits (0)
• Gernova Keylock (2)

There is no way that I have enough time to write about all features of IceSword. I therefor decided to mention the most important ones and leave the rest up to you. The process tab of IceSword is one of the most important ones when it comes to detecting rootkits. Icesword will color most hidden processes red which means it is a good idea to take a look at those first. Some rootkits are not colored however so a second look never hurts. You are able to terminate a process by right clicking and selecting Terminate Process.

A good idea is to check the compare the findings with other programs. Use a process explorer that shows the amount of processes but is able to view hidden processes. Compare that number with the number in Icesword and you should have the same amount of processes, if not take a closer look and compare the results.The Mitec Process Viewer is a good tool for this for example.

The ports tab lists all open ports and their applications. Compare the applications with the one that you´ve started. If you see for example that iexplorer.exe is currently connected to the internet but you are not using this program, well you know that you should block the connection and check what´s going on. IceSword should show the same connections that the command netstat -an shows. If they differ something is not right.

The Kernel Module tab in Icesword colors hidden drivers red. The BHO tab (Browser Helper Objects) should be empty if you are not using Internet Explorer but Firefox for example. If you see something in there search for it using Google to see if it is spyware or not.

As you can see it is not that easy to use Icesword compared to other rootkit scanners that work by clicking on the scan button. Iceswords biggest advantage is the fact that it offers more information which is good if you know what you are doing or how to search for the information that you need.

Alternatives to Icesword are still the sysinternals rootkit revealer and blacklight from f-secure.

Related posts

• How to scan your Linux-Distro for Root Kits (2)
• How to check your system for rootkits (0)
• Dvd Rootkit on the way (3)
• AVG Anti Rootkit free (3)
• Yahoo marks dangerous search results (4)

The first tool is called rootkit hook analyzer, the second one rootkit revealer. Both are great tools and easy to use. You probably have to do some research on the web after one or both of the tools scanned your system. You have to interpretate the output, the website that can help you with this is either the rootkit revealer homepage which has a short introduction on interpretating the output or the rootkit.com website which has lots of information on the subject.

Related posts

• IceSword the better Rootkit Revealer ? (1)
• How to scan your Linux-Distro for Root Kits (2)
• Dvd Rootkit on the way (3)
• AVG Anti Rootkit free (3)
• Yahoo marks dangerous search results (4)

The article “How to scan your Linux-Distro for Root Kits” walks you through all steps of downloading and running a script that is able to detect some root kits.  Everything is explained in detail that even beginners will be able to follow the steps and check their system for possible root kits. If you don´t feel like compiling the script yourself you could try and use google to find a precompiled version and download that instead.

Related posts

• Monitor your network connections with X-NetStat (4)
• Learning Linux: Log Files (5)
• IceSword the better Rootkit Revealer ? (1)
• How to check your system for rootkits (0)
• Fundamental Differences Between Linux and Windows (23)

Apparently the german movie dvd Mr. and Mrs Smith does contain a rootkit as well. F-Secure confirms that the Settec Alpha-DISC copy protection system is used on the dvd.

If you think you are infected by this rootkit you can use the uninstaller from the manufacturers website.

Besides the obvious threat that a rootkit poses many users claim that even standalone dvd players have troubles playing the dvd. I would advise everyone to not buy this dvd and sent a clear message to the company showing them that we don´t want and need rootkits or other means of copy protection on cd´s and dvd´s that we purchased.

[tags]cd, dvd, rootkit, sony, mr. and mrs. smith, settec[/tags]

Related posts

• IceSword the better Rootkit Revealer ? (1)
• How to scan your Linux-Distro for Root Kits (2)
• How to check your system for rootkits (0)
• AVG Anti Rootkit free (3)
• Yahoo marks dangerous search results (4)

In the beginning, there was one guy, who found out about the rootkit software, analysed it in depth and wrote an entry in his blog named Mark’s Sysinternals Blog on a well frequented site. Then the ball got rolling, the news was copied and commented on other sites, big portals like slashdot.org and digg.com had articles that soon became the most popular ones for the day.

The news spread like fire in the world wide web, people from all over the world read the news. It was soon clear that there were only a few who supported Sony´s move, the majority was clearly against it.

News got worth for Sony the following days, Mark again identified some additional “features”. First, the rootkit software was phoning home to Sony. Second, it was almost impossible for the average user to uninstall it. Third, the rootkit possed a cloaking ability that other executables could use to hide inside, a perfect hiding place for viri and trojans.

Sony’s reaction was to provide an update to the rootkit software that disabled the cloaking feature. Unfortunately it was again almost impossible for the average user to find the uninstaller on their webpage. Still, Sony in its shining glory denied that the rootkit posed a security threat and that most users didn’t care whether a rootkit was installed on their system. The patch unfortunately had the nasty habit to crash windows on some machines.

The internet community created lists of cd´s that contained the software, boycott websites went into existence and had to deal with a massive amount of visitors who were looking for information or wanted to join the boycott.

With lots of News Coverage from respected institutes like BBC Sony presented a statement on Monday that they would cease the production of music cd’s containing First 4 Internet’s XCP technology, for now.

Yesterday Dan Kaminsky presented the first figures of rootkit infections analysing the rootkits phone home traces in the dns cache of nameservers. This lead to the conclusion that at least half a million networks are infected with it. He created a graphic showing infections on a map of north america.

Today Sony finally announced that it would institute an exchange program for already purchased cd’s and pull the rest from the market.

Now, what conclusion can we draw from this ? It´s pretty obvious to me that Sony underestimated the “might” of the internet community. From a single website the story spread into the whole world in no more than one day. It became so popular that big internet portal sites like wired.com, cnn.com and theregister.co.uk reported on it. The traditional media became aware and soon the story was also making headlines in newspapers, radio shows and even television.

Sony: 0
Internet Community: 1

What i learn from this ? We have a tremendous power in our hands and can use it to force even multinational corporations to yield, even countries ? That question remains to be answered.

Related posts

• World of Warcraft hackers using Sony BMG rootkit (0)
• Sony music cds might install spyware on your system (0)
• Sony halts production of ‘rootkit’ CDs (0)
• Sony and the rootkit, the story continues (0)
• How to remove the Sony – XCP DRM Rootkit (0)

If you suspect that your pc might contain sony’s rootkit protection take a look at the article posted at bleepingcomputer.com.

Related posts

• Sony halts production of ‘rootkit’ CDs (0)
• Sony and the rootkit, the story continues (0)
• Zune does not allow to share all songs (3)
• World of Warcraft hackers using Sony BMG rootkit (0)
• Sony, the rootkit and the internet community (6)

The Pressure on Sony increased over the last days with anti-virus companies warning its customers not to install this rootkit software and big companies like microsoft taking stand against it altogether.

Related posts

• Sony and the rootkit, the story continues (0)
• How to remove the Sony – XCP DRM Rootkit (0)
• Zune does not allow to share all songs (3)
• World of Warcraft hackers using Sony BMG rootkit (0)
• Sony, the rootkit and the internet community (6)

It is possible to hide other scripts and software as well, one possibility would be to hide virii and trojans from antivirus software. All of this could be done using this software. Yesterday First 4 Internet Ltd, the British company that developed the DRM software, issued a patch that did not add an uninstallation routine to the software but remove the cloaking feature. It also patched the software to a new version.

Sony´s reaction to the heavy fire from the internet community and privacy groups was to point their fingers at music pirates. Thomas Hesse, President of Sony BMG’s global digital business division, on NPR:

“Most people, I think, don’t even know what a rootkit is, so why should they care about it,” he asked? “The software is designed to protect our CDs from unauthorized copying, ripping.”

Yeah, why should one care if some software is installed on his personal computer that can´t be removed by normal means and can be used for all sorts of malicious actions (which Sony as of now still denies) ?

Why should one care that the software makes contact to a Sony server every time a song is played (there is no information about this for the user and of course no way to stop this) ?

The patch Sony issued is hard to find, if you are lucky enough to find it it is possible that receive a blue screen when you apply the patch.

Related posts

• Sony halts production of ‘rootkit’ CDs (0)
• How to remove the Sony – XCP DRM Rootkit (0)
• Zune does not allow to share all songs (3)
• World of Warcraft hackers using Sony BMG rootkit (0)
• Sony, the rootkit and the internet community (6)

This program once installed could not be uninstalled by normal means. Hackers could use the software to hide their hacking attempts from antivirus tools and the like. Who would have thought that the first available use would be using this for hacking the online game World of Warcraft ?

Blizzards Warden Client checks every 15 seconds if the computer playing Word of Warcraft runs programs or scripts in its background that would illegaly help players cheat in the game. Take a look at the related thread to receive more information.

Related posts

• Sony, the rootkit and the internet community (6)
• Sony music cds might install spyware on your system (0)
• Sony halts production of ‘rootkit’ CDs (0)
• Sony and the rootkit, the story continues (0)
• How to remove the Sony – XCP DRM Rootkit (0)

John Lopez of Upstairs Records commented: “we are very pleased with the seamless production of the album. The media player on the CD has a good user experience and we intend using the technology on more new releases.”

That means, watch out if you intend to buy products from them as well. I especially like the survey they quote, claiming that “consumers have overwhelmingly reacted positively to these new discs.”

I can only think of two possible reasons for this. First, consumers don´t know about the software they install on the system and that they won´t be able to uninstall it without lots of troubles. Second, they don´t show the survey but only quote it. As long as we won´t have hard facts its not possible to draw conclusions. For example, how were the questions phrased, who was asked for their opinion, maybe the majority never used the Cds in their PC.

Take a look at the full press release by xcp-aurora.com

Related posts

• Which Programs Should I Run To Scan A Computer For Malicious Software? (13)
• Sony music cds might install spyware on your system (0)
• Zune does not allow to share all songs (3)
• World of Warcraft hackers using Sony BMG rootkit (0)
• Windows Media Center blocks TV Show recordings on request (2)

It seems that we have reached a new level in the fight between the record companies and its consumers. If you put a music cd in question into your drive a installer will popup. If you agree to install the software you won´t find a uninstall feature anywhere on your pc.

Apparently all Music Cds labeled “Content enhanced & protected” have the installer on the CD, make sure you check this before you buy a cd you would want to hear using your pc.

According to Krebs “The CDs in question make use of a technique employed by software programs known in security circles as “rootkits,” a set of tools attackers can use to maintain control over a computer system once they have broken in.”

It takes pc expertise to be able to remove this software ones it is installed on your pc. FSecure analysed the product and have a own virus definition for it. Lets take a look at their summary:

Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd. XCP has been used to protect some audio CDs released by Sony BMG Music Entertainment. The XCP protected disks contain digital rights management (DRM) software that allow the user to make a limited number of copies of the disk and also rip the music into a digital format to be used on a computer or portable music player.

Once installed, the DRM software will hide:

Files
Processes
Registry keys and values

No means of uninstalling the DRM software is given. The software supports Windows 98SE, Windows ME, Windows 2000 SP4 and Windows XP.

This analysis was conducted on Windows XP. The music CD that contained the DRM software was Van Zant: Get Right with the Man (Sony BMG Music Entertainment).

F-secure also posted a guide on how to remove the software once installed on your system.

Related posts

• World of Warcraft hackers using Sony BMG rootkit (0)
• Which Programs Should I Run To Scan A Computer For Malicious Software? (13)
• Universal Music Group Music Cds might also install rootkit (0)
• Sony, the rootkit and the internet community (6)
• Sony to patch copy-protected CD (0)