Those Linux servers you have chugging away need rootkit checks as well. Fortunately there is a simple tool to help you in your quest for server security nirvana. This tool is Rootkit Hunter. It’s easy to install, easy to use, checks deep into your system, and offers outstanding reporting.

Rootkit Hunter supports all Linux distributions and most BSD distributions. Rootkit Hunter will test your system against:

• MD5 hash comparisons
• Default files used by rootkits
• Incorrect binary filepermissions
• Suspected strings in LKM and KLD modules
• Hidden files

RKhunter can also do optional scans within plaintext and binary files for even more complete checks.

Installing

Most distributions will include rkhunter in their standard repositories so you should be able to locate it with your Add/Remove Software utility. Open this tool up, do a search for “rkhunter”, select the results, and apply the changes. Once rkhunter is installed you are ready to check.

Usage

Rootkit Hunter is a command line tool so you will first need to open up a terminal window. You will need root access to run the command. The basic usage is:

rkhunter [OPTIONS]

A basic check is issued like so:

rkhunter –check

As the check runs you will see output like this:

Checking the network…

Performing check for backdoor ports
Checking for UDP port 2001                               [ Not found ]
Checking for TCP port 2006                               [ Not found ]
Checking for TCP port 2128                               [ Not found ]
Checking for TCP port 14856                              [ Not found ]
Checking for TCP port 47107                              [ Not found ]
Checking for TCP port 60922                              [ Not found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces                      [ None found ]

[Press <ENTER> to continue]

As each portion of the test completes you will have to hit enter to continue on to the next portion. A very nice feature of rkhunter is you know, as the test runs, if you do or do not have a root kit on your machine. During the group and accounts check on a Fedora machine I came across this:

Performing group and account checks
Checking for passwd file                                                 [ Found ]
Checking for root equivalent (UID 0) accounts            [ None found ]
Checking for passwordless accounts                              [ None found ]
Checking for passwd file changes                                  [ Warning ]
Checking for group file changes                                     [ Warning ]
Checking root account shell history files                       [ OK ]

A warning should be examined, but in this case it is no root kit.

Once the test runs the results will be quite clear. The most telling section of the results is:

Rootkit checks…
Rootkits checked : 68
Possible rootkits: 0

This machine is clear.

There are other options for testing. One particular option you should run every so often (maybe even creating a cron job for it) is the –update option. This option checks to see if there is a later verion of rkhunters’ text data files. This is critical especially when new (or new versions) of root kits are released into the wild.

Final Thoughts

If you are serious about security, and you have a Linux machine on your network, make sure you install rkhunter and use it often. You and your network will remain happy and healthy.

Codewalker is a rootkit detection software that has been developed by a member of the Sysinternals forum. The current version that has been released today is 0.24b which clearly outlines that the software program is a work in progress. It is a portable software that can be run from the local drives or removable devices.

The security program suggests a deep scan of the computer system upon startup which takes a few minutes to complete. It is possible to avoid this deep scan which will lead directly to the main program interface. The main interface uses tabs to display various information including system processes, hidden code, kernelmode and usermode hacks.

The connected disk drives are displayed on the right side with the option to select some or all of them for a scan. The same scan that was suggested upon program start will then be performed. The results are shown in the various tabs after the scan has finished.

The developer explains his program:

For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the “Hardcore Scan” method to detect them.

For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that’s why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 – jmp/call dword ptr [abc]) tho there’re still some problems with false-positive hooks/modifications.

Codewalker is a viable alternative to already available rootkit detection programs like Gmer or AVG Anti-Rootkit. It is probably be best used in conjunction with these tools.

To give an example. Should a user run Ad-Aware, Spybot Search And Destroy, Spyware Terminator or one of the other dozen or so anti-spyware applications that can be used freely for personal non-commercial use.

To much choice can be confusing and this article tries to narrow down the list to security applications that are recommended most of the time. Some users will disagree with the choices and they have every right to do so. You can rest assured on the other hand that the selection of tools should be sufficient to scan a computer system thoroughly

Anti-Spyware:

Spyware usually refers to malicious software that tries to spy on the user or serve advertisement to him. This can be done with tracking cookies, changing the user’s homepage or showing popups from time to time.

• Spybot Search And Destroy – Spybot Search and Destroy is updated regularly and does not confuse the user with different versions like Ad-Aware does with Ad-Aware Free, Plus and Pro.
• Spyware Terminator – A tool that has been downloaded more than 17 million times should do a good job. Spyware Terminator is fast and efficient.

Anti-Virus:

Anti-virus applications create probably the most controversy. There is so much choice of free and commercial applications that makes it nearly impossible to make a decision. The applications protect the computer in realtime and can scan the computer thoroughly.

• AVG Anti-Virus – A classic anti-virus software that provides protection against viruses, rootkits and spyware.
• Free AV – Antivir protects the computer against viruses, rootkits, dialers and phising.

Rootkits:

Rootkits have been gaining popularity in the last years and one could say that Sony did not have a small part in raising the public’s perception of rootkits with their music CDs that contained a rootkit in order to prevent customers from copying the music.

• Rootkit Unhooker – a portable rootkit scanner with a size of under 100 Kilobyte.
• Gmer – is another tool to scan the computer for rootkits.

Is the list missing any categories? Would you put other applications up there (I know you would so let me know)?

AVG Anti Rootkit is a free software that scans a computer for rootkits and removes them if one or more of those have been identified. The anti rootkit application can be used to either quickly scan the computer for possible rootkits and the other to make an in depth scan which takes longer but is more thorough. The in depth scan for Rootkits takes some time depending on the amount of files and size of your hard drives.

Update: AVG Anti-Rootkit Free has been discontinued in 2006. The program has been integrated into various AVG products including (in 2010) in AVG Anti-Virus Free, AVG Anti-Virus 2012 and AVG Internet Security 2012.

The free version of AVG Anti-Virus is available on the official AVG website. Just download and install it on your Windows system to protect the PC from malicious software and Internet based attacks.

Please note that the free version has limitations, including less frequent and prioritized updates, no email or telephone support, less interface and software customizations as well as no server support. The free product version may also only be used on home and non-commercial use systems.

There is no way that I have enough time to write about all features of IceSword. I therefor decided to mention the most important ones and leave the rest up to you. The process tab of IceSword is one of the most important ones when it comes to detecting rootkits. Icesword will color most hidden processes red which means it is a good idea to take a look at those first. Some rootkits are not colored however so a second look never hurts. You are able to terminate a process by right clicking and selecting Terminate Process.

A good idea is to check the compare the findings with other programs. Use a process explorer that shows the amount of processes but is able to view hidden processes. Compare that number with the number in Icesword and you should have the same amount of processes, if not take a closer look and compare the results.The Mitec Process Viewer is a good tool for this for example.

The ports tab lists all open ports and their applications. Compare the applications with the one that you´ve started. If you see for example that iexplorer.exe is currently connected to the internet but you are not using this program, well you know that you should block the connection and check what´s going on. IceSword should show the same connections that the command netstat -an shows. If they differ something is not right.

The Kernel Module tab in Icesword colors hidden drivers red. The BHO tab (Browser Helper Objects) should be empty if you are not using Internet Explorer but Firefox for example. If you see something in there search for it using Google to see if it is spyware or not.

As you can see it is not that easy to use Icesword compared to other rootkit scanners that work by clicking on the scan button. Iceswords biggest advantage is the fact that it offers more information which is good if you know what you are doing or how to search for the information that you need.

Alternatives to Icesword are still the sysinternals rootkit revealer and blacklight from f-secure.

The first tool is called rootkit hook analyzer, the second one rootkit revealer. Both are great tools and easy to use. You probably have to do some research on the web after one or both of the tools scanned your system. You have to interpretate the output, the website that can help you with this is either the rootkit revealer homepage which has a short introduction on interpretating the output or the rootkit.com website which has lots of information on the subject.

The article “How to scan your Linux-Distro for Root Kits” walks you through all steps of downloading and running a script that is able to detect some root kits.  Everything is explained in detail that even beginners will be able to follow the steps and check their system for possible root kits. If you don´t feel like compiling the script yourself you could try and use google to find a precompiled version and download that instead.

Apparently the German movie DVD Mr. and Mrs Smith does contain a rootkit as well. F-Secure confirms that the Settec Alpha-DISC copy protection system is used on the dvd.

The Settec Alpha-DISC copy protection system used on the DVD contains user-mode rootkit-like features to hide itself. The system will hide its own process, but does not appear to hide any files or registry entries. This makes the feature a bit less dangerous, as anti-virus products will still be able to scan all files on the disk.

If you think you are infected by this rootkit you can use the uninstaller from the manufacturers website.

Besides the obvious threat that a rootkit poses many users claim that even standalone dvd players have troubles playing the dvd. I would advise everyone to not buy this dvd and sent a clear message to the company showing them that we don´t want and need rootkits or other means of copy protection on cd´s and dvd´s that we purchased.

Update: The uninstaller is no longer available. Settec on the other hand is still in operation.

In the beginning, there was one guy, who found out about the rootkit software, analyzed it in depth and wrote an entry on his blog named Mark’s Sysinternals Blog on a well frequented site. Then the ball got rolling, the news was copied and commented on other sites, big portals like slashdot and digg had articles that soon became the most popular ones for the day.

The news spread like fire in the world wide web, people from all over the world read the news. It was soon clear that there were only a few who supported Sony´s move, the majority was clearly against it.

News got worth for Sony the following days, Mark again identified some additional “features”. First, the rootkit software was phoning home to Sony. Second, it was almost impossible for the average user to uninstall it. Third, the rootkit possed a cloaking ability that other executable files could use to hide inside, a perfect hiding place for viri and trojans.

Sony’s reaction was to provide an update to the rootkit software that disabled the cloaking feature. Unfortunately it was again almost impossible for the average user to find the uninstaller on their webpage. Still, Sony in its shining glory denied that the rootkit posed a security threat and that most users didn’t care whether a rootkit was installed on their system. The patch unfortunately had the nasty habit to crash windows on some machines.

The internet community created lists of cd´s that contained the software, boycott websites went into existence and had to deal with a massive amount of visitors who were looking for information or wanted to join the boycott.

With lots of News Coverage from respected institutes like BBC Sony presented a statement on Monday that they would cease the production of music Cd’s containing First 4 Internet’s XCP technology, for now.

Yesterday Dan Kaminsky presented the first figures of rootkit infections analysing the rootkits phone home traces in the dns cache of nameservers. This lead to the conclusion that at least half a million networks are infected with it. He created a graphic showing infections on a map of north america.

Today Sony finally announced that it would institute an exchange program for already purchased cd’s and pull the rest from the market.

Now, what conclusion can we draw from this ? It´s pretty obvious to me that Sony underestimated the “might” of the internet community. From a single website the story spread into the whole world in no more than one day. It became so popular that big internet portal sites like wired.com, cnn.com and theregister.co.uk reported on it. The traditional media became aware and soon the story was also making headlines in newspapers, radio shows and even television.

Sony: 0
Internet Community: 1

What i learn from this ? We have a tremendous power in our hands and can use it to force even multinational corporations to yield, even countries ? That question remains to be answered.

If you suspect that your pc might contain sony’s rootkit protection take a look at the article posted at bleepingcomputer.com.

Update: some of the music CDs that contained the rootkit were Celine Dion’s On ne Change Pas, Switchfood’s Nothing is Sound or Acceptance by Phantoms. Here is a short list of music CDs that may have the rootkit installer.

Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver’s Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)

One indicator that the rootkit is installed on the user computer is the existence of the XCP CD Proxy service. Just press Windows-r, type services.msc and tap on the enter key to open the list of services on the system. If you find that particular service running on your computer, you likely have the rootkit installed on it.

The Pressure on Sony increased over the last days with anti-virus companies warning its customers not to install this rootkit software and big companies like microsoft taking stand against it altogether.

Update: One of the reasons for the backlash was the nature of the technology that Sony used to protect the music from being copied on the Windows operating system. It should be noted that the rootkit was only somewhat effective on Windows systems, and that Linux or Mac users could play the music CD just fine.

The copy protection, according to Wikipedia, was put on a total of 102 different titles. Users who tried to play the music on their computer running Windows using autoplay would inadvertently install the rootkit on the systems. Sony backed out of the program shortly after the media and public became increasingly aware of what the company did install on user PCs.

Users who unknowingly installed the rootkit on their system faced other dangers. It became known for instance that trojans and other malicious software used the rootkits ability to disguise files to remain undetected on the computer system.

The rootkit furthermore was said to cause all kinds of issues on PC systems, from system crashes to DVD or CD drives not working anymore after the removal of the software from the system.

Sony later on released two rootkit removal programs. The first, highly ineffective at removing the rootkit, and a second after public criticism.

Users interested in the whole story should check Wikimedia’s article on the issue. It covers everything from the very beginning to legal consequences.

It is possible to hide other scripts and software as well, one possibility would be to hide virii and trojans from antivirus software. All of this could be done using this software. Yesterday First 4 Internet Ltd, the British company that developed the DRM software, issued a patch that did not add an uninstallation routine to the software but remove the cloaking feature. It also patched the software to a new version.

Sony´s reaction to the heavy fire from the internet community and privacy groups was to point their fingers at music pirates. Thomas Hesse, President of Sony BMG’s global digital business division, on NPR:

“Most people, I think, don’t even know what a rootkit is, so why should they care about it,” he asked? “The software is designed to protect our CDs from unauthorized copying, ripping.”

Yeah, why should one care if some software is installed on his personal computer that can´t be removed by normal means and can be used for all sorts of malicious actions (which Sony as of now still denies) ?

Why should one care that the software makes contact to a Sony server every time a song is played (there is no information about this for the user and of course no way to stop this) ?

The patch Sony issued is hard to find, if you are lucky enough to find it it is possible that receive a blue screen when you apply the patch.

This program once installed could not be uninstalled by normal means. Hackers could use the software to hide their hacking attempts from antivirus tools and the like. Who would have thought that the first available use would be using this for hacking the online game World of Warcraft ?

Blizzards Warden Client checks every 15 seconds if the computer playing Word of Warcraft runs programs or scripts in its background that would illegally help players cheat in the game. Take a look at the related thread to receive more information.

Update: The thread is no longer available and traces of the incident are only found on third party news site and not on the original sites they have been posted on.

It is nevertheless interesting to note that hackers managed to highjack the rootkit for their own purposes, in this case to cheat in the World of Warcraft game. It is likely that it can be used for other purposes as well, for instance to elude detection by convention security software that is not able to detect rootkits on the computer system.

One could now think that it took hackers a long time to manipulate the rootkit software for their own plans. It was in fact incredibly easy: Blizzard’s anti-cheat protection software could not detect files with the modified prefix $sys$. All it took was to add the prefix to the files and make sure the rootkit was up and running on the PC system to bypass Blizzard’s WOW protection.

John Lopez of Upstairs Records commented: “we are very pleased with the seamless production of the album. The media player on the CD has a good user experience and we intend using the technology on more new releases.”

That means, watch out if you intend to buy products from them as well. I especially like the survey they quote, claiming that “consumers have overwhelmingly reacted positively to these new discs.”

I can only think of two possible reasons for this. First, consumers don´t know about the software they install on the system and that they won´t be able to uninstall it without lots of troubles. Second, they don’t show the survey but only quote it. As long as we won’t have hard facts its not possible to draw conclusions. For example, how were the questions phrased, who was asked for their opinion, maybe the majority never used the CDs in their PC.

Take a look at the full press release here.

Update: The site where the press released was published on is no longer available. You can read up on the scandal on Wikipedia which covers every detail of it, including product recalls initiated by Sony as well as class action suits in the state of New York and California.

The backslash was big and public, and we have not heard of any attempts to put rootkit-like protections on music CDs ever since.

It seems that we have reached a new level in the fight between the record companies and its consumers. If you put a music cd in question into your drive a installer will popup. If you agree to install the software you won´t find a uninstall feature anywhere on your pc.

Apparently all Music Cds labeled “Content enhanced & protected” have the installer on the CD, make sure you check this before you buy a cd you would want to hear using your pc.

According to Krebs “The CDs in question make use of a technique employed by software programs known in security circles as “rootkits,” a set of tools attackers can use to maintain control over a computer system once they have broken in.”

It takes pc expertise to be able to remove this software ones it is installed on your pc. FSecure analysed the product and have a own virus definition for it. Lets take a look at their summary:

Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd. XCP has been used to protect some audio CDs released by Sony BMG Music Entertainment. The XCP protected disks contain digital rights management (DRM) software that allow the user to make a limited number of copies of the disk and also rip the music into a digital format to be used on a computer or portable music player.

Once installed, the DRM software will hide:

Files
Processes
Registry keys and values

No means of uninstalling the DRM software is given. The software supports Windows 98SE, Windows ME, Windows 2000 SP4 and Windows XP.

This analysis was conducted on Windows XP. The music CD that contained the DRM software was Van Zant: Get Right with the Man (Sony BMG Music Entertainment).

F-secure also posted a guide on how to remove the software once installed on your system.