Đang tải... (xem toàn văn)
Published simultaneously in Canada
Rootkits FOR DUMmIES ‰ 01_917106 ffirs.qxp 12/21/06 12:04 AM Page i 01_917106 ffirs.qxp 12/21/06 12:04 AM Page ii by Larry Stevenson and Nancy Altholz Rootkits FOR DUMmIES ‰ 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iii Rootkits For Dummies ® Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 www.wiley.com Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit- ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REP- RESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CRE- ATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CON- TAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FUR- THER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. FULFILLMENT OF EACH COUPON OFFER IS THE SOLE RESPONSIBILITY OF THE OFFEROR. For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit www.wiley.com/techsupport. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Control Number: 2006926390 ISBN: 978-0-471-91710-6 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 1B/RS/QR/QX/IN 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iv About the Authors Nancy Altholz (MSCS, MVP): Nancy is a Microsoft Most Valuable Professional in Windows Security. She holds a master’s degree in Computer Science and an undergraduate degree in Biology and Medical Technology. She is a Security Expert, Rootkit Expert and Forum Lead, and Wiki Malware Removal Sysop at the CastleCops Security Forum. She has also volunteered at other online security forums. As Wiki Malware Removal Sysop, she oversees and authors many of the procedures that assist site visitors and staff in system disinfection and malware prevention. As a Security Expert and Rootkit Expert, she helps computer users with a variety of Windows computer secu- rity issues, including malware removal. Nancy coauthored the Winternals Defragmentation, Recovery, and Administration Field Guide for Syngress Publishing which was released in June 2006. She has recently been asked to write the foreword for a book authored by Mingyan Sun and Jianlei Shao, (developers of the DarkSpy Anti-rootkit program), on advanced rootkit detec- tion techniques. She was formerly employed by Medelec: Vickers’ Medical and Scientific Division, as a Software Engineer in New Product Development. Nancy’s interest in malware and rootkits evolved as a natural extension of her interest in medicine and computers, due to the many parallels between computer infection and human infection. Besides the obvious similarities in naming conventions, both require a lot of detective work to arrive at the correct diagnosis and enact a cure. Nancy enjoys investigating the malware life cycle, and all the factors and techniques that contribute to it – in short, she likes solving the puzzle, and of course, helping people, along the way. Nancy lives with her family in Briarcliff Manor, NY. Larry Stevenson: Larry has worked as a security consultant for over fifteen years. His education is abundant, including continuing studies in computer security, history, and fine arts. Larry works as an expert, volunteer modera- tor, and writer on staff at CastleCops, providing assistance and written articles to all users. In 2005, he wrote weekly articles on computer security topics for the Windows Security Checklist series. He helped develop, and co-wrote the CastleCops Malware Removal and Prevention procedure. For these published efforts he was given the MVP Award: Microsoft Most Valuable Professional in Windows Security, 2006. Currently a co-founder with Nancy Altholz of the CastleCops Rootkit Revelations forums, he continues to develop ways for users to obtain assistance and information from rootkit experts. A Canadian citizen, he is currently employed at a multi-function, government- owned facility which includes private residences for people with special needs, a senior citizens care home, daycare center, offices, a cafeteria and a public access theater. For over seven years he has served as the Chief Steward in the union local, negotiating contracts and solving workplace issues. 01_917106 ffirs.qxp 12/21/06 12:04 AM Page v 01_917106 ffirs.qxp 12/21/06 12:04 AM Page vi Dedications To my mother, Jeanne Gobeo, for being my constant supporter and friend — and to my sister, Rosie Petersen, for making this world a rosier place. — NA To Lael and Ken Cooper, Tiffany and Kyla, Paul and Robin Laudanski, also to my Muses, and my parents, Ruth and Hatton, for their faith and encouragement. — LS 01_917106 ffirs.qxp 12/21/06 12:04 AM Page vii 01_917106 ffirs.qxp 12/21/06 12:04 AM Page viii Authors’ Acknowledgments We are grateful for the tremendous assistance and unstinting dedication of the many people who contributed to this book, both at Wiley and CastleCops. We would especially like to thank Paul and Robin Laudanski for their extra- ordinary contributions to computer security in general and the generous ongoing support they extended during the writing of Rootkits For Dummies. We give thanks to all the people on the Wiley team for their expertise and patience, including Melody Layne, Rebecca Huehls, Laura Moss, Barry Childs-Helton, James Russell, and Technical Editor Lawrence Abrams (BleepingComputer) for the outstanding job he did. We offer heartfelt grati- tude to the Advisors and Rootkit Research Team at CastleCops, every one an expert in their field: Media Advisor Mahesh Satyanarayana (swatkat), Firefox Advisor Abdul-Rahman Elshafei (AbuIbrahim), Firewall Advisor Allen C Weil (PCBruiser), IE7 Advisor Bill Bright, and our Rootkit Research Team, includ- ing Don Hoover (Hoov), James Burke (Dragan Glas), Anil Kulkarni (wng_z3r0), David Gruno (wawadave), and Michael Sall (mrrockford). We would like to acknowledge Wayne Langlois, Executive Director and Senior Researcher at Diamond CS in Australia, for devoting his time, knowledge, and expertise to the “Tracking a RAT” section in Chapter 9. We’d like to thank Przemyslaw Gmerek, developer of the GMER Anti-rootkit program, for freely sharing his rootkit expertise and allowing us to distribute the GMER Anti-rootkit Program on the Rootkits For Dummies CD. We’d like to thank Mingyan Sun, codeveloper (along with Jianlei Shao) of the DarkSpy Anti-rootkit program, for freely shar- ing his in-depth technical knowledge of rootkit methodology and for giving us permission to distribute the DarkSpy program on the Rootkits For Dummies CD. We would like to recognize and extend a special thanks to Mahesh Satyanarayana for sharing his exceptional technical expertise and so much more, during the development of Rootkits For Dummies. Nancy would also like to thank her family and friends for their patience and understanding during the course of writing Rootkits For Dummies. We give special thanks to Forensics Advisor Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE), who provided valuable insights to our network and forensics sections, and who also helped get this book up and running by providing much needed hardware. Dave has worked in the Information Technology Security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com, and lead litigation support technician for Secure Discovery Solutions, LLC. As a recognized security expert, and former Florida Certified Law Enforcement Officer, he specializes in litigation support, computer forensic investigations, incident response, and intrusion analysis. He is frequently a speaker at many national security conferences and is a published author of computer books. He is also the Sector Chief for Information Technology at the FBI’s InfraGard and Director of Education at the International Information Systems Forensics Association (IISFA). 01_917106 ffirs.qxp 12/21/06 12:04 AM Page ix [...]... Rootkit-detection-and-removal applications 361 Password protectors and generators 362 Downloading tools for compromised hard drives 362 Troubleshooting 363 Index 367 xix xx Rootkits For Dummies Introduction W elcome to Rootkits For Dummies, a book written for regular folks who need a better understanding of what rootkits are, what we can do to protect our computers and networks against them, and... Discs 147 xv xvi Rootkits For Dummies Part III: Giving Rootkits the Recognition They Deserve 149 Chapter 7: Getting Windows to Lie to You: Discovering How Rootkits Hide 151 Discovering How Rootkits Hide and Survive 151 Keys to the Kingdom: Privileges 153 Knowing the Types of Rootkits 154 User-mode versus kernel-mode rootkits 155 Persistent... reduce your liability 310 xvii xviii Rootkits For Dummies Preparing for Recovery .318 Cutting off network connection before cleaning out the rootkit 319 Planning your first reboot after compromise 320 Chapter 11: Preparing for the Worst: Erasing the Hard Drive 323 Don’t Trust System Restore After Rootkit Compromise 323 When a Simple Format and Reinstall Won’t Work 325... discussed early on; the identification of rootkits and dealing with the havoc of an infected system are topics introduced later If you want a full overview, feel free to go the cover-to-cover route 3 4 Rootkits For Dummies Part I: Getting to the Root of Rootkits The book starts by introducing you to malware, rootkits, and the issues they create: what you can expect from rootkits and malware, where you will... doctoring the PspCidTable 175 Hooking the virtual memory manager 176 Virtual-machine-based rootkits 177 Chapter 8: Sniffing Out Rootkits 179 Watching Your Network for Signs of Rootkits 179 Watching logs for clues 180 Defending your ports 183 Catching rootkits phoning home 192 Examining the firewall 193 Trusting Sniffers and Firewalls... Spyware (and malicious adware) .13 The Many Aims of Malware 16 Rootkits: Understanding the Enemy 19 A Bit of Rootkit Lore 19 New Technologies, New Dangers .21 Why do rootkits exist? 22 xiv Rootkits For Dummies Chapter 2: The Three Rs of Survivable Systems 25 Formulating Resistance 26 Hackers may not be smarter than you 26... financial For those who have often felt mystified about how to set up security policies — using either the Local Security Policy Editor (for standalone Windows XP Professional computers) or the Security Configuration Manager (for global network policies), this part is for you Part III: Giving Rootkits the Recognition They Deserve which is to say, efficient detection, speedy removal, and savvy defense For. .. claim that you need only reformat your hard drive and reinstall your operating system to get rid of rootkits Unfortunately, that doesn’t work if you have rootkits squatting in the bad sectors of your hard drive So this part shows you how you really can remove even those tough nuts — no missile required — and start over with a clean hard drive Part V: The Part of Tens Every For Dummies book has a Part... Professionals 349 Geeks to Go 350 Gladiator Security Forum 351 Malware Removal 351 Microsoft Newsgroups .352 Sysinternals Forum (Sponsor of Rootkit Revealer Forum) 352 SpywareInfo 352 SpywareWarrior 353 Tech Support Guy Forum 353 Tom Coyote Security Forum .354 Table of Contents Appendix: About the CD 355 System... You: Discovering How Rootkits Hide 151 Chapter 8: Sniffing Out Rootkits 179 Chapter 9: Dealing with a Lying, Cheating Operating System 231 Part IV: Readying for Recovery 301 Chapter 10: Infected! Coping with Collateral Damage .303 Chapter 11: Preparing for the Worst: Erasing the Hard Drive 323 Part V: The Part of Tens 336 Chapter 12: Ten (Plus One) Rootkits and Their