Easy Rootkit Detection

An easy way to detect most rootkits is to use an old technology: DOS.

Most (read: pretty much all) rootkits have some sort of file component. In fact, just about all malware needs a file to be loaded from before it can do its damage, because malware is just software that does bad things, and software means files. Even worms and other memory-resident programs touch a file at some point. This is exactly why rootkits hijack directory listing commands: to hide those files.

So how do you find files that are being hidden? One way is to go to the disk at a low level, reading sectors directly instead of asking for a file listing, and checking whether the directory entries actually on disk match what the listing shows. This is a common method but has its drawbacks. For one thing, a decent rootkit can hook sector-level disk access and hide its entries there just as it does with the directory listing command. For another, it is fiddly to use and can be unreliable.

Another easy method is to get a directory listing from within Windows, boot into DOS and get another one, then compare the two. There are few if any DOS rootkits, but more importantly DOS is a lightweight, easy-to-control environment that fits on a single floppy. That matters because it makes the boot disk's integrity easy to guarantee: a minimal system is just four files taking no more than 200KB. Build the boot disk on a system you trust and then write-protect it. Another option is a bootable CD, for example a Windows 95/98 CD, which can boot to DOS. One caveat: plain DOS reads only FAT volumes. If the Windows drive is NTFS you also need a DOS NTFS driver on the boot disk, and that driver has to be as trustworthy as the rest of the disk, since everything you see in DOS passes through it.

To check for a Windows rootkit:

  1. Open a command prompt with the cmd command.
  2. Get a directory listing with dir c:\ /s /a /o > d:\windir.txt.
  3. Reboot into pure DOS mode (do this as soon as possible after the previous step).
  4. Get another directory listing with dir c:\ /s /a /o > d:\dosdir.txt.
  5. Compare the two files (e.g. windiff d:\dosdir.txt d:\windir.txt).

D: here stands for any drive that both Windows and DOS can read, such as a FAT partition or a second disk. A floppy will not hold a full recursive listing of a Windows install, and writing the listings onto C: itself changes the very thing you are about to compare.

Obviously there will be some differences, since files are normally created, changed and deleted while Windows shuts down. You will have to use your judgement, and possibly a reference or the Internet, to decide which of the differing files are malicious. To minimize the noise, clean up temporary files and the like before taking the listings.

If there is no rootkit, the two listings should be more or less the same. If there is one, the DOS listing will show files that the Windows listing does not.

One drawback of this method is that the built-in dir command formats its listings differently in Windows and DOS, so a straight comparison of the two files is hard. For example, this is a listing made in Windows:

 Volume in drive C is C-Windows
 Volume Serial Number is 0123-4567

 Directory of C:\

Mar.03.03  03:03am           233,632 ntldr
Mar.03.03  03:03am            47,580 ntdetect.com
Mar.03.03  03:03am               193 boot.ini
Mar.03.03  03:03am    <DIR>          Windows
Mar.03.03  03:03am    <DIR>          Program Files
Mar.03.03  03:03am    <DIR>          Documents and Settings
               3 File(s)        281,405 bytes
               3 Dir(s)    123,456,789 bytes free

and the same listing in DOS (with DOSLFN loaded, which adds the long file names in the right-hand column):

 Volume in drive C is C-WINDOWS
 Volume Serial Number is 0123-4567
 Directory of C:\

NTLDR            233,632  03-03-2003  03:03 ntldr
NTDETECT COM      47,580  03-03-2003  03:03 ntdetect.com
BOOT     INI         193  03-03-2003  03:03 boot.ini
WINDOWS      <DIR>        03-03-2003  03:03 Windows
PROGRA~1     <DIR>        03-03-2003  03:03 Program Files
DOCUME~1     <DIR>        03-03-2003  03:03 Documents and Settings
        3 file(s)        281,405 bytes
        3 dir(s)     123,456,789 bytes free

The formats are quite different and need some reworking before a comparison is easy. One solution is a third-party directory lister instead of the built-in dir, so that the listing comes out in the same format in both Windows and DOS; just make sure it lists anything and everything (hidden files, system files, volume labels, etc.). Another is to leave dir alone and normalize both listings into one shape with a small script before comparing them. Note that DOS also prints its "Directory of" headers with 8.3 short names (C:\PROGRA~1 rather than C:\Program Files), so the normalization has to translate those back into long names before the paths will line up.
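As an added example (not code from the post), here is a small Python script that does that normalization for the two dir formats shown above and then carries out the comparison from the five-step procedure earlier: it parses both listings into {full path: size} maps, rebuilds long paths from the DOS short-name headers using the <DIR> entries of each parent, and reports what DOS sees that Windows does not. The regular expressions, the sample listings and the file names in them are constructed for the example; real dir output varies with regional settings and with the DOS and DOSLFN version, so the patterns may need adjusting.

```python
# Added example, not code from the post: normalize a Windows `dir /s /a` listing and
# a DOS `dir /s /a` listing (DOSLFN long names in the last column) to one shape and
# diff them.  Formats follow the post's samples; real output varies with regional
# settings and DOS/DOSLFN version, so the regexes are assumptions to adjust.
import re

# Constructed sample listings, not real output.  The DOS run shows a file under
# C:\PROGRA~1 that the Windows run does not.
WINDOWS_LISTING = r"""
 Volume in drive C is C-Windows
 Directory of C:\

Mar.03.03  03:03am           233,632 ntldr
Mar.03.03  03:03am            47,580 ntdetect.com
Mar.03.03  03:03am    <DIR>          Windows
Mar.03.03  03:03am    <DIR>          Program Files
               2 File(s)        281,212 bytes

 Directory of C:\Windows

Mar.03.03  03:03am             1,024 win.ini
Mar.03.03  03:03am               512 shutdown.log
"""
DOS_LISTING = r"""
 Volume in drive C is C-WINDOWS
 Directory of C:\

NTLDR            233,632  03-03-2003   3:03 ntldr
NTDETECT COM      47,580  03-03-2003   3:03 ntdetect.com
WINDOWS      <DIR>        03-03-2003   3:03 Windows
PROGRA~1     <DIR>        03-03-2003   3:03 Program Files
        2 file(s)        281,212 bytes

 Directory of C:\WINDOWS

WIN      INI       1,024  03-03-2003   3:03 win.ini

 Directory of C:\PROGRA~1

.            <DIR>        03-03-2003   3:03 .
..           <DIR>        03-03-2003   3:03 ..
HIDDEN~1 SYS       4,096  03-03-2003   3:03 hidden-driver.sys
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
SUMMARY = re.compile(r"\b(?:file|dir)\(s\)", re.IGNORECASE)
# Windows: date  time  size|<DIR>  long name   (a US-style "03:03 AM" time also works)
WIN_ENTRY = re.compile(r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s[AP]M)?)\s+(?P<size><DIR>|\d[\d,]*)\s+(?P<name>.+?)\s*$")
# DOS + DOSLFN: 8.3 name [ext]  size|<DIR>  date  time  long name
DOS_ENTRY = re.compile(r"^(?P<short>[^\s<]\S{0,7}(?:\s+\S{1,3})?)\s+(?P<size><DIR>|\d[\d,]*)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<name>.+?)\s*$")

def _size(token):
    return None if token == "<DIR>" else int(token.replace(",", ""))

def expand_short_path(path, short_to_long):
    # C:\PROGRA~1\COMMON~1 -> C:\Program Files\Common Files, using the short/long
    # pairs collected from the <DIR> entries of the parent directories.
    parts = path.split("\\")
    longpath = parts[0]  # drive, e.g. 'C:'
    for comp in parts[1:]:
        if comp:
            longpath += "\\" + short_to_long.get((longpath.lower(), comp.upper()), comp)
    return longpath

def parse_windows(text):
    """Return {full path (lower-cased): size in bytes, or None for a directory}."""
    entries, cwd = {}, None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            cwd = m.group("path").rstrip("\\")
            continue
        m = WIN_ENTRY.match(line) if cwd and not SUMMARY.search(line) else None
        if m and m.group("name") not in (".", ".."):
            entries[(cwd + "\\" + m.group("name")).lower()] = _size(m.group("size"))
    return entries

def parse_dos(text):
    """Same shape.  DOS prints the 'Directory of' headers with 8.3 names, so each
    <DIR> entry's short/long pair is recorded to rebuild the long path later
    (dir /s lists a parent before its children, so the pair is known in time)."""
    entries, cwd, short_to_long = {}, None, {}
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            cwd = expand_short_path(m.group("path").rstrip("\\"), short_to_long)
            continue
        m = DOS_ENTRY.match(line) if cwd and not SUMMARY.search(line) else None
        if not m or m.group("name") in (".", ".."):
            continue
        name, size = m.group("name"), _size(m.group("size"))
        if size is None:  # directory: remember e.g. PROGRA~1 -> Program Files
            short_to_long[(cwd.lower(), ".".join(m.group("short").split()).upper())] = name
        entries[(cwd + "\\" + name).lower()] = size
    return entries

def compare(win, dos):
    """Files DOS sees but Windows does not are the rootkit candidates; the other
    two buckets are normally shutdown noise or legitimately changed files."""
    return {
        "hidden_from_windows": sorted(p for p in dos if p not in win),
        "windows_only": sorted(p for p in win if p not in dos),
        "size_changed": sorted(p for p in win if p in dos and win[p] != dos[p]),
    }
```

To use it on a real run, read d:\windir.txt and d:\dosdir.txt into the two strings and print compare(parse_windows(...), parse_dos(...)). Anything in hidden_from_windows deserves a close look; windows_only is mostly the shutdown noise the post describes, and size_changed catches a file that is present in both listings but reports a different size to Windows than it does to DOS. Paths are compared case-insensitively because FAT and NTFS file names are.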

All software is limited and hackable, and malware is no different. With a little thought and the right tools, even a rootkit can be ferreted out.
