Rootkits: Is removing them even possible?

Author: Michael Kassner
Translator: endurer, 2008-12-02 第1

Category: General, security, Botnet

Tags: Built-in Sophistication, BlackLight, GMER, Rootkits, Scanners, Security, Spyware, Adware & Malware, Hardware, Peripherals, Michael Kassner

English source: http://blogs.techrepublic.com.com/networking/?p=736&tag=nl.e099

Is it possible to remove rootkits? Some say yes, and others say no. The people developing rootkits are smart and financially motivated to design rootkits that evade detection. So what’s the answer?

Throughout my series about rootkits and botnets, I’ve been impressed by the number and quality of member comments, especially the ones discussing how to remove rootkits. Thinking about this led to one of my ah-ha moments: I decided to listen, and to consolidate those real-world tips with what I have gleaned from security experts.

Why rootkits are hard to remove

To be honest, my research shows rootkit removal to be a rather haphazard affair, with positive results not always the norm. The apparent reason for this is the increased sophistication of rootkits. Some examples of these improvements are:

  • The ability to install rootkits at higher privilege levels in the operating system, making them invisible to malware scanners running below that level.
  • The use of advanced QoS parameters to reduce the time needed to get a proof-of-concept rootkit out in the wild, making it difficult to produce workable signatures for malware scanners.
  • Built-in sophistication that allows rootkits to morph their signature at will, which totally negates any pattern recognition by scanners.

That’s just a few reasons, but you get the picture. I’m happy to say there’s hope, though. I can confidently say that once it’s determined that a computer has a rootkit installed, it’s entirely possible to remove it. It’s the how that gets a bit complicated.

Translator's note (endurer): get the picture: to understand the general situation.

My mistakes

The next three points are now readily apparent to me, but I had to learn them the hard way. I see no sense in anyone repeating my mistakes, so please consider doing the following before you start troubleshooting:

Translator's note (endurer): learn something the hard way: to learn it through hardship.

  • It’s been my experience that any kind of malware removal project takes longer and is more difficult than expected. Keep that in mind as you work through the various troubleshooting steps; it lets you make a better-informed decision about whether it is easier and more cost-effective to continue troubleshooting or more sensible to reformat and re-image the computer.
  • Make sure the operating system, drivers, and applications have all the latest patches and are running the newest software versions. This goes a long way toward preventing the rootkit from coming back. For more on the best ways to do this, see my article “Botnets: Keep Computers Up to Date or Else.”

    Translator's note (endurer): go a long way in: to be of great help.
  • If possible, isolate the computer on its own subnet that still has Internet access. Many suggest removing the computer from the network/Internet entirely, but in many cases scanners need to phone home to get the latest signature file, and you may want to try some on-line scanners as well.

Let’s get started

It seems like everyone has a favorite malware scanner, probably because it has worked for them in the past. Like you, I have my favorites. The problem is that rootkits aren’t generic, so a scanner that works on one occasion may not work the next time.

I’ve used several scanners and have no problem recommending them. On the flip side, there are many scanners out there that I don’t have any experience with, and I urge caution in their use. It seems that a certain percentage of rootkit developers also like to create rootkit scanners, so please be careful. I’d now like to discuss several of the generic scanners that have had some success in removing user-mode and kernel-mode rootkits.

RUBotted by TrendMicro

RUBotted is a scanner that sits in the background and works quietly. It is a good first choice for users who don’t want to deal with scanner configuration or the details of removing a rootkit. It’s my first choice when I suspect a problem, and I’ve successfully used RUBotted to remove user-mode rootkits on Windows XP computers.

(Screenshot: rubotted.JPG)

BlackLight by F-Secure

F-Secure’s Security Center Web page is full of useful information, including information about their on-line scanner as well as the BlackLight scanner. BlackLight is a stand-alone scanner that requires very little user intervention, similar to RUBotted. The major difference between the two is that BlackLight only scans on demand. Another helpful link on the Web site lists removal tools for many malicious programs.

(Screenshot: blacklight.JPG)

Rootkit Revealer

Rootkit Revealer is a well-known scanner written by Mark Russinovich and Bryce Cogswell, formerly of SysInternals and now with Microsoft. Rootkit Revealer works in the following way:

“Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive.”

(Screenshot: rootkitrevealer.JPG)

The difficult part comes once the scan is completed. Unlike RUBotted or BlackLight, RootkitRevealer requires user intervention to identify and remove any malware. It usually means searching online for information about the process in question and finding out how to remove it.

GMER

GMER is an excellent scanner that searches for hidden services, registry components, and files. Like Rootkit Revealer, it’s not at all intuitive. To its advantage, GMER has the ability to delete malware, which conveniently shows up in red when the scan is completed. Many security experts agree with the following claims made on the GMER Web site:

“GMER is an application that detects and removes rootkits. It scans for: hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls and inline hooks. GMER also can monitor the following system functions: processes creating, drivers loading, libraries loading, file functions, registry entries, TCP/IP connections.”

(Screenshot: gmer.JPG)

I found that GMER takes some getting used to. More to the point, if you aren’t familiar with the anomaly GMER found, you either trust GMER to remove the process or research the process in question to make sure it’s not a false positive. Also, uninstalling GMER is a bit different; it requires you to run the following command:

  • Start C:/WINDOWS/gmer_uninstall.cmd script and reboot.

UnHackMe by Greatis

UnHackMe is a specialized rootkit removal tool that can detect and remove most of the simpler rootkits as well as several of the more sophisticated types. The user interface is very intuitive, and I like the fact that UnHackMe can easily be configured to run in the background. Sadly, UnHackMe isn’t freeware. You can try it for a month, after which it requires a registration fee of $19.95 USD.

I’ve been using UnHackMe for several weeks now, and I’m still learning the technical details of the application. It actually consists of three individual applications:

  • UnHackMe4: Detects hidden services, registry keys, processes, services, and drivers. It uses the UnHackMedrv.sys kernel driver.

(Screenshot: unhackme.JPG)

  • Partizan: Watches the Windows boot process.

(Screenshot: unhackme2.JPG)

  • Reanimator: Detects and removes Trojans/Spyware/Adware using the Greatis application and signature database.

(Screenshot: unhackme3.JPG)

In my opinion, UnHackMe seems like a scanner that would be very useful to people who want an application that requires little user interaction yet still has the sophistication to do its job. The fact that UnHackMe is relatively unknown is of some concern, but CNET is offering it as a download.

The manual approach

As I mentioned earlier, using canned programs to remove rootkits can be a hit-or-miss proposition. Several TechRepublic members have presented a manual process for removing rootkits that has a better success rate, but it comes at a price: the method is labor intensive and requires more than a casual knowledge of the operating system and the installed applications. Even if you don’t try this process, it’s a good study in what’s required to locate and eventually remove a rootkit:

Translator's note (endurer): hit-or-miss: unplanned, aimless, improvised as you go.

  1. Open Process Explorer to look for suspicious processes and suspend them, but don’t delete them.
  2. Run a malware scanner of your choice; since the process in question is suspended, there’s a good chance the scanner will see it.
  3. Use AutoRuns to check for unusual services, drivers, DLLs, and processes.
  4. Write down the name and location of anything that seems suspicious.
  5. Search the Internet for information about the process, and if it is indeed malware, try to find a permanent removal tool.
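Steps 3 and 4 of that procedure can be partly scripted. The following added example (not from the article, its author, or Sysinternals) reads a CSV export shaped like the one Autoruns produces, applies the same checks a person makes by eye (is the publisher verified, does the file live where real software lives, does the file exist at all), and produces the name-and-location notes step 4 asks for. The CSV rows, the column set, and the entry names such as hidden_svc and svch0st.exe are constructed for this example; the trusted-path list is a simplification of my own, not an Autoruns setting.

```python
import csv
import io

# Constructed sample in the shape of an Autoruns CSV export (autorunsc -c).
# The exact column set is an assumption for this example; a real export
# may carry more columns, but the ones used below are read by name.
SAMPLE_AUTORUNS_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String
HKLM\\System\\CurrentControlSet\\Services,Dhcp,enabled,Services,DHCP Client,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\svchost.exe,svchost.exe -k NetworkService
HKLM\\System\\CurrentControlSet\\Services,UnHackMedrv,enabled,Drivers,UnHackMe driver,(Not verified) Greatis,Greatis Software,c:\\windows\\system32\\drivers\\unhackmedrv.sys,unhackmedrv.sys
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,,(Not verified),,c:\\documents and settings\\user\\local settings\\temp\\svch0st.exe,c:\\documents and settings\\user\\local settings\\temp\\svch0st.exe
HKLM\\System\\CurrentControlSet\\Services,hidden_svc,enabled,Drivers,,,,File not found: c:\\windows\\system32\\drivers\\hidden_svc.sys,hidden_svc.sys
"""

# Locations where a legitimately installed binary is expected to live.
# Anything starting elsewhere (temp folders, user profiles) deserves a
# second look. Simplified list for this example, not an Autoruns setting.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def triage_autoruns(csv_text):
    """Return the entries worth writing down, each with the reasons why.

    The rules mirror what a person checks in the Autoruns window: is the
    file signed by a verified publisher, does it live where real software
    lives, and does the file even exist on disk?
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        image = (row.get("Image Path") or "").strip()
        signer = (row.get("Signer") or "").strip()
        lowered = image.lower()

        if not image or lowered.startswith("file not found"):
            # A file the API cannot read is either an orphaned entry or a
            # file that something on the system is hiding from the API.
            reasons.append("image file missing or unreadable")
        elif not lowered.startswith(TRUSTED_ROOTS):
            reasons.append("image outside Windows/Program Files: %s" % image)

        if not signer.startswith("(Verified)"):
            reasons.append("publisher not verified: %s" % (signer or "no signer"))

        if reasons:
            findings.append({
                "entry": row.get("Entry", ""),
                "location": row.get("Entry Location", ""),
                "image": image,
                "reasons": reasons,
            })
    return findings


def as_notes(findings):
    """Format findings as the name-and-location list that step 4 asks for."""
    return ["%s @ %s -> %s" % (f["entry"], f["location"], "; ".join(f["reasons"]))
            for f in findings]


if __name__ == "__main__":
    for line in as_notes(triage_autoruns(SAMPLE_AUTORUNS_CSV)):
        print(line)
```

Note that the UnHackMe driver row is flagged as well, purely because its constructed signer is not marked verified: the script narrows the list to research in step 5, it does not decide what is malware.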

If one peeks under the hood, it becomes obvious that the manual and automated processes are very similar. Both try to capture two images of the operating system state: an initial image of what processes actually started, and an image of what processes the operating system thinks started.

Translator's note (endurer): under the hood: behind the scenes, at the lower level.
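The two-image comparison described here, and in the RootkitRevealer quote above, is a cross-view diff: enumerate the same objects through the high-level Windows API and through a low-level source, then report whatever only one side sees. The following added example (not RootkitRevealer's, GMER's, or the article's code) implements that comparison over constructed views; the process, file and registry names in it, including hidden_svc, are made up, and the low-level view is supplied as data rather than read from an NTFS volume or registry hive as the real tools do.

```python
from collections import namedtuple

# One object as seen by a view: kind is "process", "file" or "regkey".
Entry = namedtuple("Entry", "kind name")


def _key(entry):
    # Windows names are case-insensitive, so compare in lower case or
    # every capitalisation difference becomes a false discrepancy.
    return (entry.kind, entry.name.lower())


def _is_benign(entry, benign_prefixes):
    # Scanner scratch files and other volatile paths legitimately differ
    # between two enumerations; skip them so they do not bury real hits.
    return any(entry.name.lower().startswith(p.lower()) for p in benign_prefixes)


def cross_view_diff(api_view, raw_view, benign_prefixes=()):
    """Compare the high-level (API) view with the low-level (raw) view.

    Returns (hidden, api_only):
      hidden   - objects in the raw data that the API did not report;
                 this is the signature of a rootkit filtering results.
      api_only - objects the API reported that the raw data lacks;
                 usually something created or deleted between the two
                 enumerations, so worth a re-scan rather than alarm.
    """
    api = {_key(e): e for e in api_view}
    raw = {_key(e): e for e in raw_view}
    hidden = sorted((e for k, e in raw.items()
                     if k not in api and not _is_benign(e, benign_prefixes)),
                    key=_key)
    api_only = sorted((e for k, e in api.items()
                       if k not in raw and not _is_benign(e, benign_prefixes)),
                      key=_key)
    return hidden, api_only


# Constructed sample views; every name below is made up for this example.
API_VIEW = [
    Entry("process", "csrss.exe"),
    Entry("process", "Explorer.EXE"),
    Entry("process", "svchost.exe"),
    Entry("file", r"C:\Windows\System32\drivers\dhcp.sys"),
    Entry("file", r"C:\Windows\Temp\rkr_scratch.tmp"),          # scanner's own temp file
    Entry("file", r"C:\Documents and Settings\user\My Documents\new.txt"),  # created between scans
    Entry("regkey", r"HKLM\System\CurrentControlSet\Services\Dhcp"),
]

RAW_VIEW = [
    Entry("process", "csrss.exe"),
    Entry("process", "explorer.exe"),
    Entry("process", "svchost.exe"),
    Entry("process", "hidden_svc.exe"),                            # absent from API view
    Entry("file", r"C:\Windows\System32\drivers\dhcp.sys"),
    Entry("file", r"C:\Windows\System32\drivers\hidden_svc.sys"),  # absent from API view
    Entry("regkey", r"HKLM\System\CurrentControlSet\Services\Dhcp"),
    Entry("regkey", r"HKLM\System\CurrentControlSet\Services\hidden_svc"),
]

# Paths whose contents are expected to change while a scan is running.
BENIGN_PREFIXES = ("C:\\Windows\\Temp\\",)


def run_sample():
    """Run the comparison on the constructed views and return both lists."""
    return cross_view_diff(API_VIEW, RAW_VIEW, BENIGN_PREFIXES)


if __name__ == "__main__":
    hidden, api_only = run_sample()
    for e in hidden:
        print("HIDDEN from API:", e.kind, e.name)
    for e in api_only:
        print("API only (re-check):", e.kind, e.name)
```

The same diff runs unchanged over processes, files and registry keys, which is why tools built on this principle list all three in one report. What it cannot do is tell a rootkit from a benign driver that also hides objects, or from a file that was simply created between the two enumerations, so every reported discrepancy still needs the research step from the manual procedure.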

Final thoughts

Removing malware as sophisticated as rootkits is hard. I’m convinced of that now. Because of that, this article has been one of the most difficult for me to write, even after hours of research. It just seems wrong not to have a clear and concise answer for removing rootkits.

Maybe it would have been better if I had written an entire article about removing just one variation of rootkit. Yet rootkits morph and developers change signatures, so there seems to be little value in specifics. Hopefully I was able to raise general awareness of the subject to the point where you at least know where to start. If you have any thoughts, suggestions, or methods that work for you, please let me know.
