Is there a way to find rootkits on 64-bit Windows 7?

3

1

I was at work and got a help desk call about a rather severe malware infection and it got me thinking about my own computer.

I am running Windows 7 64-bit RC1 on my everyday laptop. I run ESET NOD32 antivirus which does a good job of keeping itself up to date. I never turned off UAC.

I am also a computer professional so I have a pretty good idea when NOT to click OK on a windows dialog that looks rogue.

All that to say that I think I am clean, but I wanted to be sure, so I booted into safe mode, downloaded the well-recommended anti-malware tool MalwareBytes, and did a quick scan. It only found a strange registry entry, which I deleted. No file or folder problems were detected. I rebooted to complete the clean as it requested. I was surprised by this because all it did was clean a registry entry.

Oh yeah... one other thing: I run the professional edition of BillP Studio's WinPatrol.

After rebooting normally, WinPatrol warned about the new program MalwareBytes, which I expected and allowed. But to my surprise it also had me confirm the install/setup of userinit (I can't remember if it was a .dll or .exe), but the program info was that this is the file that presents the startup screen to Windows. I allowed it, but it caught me off guard.

One last thing. I also tried to run RootkitRevealer and IceSword so I could do a rootkit scan on my machine, and neither of them would run; I am pretty sure it is because I am running a 64-bit OS.

So here are my questions:

  1. Is it normal for userinit to be "re-installed" or "re-init" after doing a scan using MalwareBytes? If not, why was I prompted to allow permissions for that file?

  2. Is there a known/recommended way to do a rootkit scan of a 64-bit Windows system?

  3. Is it possible that my machine is LESS likely to have a rootkit problem BECAUSE I am running a 64-bit OS? Wouldn't a rootkit have to run as a 64-bit process, and isn't it likely that right now rootkits will not be written to target 64-bit since it is a smaller target audience? Is my risk surface area actually less?

Thanks in advance.

Seth

Seth Spearman

Posted 2009-10-01T17:17:24.497

Reputation: 1 389

Idk about the rest, but concerning #3: No. Windows 64-bit supports running 32-bit processes if you haven't noticed yet. – Will Eddins – 2009-10-01T17:20:36.910

I'm interested in hearing more about the so-called new security that Windows 7 is claiming to have. Anyone have any hard information on this? All I've heard of so far is that it's better, and that Windows Defender now covers viruses as well. – Sakamoto Kazuma – 2009-10-01T17:39:08.557

Guard,

It is true you can run 32-bit programs. But you CAN'T run 32-bit drivers. 64-bit requires 64-bit drivers. And the point of the question is, I would THINK (but can't be sure, which is why I ask), that a rootkit would need driver-level support/permissions rather than mere application-level support/permissions. – Seth Spearman – 2009-10-01T19:18:29.870

It's a good point, Seth. A kernel rootkit will indeed need a driver. Furthermore, being bent on replacing certain parts of the kernel, it will need to be designed with 64-bit versions in mind, or crash under Win 64-bit. However, it also needs to be said, there are other types of rootkits (http://en.wikipedia.org/wiki/Rootkit#Types) for which a device driver is not needed. And... not all device drivers need to be specifically designed for 64-bit OSes. – A Dwarf – 2009-10-01T20:36:55.530

Answers

0

I use ComboFix successfully on 64-bit Vista regularly. In my experience, 64-bit does take advantage of system operations regardless of whether or not the application does. Although I wouldn't agree that Vista 64 is 100% rootkit free, it is a lot harder to get rootkits on a 64-bit OS. It is still difficult for manufacturers of hardware to make drivers for 64-bit; I don't think we will see too many 64-bit rootkits for a while. And if you hate on 64-bit, get used to it: whether you like it or not, 4 GB of RAM will become obsolete. When it does, 64-bit will be required.

Max

Posted 2009-10-01T17:17:24.497

Reputation:

2

Sophos Anti-Rootkit claims to be able to scan for, and remove, rootkits on 64-bit Windows 7.

raven

Posted 2009-10-01T17:17:24.497

Reputation: 5 135

0

Is there a known/recommended way to do a rootkit scan of 64-bit windows system?

There are only two programs I trust for this: ComboFix followed by RegDelNull.

I'm unsure, however, as to ComboFix's 64-bit support. But if you create a restore point before using it, you should be able to use the Recovery Console to restore it in case something goes wrong.

But I feel the need to make 2 points here:

1. 64-Bit craze
I'm yet to understand why the insistence on using 64-bit versions of your OSes. For all practical purposes, there is near zero advantage in doing so. A 64-bit OS is only useful when 64-bit applications making use of the new processor features and address space are made mainstream. That is not the case. Very few applications are true 64-bit, and those that are, are so only for compatibility reasons. For the most part these applications make no use of, nor do they have a use for, any of these features. And then you get into trouble, as you are seeing now, when trying to obtain specialized software that may not run well under 64-bit.

2. Methods
There's no clear-cut way to do rootkit checking. Even ComboFix certainly adopts its own methodology, which will allow other or newer rootkits to pass by unscathed. That said, your tools of choice will always be the Recovery Console or booting into safe mode, where many of these rootkits will not be operating.

With that, a few firewall products offer system-level protection (I'm thinking Comodo, for instance), which will allow you to see system-level prompts informing you of many changes that are occurring in your computer.

Furthermore, you should have UAC enabled at the highest level and be running from a non-administrator account. That's what UAC was built for, and there's really no excuse anymore to not run our Windows machines under an unprivileged account. No rootkit will ever bypass that, which actually means you don't need to worry about searching for them.

Is it possible that my machine is LESS likely to have a rootkit problem BECAUSE I am running a 64-bit OS? Wouldn't a rootkit have to run as a 64-bit process, and isn't it likely that right now rootkits will not be written to target 64-bit since it is a smaller target audience? Is my risk surface area actually less?

Unfortunately no. As mentioned, 64-bit systems allow 32-bit applications to run at any level. But attention! You do add a certain level of protection, since there may be rootkits that fail under a 64-bit OS, for many reasons; the same as many other 32-bit applications, inexplicably or not, also tend to fail under 64-bit OSes. Rootkits are not immune to bugs. But that's about it.

That said, there's also the possibility of certain rootkits starting to specifically target 64-bit systems. So you are really not any more secure.

A Dwarf

Posted 2009-10-01T17:17:24.497

Reputation: 17 756
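The answer above recommends a restore point before running a scanner, and the comments on the question note that 64-bit Windows only loads 64-bit, signed kernel drivers, which is what a kernel rootkit needs. The script below is an added example from the editor, not code from any poster or from ComboFix, Sophos or WinPatrol; it gathers the baseline a defender would want before and after a scan on a 64-bit Windows 7 box: whether the OS really is 64-bit, what the Winlogon `Userinit` value currently points to (the asker's question 1), which running kernel drivers fail Authenticode verification, and a restore point created through the built-in `Checkpoint-Computer` cmdlet. It assumes PowerShell 2.0 or later (hence `Get-WmiObject` rather than `Get-CimInstance`, which needs 3.0), an elevated session for the restore point, and that the default `Userinit` value is `C:\Windows\system32\userinit.exe,` with its trailing comma; the function and variable names are the editor's own.

```powershell
# Added example (not from the page's posters): pre-scan baseline for 64-bit Windows 7.
# Assumes PowerShell 2.0+, elevated for New-PreScanRestorePoint.

function Test-Is64BitWindows {
    # OSArchitecture reads "64-bit" on x64 installs; "32-bit" otherwise.
    (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture -like '64*'
}

# Question 1 on the page: what does Winlogon's Userinit value point to right now?
function Get-UserinitValue {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -Path $key -Name Userinit).Userinit
}

# Returns $true when Userinit is the stock value (assumption: "<SystemRoot>\system32\userinit.exe,").
# Anything appended after the comma is an extra program Winlogon will start at logon.
function Test-UserinitIsDefault {
    $expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
    $actual = Get-UserinitValue
    if ($actual -ieq $expected) { return $true }
    Write-Warning "Userinit is '$actual' (expected '$expected')"
    return $false
}

# 64-bit Windows requires kernel-mode drivers to carry a valid signature, so a
# running driver whose image fails Authenticode verification deserves a closer look.
function Get-RunningDriverSignatures {
    Get-WmiObject -Class Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style prefixes some PathName values carry.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Name   = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# The triage list: running drivers that did not verify as 'Valid'.
function Get-UnverifiedDrivers {
    Get-RunningDriverSignatures | Where-Object { $_.Status -ne 'Valid' }
}

# Safety net before ComboFix or any other scanner that rewrites system state.
function New-PreScanRestorePoint {
    Checkpoint-Computer -Description 'Before rootkit scan' -RestorePointType MODIFY_SETTINGS
}

# Typical run, top to bottom.
"64-bit OS: $(Test-Is64BitWindows)"
"Userinit default: $(Test-UserinitIsDefault)"
Get-UnverifiedDrivers | Format-Table Name, Status, Signer, Path -AutoSize
```

Two caveats on reading the output. Many inbox Windows 7 drivers are signed through catalog files rather than an embedded signature, and `Get-AuthenticodeSignature` on that platform reports those as `NotSigned`, so the list is a starting point for comparison against a known-good machine, not a verdict. And run it from the 64-bit PowerShell host: a 32-bit host is redirected away from the real `system32\drivers` directory by WOW64, so it would verify the wrong files.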

64 bits become necessary if you would like to use more than 3 GB on a computer, which many computers shipping today are supplied with. – Sanjay Sheth – 2009-10-01T18:16:08.293

And yet no 32-bit software takes advantage of the added address space, and virtually no 64-bit software needs it. That's my point, Sanjay. Outside very specialized software in the engineering, scientific and possibly movie fields, you have no current use for it. – A Dwarf – 2009-10-01T18:20:20.657

Virtualization? – Bender – 2009-10-01T18:26:37.913

It's independent of the processor address space. 32-bit processors also offer hardware virtualization. – A Dwarf – 2009-10-01T18:30:14.257

Yes but memory quickly becomes scarce. – Bender – 2009-10-01T18:55:15.393

A Dwarf,

The point is not that the programs don't support it. The point is that you can only address 4 GB of RAM on a 32-bit system (actual support is 3 GB), whereas 64-bit can address (not sure, is it over a terabyte?). In any case, my PC came with 4 GB of RAM and I run a lot of virtual machines. That is why I wanted it.

That said, even after all these years 64-bit is a pain. I have had a lot of issues with driver and application support. I have managed to get around them but they have been a pain.

Seth – Seth Spearman – 2009-10-01T19:12:12.923

I understand Seth :) But the question remains... Why do you need more than 4GB? That's the question. But I beg of you, be objective. – A Dwarf – 2009-10-01T20:22:13.750

I run multiple VirtualBox virtual machines at the same time. And my host is also Windows 7. This would not be possible (or at least would be a lot more unpleasant) without 4 GB of RAM. – Seth Spearman – 2009-10-01T23:35:44.903