External rootkit detection software?

2

2

The trouble with any rootkit detection software is that if the rootkit is really good, it will work to hide traces of itself from the detecting software as well.

I imagine that rootkits could be detected with more certainty by watching the traffic coming out of the potentially-infected computer from an alternate computer. Something like:

  1. Configure alternate computer (I'll call it the "monitoring computer") to route all traffic for the infected computer (either via wired or wireless)
  2. Configure infected computer to use the monitoring computer as its gateway or wireless access point
  3. Software on the monitoring computer has definitions of likely traffic which would indicate infection (e.g. virus signatures, IRC protocol patterns, smtp patterns for outbound spam)
  4. If the monitoring computer detects a problem, it reports the issue and drops the suspect traffic.
  5. All innocent traffic is routed onward.

Does such software exist for any platform? The infected computer would likely be running Windows, but the monitoring computer could run any OS since it's acting as a router.

Doug Harris

Posted 2009-10-14T15:11:40.833

Reputation: 23 578

Answers

1

There are about a zillion ways to monitor the traffic: if you put a computer in between, you can parse it all. You can use Ethereal (now Wireshark) or Snort, or hell, even IPTraf. You don't even have to have a machine in between, if you have a hub in promiscuous mode.

The problem comes up in the second part. How to know what traffic is malicious and what traffic isn't? The method commonly used in corporate networks is just block every port by default, and only allow traffic on specific (usually harmless) ports, but obviously this is a brute force approach.

One thing you can do is just monitor activity and drop it when it passes a certain threshold, but this assumes that your rootkit is dumb enough to flood the network with traffic, and this is not always going to be the case.

What I do is a combination of the two. I block all ports, and only allow specific traffic, and I have the upstream router generate a traffic report daily, that can be compared with previous reports to show possible infection (I use Snort and Argus...I like Ethereal/Wireshark better for active testing than for long term monitoring.)

Satanicpuppy

Posted 2009-10-14T15:11:40.833

Reputation: 6 169

0

I don't know if something like this exists, but I guess it shouldn't be much of a problem to make it yourself. First two and last two steps would be quite easy (And maybe, you don't even have to use real computer, some VM should be enough), as for the third, I don't know any kind of traffic scanners, although they surely exist, but for the sake of syplicity you could use IPTables (Given that the "routing" computer uses Linux).
But I am no expert in this, who knows. :)

sYnfo

Posted 2009-10-14T15:11:40.833

Reputation: 1 902

Asked: 2009-10-14T15:11:40.833

Viewed: 359 times

Active: 2009-10-29T21:00:01.517