A Rootkit is a type of infection designed to hide its presence from the user, antivirus and antimalware software, etc. This also makes it very difficult to tell whether your system is infected just by running an AV/malware scan or looking for suspicious files, as the Rootkit hides its presence from the file system, Task Manager, etc.
After dealing with some past Malware infections (mainly from users of dodgy P2P networks such as Frostwire and the former Limewire), one thing I noticed in common with many of them is that when the Malware involves a Rootkit infection, it often interferes with low-level disk access, usually causing problems with partition managers, disk defragmentation, etc. The utility that almost always gets affected is Windows Disk Management, which interestingly leaves a tell-tale sign that the system likely has a Rootkit infection.
Here’s the test (requires administrator access):
1. Go into the Start menu.
2. Right-click on Computer (“My Computer” in XP) and click “Manage”.
3. If you get a UAC prompt, click ‘Yes’ to continue.
4. On the left, go into Storage -> Disk Management.
5. Do you see your OS hard disk on the right (e.g. Drive ‘C’)?
Try this, even if you don’t think you’re infected. You might be in for a surprise.
If you do not see your operating system hard disk (or any hard disk at all), this is a suspicious sign that the computer has a Rootkit infection. If so, try running GMER (link), which should hopefully reveal more details about it.
The following gives a past example of where this trick uncovered a Rootkit:
I recently went into Disk Management on someone’s PC to look at a partition and noticed the hard drives were missing, i.e. the listing appeared blank. Even though the PC did not show any sign of an infection, I started to get suspicious. The PC had Avast AV running and up to date, yet it didn’t show anything suspicious. So just to double-check, I ran Malwarebytes and there was no sign of any infection either. Figuring there still must be an infection, I then tried GMER and it showed a second tell-tale sign with a list of “Copy of MBR” results. However, it didn’t report anything else suspicious.
At this stage, I was convinced that there was definitely something there after two tell-tale signs, so the next “weapon” I tried was Combofix. Sure enough, it did report Rootkit activity, but all it deleted in the end was an inf file and the hard disks were still missing in Disk Management. Another scan in Malwarebytes found nothing and another scan with Combofix also didn’t reveal anything. After recently reading about the deadly TDSS MBR infection, I decided to just give Kaspersky’s TDSS killer utility a try and sure enough it found the MBR infection, removed it and Windows Disk Management started working again.
What this also shows is that once your system is infected, especially with a silent rootkit like this, the only way you can be certain the infection is gone is with a total disk wipe (to also remove the MBR) and a fresh Windows installation. For example, had I not known about the TDSS utility, I may well have believed that this computer had some special utility (e.g. full disk encryption that was not set up) that prevented Disk Management from working.
Hopefully the simple method above will help reveal whether there is a nasty in the system.
Update: 25th September 2012
Another trick I recently saw is where the Rootkit is placed in a separate tiny 10MB partition. So if the system partitions are shown in Disk Management along with an unusually small (~10MB) partition at the end of the drive, this is also a pretty sure sign of a Rootkit.
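As an added example (not code from the original post), the following PowerShell script automates the two checks described above, a missing OS disk and a tiny trailing partition, using WMI so that it runs on XP/7 as well as newer Windows. The 16MB threshold and the “last partition on the disk” test are my own assumptions for the post’s “~10MB at the end of the drive” heuristic; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Automates the Disk Management
# rootkit signs with WMI. Assumptions: elevated PowerShell; 16MB is my own
# threshold for the post's "~10MB" figure; only the last partition is checked
# because Windows 7's 100MB "System Reserved" partition legitimately sits first.
$TinyPartitionBytes = 16MB

function Test-RootkitDiskSigns {
    $findings = @()
    $disks = @(Get-WmiObject -Class Win32_DiskDrive)

    # Sign 1: no physical disks enumerated at all (a blank Disk Management listing).
    if ($disks.Count -eq 0) {
        return @("No physical disks reported by WMI (blank listing) - follow up with GMER / TDSSKiller.")
    }

    # Sign 1b: disks are listed, but the one holding the OS volume is not among them.
    $sysDrive = $env:SystemDrive   # e.g. "C:"
    $osPart = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$sysDrive'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    if (-not $osPart -or -not ($disks | Where-Object { $_.Index -eq $osPart.DiskIndex })) {
        $findings += "OS volume $sysDrive does not map to a visible physical disk."
    }

    # Sign 2 (2012 update): an unusually small partition at the very end of a disk.
    foreach ($d in $disks) {
        $parts = Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex=$($d.Index)"
        $last  = $parts | Sort-Object StartingOffset -Descending | Select-Object -First 1
        if ($last -and $last.StartingOffset -gt 0 -and $last.Size -lt $TinyPartitionBytes) {
            $mb = [math]::Round($last.Size / 1MB, 1)
            $findings += "Disk $($d.Index) ($($d.Model)): tiny trailing partition '$($last.Name)' of $mb MB at offset $($last.StartingOffset)."
        }
    }
    return $findings
}

$result = @(Test-RootkitDiskSigns)
if ($result.Count -eq 0) {
    "No Disk Management rootkit signs found (this does not prove the system is clean)."
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

A rootkit that hides disks from Disk Management will generally hide them from this script in the same way, which is exactly the sign being looked for; treat any finding as a prompt to run GMER or TDSSKiller rather than as proof.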