IceSword, shown in Figure A-11, is the most complicated of the rootkit detectors presented in this appendix. It is also the most unstable, so expect an occasional system crash while using this software.
Despite its complexity and stability problems, IceSword is a very good rootkit detection tool. This software contains 13 distinct methods for detecting malware. The term malware is used here to describe any malicious software, not necessarily rootkits, but because rootkits are a subset of malware and can use some of the same loading and persistence techniques, it makes sense to provide a tool that covers all the possibilities. Unfortunately, the number of detection methods, the range of malware targeted, and the marginal user interface make IceSword more difficult to use than the other rootkit detectors.
The IceSword detection methods are as follows:
Process detection
TCP, UDP, and RAW IP port activity detection
Kernel module detection
Autostarted application detection
Service detection
Winsock catalog entry detection
Browser Helper Object detection
Kernel system call table hook detection
Message hook detection
Process creation detection
Process termination detection
Registry tamper detection
File system tamper detection
Process detection is performed by listing all processes believed to be running on the system. A process shown in the IceSword process list that is not shown in the Task Manager’s process list would be considered an anomaly. If IceSword is certain the process is being hidden, the list item will be displayed with a red font.
TCP, UDP, and RAW IP port activity detection is a less exact form of detection. By showing the address and port of the local machine, the address and port of the connected machine, and the name of the process responsible for the local connection, IceSword enables the operator to interpret each of the displayed connections.
Kernel module detection simply displays a list of the currently loaded kernel modules and their location on disk. This list will not show device drivers that are hidden from the kernel's module list, but a kernel-level rootkit that relies on obfuscation rather than hiding will be displayed along with its location on disk. The generated list does not differentiate suspicious modules from legitimate ones, so the user must know what to look for.
Autostarted application detection lists all the applications that are automatically started during the boot process. This is accomplished by displaying the contents of various registry entries. The operating system will check these registry entries during the boot process and launch whatever programs are defined. This convenient autostart system is often abused by malware.
Service detection simply displays a list of the registered services, running or not, and their location on disk. Like process detection, a service shown in the IceSword service list that is not shown in the Services applet would be considered an anomaly.
Winsock catalog entry detection lists all the protocols registered with the operating system’s socket layer. Like autostarted application detection, detection is accomplished by displaying the contents of various registry entries.
Browser helper object detection lists all the software registered as browser enhancements. This detection method simply displays the contents of Internet Explorer’s Browser Helper Object registry entry.
Kernel system call table hook detection displays a list of all kernel system call table entries, the original address, the current address, the module responsible for the entry, and the name of the exported ntoskrnl.exe function associated with the entry. Entries are printed in red font when the original address is not the same as the current address.
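The red-entry rule just described (original address differs from current address, attributed to the module owning the current address) as an added example in Python; this is not IceSword's code, and every module name, address and table entry in it is a constructed sample value.

```python
"""System call table hook check: the rule behind IceSword's red entries.

Added example, not IceSword code. An entry whose current address differs from
the address the kernel originally exported is flagged and attributed to the
loaded module whose address range contains it. Module names and all addresses
below are constructed sample values, not read from a real kernel.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

@dataclass(frozen=True)
class SsdtEntry:
    name: str       # exported ntoskrnl.exe function name
    original: int   # address the kernel image exports for this service
    current: int    # address currently installed in the table

def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Module whose range holds addr, or None when no loaded module claims it."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None

def hooked_entries(table: List[SsdtEntry], modules: List[Module]) -> List[Tuple[SsdtEntry, Optional[str]]]:
    """Entries whose current address differs from the original, with the responsible module."""
    return [(e, owner_of(e.current, modules)) for e in table if e.current != e.original]

MODULES = [Module("ntoskrnl.exe", 0x80400000, 0x200000),
           Module("sample_hook.sys", 0xF8A00000, 0x4000)]
TABLE = [
    SsdtEntry("NtAcceptConnectPort", 0x804F1000, 0x804F1000),
    SsdtEntry("NtQuerySystemInformation", 0x80520000, 0xF8A01230),  # redirected into sample_hook.sys
    SsdtEntry("NtOpenProcess", 0x80510000, 0x80510000),
    SsdtEntry("NtEnumerateKey", 0x8051A000, 0x9F000000),            # redirected outside every known module
]

def report(table=TABLE, modules=MODULES) -> List[Tuple[str, str]]:
    """(function, module) per hooked entry; an address no module claims is the stronger warning."""
    return [(e.name, owner or "unknown module") for e, owner in hooked_entries(table, modules)]
```

An entry attributed to "unknown module" means the current address lies outside every listed driver, which is exactly the case where the kernel module list alone would not have revealed anything.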
Message hook detection displays a list of all applications currently filtering system messages. Determining which hooks are valid and which hooks are malicious can be a difficult task. As such, results from this list might best be used to augment other lists.
Process creation detection can be used to monitor process activity while performing normal operations. Knowing what to expect in this list requires a great deal of system expertise, but in some circumstances a consistently created process is clearly unexpected.
Process termination detection can also be used to monitor process activity while performing normal operations. Like process creation detection, this detection technique also requires a good deal of system expertise. The current version of IceSword has not completely implemented this detection method.
Registry tamper detection is accomplished by displaying the registry without using the standard kernel system calls. Unfortunately, IceSword does not also scan the registry using the standard kernel system calls, so the operator must perform a side-by-side comparison to detect a hidden registry entry. This can be an extremely tedious form of detection, but if you know where to look (e.g., HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services), IceSword registry tamper detection can be used to find rootkits.
File system tamper detection is performed by using low-level operations to display the local file system. As with registry tamper detection, IceSword does not also perform a standard file system traversal and alert the operator to discrepancies, so the operator must already know what to look for. As such, the IceSword file system tamper detector is more useful for verifying already detected anomalies than for finding new ones.
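The side-by-side comparison that process, service, registry and file system tamper detection all leave to the operator, written out as an added Python example (not IceSword's code): a low-level view and a standard API view of the same objects are diffed, and anything present only in the low-level view is the anomaly. The process and service lists are constructed sample data.

```python
"""Cross-view comparison: the side-by-side check IceSword leaves to the operator.

Added example, not IceSword code. A low-level view (what IceSword shows by
bypassing the standard system calls) is compared with the standard API view
(Task Manager, the Services applet, regedit); whatever appears only in the
low-level view is a hiding candidate. All views below are constructed sample
data, not captured from a real host.
"""
from dataclasses import dataclass
from typing import Hashable, Iterable

@dataclass(frozen=True)
class CrossView:
    hidden: frozenset     # low-level view only: the anomaly IceSword marks in red
    phantom: frozenset    # API view only: usually a timing artefact between the two enumerations
    confirmed: frozenset  # present in both views

def cross_view(low_level: Iterable[Hashable], api_view: Iterable[Hashable]) -> CrossView:
    low, api = set(low_level), set(api_view)
    return CrossView(frozenset(low - api), frozenset(api - low), frozenset(low & api))

def normalise_keys(names: Iterable[str]) -> set:
    """Registry key names are case-insensitive, so compare them lowercased."""
    return {n.strip().lower() for n in names}

# Constructed sample: (pid, image name) pairs as a low-level process walk and
# Task Manager would each report them.
LOW_LEVEL_PROCESSES = [(4, "System"), (620, "services.exe"), (1104, "svchost.exe"), (1788, "sample_hidden.exe")]
TASKMGR_PROCESSES = [(4, "System"), (620, "services.exe"), (1104, "svchost.exe")]

# Constructed sample: subkeys of HKLM\SYSTEM\CurrentControlSet\Services from a
# low-level registry walk versus the standard registry API.
LOW_LEVEL_SERVICES = ["Beep", "Dhcp", "Tcpip", "SampleHiddenSvc"]
API_SERVICES = ["beep", "DHCP", "Tcpip"]

def hidden_processes(low=LOW_LEVEL_PROCESSES, api=TASKMGR_PROCESSES) -> list:
    return sorted(cross_view(low, api).hidden)

def hidden_services(low=LOW_LEVEL_SERVICES, api=API_SERVICES) -> list:
    return sorted(cross_view(normalise_keys(low), normalise_keys(api)).hidden)
```

The same diff applies to a low-level directory listing against a standard traversal; only the key used to identify each item (full path instead of pid and name) changes.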
In addition to these detection methods, IceSword can also be configured as a rule-based system monitor. Like process termination detection, this feature is not completely implemented in the current version of IceSword.