Rootkits: a tech guide
Published: 15 Nov 2005
I've written before about the dangers of remote access Trojan horses (RATs). Briefly, these are bits of code that get onto your computer in a variety of ways and open an unused port on your PC so that remote criminal hackers (crackers) can gain access at their leisure. Rootkits are a more specialised version of a RAT, in that they are virtually invisible. The good news is that more and more security vendors are recognising the danger posed by rootkits. The bad news is that rootkit authors are finding more and better ways of keeping their malicious code hidden.
Root what?
A simple definition of a rootkit is a collection of tools used by a criminal intruder to gain access to the root of a remote system, to take control of that computer, and to hide their presence. For example, if you were to list the running processes on your computer, a malicious tool might mask its presence by filtering itself out of that listing. You would have no way of knowing whether you were infected.
Rootkits aren't new. But their appeal is growing as more traditional means of commandeering a remote computer become harder to exploit, thanks in part to better security applications and increased public awareness of computer dangers. Rootkits are designed to be stealthy, to hide RATs and to fool existing security applications into believing that all is normal. Rootkits are a moving target where the bad guys, for the moment, still hold the advantage.
How rootkits work
On networked systems, crackers first search for low-hanging fruit, such as a vulnerable print server located somewhere on the periphery of a vast computer network. They then exploit a known flaw in the print server, perhaps masquerading as a printer driver. Printer drivers are currently installed in the kernel of the Windows operating system. Beginning with next year's release of Windows Vista, Microsoft plans to move device drivers out of the kernel and onto the user level. At least this one vector of attack will be shut down on systems running Vista code or later.
Another common vector uses flaws within client-side Internet browsers, such as Internet Explorer or Mozilla Firefox. Someone viewing a maliciously coded Web page with an unpatched browser could become infected. Because the rootkit is, by nature, hidden from active security services, end users often don't realise that they've become infected.
Typically, once a cracker gains access to the root of one computer on a network, he or she can then install the rootkit tools of choice and use the first compromised computer to scan and probe deeper into the network. In our example, starting with a print server isn't too thrilling, but with diligence, the intruder could advance to the accounts payable system or perhaps the company's crown jewels -- proprietary software or media. The rootkit masks the presence of an intruder and allows a cracker to operate undetected for days, weeks, even months.
Known rootkits
Perhaps the best known rootkit is BackOrifice from Cult of the Dead Cow (I kid you not). Released at Defcon a few years ago, BackOrifice (said to be reminiscent of Microsoft's Back Office product) is a customisable remote access application that has legitimate purposes for security researchers, but also has been used by crackers. Another well-known rootkit is HackerDefender. Most of these rootkits are traditional, in that they fool task managers and system process utilities into thinking the tools aren't present on an infected system. Thus, spyware writers have started using rootkits to keep the antispyware programs from removing their wares.
The bad guys stay one step ahead
At last summer's Black Hat Briefings in Las Vegas, security researchers James Butler and Sherri Sparks announced a new memory-based rootkit method called Shadow Walker. The Shadow Walker rootkit escalates system privileges and hides files in memory using Direct Kernel Object Manipulation to fool the Windows Event Viewer. The use of volatile memory makes later forensics almost impossible because there's no trace after a system reboot. So far this remains theory. There's also a report from IT Asia One that someone has designed the first ever Mac OS X rootkit.
Solutions
Fortunately, there are rootkit hunters available. From Microsoft comes Strider GhostBuster, F-Secure has BlackLight and Sysinternals offers RootkitRevealer. Webroot SpySweeper 4.5 will also hunt down rootkits on your PC. All of these solutions attempt to detect file additions and registry changes that have been otherwise hidden from normal system utilities and security applications: they take the same inventory through a high-level path a rootkit can intercept and a low-level path it usually cannot, and report whatever differs.
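The detection idea behind the tools above (and the process-list hiding described under "Root what?") is a cross-view diff: enumerate the same objects through two paths and flag anything present in one but not the other. The following is an added example written for this page, not the code of the article's author or of any product it names. It runs on a temporary directory; the "hooked" listing function is a constructed stand-in for a rootkit-filtered API, and the prefix `_rk_` is an invented marker, not a real rootkit's file name.

```python
"""Cross-view rootkit detection demonstrated on a temporary directory.

Added example, not part of the original article and not the code of any
product it names. Principle: take one inventory through a high-level path a
rootkit can hook and one through a low-level path it usually cannot, then
report the difference in both directions.
"""
import os
import tempfile
from typing import Callable, Dict, Set


def raw_view(path: str) -> Set[str]:
    """Low-level view: direct directory enumeration. Stands in for reading the
    on-disk structures that a hooked user-mode listing API never touches."""
    return {entry.name for entry in os.scandir(path)}


def make_hooked_view(prefix: str) -> Callable[[str], Set[str]]:
    """Constructed stand-in for a rootkit-hooked listing API: every entry whose
    name starts with `prefix` is silently dropped from the results, which is
    how a filtering hook on a directory-enumeration call hides its files."""
    def hooked_view(path: str) -> Set[str]:
        return {name for name in raw_view(path) if not name.startswith(prefix)}
    return hooked_view


def cross_view_diff(path: str,
                    api_view: Callable[[str], Set[str]]) -> Dict[str, Set[str]]:
    """Compare the high-level (API) view with the low-level (raw) view.

    hidden_from_api: on disk but missing from the API listing (what a rootkit
                     filter removes).
    phantom_in_api:  reported by the API but not on disk (a tampered API
                     returning entries that do not exist).
    A clean system yields two empty sets.
    """
    high = api_view(path)
    low = raw_view(path)
    return {
        "hidden_from_api": low - high,
        "phantom_in_api": high - low,
    }


def demo() -> Dict[str, Set[str]]:
    """Build a constructed sample tree, then run the diff against a hooked view
    that hides names beginning with the invented marker `_rk_`."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.doc", "notes.txt", "_rk_driver.sys", "_rk_config.dat"):
            open(os.path.join(tmp, name), "w").close()
        return cross_view_diff(tmp, make_hooked_view("_rk_"))


if __name__ == "__main__":
    result = demo()
    for kind, names in result.items():
        print(f"{kind}: {sorted(names)}")
```

The real products differ only in where they obtain the low-level view (raw disk structures, registry hive files on disk, or a scan from a clean boot) and in covering processes and registry keys as well as files; the comparison step is the same set difference shown here.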