Rootkits: now a generalized threat 
In the past, rootkits only worried system administrators who had to keep intruders out of their systems. But nowadays the average user is being obliged to deal with them.
What is a rootkit?
A rootkit is a piece of software which, after installation, hides certain programs, files, or other information, such as open connections or logged-in users, from the users of the system.
The Problem
In the past they were used by intruders: after gaining access to a system, they would install a rootkit to hide their presence. But nowadays the rootkit problem has reached another dimension.
Worms, which have become a real problem in the Internet days for unprotected computers (recall the damage that Code Red or Sasser did), are not only packing backdoors but also rootkits. This allows the worm to work unnoticed by the user and probably by system scanners too; a live example of this is the latest mutation of the Bagle worm. As I discussed with Hugo, it's not a completely new tech-hype idea, since packing backdoors was already usual, but it's a new concept and definitely an elegant one.
Though, in my opinion, this isn't the most dangerous factor, since a well-patched and protected computer with educated users can survive most of these attacks.
A bigger problem is arising for all of us: companies from which we buy products, such as Symantec with its well-known Norton anti-virus software, music CDs from Sony BMG, or even the Mr. & Mrs. Smith DVD (in Germany), are also being packed with rootkits, on purpose!!!
These companies did not have the objective of gaining access to the user's computer, but of preventing the user from deleting important files or from seeing the DRM scheme. Still, such rootkits could be exploited by other intruders in order to carry out illegal activity, and, at least as far as I know, the Sony rootkit was exploited in that way.
These two examples are public knowledge, but imagine how many others could be out there. It only takes someone with not so good intentions to find one and start taking advantage of it. Next time you install software, better think twice.
How does a rootkit work?
I've said that a rootkit hides information from users, but how does it actually work? There are actually 3 kinds of rootkits; they all have the same intention, but they attack different parts of the operating system.
First you have the most basic ones, which live in user land, which means at the application level. Most of the time it's a patched binary that does something besides its normal job. An example would be a modified w command that would never list the username intruder.
Next to them you have the library rootkits, which hijack system calls; this can be done by patching a system call or totally replacing it, in order to accomplish the cloaking.
Finally you have the most hardcore rootkits, the ones that attack the core: the kernel-level rootkits. These are fake kernel modules (in Linux) or fake device drivers (in Windows) that modify the kernel's behaviour in order to, once again, achieve stealth.
More ways of achieving cloaking are always being studied and tried. I'm aware of another way using a virtual machine monitor, which, since it's running under a virtual machine, won't allow scanners to access it and detect the presence of one. But such a proof of concept is still under heavy study.
If you're interested you can check the references, where you'll find links related to it.
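A cross-view check, which is the kind of comparison rootkit scanners rely on against the patched-w example above, as an added example that is not from the original post: it decodes login records straight from the raw utmp bytes (the glibc x86_64 384-byte record layout is assumed) and diffs them against the usernames the w binary printed. Both the utmp records and the w output below are constructed sample data.

```python
import struct

# glibc x86_64 utmp record layout (384 bytes), assumed for this example.
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7   # ut_type of an interactive login
BOOT_TIME = 2

def _cstr(field):
    """NUL-terminated fixed-width field -> str."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")

def make_record(user, line, pid, ut_type=USER_PROCESS):
    """Build one utmp record (constructed sample data, not from a real host)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       b"", 0, 0, 0, 0, 0, 0, 0, 0, 0)

def users_from_utmp(raw):
    """Trusted view: decode login records straight from the utmp bytes,
    bypassing whatever a patched `w` or `who` binary chooses to print."""
    users = set()
    for off in range(0, len(raw) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, raw, off)
        if rec[0] == USER_PROCESS:
            users.add(_cstr(rec[4]))
    return users

def users_from_w(output):
    """Untrusted view: first column of `w`, after its two header lines."""
    rows = output.strip().splitlines()[2:]
    return {row.split()[0] for row in rows if row.split()}

def hidden_logins(raw, w_output):
    """Users present in utmp but absent from what `w` reported."""
    return users_from_utmp(raw) - users_from_w(w_output)

# Constructed sample: three records, one of them the login `w` was patched to hide.
SAMPLE_UTMP = (make_record("reboot", "~", 0, BOOT_TIME)
               + make_record("alice", "pts/0", 4242)
               + make_record("intruder", "pts/1", 4343))
SAMPLE_W = """\
 10:42:01 up 3 days,  2:15,  2 users,  load average: 0.01, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alice    pts/0    10.0.0.5         09:30    1.00s  0.10s  0.01s w
"""

if __name__ == "__main__":
    print("hidden logins:", hidden_logins(SAMPLE_UTMP, SAMPLE_W))  # {'intruder'}
```

On a real host you would read /var/run/utmp and capture the output of w; a library or kernel rootkit can of course lie to this reader too, which is why scanners also compare against views taken from outside the running system.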
How can you protect yourself
Besides taking the usual precautions about which binaries you run and having a good security policy, running rootkit scanners won't hurt you. Below you can find some rootkit scanners:
For Linux:
For Windows:
References