For Dummies is a registered trademark of Wiley Publishing, Inc. in the United States and other countries. Used here by license.

Rootkits: Understanding the Enemy

A rootkit is a program designed to hide not only itself, but another program and all its associated resources (processes, files, folders, Registry keys, ports, and drivers). Rootkits can be whitehat (well-intentioned in purpose but still a potential security risk) or blackhat (malicious in nature). Malicious rootkits are often used to compromise and maintain remote control over a computer or network for illegitimate — often criminal — purposes. Malicious rootkits do their work by hiding malware that installs a backdoor to allow an attacker to have unlimited and prolonged access to the infected computer. A rootkit infection introduces a fundamental flaw into computer systems: suddenly you can’t really trust the integrity of the operating system or have any faith in the results it reports. Because of this flaw, you may be unable to distinguish whether your systems are pest-free or harboring some uninvited “visitor” that traditional scanners are unequipped to deal with. When you go up against rootkits, you need to know your enemy. This section gives you the skinny on why they hide, how they survive, and why the little creeps exist in the first place.
A Bit of Rootkit Lore

Rootkit technology is not new. In fact, rootkits have been in existence for over a decade. They were first developed for use on Unix-like operating systems (Solaris and Linux), and later evolved to encompass Windows platforms as well. The first public rootkit developed for the Windows NT platforms made its debut in 1999 when it was introduced by Greg Hoglund, a well-known security researcher and owner of rootkit.com. The unusual moniker rootkit is actually derived from root — a Unix reference (which implies root-level access to a system and administrator privileges) — and kit (which refers to the collective set of tools used to obtain that hidden and privileged access). The discovery of the Sony Digital Rights Management (DRM) rootkit by Mark Russinovich of Sysinternals suddenly thrust rootkits from relative obscurity to a position of prominence. Until the recent publicity barrage, rootkits had commanded little attention and had been implicated in a relatively small percentage of malware infestations. They were considered more of an intriguing but rarely encountered curiosity than an imminent threat. Enter the Sony rootkit exposé on October 31, 2005 — and suddenly rootkits took center stage. The Sony rootkit controversy has not only heightened public awareness, but it has also spurred the development of new rootkit technology and research. These days, rootkits are regarded as a real and growing potential threat — and the security community has responded to this upgraded threat accordingly. This unfolding scenario was bound to happen. As security vendors provided increasingly better solutions to combat nearly every type of pest, malware writers responded by creating a stealthier and more tenacious breed of malware. Your basic Catch-22 scenario has developed.
These new exploits are designed to outfox today’s highly refined malware detection and removal programs. By embracing rootkits and their stealthy capabilities, cybercriminals have found a “new and improved” way to launch an attack. Stealth programs and rootkits represent a looming threat and the tide of the future. In fact, eWeek’s December 6, 2005 issue reported that “More than 20 percent of all malware removed from Windows XP SP2 (Service Pack 2) systems are stealth rootkits, according to a senior official in Microsoft Corp.’s security unit.” A more recent paper by the Microsoft Anti-malware Team entitled “Windows Malicious Software Removal Tool: Progress Made, Trends Observed,” published on 6/12/2006, reports a more modest rootkit incidence of 14 percent. When the Sony DRM WinNT/F4IRootkit is factored out, the figure drops to only 8 percent. Before you jump with joy over the apparent decrease in rootkit prevalence, let’s put this in perspective. The June 2006 statistics represent incident rates on Windows 2000, Windows XP, and Windows Server 2003 computers, as opposed to only the extremely popular Windows XP SP2 platform. This would tend to lower the 2006 figures. The December 2005 statistics are not adjusted to exclude the Sony DRM rootkit and were released soon after its public discovery. It is likely that more computers were affected by the Sony DRM rootkit at that time, and that would inflate the 2005 figures. Microsoft has taken this threat very seriously. Apart from its rootkit tools (currently in development), it has incorporated rootkit detection and removal into a handy program called the Malicious Software Removal Tool (MSRT). A newly updated MSRT is delivered along with Windows updates every month — and it silently scans in the background for several commonly encountered rootkits. (Trying to root them out, so to speak.) In addition to rootkits, the MSRT also scans for some of the most pernicious and prevalent backdoor trojans and worms that are known to be out there.
New Technologies, New Dangers

If you’re like most of us, you may have faced many of the threats out there in cyberspace, putting security measures in place to protect your system from intrusion (and to remove any malware that does find a way to get in). It’s true that many tools perform this function quite successfully when used in combination. But the fact that you’re reading this book indicates that you may not be content with those security measures — or even confident that they’re protecting you. If that’s the case, you’re right to be concerned. With the appearance of rootkits on the scene, none of the brilliant tools developed for recognizing and removing malware threats can perform this function accurately. A rootkit can blind traditional security tools to the presence of malware programs, letting the invaders function unimpeded. If a rootkit makes its way into your system, conventional software scanners may still go about their business in the normal manner — scanning memory, processes, and Registry hives, producing scan results that smugly claim, “no infection found.” The operating system is changed or tricked by the rootkit into reporting false results. In the end, both the scanners and the users are deceived. We can help you see past a rootkit’s trickery. Rootkits not only hide themselves, they also hide their malware-associated processes, files, Registry entries (on Windows systems), and ports. This malware-hiding capability is what makes rootkits so dangerous — and it is their whole reason for being. A rootkit, in and of itself, does not present a danger — it just makes danger easier. It only becomes dangerous when it is used to conceal illicit activity — or if it is exploited by other malware programs that seek to conceal their presence. But even though the rootkit serves to hide the activities and infected components installed on a system — as well as itself — all is not lost. Luckily, rootkits have not yet reached the level of sophistication required to completely dupe all scanners. By understanding what rootkits are and how they work, you become better prepared to protect your computer or network from this security threat. The following sections explore these topics in more detail.
No operating system is immune

Rootkits are very platform-specific. Although Windows systems are by far their most frequent targets, rootkits were first developed on Unix systems. That is where the term comes from: root (administrative) access and kit (a Unix break-in tool). Linux, of course, is a derivative of Unix — so it has its own (smaller) subset of rootkits. You should also know that Mac OS X has a rootkit on record (see www.theregister.co.uk/2004/10/25/mac_rootkit_opener/). Typically, malware writers invest their time writing programs that attack whichever platforms can reap them the most benefit — whether that means bragging rights (as in the early days) or illicit financial gain. No wonder so many malware programs are written for the popular Windows XP and Windows 2003 platforms — they get maximum exposure. Although malware writers usually won’t waste their time writing for outdated Windows platforms or unpopular operating systems, any platform can attract their unwelcome attention by becoming more widely used.
Why do rootkits exist?

As with many technological developments, rootkits have both good and bad uses. A rootkit by itself works like a hidden empty safe or vault. What matters is not the container itself, but whether it’s ultimately used to store (so to speak) diamonds or vials of anthrax. A rootkit can hide a legitimate backup image of your operating system so your system can recover if it crashes — or the same little cache can tuck away a backdoor trojan. Although what’s in a rootkit is of primary importance, there are ethical considerations at work. Legitimate uses for rootkits do exist — but many computer users oppose any use of a rootkit, regardless of whether its purpose is beneficial (whitehat) or malicious (blackhat). Some users object strenuously — and understandably — to anything being hidden from them on their own systems. There is an even more compelling reason to object to including a rootkit of any kind — even a whitehat rootkit — in a program. Once a rootkit is known to exist, malware writers see it as an opportunity: they’ll attempt to exploit its powers of concealment for their own benefit. Thus even whitehat rootkits pose a potential risk, which is why they’re met with such criticism. A better technique is to employ encryption to ensure that critical data remains inaccessible and unaltered. Any rootkit, regardless of its intended purpose, may be exploited by the bad guys to invisibly compromise a system. All these efforts are aimed at hiding the presence of the intruder and the rootkit itself. Just as a thief who steals your wallet does not want to get caught, cyber criminals also try to maintain a low profile, so they can operate under a shroud of concealment.
Some deliver puppet masters

One common goal of a blackhat rootkit is to install a puppet master — to conceal a worm or trojan that takes over your computer and makes it a willing workhorse for malicious purposes. The usual technique is to hijack and secretly maintain an open port that functions as a hidden backdoor, facilitating information transfer to and from your computer. Because the rootkit provides a shield of secrecy, such operations proceed stealthily and without interference. Your computer may have been recruited in such a manner to perform any (or all!) of the following dastardly deeds:
Launching Distributed Denial of Service attacks (DDoS) (or Night of the Cyber Dead): The blackhat hacker may be recruiting your computer as a zombie or an unwitting accomplice to conduct a DDoS or Distributed Denial of Service attack on another system or network server. The object of a DDoS attack is to bombard a system or network with so much traffic that it becomes inaccessible to legitimate users. Computers are normally recruited en masse to launch a successful DDoS attack — all without the users’ knowledge. Broadband subscribers who have “always-on” connections are particularly vulnerable to becoming members of the cyber-zombie army. Successful DDoS attacks have been launched against Microsoft.com, Apple.com, Yahoo, eBay, Amazon.com, and the Million Dollar Homepage (www.milliondollarhomepage.com/), to name only a few.
Sending spam e-mail: An infected computer may be used to launch e-mail spam attacks against targeted computers by sending out a multitude of unsolicited e-mails. The zombie computer owner gets blamed for spamming, and the true source of the spam remains anonymous. Many zombie computer owners have no idea their systems are being used for such illicit purposes — and their first wake-up call may come in the form of a letter from their Internet Service Provider (ISP) that threatens them with suspension of service for spamming.
Hosting and distributing illegal material: A rootkit may be used to conceal the fact that your computer has been recruited to store and distribute illegal or pirated content. Such content might include music or video libraries, or even criminal pornographic materials. Storing the content on the hard drive of a recruited victim’s computer kills two birds with one stone: it enables the true content provider to conserve their own hardware resources, but more importantly it enables them to dispense criminal content with little risk of being identified or prosecuted. This is because the evidence resides on the compromised system, not their own.
Some are just spies
Rootkits that act as spies enable keyloggers and packet-sniffers — programs that hide on a user’s system and (respectively) log the user’s every keystroke and inspect the data transmitted to or from the user’s system or network — to do their dirty work. Privacy? Forget it. And it gets worse...
Breaking the bank: Keystroke logs can be correlated with Web page visits to aid in the extraction of private and sensitive data such as bank login information, credit card numbers, and the like. This information can then be transferred remotely to the bad guys’ computer and used to conduct criminal financial transactions or commit identity theft. A rootkit is an ideal hacking tool because it allows an intruder to maintain a connection that cannot be detected by the user. This enables data transfer to progress without interruption.
Harvesting your habits: Another less insidious — but very annoying — form of spying is practiced by adware companies; at least one of them is known to employ a rootkit to prevent the removal of its software (if you can’t find it, you can’t remove it). The collection and transmission of information that reveals a user’s browsing habits is very valuable to commercial adware companies. This type of spying allows the companies to serve up targeted pop-up advertisements that are custom-selected to appeal to the user. The now-discontinued Apropos rootkit (distributed by the adware company ContextPlus, Inc.) performs this function — and frequently churns out new variants to dodge current removal techniques. Just when we thought it was safe to go back in the water, a new and even more devious adware rootkit has emerged — as if to take the place of the retired Apropos rootkit. Certain variants of Link Optimizer adware can be installed by the Gromozon rootkit, which arrives via a WMF (Windows MetaFile) exploit (on unpatched computers). This infection is extremely difficult to remove, and it utilizes other sneaky techniques besides rootkit technology to ensure its survival. For more information on this threat, please refer to the following description provided by Symantec, entitled “Gromozon.com and Italian spaghetti,” and available at www.symantec.com/enterprise/security_response/weblog/2006/08/gromozoncom_and_italian_spaghe.html.
Sniffing the goods: A sniffer is a common rootkit snooping tool that an intruder can install to capture all data transmitted over a network. Though network administrators may have legitimate uses for sniffers, a blackhat hacker uses a sniffer with a more devious intent. The captured data can be saved and analyzed to extract user login information. These stolen passwords are very valuable to an intruder, allowing an attacker to log on remotely and take anything the network has to offer — at the stolen password’s privilege level. In this manner, an attacker can penetrate the network, access files, and retrieve all sorts of confidential and potentially valuable information.