Rootkits

What is a rootkit?

  • A rootkit is a collection of software put in place by an attacker that is designed to obscure system compromise

  • It is software that replaces or substitutes administrator utilities and capabilities with modified versions that obscure or hide malicious activity

  • They are designed to provide back doors for the attacker to use later and include ways to remove and hide evidence of any activity

  • Examples of rootkits

    • Horsepill

      • A Linux rootkit that lives inside the "initrd" and has three main parts

        • klibc-horsepill.patch — creates a new, malicious run-init

        • horsepill_setopt — moves command line arguments to the new malicious run-init

        • horsepill_infect — splats files

    • Grayfish

      • A Windows rootkit that injects code into the boot record

      • It creates its own virtual file system (VFS)

    • Sirefef

      • More like malware on steroids

      • Often called a multi-component family of malware

    • Azazel

    • Avatar

    • Necurs

    • ZeroAccess

What are the six types of rootkits?

  • Hypervisor level — these rootkits modify the boot sequence of the host system so that an attacker-controlled hypervisor loads first and the original OS runs as a virtual machine beneath it

  • Hardware (firmware) — hide in hardware devices or firmware

  • Boot loader level — replace the boot loader with one controlled by the hacker

  • Application level — replace valid application files with Trojan binaries. They work inside an application and can change the application's behavior, user rights level and actions.

  • Kernel level — attack the boot sectors and the kernel of the operating system itself, replacing kernel code with back-door code. These are the most dangerous and are hard to detect and remove.

  • Library level — Use system-level calls to hide their existence

What are protection rings in relation to rootkits?

  • Refers to concentric, hierarchical rings from the kernel out to the applications

  • Each has its own fault tolerance and security requirements

  • Rings

    • Ring 0 — kernel

    • Ring 1 — drivers

    • Ring 2 — libraries

    • Ring 3 — applications

Ways to detect rootkits

  • ECC suggests these commands; they tend to produce many false positives and do not detect all stealth software

    # Run these commands on the potentially infected system and save the results
    dir /s /b /ah
    dir /s /b /a-h

    # Boot a clean CD version, run the same commands against the same drive, and save those results too

  • Use WinDiff on both sets of results to reveal files the live system hides
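The WinDiff step above is a cross-view comparison: anything the clean-boot listing contains that the live system's own listing lacks is a candidate for rootkit hiding. The following Python script is an added example (not part of the original notes) that performs that comparison on saved `dir /s /b` output, normalizing case (NTFS is case-insensitive) and filtering per-boot noise such as the page file. The two listings and the driver name are constructed sample data; the noise list is an assumption to be tuned per system.

```python
"""Cross-view comparison of two `dir /s /b` listings (added example).

LIVE listing  = what the potentially compromised OS reports about its drive.
CLEAN listing = the same drive listed from trusted boot media.
Files the clean boot sees but the live system does not are the interesting set.
"""
from __future__ import annotations

import ntpath

# Files that legitimately differ between a live boot and an offline boot.
# Assumption for this example; extend it for your environment.
DEFAULT_NOISE = ("pagefile.sys", "hiberfil.sys", "swapfile.sys")

# Constructed sample listings (hidden and non-hidden output concatenated).
LIVE_LISTING = r"""
# dir /s /b /ah + dir /s /b /a-h on the live system
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\drivers\afd.sys
C:\pagefile.sys
"""

CLEAN_LISTING = r"""
# same commands from clean boot media, same drive
c:\windows\system32\drivers\ntfs.sys
c:\windows\system32\drivers\afd.sys
c:\windows\system32\drivers\placeholder_hidden.sys
c:\hiberfil.sys
"""


def parse_listing(text: str) -> set[str]:
    """Turn raw `dir /s /b` output into a set of normalized paths.

    Paths are lower-cased and slashes unified via ntpath.normcase, which
    behaves the same on any host OS; blank lines and `#` comments are skipped.
    """
    paths: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        paths.add(ntpath.normcase(line))
    return paths


def is_noise(path: str, noise: tuple[str, ...] = DEFAULT_NOISE) -> bool:
    """True for per-boot artifacts that should not be reported."""
    return ntpath.basename(path) in noise


def cross_view_diff(live_text: str, clean_text: str,
                    noise: tuple[str, ...] = DEFAULT_NOISE) -> dict[str, list[str]]:
    """Return paths hidden from the live view and paths only the live view shows."""
    live = parse_listing(live_text)
    clean = parse_listing(clean_text)
    hidden_from_live = sorted(p for p in clean - live if not is_noise(p, noise))
    only_in_live = sorted(p for p in live - clean if not is_noise(p, noise))
    return {"hidden_from_live": hidden_from_live, "only_in_live": only_in_live}


if __name__ == "__main__":
    report = cross_view_diff(LIVE_LISTING, CLEAN_LISTING)
    for key, paths in report.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("  ", p)
```

In practice the two listings are the saved output files from the notes' commands; `only_in_live` is usually noise (temporary files created after the snapshot), while `hidden_from_live` is the list to investigate, keeping in mind the false-positive caveat stated above.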

Other methods

  • Run integrity verifiers
