Rootkits
What is a rootkit?
A rootkit is a collection of software put in place by an attacker that is designed to obscure system compromise
It is software that replaces or substitutes administrator utilities and capabilities with modified versions that obscure or hide malicious activity
They are designed to provide back doors for the attacker to use later and include ways to remove and hide evidence of any activity
Examples of rootkits
Horsepill
A Linux rootkit that lives inside the "initrd" and has three main parts
klibc-horsepill.patch — creates a new, malicious run-init
horsepill_setopt — moves command line arguments to the new malicious run-init
horsepill_infect — splats files
Grayfish
A Windows rootkit that injects code into the boot record
It creates its own virtual file system (VFS)
Sirefef
More like malware on steroids
Often called a multi-component family of malware
Azazel
Avatar
Necurs
ZeroAccess
What are the six types of rootkits?
Hypervisor level — these rootkits modify the boot sequence of the host system to load a virtual machine as the host OS
Hardware (firmware) — hide in hardware devices or firmware
Boot loader level — replace the boot loader with one controlled by the hacker
Application level — directed to replace valid application files with Trojan binaries. They work inside an application and can change the application's behavior, user rights level and actions.
Kernel level — Attack the boot sectors and the kernel of the operating system itself, replacing kernel code with back-door code. These are the most dangerous and are hard to detect and remove.
Library level — Use system-level calls to hide their existence
What are protection rings in relation to rootkits?
Refers to concentric, hierarchical rings from the kernel out to the applications
Each has its own fault tolerance and security requirements
Rings
Ring 0 — kernel
Ring 1 — drivers
Ring 2 — libraries
Ring 3 — applications
Ways to detect rootkits
ECC provides these commands; they tend to produce a lot of false positives and do not detect all stealth software
Use WinDiff on both results to see any hidden malware
Other methods