1. What is a rootkit?
Breaking the term rootkit into its two component words, root and kit: root is the UNIX/Linux equivalent of Administrator in Windows, while kit denotes a set of programs that allow someone to obtain root/admin-level access to a computer by executing them -- all without the end user's knowledge.
2. Why use a rootkit?
Rootkits have two functions: remote command and control (a back door) and software eavesdropping. They allow someone, legitimate or otherwise, to administratively control a computer: executing files, accessing logs, monitoring user activity, and even changing the computer's configuration. This surprises most people, who consider rootkits to be solely malware, but in and of themselves they aren't malicious at all.
One famous (or infamous, depending on your viewpoint) example of rootkit use was Sony BMG's attempt to prevent copyright violations. Sony BMG didn't tell anyone that it placed DRM software on home computers when certain CDs were played. On a scary note, the rootkit hiding technique Sony used was so good that not one antivirus or anti-spyware application detected it.
3. How do rootkits propagate?
Rootkits can't propagate by themselves, and that fact has created a great deal of confusion. In reality, rootkits are just one component of what is called a blended threat, which typically consists of three snippets of code: a dropper, a loader and the rootkit itself.
The dropper is the code that gets the rootkit's installation started. Activating the dropper usually entails human intervention, such as clicking on a malicious email link. Once active, the loader uses a buffer overflow to load the rootkit into memory.
4. User-mode rootkits
There are several types of rootkits; the simplest is the user-mode rootkit. This type runs on the computer with administrative privileges, which allows it to alter security settings and hide processes, files, system drivers, network ports, and even system services. It remains installed on the infected computer by copying the required files to the computer's hard drive and automatically launching with every system boot.
Sadly, user-mode rootkits are the only type that antivirus/anti-spyware applications even have a chance of detecting.
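The hiding described above is what "cross-view" detection targets, and it is the idea behind the RootkitRevealer tool named later in this post: enumerate the same objects through two independent paths and report whatever the normal (hookable) path omits. The following Python is an added example of mine, not code from the post or from any tool it names. The set comparison works on any two views; the Linux helpers assume a Linux host with /proc mounted and use signal 0 to probe for process existence, which delivers no signal. All function names are my own.

```python
import os


def cross_view_diff(high_level, low_level):
    """Compare two views of the same object set.

    high_level: ids as reported by the normal API that a user-mode rootkit can hook
    low_level:  ids found by an independent path the hook does not cover
    Returns (hidden, phantom): hidden = present only in the low-level view (the
    rootkit signature); phantom = present only in the high-level view (usually a
    race: the object went away between the two enumerations).
    """
    high, low = set(high_level), set(low_level)
    return low - high, high - low


def pids_from_proc_listing():
    """High-level view: PIDs that appear as /proc directory entries (what ps reads)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _is_process(pid):
    # kill(tid, 0) also succeeds for thread ids, so keep only thread-group leaders.
    # /proc/<pid>/status is reachable by path even when the entry is hidden from listing.
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False  # task vanished between the probe and this read
    return False


def pids_from_kill_probe(max_pid=None):
    """Low-level view: probe every possible PID with signal 0 instead of asking for a list."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # ESRCH: no such task
        except PermissionError:
            pass  # EPERM: the task exists but belongs to another user
        if _is_process(pid):
            found.add(pid)
    return found


def find_hidden_pids():
    """Report PIDs the probe finds that the directory listing omitted both before and after."""
    before = pids_from_proc_listing()
    probed = pids_from_kill_probe()
    after = pids_from_proc_listing()
    hidden, _phantom = cross_view_diff(before | after, probed)
    return hidden


if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

A PID that shows up once may be a short-lived process created during the probe; rerun and treat only a repeat hit as a finding. The check also runs on the suspect host itself, so a kernel-mode rootkit that filters the system call path can lie to both views at once, which is the post's point that the OS can no longer be trusted; an inspection from a clean boot medium is the answer to that case.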
5. Kernel-mode rootkit
Malware developers are a savvy bunch. Realizing that rootkits running in user mode can be found by rootkit detection software running in kernel mode, they developed kernel-mode rootkits, placing the rootkit on the same level as the OS and the rootkit detection software. Simply put, the OS can no longer be trusted.
Instability is the one downfall of a kernel-mode rootkit. If you notice your computer blue-screening (BSOD) for reasons other than the usual ones, it might just be a kernel-mode rootkit.
6. User-mode/Kernel-mode hybrid rootkit
Rootkit developers, wanting the best of both worlds, developed a hybrid rootkit that combines user-mode characteristics (easy to use and stable) with kernel-mode characteristics (stealthy). The hybrid approach is very successful and is the most popular kind of rootkit nowadays.
7. Firmware rootkits
This type of rootkit can be any of the other types with an added twist: the rootkit can hide in firmware while the computer is shut down. Restart the computer, and the rootkit reinstalls itself. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.
8. Virtual rootkits
Virtual rootkits are a fairly new and innovative approach. A virtual rootkit acts like a software implementation of a hardware set, in a manner similar to that used by VMware. This technology has elicited a great deal of apprehension, as virtual rootkits are almost invisible. Blue Pill is one example of this type of rootkit. To the best of my knowledge, researchers haven't found virtual rootkits in the wild. Ironically, this is because virtual rootkits are complex and the other types are working so well.
9. Generic symptoms of rootkit infestation
Rootkits are frustrating. By design, it is difficult to know whether they are installed on a computer. Even experts have a hard time, but they hint that installed rootkits should get the same consideration as other possible reasons for any decrease in OS efficiency. Here's a list of noteworthy symptoms:
- If the computer locks up or fails to respond to any kind of input from the mouse or keyboard, it could be due to an installed kernel-mode rootkit.
- Settings in Windows change without permission. Examples of this could be the screensaver changing or the taskbar hiding itself.
- Web pages or network activities appear to be intermittent or function improperly due to excessive network traffic.
If the rootkit is working correctly, most of these symptoms aren’t going to be noticeable. By definition, good rootkits are stealthy. The last symptom (network slowdown) should be the one that raises a flag. Rootkits can’t hide traffic increases, especially if the computer is acting as a spam relay or participating in a DDoS attack.
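Since traffic volume is the one symptom the rootkit cannot hide, here is an added Python example (mine, not from the post) of turning periodic byte-counter readings into per-interval rates and flagging a jump that stays well above a learned baseline. The counter readings in SAMPLES are constructed for the example; the function names, the median-based baseline and the thresholds are my own choices.

```python
from statistics import median

# Constructed readings of a host's cumulative transmitted-bytes counter, taken
# once a minute: seven quiet intervals (about 3 MB/min), then a jump to roughly
# 60 MB/min, the kind of sustained outbound flood a spam relay or DDoS node produces.
SAMPLES = [
    (0, 0),
    (60, 2_900_000),
    (120, 6_100_000),
    (180, 9_000_000),
    (240, 12_200_000),
    (300, 15_000_000),
    (360, 18_100_000),
    (420, 21_000_000),
    (480, 81_000_000),
    (540, 142_000_000),
    (600, 200_000_000),
    (660, 261_000_000),
]


def interval_rates(samples):
    """Convert cumulative (t_seconds, byte_count) readings into bytes/second per interval."""
    rates = []
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        delta = b1 - b0
        if delta < 0:
            continue  # counter wrapped or the interface was reset; drop the interval
        rates.append(delta / (t1 - t0))
    return rates


def flag_sustained_increase(rates, baseline_n=5, factor=10.0, min_run=3, min_bps=10_000):
    """Learn a baseline from the first baseline_n intervals and return the index of the
    first interval that starts a run of min_run consecutive intervals above the threshold.

    The median is used so one burst during learning does not inflate the baseline, and
    min_bps keeps an idle host (baseline near zero) from flagging on any traffic at all.
    Returns None when no sustained increase is present.
    """
    if len(rates) <= baseline_n:
        return None
    threshold = max(factor * median(rates[:baseline_n]), min_bps)
    run = 0
    for i in range(baseline_n, len(rates)):
        run = run + 1 if rates[i] > threshold else 0
        if run == min_run:
            return i - min_run + 1
    return None


if __name__ == "__main__":
    rates = interval_rates(SAMPLES)
    start = flag_sustained_increase(rates)
    if start is None:
        print("no sustained increase")
    else:
        print(f"sustained outbound increase from t={SAMPLES[start][0]}s: {rates[start]:.0f} B/s")
```

Feed this with counters read from a switch port, a SPAN/tap or a flow collector rather than from the suspect host's own interface statistics: the host may be lying, but the network beside it is not.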
10. Polymorphism
Polymorphism is an amazing technology that makes rootkits difficult to find. Polymorphic techniques allow malware such as rootkits to rewrite their core assembly code, which makes signature-based antivirus/anti-spyware defenses useless. Polymorphism even gives behavior-based (heuristic) defenses a great deal of trouble. The only hope of finding rootkits that use polymorphism is technology that looks deep into the operating system and then compares the results to a known-good baseline of the system.
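The "compare to a known-good baseline" approach in the paragraph above, as an added Python example that is not from the post or from any of the tools it names: record a fingerprint (SHA-256, size and permission bits) for every regular file under a directory, save it, and later diff the current state against it. Because it compares attributes rather than content patterns, a polymorphic rewrite of a binary still shows up as a changed hash. The function names and the JSON store format are my own.

```python
import hashlib
import json
import os
import stat


def fingerprint_bytes(data, mode=0):
    """Attributes recorded per file: content hash, size and permission bits.
    Kept separate from the disk reader so the comparison logic can be exercised on in-memory data."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "mode": mode}


def fingerprint_file(path, chunk=1 << 20):
    """Same attributes for a file on disk, hashed in chunks so large binaries need not fit in memory."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root.
    Symlinks are skipped so a planted link cannot steer the scan toward a benign target."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            baseline[os.path.relpath(path, root)] = fingerprint_file(path)
    return baseline


def compare_baselines(known_good, current):
    """Classify paths as added, removed or modified relative to the baseline.
    Any attribute change counts: a binary with unchanged bytes that gained the setuid bit is reported."""
    old_paths, new_paths = set(known_good), set(current)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if known_good[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys

    # usage: python baseline.py init|check <root> <baseline.json>
    action, root, store = sys.argv[1:4]
    if action == "init":
        save_baseline(build_baseline(root), store)
    else:
        report = compare_baselines(load_baseline(store), build_baseline(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
```

Take the baseline when the system is known clean (ideally right after installation) and keep the JSON store off the host or on read-only media, since anything with admin rights on the machine can rewrite a local copy. Run the check from a clean boot medium when a kernel-mode rootkit is suspected: a rootkit that filters file reads can hand the scanner the original bytes while the running system executes the modified ones.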
11. Detection and Removal
Be sure to keep antivirus/anti-spyware software (and in fact, every software component of the computer) up to date. That will go a long way toward keeping malware away. Keeping everything current is hard, but a tool such as Secunia’s Vulnerability Scanning program can help.
Detection and removal depend on the sophistication of the rootkit. If the rootkit is of the user-mode variety, any one of the following rootkit removal tools will most likely work:
- F-Secure Blacklight
- RootkitRevealer
- Windows Malicious Software Removal Tool
- Process Guard
- Rootkit Hunter (Linux and BSD)