Understanding Rootkits

A rootkit is a type of program often used to hide utilities on a compromised system. Rootkits include so-called backdoors to help an attacker subsequently access the system more easily. For example, the rootkit may hide an application that spawns a shell when the attacker connects to a particular network port on the system. A backdoor may also allow processes started by a nonprivileged user to execute functions normally reserved for the administrator. A rootkit is frequently used to allow the programmer of the rootkit to see and access usernames and log-in information for sites that require them.
There are several types of rootkits, including the following:
  • Kernel-Level Rootkits Kernel-level rootkits add code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as loadable kernel modules in Linux or device drivers in Windows. Kernel-level rootkits are especially dangerous because they can be difficult to detect without appropriate software.
  • Library-Level Rootkits Library-level rootkits commonly patch, hook, or replace system calls with versions that hide information that might allow the hacker to be identified.
  • Application-Level Rootkits Application-level rootkits may replace regular application binaries with Trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
In the following sections, we'll explore the process of infecting a system with a rootkit.

Planting Rootkits on Windows 2000 and XP Machines

The Windows NT/2000 rootkit is built as a kernel-mode driver, which can be dynamically loaded at runtime. The rootkit runs with system privileges at the core of the NT kernel, so it has access to all the resources of the operating system. The rootkit can also hide processes, hide files, hide Registry entries, intercept keystrokes typed at the system console, issue a debug interrupt to cause a blue screen of death, and redirect EXE files.
The rootkit contains a kernel mode device driver called _root_.sys and a launcher program called DEPLOY.EXE. After gaining access to the target system, the attacker copies _root_.sys and DEPLOY.EXE onto the target system and executes DEPLOY.EXE. Doing so installs the rootkit device driver and starts it. The attacker later deletesDEPLOY.EXE from the target machine. The attacker can then stop and restart the rootkit at will by using the commands net stop _root_ and net start _root_. Once the rootkit is started, the file _root_.sys no longer appears in directory listings; the rootkit intercepts system calls for file listings and hides all files beginning with _root_from display.

Rootkit Embedded TCP/IP Stack

A new feature of the Windows NT/2000 rootkit is a stateless TCP/IP stack. It works by determining the state of the connection based on the data in the incoming packet. The rootkit has a hard-coded IP address ( to which it will respond. The rootkit uses raw Ethernet connections to the system's network card, so it's very powerful. The target port doesn't matter; a hacker can telnet to any port on the system. In addition, multiple people can log into the rootkit at once.

Rootkit Countermeasures

All rootkits require administrator access to the target system, so password security is critical. If you detect a rootkit, you should back up critical data and reinstall the operating system and applications from a trusted source. The administrator should also keep available a well-documented automated installation procedure and trusted restoration media.
Another countermeasure is to use the MD5 checksum utility. The MD5 checksum for a file is a 128-bit value, something like the file's fingerprint. (There is a small possibility of getting two identical checksums for two different files.) This algorithm is designed so that changing even one bit in the file data causes a different checksum value. This feature can be useful for comparing files and ensuring their integrity. Another good feature is the checksum's fixed length, regardless of the size of the source file.
The MD5 checksum makes sure a file hasn't changed. This can be useful in checking file integrity if a rootkit has been found on a system. Tools such as Tripwire implement MD5 checksums to identify files affected by the rootkit.

No comments:

Post a Comment

Popular Posts