Paypal

Wednesday, May 25, 2011

Rootkits

Bill Detwiler: Rootkits are a serious threat. Rootkit-based botnets unleash seas of spam, and the most dangerous rootkits allow attackers to steal corporate and individual financial information.
First of all, we need to understand what a rootkit is. A rootkit is a collection of programs that can give someone root or admin-level access to a computer.

With this access, someone (a legitimate administrator or intruder) can execute files, access logs, monitor user activity, and even change the computer's configuration. In the strictest sense, even versions of VNC are rootkits.
What makes rootkits particularly insidious is that they can be introduced without user consent or knowledge and may run undetected by antivirus or antispyware applications.
One famous example (or infamous, depending on your viewpoint) of rootkit use was Sony BMG's stealth DRM software installed without user knowledge in an attempt to stop music copyright violations.

Now that we know what we're fighting, let's examine how rootkits spread.
The second important rootkit fact you should know is that rootkits can't propagate by themselves.
Rootkits are just one component of what is called a blended threat, which typically consists of three snippets of code: a dropper, a loader, and a rootkit.
The dropper is the code that gets the rootkit's installation started, and usually requires human intervention, such as clicking on a malicious e-mail link. Once initiated, the dropper launches the loader program and then deletes itself. Once active, the loader typically causes a buffer overflow, which loads the rootkit into memory.
Blended threat malware gets its foot in the door through social engineering, exploiting known vulnerabilities, or even brute force. IM clients are particularly vulnerable; once a blended threat takes over a computer, it propagates itself by messaging malware to everyone in the contact list.

Another popular method is inserting the blended threat malware into rich-content files, such as PDF documents and getting unaware users to click on them.

Now that we know how they spread, let's talk about the different types of rootkits.
Rootkits come in several varieties -- some more common or dangerous than others.
First, there are user-mode rootkits that run on a computer with administrative privileges and are capable of altering security and hiding processes, files, system drivers, network ports, and even system services. These are the only type that can be routinely detected by antivirus or antispyware programs.

Kernel-mode rootkits are placed on the same level as the operating system and the antivirus software, making them harder to detect, although you might be tipped off by otherwise unexplainable blue screens and general system instability.

Hybrid types of both the user-mode and kernel-mode rootkits combine the stable characteristics of the former and the stealthiness of the latter.

Firmware rootkits can be any of the other types with an added twist: they can hide in firmware. Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, it will re-install itself.

Lastly, there are virtual rootkits, which can emulate virtual implementations of hardware sets, similar to the way VMware works. This kind hasn't been found in the wild yet, but the possibility is causing a lot of fear, as they would be almost invisible.

So how do you know if a rootkit has a hold of your computer or network? By their nature, rootkits are difficult to detect and may not raise obvious red flags, but you should definitely be suspicious if you notice any of these signs:
  1. First, if the computer locks up or fails to respond to any kind of input from the mouse or keyboard, it could be due to an installed kernel-mode rootkit.
  2. Second, look out for settings in Windows that change without your permission, such as the screensaver changing or the taskbar hiding itself.
  3. Third, you may notice that Web pages or network activities are intermittent or function improperly due to excessive network traffic.

If you suspect one of your machines has a rootkit, now what?
Unfortunately, detection and removal depends on the sophistication of the rootkit. If the rootkit is of the user-mode variety, tools like the following will most likely work:

• F-Secure Blacklight

• RootkitRevealer

• the Windows Malicious Software Removal Tool

• ProcessGuard

• Rootkit Hunter (for Linux and BSD users)

The problem with these tools is that you can't be 100-percent sure they've removed the rootkit.
Albeit more labor-intensive, using a bootable CD, such as BartPE, with an antivirus scanner will increase the chances of detecting a rootkit, simply because rootkits can't obscure their tracks when they aren't running. I'm afraid that the only way to know for sure is to have a clean computer, take a baseline, and then use an application like EnCase to check for any additional code.

Aside from these tools and techniques, you should always keep your operating system, antivirus/anti-spyware, and applications up to date. That will help keep the malware away. Also, avoid installing applications from dubious sources or clicking links in unsolicited e-mail.

I've just scratched the surface of rootkits. For more information, see Michael Kassner's original post, "10+ things you should know about rootkits." I'll link to it from the IT Dojo blog.
And as always, for more teachings on your path to becoming an IT Ninja, visit itdojo.techrepublic.com. And please let us know if this tip was helpful.
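The "take a baseline, then check for additional code" approach described in the tip can be illustrated with a small file-integrity check. The following is an added example, not part of Bill Detwiler's transcript and not EnCase or any other tool named above: it hashes every file under a directory tree into a baseline, stores the baseline as JSON (in practice you would keep it on read-only or removable media), and later compares a fresh scan against it to list added, removed and modified files. The sample directory, file contents and the simulated "trojaned binary, dropped driver, deleted config" changes are all constructed inside the script so it runs offline. The comparison scan is only trustworthy when the baseline was taken on a known-clean system and the later scan runs while the suspect operating system is not booted (for example from a live CD), for exactly the reason the tip gives: a rootkit that is not running cannot hide its files from the scanner.

```python
"""Baseline-and-compare file integrity check (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of files that appeared, vanished, or changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline.keys() & current.keys()
        if baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "etc.conf").write_bytes(b"key=value\n")

        # Baseline taken on the clean system; serialised as one would for offline storage.
        saved = json.dumps(take_baseline(root))

        # Constructed post-compromise state: replaced binary, new unknown driver,
        # and a deleted configuration file.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary (constructed)")
        (root / "bin" / "hidden.sys").write_bytes(b"unknown driver (constructed)")
        (root / "etc.conf").unlink()

        return compare(json.loads(saved), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything listed under "added" or "modified" in a system or driver directory that does not correspond to a patch you applied is what the tip calls "additional code" and deserves a closer look; "removed" entries matter too, since malware sometimes deletes logs or security configuration.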