Rootkits - making malware more powerful - part 1

Intro

This series of blog entries will examine the topic of rootkits , what they are, and how they work. Rootkits are a utility component to bots and other malware that provides stealth and protection for the malware. They are also the reason that makes malware very difficult to remove and sometimes detect. Therefore they are an important topic to explore as they apply to BOTs as well as other types of malware. This first part will examine what they are, why they exist and why they are a concern.

What are they?

Rootkits are not necessarily a new idea or technology, but like all software the techniques and goals have evolved over the years. Regarding strictly the terminology, a “root”-“kit” would be a collection or utilities, or a kit, which allows a user to obtain and manipulate root.

This definition, however, fails to accurately describe what a rootkit is and provides today. The basic purpose of a rootkit is to provide stealth. The idea of “root” is a unix-centric term that means privileged user. In Windows terminology this would be equivalent Administrator or Domain Admin access. So a better definition would be: a program or collection of programs that allows access and manipulation of low-level, privileged functionality on a target machine by a potentially unauthorized source. Including, but not limited to devices, kernel services and hardware.

Initially, rootkits were a collection of utilities installed on unix systems that allowed a user to modify the operation of the host that would either give the user root access or hide the fact that they have it. This technique would involve displacing common unix binaries like ps (list of processes), ls (list files), and netstat (network statistics) with the purpose being to hide the existence of malware or malicious activity. These utilities would be specially modified by the attacker so that when used they would not reveal details about the attacker’s activities or utilities. For example, ‘ls’ would work as it normally did but simply not report the entry ‘myrootkit’ which for all intents and purposes would make the file listing myrootkit invisible. Finding and removing a rootkit using these techniques are rather trivial with file-integrity software like Tripwire.

Today, rootkits are far more sophisticated and the term is more loosely applied to describe cloaking techniques and methods in general. Today’s rootkits come in five different flavors:

  • Application Level: These rootkits use techniques as described above that replace regular operating system binaries with fakes, modified, or patched binaries that modify the existing behavior of the said utilities.
  • Library Level: These rootkits are commonly a patch or hook, usually referred to as ‘user level hooks’, which replace or modify the functionality of system calls to the Operating System.
  • Kernel Level: These rootkits are much more sophisticated and leverage modular kernel technologies such as Loadable Kernel Modules or Device Drivers. This allows kernel data structures to be modified and code to be introduced in the kernel. This allows for unabated access to all resources controlled by the operating system.
  • Virtualized Level: These are the lowest level of rootkits currently produced and they work by modifying the boot sequence of the operating system. This allows the rootkit to be loaded first and then load the operating system as a Virtual Machine, and then all hardware calls made by the operating system can be intercepted and modified as desired.
  • Firmware Level: These rootkits use device or platform firmware to instantiate a persistent image of the malware. This allows the rootkit to hide within the firmware memories which are not often inspected for code integrity. A demonstration of this technique was created by John Heasman which created examples using ACPI and the PCI expansion ROM.

What are they used for, and why do they exist?

With DOS and Windows, a new type of software nuisance started to gain more and more prevalence called viruses. Viruses were a piece of software that was capable of replicating itself by writing itself into the boot process or files. As the sophistication of this ‘arms race’ matured between anti-virus vendors and virus writers, the idea of stealth was incorporated into viruses to attempt to hide their presence. The strategy being, the longer an infected host remained unidentified the longer it could continue to spread the infection. Most of the time however, viruses have some sort of narcissistic characteristic like deleting files or formatting drives. So the ultimate goal in many cases is to provide stealth until the payload can deploy and the rootkit was an incorporated piece of technology within the virus code base.

With the emergence of other types of malware like AdWare, Spyware, Spam/Phishing sites, and especially BOTs, stealth technology became decoupled and much more powerful. This is because the purpose of the malware has now changed. These classes of malware are not infrequently for narcissistic purposes and are more commonly seen for identity theft, fraud, espionage, and other crimes. Therefore, it is paramount after a system is compromised that the malware remain in tact and hidden from view. Suspicious processes, network activity and files would immediately indicate a problem with a system. Using rootkits, a compromised system is very difficult to liberate and it’s usually easier to format and reinstall.

Why should someone care?

Today the most prevalent malware in the wild, which means that it’s been identified on a user’s system, are not viruses. A breakdown of statistics a 2005 found that categorically Trojan horses were 57% of all incidents followed by AdWare which was 21%. Based on these numbers, it is evident that a large percentage of malware detected were not propagation capable. This means that the metastasis occurs in two stages: Malware is deployed first by an exploit, deception or viral component. Then ancillary utilities like rootkits, are downloaded and installed and instantiated.

Existing utilities like Antivirus are not well suited for this type of problem. In fact, in some cases antivirus has provided the exploit that allowed the initial malware to be installed. However, the largest problem is that rootkits are on the same privileged level, if not below, antivirus and other preventative measures. Malware having ‘root’ or ‘administrative’ control of a system is devastating and often the end of the system’s integrity unless wiped. In addition, these types of malware or ‘viruses’ usually propagates by means of a system exploit. Antivirus and other like utilities were not designed to handle that type of infection vector, and as discussed above this type of malware is now far more common.

Conclusions

  • The most prevalent malware is not easily detected by existing techniques or can be obfuscated to avoid detection.
  • This malware is hidden and made much more powerful by rootkit technology.
  • A compromised system can theoretically be cleaned by the process is very intensive and requires the skills of kernel debugging and intimate knowledge of kernel data structures. Therefore, a system wipe and rebuild is almost mandatory which requires more resources and time.
  • The modern classes of malware are not preoccupied with fame or ‘territory’; they are actually monetizing compromised resources and using them as a platform for other crimes and criminal behavior.
  • The latest threats, Bots and botnets, can involve the coordinated control of several thousand, and in some cases hundreds of thousands of systems. This sort of problem is unprecedented and is a dire problem to the security of businesses and government.
  • Using rootkits, these compromised systems can remain compromised for extended periods of time mounting very large to crippling damages to the businesses and owners of these systems.

References:

  • Brumley, David (1999-11-16). Invisible intruders: rootkits in practice. USENIX.
  • Implementing and Detecting an ACPI Rootkit, by John Heasman, presented at BlackHat Federal, 2006.
  • Implementing and Detecting a PCI Rootkit by John Heasman, 15 November, 2006.
  • Jamie Butler and Greg Hoglund. Rootkits: Subverting the Windows Kernel. Addison Wesley, 2005. ISBN 0-321-29431-9
  • Oleg Zaytsev, Rootkits, Spyware/adware, keyloggers and backdoors: Detection and Neutralization. 2007 ISBN 1-931769-591
  • Greg Hoglund, Gary McGraw. Exploiting Software: How to break code. ISBN 0-201-78695-8
  • Ric Veiler. Professional Rootkits. Wrox, 2007. ISBN 978-0-470-10154-4

Security Researcher: DH