ALL ABOUT MALWARE
- Rootkits -
Introduction: Hey Guys, welcome to this tutorial. Well, I planned to make a series about malware. In my threads I will explain how they work, what they are, and how you can protect yourself from the type of malware I discuss in the thread. Well, in this thread I would like to explain everything I know about rootkits. I hope I can help you with this tutorial and that you will learn something from it ;) Enjoy!
Definition:
A rootkit is a stealthy type of malware used to hide processes, files, programs and registry keys from the user and from security software. It may be installed automatically by a dropper, or by hand by an attacker who already has access to the victim's computer. Once root/Administrator privileges are obtained, the rootkit's job is to hide something: itself, a payload, or the attacker's activity. A rootkit is not an exploit! It does not break into the system; it keeps control of a system that has already been compromised. Because it runs with full privileges it can modify almost anything, including the operating system itself.
How does a rootkit work?
To explain how a rootkit works, I first need to explain how an application normally works on your computer. Let's take a simple clock application as an example.
The clock shows you the current time.
To do that, the clock has to get the time from the system. But the clock is not allowed to touch the system clock directly. Instead it asks Windows, or more precisely the API (Application Programming Interface): the clock calls an API function to get the time, the API (eventually through a system call into the kernel) reads the system clock, and the result travels back the same way.
The system gives us the response over the API and our clock application can tell us the current time.
Every normal user-mode application works like that, without exception: it never reads hardware or kernel data directly, it always goes through the API. That is exactly what makes the API such an attractive place for a rootkit to sit.
Another example:
After clicking a folder we can see what files are in it. It works the same way as above.
Our explorer wants to know what files are on C:\ so it asks the API (on Windows this is the file enumeration API, FindFirstFile/FindNextFile). The API asks the system to list all files on C:\.
The system gives the response back over the API and our explorer can display all files on C:\.
Now let's see what happens when our system is infected with a rootkit. We take the same example as before, where the explorer displays the files on C:\.
(The red bug in the image is the rootkit)
The rootkit does just one thing at startup: it modifies the Enum-Files API. It overwrites the first bytes of the function with a "Jump-Point" (a jump instruction, also called an inline hook or detour) that sends every caller to the rootkit's own code first. (The "Jump-Point" is the red area at the API.)
Now our explorer wants to display the files on C:\, so it calls the Enum-Files API as usual. But the Enum-Files API now starts with the rootkit's Jump-Point, so the call does not reach the real system function; it lands in one of the rootkit's DLLs instead.
The rootkit DLL then calls the real Enum-Files function itself, and the real function returns the complete list of all files on C:\.
In that list we can see all the files, including the one named "Virus.exe".
This is the file the rootkit wants to hide from the user and from the antivirus software, so it deletes Virus.exe from the list. (It does not delete the file itself; it only removes the entry from the list.)
The filtered list without Virus.exe then goes back to the explorer as if it had come straight from the API. The explorer displays all files, but NOT the Virus.exe file!
I hope you now understand how a rootkit works in general.
The same thing happens when your antivirus software scans your computer. If the computer is infected with a rootkit, the scanner asks the same hooked API for the file list, gets the already filtered list, and therefore never sees the rootkit's files. The scanner is not broken; it is simply being lied to by the layer it depends on.
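To make the Jump-Point and the filtered list concrete, here is an added example (my own illustration, not code from the original thread and not a real Windows hook): the Enum-Files API is stood in for by a function pointer, the way a program reaches it through its import table, and the rootkit's "Jump-Point" is the act of redirecting that pointer to its own function, which calls the real one and strips "Virus.exe" from the result. The directory contents are constructed sample data; the function and file names are mine.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define NAME_LEN    64

/* Signature of the "Enum-Files API": fills out[] with names, returns the count. */
typedef int (*enum_files_fn)(const char *path, char out[][NAME_LEN], int max);

/* Constructed sample contents of C:\ (not real data). The payload is on disk. */
static const char *const DISK[] = {
    "Windows", "Program Files", "pagefile.sys", "Virus.exe", "Users"
};
#define DISK_COUNT ((int)(sizeof DISK / sizeof DISK[0]))

/* The real system function: returns every entry, payload included. */
static int real_enum_files(const char *path, char out[][NAME_LEN], int max)
{
    int n = 0;
    (void)path;                          /* only one constructed directory */
    for (int i = 0; i < DISK_COUNT && n < max; i++) {
        strncpy(out[n], DISK[i], NAME_LEN - 1);
        out[n][NAME_LEN - 1] = '\0';
        n++;
    }
    return n;
}

/* The rootkit's replacement: a pass-through filter. It calls the real
 * function, then removes the one entry it wants hidden. The file itself
 * is untouched; only the list entry disappears. */
static int hooked_enum_files(const char *path, char out[][NAME_LEN], int max)
{
    int n = real_enum_files(path, out, max);     /* get the honest list */
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(out[i], "Virus.exe") == 0)
            continue;                            /* drop only the list entry */
        if (kept != i)
            memcpy(out[kept], out[i], NAME_LEN);
        kept++;
    }
    return kept;                                 /* shorter list, looks normal */
}

/* The slot every caller goes through (stand-in for the import table entry
 * or the function's first bytes). On a clean system it points at the real code. */
static enum_files_fn api_enum_files = real_enum_files;

/* Installing the "Jump-Point" is just redirecting the slot. Both return 1 on success. */
int rootkit_install(void) { api_enum_files = hooked_enum_files; return api_enum_files == hooked_enum_files; }
int rootkit_remove(void)  { api_enum_files = real_enum_files;   return api_enum_files == real_enum_files; }

/* What the explorer (or an antivirus using the same API) sees. */
int visible_count(void)
{
    char list[MAX_ENTRIES][NAME_LEN];
    return api_enum_files("C:\\", list, MAX_ENTRIES);
}

int is_visible(const char *name)
{
    char list[MAX_ENTRIES][NAME_LEN];
    int n = api_enum_files("C:\\", list, MAX_ENTRIES);
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Cheap integrity check a defender would add: is the slot still pointing
 * where it should? Real hook detectors compare function bytes or pointers
 * against a known-good copy in the same spirit. */
int api_is_hooked(void) { return api_enum_files != real_enum_files; }

int main(void)
{
    printf("clean system: %d entries, Virus.exe visible=%d, hooked=%d\n",
           visible_count(), is_visible("Virus.exe"), api_is_hooked());
    rootkit_install();
    printf("with rootkit: %d entries, Virus.exe visible=%d, hooked=%d\n",
           visible_count(), is_visible("Virus.exe"), api_is_hooked());
    rootkit_remove();
    return 0;
}
```

Note that the explorer never changes: it calls the same slot before and after the infection, which is why the filtered list looks completely normal to it and to any scanner that uses the same API.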
Types of rootkits
There are different types of rootkits. Here is a list:
Kernel-based:
Kernel-based rootkits typically ship as loadable kernel modules or device drivers, so they run inside the operating system itself. Because they sit inside such central components, detecting them is difficult. A kernel-based rootkit patches the kernel's code and data structures to stay hidden and can manipulate every facet of the operating system; since it runs at the same privilege level as the kernel, nothing on the system is off limits to it. Detection names you will see for malicious kernel-based rootkits on Windows include TR/Rootkit.Gen, W32.Focelto.A and the Haxdoor family.
Application-based:
Application-based (user-mode) rootkits are pretty common. They find their way onto a computer with the installation or update of software such as word processors, graphics editors, games and other commonly used programs. They usually come as a library file that is loaded by the application (on Windows, a suspicious .DLL) and modify the application's behaviour to escape detection and do whatever they were written to do, for example intercepting API calls the way described above while capturing information on the system. Application-based rootkits are easier to deal with than the other types, because they run with ordinary user privileges and most system-protection software updates its definitions to cover them quickly.
Firmware-based:
A firmware-based rootkit is code designed to persist in a device through its firmware, the software stored on the device's own chips (for example the BIOS/UEFI of a PC or the firmware of a network device). A simple residential DSL router runs on firmware; if that firmware is compromised by a rootkit there is very little the owner can do to detect it from the device itself, and the damage can be enormous, since all the data you send and receive online passes through the router. A rootkit basically reaches the firmware in two ways: through a (legitimate or forged) firmware update, or before purchase, where somebody in the supply chain installs it before the device is sold.
Virtual:
Virtualized rootkits are very low-level threats. They modify the boot process so that the original operating system is started as a guest inside a thin hypervisor controlled by the rootkit. From there the rootkit sees every request the guest makes to the hardware and can capture or alter data without touching the guest OS at all. These rootkits are not common, but the technique has been demonstrated against both Windows and Linux, and both Microsoft and the Linux community are aware of it.
Source: Rootkit Types
The first rootkits:
Here is a short list of some of the first rootkits ever made for Windows:
Year 2000 – He4Hook
This tool was developed by a Russian programmer. It works in kernel mode and hides files. The author himself does not call it a rootkit.
Year 2002 – HackerDefender
HackerDefender is also a tool, but a far more powerful one. Through a configuration file you can make it hide files, processes, services and registry keys. It works mainly in user mode: it injects itself into running processes and hooks Windows API functions there (it also comes with a driver component).
Year 2003 – Vanquish
The tool Vanquish can also be used to hide files, directories, processes and registry keys. In addition it can record the passwords typed on a user's computer. This rootkit is user-mode based.
How to detect rootkits?
There are different methods of detecting rootkits, but none of them is perfect. As a normal user you will not find a well-hidden rootkit by looking around on the running system, because everything you look with (Explorer, Task Manager, regedit) asks the same hooked APIs. Even a good antivirus cannot give you 100% certainty from inside the infected system; what it can do are plausibility tests: ask the same question in two different ways and see whether the answers disagree.
Here are some methods most antivirus software uses to detect rootkits on a computer:
Alternative trusted medium:
The best and most reliable method for operating-system-level rootkit detection is to shut down the computer suspected of infection, and then check its storage by booting from an alternative trusted medium (e.g. a rescue CD-ROM or USB flash drive). The technique is effective because a rootkit cannot actively hide its presence if it is not running: the hooked API is simply not loaded, so the files are visible on disk. (It does not help against firmware rootkits, which are already running before the rescue medium boots.)
Behaviour method:
This method looks for rootkit behaviour, i.e. hooked APIs or other signs that something is hiding: function entry points that start with an unexpected jump, or a file list from the API that is shorter than what a direct read of the disk structures returns. Legitimate software (antivirus products themselves, debuggers, some copy-protection schemes) also hooks APIs, so this method has a high rate of false positives.
Signature based:
The signature-based method scans files and memory for byte patterns (signatures, fingerprints) of known rootkits. To make the signature reachable the scanner first has to get past the stealth, for example by reading the disk directly instead of through the API; if the rootkit tries to hide or unload itself during the scan, the signature of its driver or DLL on disk can still be found. That is why rootkit authors often build countermeasures into the rootkit, such as killing the antivirus process or service. Signatures only find rootkits that are already known; a new or modified one slips through.
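As an added example (not part of the original thread), here is the plausibility test behind the "alternative trusted medium" idea in code: compare what the live, possibly hooked system reported with what the same directory contains when the disk is read from a medium the rootkit is not running on. Both listings are constructed sample data with names I made up; in a real check the live view would come from the running system's API and the trusted view from the rescue medium's own file system driver.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data (not captured from a real machine).
 * LIVE_VIEW is what the running system's Enum-Files API reported;
 * TRUSTED_VIEW is the same directory as seen from a rescue medium,
 * where no rootkit hook is loaded. */
static const char *const LIVE_VIEW[] = {
    "Windows", "Program Files", "pagefile.sys", "Users"
};
static const char *const TRUSTED_VIEW[] = {
    "Windows", "Program Files", "pagefile.sys", "Virus.exe", "Users", "rk.sys"
};
#define COUNT(a) ((int)(sizeof (a) / sizeof (a)[0]))

static int in_list(const char *name, const char *const list[], int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return 1;
    return 0;
}

/* Cross-view diff: every name the trusted view has but the live view lacks
 * is being hidden from the running system. Writes up to max names into
 * hidden[] and returns the total number found (even beyond max). */
int find_hidden(const char *const live[], int nlive,
                const char *const trusted[], int ntrusted,
                const char *hidden[], int max)
{
    int found = 0;
    for (int i = 0; i < ntrusted; i++) {
        if (in_list(trusted[i], live, nlive))
            continue;                       /* visible both ways: fine */
        if (found < max)
            hidden[found] = trusted[i];
        found++;
    }
    return found;
}

/* The opposite direction is worth a look too: a name the live system shows
 * but the disk does not have means the two views were taken of different
 * states (files changed between snapshots) and the diff should be redone. */
int find_phantom(const char *const live[], int nlive,
                 const char *const trusted[], int ntrusted)
{
    int n = 0;
    for (int i = 0; i < nlive; i++)
        if (!in_list(live[i], trusted, ntrusted))
            n++;
    return n;
}

/* Convenience wrappers over the sample data. */
int sample_hidden_count(void)
{
    const char *hidden[8];
    return find_hidden(LIVE_VIEW, COUNT(LIVE_VIEW), TRUSTED_VIEW, COUNT(TRUSTED_VIEW), hidden, 8);
}

const char *sample_hidden_name(int idx)
{
    static const char *hidden[8];
    int n = find_hidden(LIVE_VIEW, COUNT(LIVE_VIEW), TRUSTED_VIEW, COUNT(TRUSTED_VIEW), hidden, 8);
    return (idx >= 0 && idx < n && idx < 8) ? hidden[idx] : NULL;
}

int sample_phantom_count(void)
{
    return find_phantom(LIVE_VIEW, COUNT(LIVE_VIEW), TRUSTED_VIEW, COUNT(TRUSTED_VIEW));
}

int main(void)
{
    const char *hidden[8];
    int n = find_hidden(LIVE_VIEW, COUNT(LIVE_VIEW), TRUSTED_VIEW, COUNT(TRUSTED_VIEW), hidden, 8);
    printf("%d entr%s hidden from the running system:\n", n, n == 1 ? "y" : "ies");
    for (int i = 0; i < n && i < 8; i++)
        printf("  %s\n", hidden[i]);
    return n > 0;   /* non-zero exit = suspicious, handy in a rescue-medium script */
}
```

The same comparison works for process lists (API view versus a walk of kernel structures) and registry keys (API view versus the hive file on disk); whatever the rootkit filters out of one view and not the other shows up in the diff. It finds rootkits that are unknown to any signature, but it only works if the trusted view really is trusted, which is why the section above insists on booting from a separate medium.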