Rootkits and Viruses
Note: the notes below are extracted from the resources listed at the bottom of this page...
What is a Rootkit
Malware (viruses, spyware, trojans) that hides itself (from spyware blockers, antivirus and system management tools) on your system.
Rootkits have two primary functions: remote command/control (back door) and software eavesdropping.
Rootkits allow someone, legitimate or otherwise, to administratively control a computer.
- Persistent rootkits: ones that are still there after reboots. They hide and persist by:
  - Hiding in the MBR
  - Hiding in file slack space
  - Interrupt hooks
  - Message hooks (hooking code between OS calls)
  - Bluepilling the machine (putting the running OS in a VM while the malware runs as the hypervisor)
  - Alternate Data Streams
- Memory-based rootkits: live in RAM and don't survive reboots.
- Rings: In Windows and Linux there is a distinction between code that is running in "user mode" and code that is running in "kernel mode" or "supervisor mode". Intel CPUs have modes of operation called rings which specify the type of instructions and memory available to the running code. There are four rings:
  - Ring 0 (also known as kernel mode) has full access to every resource. The Windows kernel runs in Ring 0. Code in Ring 0 can control or crash the whole system.
  - Rings 1 and 2 can be customized with levels of access but are generally unused.
  - Ring 3 (also known as user mode) has restricted access to resources. Windows user code, including code run by Administrators, runs in Ring 3. Code in Ring 3 can only corrupt what its user owns.
- User-mode rootkits: run with administrator privileges, in user space. (Windows discussion below.)
  - The Windows native API serves as the interface between user-mode clients and kernel-mode services.
  - Rootkits hide by altering Windows APIs. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results containing entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove those entries.
- Kernel-mode rootkits: can be even more powerful since, not only can they intercept the native API in kernel mode, they can also directly manipulate kernel-mode data structures. In Windows, a common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of that list, the malware process will not appear in process management tools like Task Manager or Process Explorer.
- Rootkit propagation: consists of a dropper (e.g. a malicious email with an exe), a loader (an exploit, e.g. a buffer overrun, that installs the rootkit), and the rootkit itself.
- Rootkit detection (in Windows, RootkitRevealer): Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.
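The cross-view idea above is not specific to Windows or to RootkitRevealer. As an added example (my own code, not RootkitRevealer's or Sysinternals'), here is the same principle applied to the process list on Linux: the high-level view is a directory listing of /proc (what ps and top rely on), the low-level view is asking the kernel about every PID individually with kill(pid, 0), which never passes through the directory listing. This also illustrates the user-mode and kernel-mode hiding discussion earlier on the page: a hook that filters one enumeration path cannot filter an independent one, so the hidden entries show up as a discrepancy. It assumes a Linux system with /proc mounted; the function names and the constructed sample data are mine.

```python
"""Cross-view detection of hidden entries (added example; not RootkitRevealer code).

A rootkit that filters the results of one enumeration API can only lie
through that API.  Taking the same inventory through an independent,
lower-level path and diffing the two views exposes what was removed.
"""
import os
from typing import Iterable, Optional, Set, Tuple, TypeVar

T = TypeVar("T")


def cross_view_diff(high_level: Iterable[T], low_level: Iterable[T]) -> Tuple[Set[T], Set[T]]:
    """Return (hidden, phantom) for two views of the same set of objects.

    hidden  : in the low-level view but missing from the high-level view,
              the signature of an API-filtering rootkit.
    phantom : only in the high-level view, e.g. an object created or removed
              between the two scans; a reason to rescan, not an indicator.
    """
    high = set(high_level)
    low = set(low_level)
    return low - high, high - low


def parse_tgid(status_text: str) -> Optional[int]:
    """Extract the Tgid field from the text of /proc/<pid>/status.

    Threads that are not their thread-group leader answer kill(tid, 0) but
    are not listed by readdir on /proc, so without this check every thread
    of a multithreaded process would look like a hidden process.
    """
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def listed_pids() -> Set[int]:
    """High-level view: PIDs reported by a directory listing of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid: int) -> Set[int]:
    """Low-level view: probe every PID with signal 0 (nothing is delivered).

    ProcessLookupError (ESRCH) means no such process; PermissionError
    (EPERM) means it exists but belongs to someone else, so it is present.
    """
    present = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        present.add(pid)
    return present


def hidden_processes() -> Set[int]:
    """PIDs the kernel answers for but the /proc listing does not show.

    Candidates that turn out to be threads of a listed process are dropped.
    Anything left is a discrepancy worth a manual look, not proof by itself.
    """
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    listed = listed_pids()
    hidden, _phantom = cross_view_diff(listed, probed_pids(max_pid))
    result = set()
    for pid in hidden:
        try:
            with open(f"/proc/{pid}/status") as fh:
                tgid = parse_tgid(fh.read())
        except OSError:
            # Either the process exited between the two scans (a race) or
            # its /proc entry is unreachable by path as well; re-probe to tell.
            try:
                os.kill(pid, 0)
            except ProcessLookupError:
                continue
            except PermissionError:
                pass
            result.add(pid)
            continue
        if tgid is not None and tgid in listed:
            continue  # an ordinary thread of a visible process
        result.add(pid)
    return result


if __name__ == "__main__":
    for pid in sorted(hidden_processes()):
        print(f"PID {pid} answers kill(pid, 0) but is absent from the /proc listing: investigate")
```

Run it as root for the fewest EPERM ambiguities; probing up to pid_max (often 4194304) takes a few seconds in Python. As with RootkitRevealer, a reported entry is a discrepancy between two views, and the race between the two scans or a thread-group subtlety is the usual benign explanation, so rescan before drawing conclusions. A kernel-mode rootkit that also intercepts the signal path would defeat this particular pair of views, which is why tools of this kind compare several independent views rather than one.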
References