
Rootkit -- An Intruder Living in your Kernel

Created: 16 Aug 2009 • Updated: 20 Aug 2009 | 11 comments
Vikram Kumar-SAV to SEP

What is a Rootkit?

When the term was coined, a rootkit meant a set of tools that gave administrative (root) access from a non-administrative or unauthorised account and kept all of that activity hidden from other users, on open-source operating systems such as Unix, Linux and Solaris. At that time the technique was used by legitimate, well-known applications. It was not long, however, before hackers exploited it.

Rootkits were largely unknown until they made their debut on the Windows platform in 1999, when the well-known security researcher Greg Hoglund (owner of rootkit.com, who has since moved to fasthorizon.blogspot.com) introduced NTRootkit on his blog; it was a proof-of-concept and training tool rather than a real threat. Later, Mark Russinovich of Sysinternals (now Microsoft) discovered the Sony Digital Rights Management (DRM) rootkit while scanning his home computer with his RootkitRevealer (RKR) tool. He made this public on 31 October 2005 in his blog post "Sony, Rootkits and Digital Rights Management Gone Too Far" (http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx).

Rootkits on the Windows platform did more than they ever did on UNIX and other open platforms. Because the Windows kernel is not well documented, hackers exploit every undocumented path they find, and this will continue: what is unknown to most is easily exploited by the few who do know it.

Whenever a vulnerability is found it is exploited by cyber criminals, and rootkits are one of the payloads of these exploits. The main intention of a rootkit is to open a backdoor so that the attacker has uninterrupted access to the compromised machine, while hiding itself so that it remains undetected. Stronger rootkits are also programmed to evade host-based firewalls, antivirus software, HIPS and even anti-rootkit software and tools.


What can a rootkit do?

Rootkits have the ability to hide themselves from the user, the administrator and even security software on a compromised system.

They can hide their running processes, the files they use (exe, sys, dll, txt, jpg, etc.) and the folders where they are stored, and the services and drivers they install: no rootkit service is visible from services.msc or through the API, and no rootkit driver will be found in \WINDOWS\system32\drivers. The ports they use to communicate with their master servers are hidden, and so are the connection details. While rootkits were earlier used by sophisticated attackers to hide their presence on compromised machines, recent worms, viruses and Trojans have started using them to complicate efforts to detect and clean infected machines. Backdoor.Rustock.B was one of the most infamous advanced rootkits; it used a backdoor and was responsible for 50-75% of spam at the time it was detected.

Nowadays rootkits are also used as keyloggers, since they can access the keyboard hardware interrupt and log every keystroke while staying hidden from the Windows API, so the logging goes unnoticed and undetected. They can be used as downloaders for other malware files, and as bots. The new generation of rootkits handles many of these jobs at once, which is why they are the most sophisticated ones.

Types of Rootkits and how they work

There are two types of rootkits: user mode rootkits and kernel mode rootkits.

User Mode Rootkits: Our applications run in user mode, and some of them need to access the kernel, which they do by making a system call. A system call follows a predefined path, and user mode rootkits hook these system calls at many points along that path. These rootkits also use a technique known as DLL injection or infection: they inject malicious code into system DLLs, so that when an application runs and loads the infected DLL into its own memory, the DLL runs the application's code as well as the infected code and stays active in the application's memory. Once the rootkit is in memory it infects all running processes, and whenever an API query is made it redirects or filters the results, thus hiding itself. A user mode rootkit can only infect processes, services and applications.

Kernel Mode Rootkits: The kernel is the heart of any operating system, so whoever reaches the kernel has control over the whole OS. These rootkits are truly sophisticated pieces of software, written by expert cyber criminals. First they reach the kernel via the native API exposed by NTDLL.dll; then they either hook themselves into a system call table such as the System Service Descriptor Table (SSDT), the Export Address Table (EAT), the Interrupt Descriptor Table (IDT) or the Import Address Table (IAT), or use the well-known technique called DKOM (Direct Kernel Object Manipulation).

How to find Rootkits?

Microsoft Sysinternals RootkitRevealer v1.71
http://technet.microsoft.com/hi-in/sysinternals/bb897445(en-us).aspx

Microsoft Windows Malicious Software Removal Tool (MRT)
On Windows XP SP2 and above: click Start, then Run, type MRT and press Enter.

Freeware anti-rootkit software: IceSword
http://www.antirootkit.com/software/IceSword.htm

GMER
http://www.gmer.net/

Note: Complex rootkits can hide themselves from anti-rootkit tools as well, so always use the latest version of the tools available.


Symantec Protection Against Rootkits:


The Symantec technology portfolio offers a multi-layered defense made up of Network Filtering, Behavior Blocking and Storage Filtering layers. Each layer encompasses a variety of protection technologies which interact and integrate to provide a defense-in-depth protection architecture for customers.

The Network Filtering layer (the outer layer) is the first line of defense against attacks. It examines incoming traffic and can stop threats before they have an impact on the PC. It includes the Network Intrusion Prevention System and the desktop firewall. Many of today's threats, rootkits included, attempt to exploit known OS and application vulnerabilities to execute their code on the PC. The Network IPS engine (using its Generic Exploit Blocking capability) can filter out attempts to exploit these vulnerabilities, thus keeping malware from executing. Examples of the protection signatures for the Network IPS technology can be found at http://securityresponse.symantec.com/avcenter/attack_sigs/. Protection at this layer lowers the risk associated with a vulnerability and gives IT administrators more time to deploy patches.

The second layer is the Behavior Blocking technology. It monitors the execution activity of code on the PC and attempts to prevent the code from completing its malicious actions. This layer has two main proactive technologies, TruScan and Outbound Email Heuristic (OEH). Both can detect threats (including rootkits) executing on the PC and automatically take action on them. Because this layer does not rely on specific detection signatures, it provides zero-day protection against new threats released in the wild.

The inner, third layer is the Storage Filtering layer. It adds the AV engine, the threat remediation engine ERASER (Extendable, Replaceable, Advanced Side-Effects Repair), Direct Volume Scanning (VxMS) and the AutoProtect features. These are traditional signature-based technologies, and they continue to demonstrate their efficacy as the baseline of defense: signature-based technology has a very low false positive rate and is very efficient at detecting and removing known threats on the PC.


Direct Volume Scanning Technology (VxMS):

Direct Volume Scan (also known as Raw Disk Scan) combines a hard drive scanning technology built by Veritas (VxMS) with the malware detection and removal tools to hunt down and eliminate rootkits. The Veritas software allows the scanner to read sector data directly from the hard drive and reconstruct the files for malware scanning without ever going through the machine's operating system. Traditional security applications have carried out such file scans through the OS, which gives rootkits the opportunity to inject code, cloak themselves and circumvent the antivirus. With Direct Volume Scanning we take the most common technique that rootkits and spyware use to hide themselves, what we call file-level stealthing, and bypass all known file-based variants of it.


Removing Kernel Level Rootkits:

Remediating a stealthed or kernel level rootkit requires direct volume access. Since the Windows file system is designed to have exclusive access to the volume, it was deemed unsafe to modify the volume directly while the system is running. To minimize the risk of unsynchronized volume access, the modification is done by a Windows Native application. Native applications, such as ScanDisk, run after some drivers have been loaded but before the user has logged on. To limit the risk of volume corruption and to keep functionality minimal in the relatively difficult Native application environment, Eraser's Native application restricts its disk modifications to renaming files. This prevents the threat from loading on the next reboot while keeping the volume modifications simple and undoable. After the threat's files have been disabled, the system is rebooted. At that point the threat's drivers, services and other components can no longer load, allowing Eraser to clean up the remainder of the threat by its usual means (file remediation, registry remediation, etc.). This removal technique is also known as the 1 ½ Reboot.
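The two halves of the 1 ½ Reboot, reduced to their essence, as an added example that is not ERASER's code: before the reboot, threat files are neutralised only by renaming them, and every rename is journalled so the step can be rolled back; after the reboot, the now-unloadable leftovers are removed normally. The fake volume, the file names and the suffix are constructed for the example.

```python
import json, os, tempfile

DISABLED_SUFFIX = ".disabled_example"   # hypothetical suffix, not ERASER's

def disable_files(paths, journal_path):
    """Pre-logon half: neutralise each listed file only by renaming it (never
    deleting or rewriting), and journal every rename so it can be undone."""
    done = []
    for p in paths:
        if os.path.isfile(p):            # already-missing files are skipped
            os.rename(p, p + DISABLED_SUFFIX)
            done.append((p, p + DISABLED_SUFFIX))
    with open(journal_path, "w") as f:
        json.dump(done, f)
    return done

def undo(journal_path):
    """Roll back every journalled rename, newest first; returns count restored."""
    with open(journal_path) as f:
        entries = json.load(f)
    for old, new in reversed(entries):
        if os.path.isfile(new):
            os.rename(new, old)
    os.remove(journal_path)
    return len(entries)

def finish_after_reboot(journal_path):
    """Post-reboot half: the renamed components could not load, so the leftover
    files are removed with ordinary file operations; returns count removed."""
    with open(journal_path) as f:
        entries = json.load(f)
    removed = [new for _, new in entries if os.path.isfile(new)]
    for new in removed:
        os.remove(new)
    os.remove(journal_path)
    return len(removed)

def demo():
    """Constructed fake volume in a temp dir; the threat file names are made up."""
    vol = tempfile.mkdtemp(prefix="fakevol_")
    threat = [os.path.join(vol, "rootkit_example.sys"), os.path.join(vol, "loader_example.dll")]
    for t in threat:
        open(t, "wb").close()                            # empty stand-in files
    journal = os.path.join(vol, "journal.json")
    renamed = len(disable_files(threat + [os.path.join(vol, "absent.sys")], journal))
    loadable = sum(os.path.isfile(t) for t in threat)   # originals gone -> 0
    restored = undo(journal)                             # rollback -> 2
    disable_files(threat, journal)                       # disable again, then "reboot"
    removed = finish_after_reboot(journal)               # -> 2
    return renamed, loadable, restored, removed
```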


Detection and Remediation of Usermode Rootkits:

Many of today's threats use user mode rootkit techniques because they are far less complex to develop than kernel mode techniques. The Symantec threat remediation engine, ERASER, is designed to mitigate the user mode rootkit techniques used by today's threats. Below are some examples of the user mode rootkit techniques which ERASER can protect against.


Conclusion:

Rootkit techniques (both kernel mode and user mode) give malware writers a variety of ways to mask their malware from users and applications on the PC. Symantec's layered protection model provides multiple layers of protection against rootkits and other threats. Independent testing results have shown that Symantec has industry-leading protection against the various rootkit techniques. Symantec continues to provide solid rootkit protection to its customers, and this will remain a key focus in the development of new security features in Symantec products.


Comments (11)

Satyam Pujari

Well, good job Vikram, nice article mate, keep 'em coming!!

Inviting good karma to CPU...beep

AravindKM

A useful article

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Int3rn3t

Nice article and write-up, but have you intentionally or unintentionally missed the other name who used rootkits, other than Sony?

Vikram Kumar-SAV to SEP

As I have already discussed in my article, rootkit technology is also used by good programs, and a rootkit is a technology rather than a threat.
The SystemWorks rootkit was used to hide a few backed-up files so that users could not delete them; it was only patched because it could have been exploited, as malware could have hidden itself inside it.
This article is more about what rootkits are, how they work and how Symantec protects us from rootkits.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Vikram Kumar-SAV to SEP

Since a kernel mode rootkit has total control over your computer, rather than just reading what you type on your keyboard it can also listen to what your audio input devices are hearing, or what secrets you are sharing on Skype.

For more info: https://www-secure.symantec.com/connect/blogs/trojanpeskyspy-listening-your-conversations

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Dave.Z

I have spent so many wasted hours removing rootkits that SEP 11 M4 will not detect or remove. All these PCs are up to date with MS Updates and SEP has the latest definitions. My clients are wondering why they pay all this money for SEP and they are getting hit every day. Since the Symantec people won't/can't tell you how to fix them, I will. Download and keep combofix.exe and IceSword with you at all times. I would also suggest finding another AV program. I have been a Symantec reseller and tech for 15 years and I am done with them. Industry leading protection? Not hardly. I would ask for a refund for the 150 plus clients I have installed, but I am too busy cleaning up what SEP cannot.

Vikram Kumar-SAV to SEP

SEP does detect rootkits. It might have missed a few, as all do. IceSword is a utility to find rootkits, which will be the best option for any rootkit or hidden malware.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

sym-consultant

How do I know whether what SEP detected is a rootkit or some other virus?

SymSEP

One more, great info.

AR Sharma

Thanks!

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

ShaalabaZ Hack

Old but Gold (Y)

Very well organised article.

White Hat Hacker 

Bug Bounty programs contributor

Security Researcher 


www.facebook.com/Shaalabaz.Hack
