January 25, 2012

3.1.6 Rootkits

Rootkits

Rootkits are software programs that can hide certain things from the operating system. In theory, a rootkit could hide anywhere there is enough memory for it to reside: video cards, PCI cards, and the like. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system's OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

A rootkit is a type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at a privileged level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. If a rootkit has been installed, you may not be aware that your computer has been compromised, and traditional anti-virus software may not be able to detect the malicious programs.

Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.

Rootkits can be installed and hidden on your computer without your knowledge. They may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on your computer or has convinced you to download it.

Detection methods include using an alternative, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel.

Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers.

The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected.
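The "difference scanning" idea above can be shown with a cross-view check: the process list obtained from one kernel path (listing /proc) is compared with the set of PIDs that answer a probe through a different path (kill with signal 0). A rootkit that only filters directory listings leaves a gap between the two views. This is an added example written for these notes, not code from the referenced sources; it assumes a Linux host with /proc mounted, and the pure comparison function takes constructed PID sets so it can be checked without a live scan.

```python
import os

def pids_from_proc():
    """High-level view: PIDs visible by listing /proc (what ps and task managers use)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pids_by_probe(max_pid=None):
    """Low-level view: probe every PID with signal 0, which goes through a
    different kernel path than readdir on /proc."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:      # EPERM: the process exists but is not ours
            alive.add(pid)
        except ProcessLookupError:   # ESRCH: no such process
            pass
    return alive

def hidden_pids(listed_before, listed_after, probed):
    """Difference scan: PIDs that answered the probe but appear in neither
    listing. Two listings (taken before and after the probe) are used so a
    short-lived process that exits mid-scan is not reported as hidden."""
    return sorted(probed - (listed_before | listed_after))

def cross_view_scan():
    """Run the live comparison on this host and return suspicious PIDs."""
    before = pids_from_proc()
    probed = pids_by_probe()
    after = pids_from_proc()
    return hidden_pids(before, after, probed)

if __name__ == "__main__":
    suspects = cross_view_scan()
    if suspects:
        print("PIDs answering a probe but absent from /proc listing:", suspects)
    else:
        print("No discrepancy between /proc listing and PID probe.")
```

A match is not proof by itself (a process can exit between the probe and the second listing), so a flagged PID is something to examine from a trusted boot medium rather than an automatic verdict; a kernel rootkit that also hooks kill() will fool both views.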

Types of rootkits include the following:
  • Firmware – embedded in the firmware; always available
  • Kernel – embedded in the operating system; practically invisible; privileged
  • Persistent – activates on boot up and stays active while computer is running
  • Application – activates with a specific application
  • Library – associated with library files (e.g. DLLs); interjects own code via API and system calls

References:
  • http://en.wikipedia.org/wiki/Rootkit
  • http://www.us-cert.gov/cas/tips/ST06-001.html
  • http://www.pcmag.com/encyclopedia_term/0,2542,t=root+kit&i=55733,00.asp
