Rootkits

The Problem

• Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.
• Kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products.

EC-Council

Rootkits

• Rootkits are kernel programs that have the ability to hide themselves and cover up traces of their activities.
• When a rootkit is installed, it replaces certain operating system calls and utilities with its own, modified versions of those routines.
• For example, to hide the existence of a file, the rootkit intercepts all system calls that can carry a file name argument, such as open(), chdir() and unlink().

Why rootkits?

• If a hacker wants to do something to your system, such as plant a virus, a Trojan horse program or spyware, he has to gain root access to the system and the unlimited power that goes with that access.
• Once established as root, the intruder can modify system commands to hide his tracks from the system administrator and preserve his root access.
• Hackers achieve this via a rootkit.

Rootkits in Linux

• "Rootkit" also refers to a set of modified and recompiled Unix tools (typically including ps, netstat and passwd) designed to hide any trace of the intruder's presence or existence.
• A rootkit may include programs to monitor traffic, create a back door into the system, alter log files and attack other machines on the network.

Detecting rootkits

• Detecting rootkits is a problem: once infected with a rootkit, you can't trust your operating system.
• You can't believe what the system tells you when you request a list of running processes or files in a directory.
• One way to get around this is to shut down the suspect computer and check its storage after booting from alternative media that you know are clean, such as a bootable CD-ROM.

Sony Rootkit Case Study

• Mark Russinovich discovered last October that some Sony BMG Music Entertainment CDs use rootkit technology to automatically install digital rights management software on Windows computers.
• The intent of this kludge was to prevent unauthorized digital copying of the music.
• The Sony music CD creates a hidden directory and installs several of its own device drivers; it then reroutes Windows system calls to its own routines.
• It intercepts kernel-level application programming interfaces and tries to disguise its presence.
• Sony was hit with numerous lawsuits around the United States for planting a rootkit on users' computers without their knowledge.
• For more information visit: http://www.sysinternals.com/blog/2005/10/sony-rootkits-anddigital-rights.html

Steps for Detecting Rootkits

Simple steps you can take to detect some of today's ghostware:
1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside).
4. Note: there will be some false positives.
5. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

Rootkit detection tools

• BlackLight from F-Secure Corp.: http://www.f-secure.com/blacklight
• RootkitRevealer from Sysinternals: http://www.sysinternals.com/Utilities/RootkitRevealer.html
• Malicious Software Removal Tool from Microsoft Corp.: http://www.microsoft.com/security/malwareremove/default.mspx
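The cross-view comparison from the detection steps above, as an added example (not part of the original slides or any named tool): it merges the hidden and non-hidden "dir /s /b" listings taken inside the running OS and from the clean boot CD, strips drive letters (the clean boot usually mounts the volume under a different letter), and reports paths visible only from outside. The listings, the noise prefixes and the hidden file names are constructed sample data.

```python
import re

# Constructed sample listings: the same volume seen from the running OS (C:)
# and from the clean boot CD (D:). Names containing "example"/"placeholder"
# stand in for whatever a file-hiding rootkit would conceal.
INSIDE_HIDDEN = "C:\\pagefile.sys\nC:\\Windows\\System32\\config\\SYSTEM.LOG\n"
INSIDE_VISIBLE = ("C:\\Windows\\System32\\drivers\\ntfs.sys\n"
                  "C:\\Windows\\System32\\notepad.exe\n"
                  "C:\\Windows\\Temp\\tmp1234.tmp\n"          # gone after reboot
                  "C:\\Users\\alice\\Documents\\notes.txt\n")
OUTSIDE_HIDDEN = ("D:\\pagefile.sys\nD:\\Windows\\System32\\config\\SYSTEM.LOG\n"
                  "D:\\Windows\\System32\\drivers\\example_hidden.sys\n")
OUTSIDE_VISIBLE = ("D:\\Windows\\System32\\drivers\\ntfs.sys\n"
                   "D:\\Windows\\System32\\notepad.exe\n"
                   "D:\\Users\\alice\\Documents\\notes.txt\n"
                   "D:\\Users\\alice\\Documents\\PLACEHOLDER_hidden_dir\\loader.exe\n")

_DRIVE = re.compile(r"^[A-Za-z]:")

# Locations that legitimately differ between a live system and a cold boot:
# the expected false positives mentioned in step 4 (assumed list, extend as needed).
NOISE_PREFIXES = ("\\pagefile.sys", "\\hiberfil.sys", "\\windows\\temp\\",
                  "\\system volume information\\")


def parse_listing(text):
    """Normalise one 'dir /s /b' listing: drop the drive letter, fold case (NTFS
    is case-insensitive), ignore blank lines. Returns a set of paths."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            paths.add(_DRIVE.sub("", line).lower())
    return paths


def is_noise(path):
    return any(path.startswith(p) for p in NOISE_PREFIXES)


def cross_view_diff(inside_texts, outside_texts):
    """Return (hidden_inside, vanished_outside) after noise filtering.
    hidden_inside: seen from the clean boot but not from the running OS; these
    are the candidates for file-hiding ghostware. vanished_outside: seen only
    inside, usually runtime-only files rather than anything malicious."""
    inside = set().union(*map(parse_listing, inside_texts))
    outside = set().union(*map(parse_listing, outside_texts))
    hidden = sorted(p for p in outside - inside if not is_noise(p))
    vanished = sorted(p for p in inside - outside if not is_noise(p))
    return hidden, vanished


if __name__ == "__main__":
    h, v = cross_view_diff([INSIDE_HIDDEN, INSIDE_VISIBLE], [OUTSIDE_HIDDEN, OUTSIDE_VISIBLE])
    print("hidden inside:", *h, sep="\n  ")
    print("only inside:", *v, sep="\n  ")
```

Step 5's caveat still applies: anything stored outside the file system (BIOS, firmware, bad sectors, alternate data streams) never appears in either listing.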