Rootkits
The Problem
• Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals
• The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products
Rootkits
• Rootkits are kernel programs that have the ability to hide themselves and cover up traces of their activities
• When a rootkit is installed, it replaces certain operating system calls and utilities with its own, modified versions of those routines
• For example, to hide the existence of a file, the rootkit intercepts all system calls that can carry a file name argument, such as open(), chdir() and unlink()
Why rootkits?
• If a hacker wants to do something to your system, such as plant a virus, a Trojan horse program or spyware, he has to gain access to the system's root directory and the unlimited power that goes with that access.
• Once established as root, the intruder can modify system commands to hide his tracks from the systems administrator and preserve his root access.
• Hackers achieve this via a rootkit.
Rootkits in Linux
• "Rootkit" also refers to a set of modified and recompiled Unix tools (typically including ps, netstat and passwd) designed to hide any trace of the intruder's presence or existence
• A rootkit may include programs to monitor traffic, create a back door into the system, alter log files and attack other machines on the network
Detecting rootkits
• Detecting rootkits is a problem
• Once infected with a rootkit, you can't trust your operating system
• You can't believe what the system tells you when you request a list of running processes or files in a directory
• One way to get around this is to shut down the suspect computer and check its storage after booting from alternative media that you know are clean, such as a bootable CD-ROM
Sony Rootkit Case Study
• Mark Russinovich discovered last October that some Sony BMG Music Entertainment CDs use rootkit technology to automatically install digital rights management software on Windows computers
• The intent of this kludge was to prevent unauthorized digital copying of the music
• The Sony music CD creates a hidden directory and installs several of its own device drivers; it then reroutes Windows system calls to its own routines
• It intercepts kernel-level application programming interfaces and tries to disguise its presence
• Sony was hit with numerous lawsuits around the United States for planting a rootkit on users' computers without their knowledge
• For more information visit: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
Steps for Detecting Rootkits
• Simple steps you can take to detect some of today's ghostware:
• Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
• Boot from a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
• Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside).
• Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, disk bad sectors, Alternate Data Streams, etc.
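The comparison step of the procedure above (and the clean-boot idea from the "Detecting rootkits" slide) as an added example in Python; this is not code from the original presentation, and it stands in for WinDiff. It takes the saved "dir /s /b /ah" and "dir /s /b /a-h" outputs from both views, merges each view into one set of paths, and reports what is on disk from the outside but absent from the inside view. The listings in the block are constructed sample data and the rootkit file names in them are invented placeholders; the drive-letter handling assumes both views listed the same volume root (the clean CD typically mounts it under a different letter), and the ignored prefixes are whatever the analyst decides are legitimately volatile.

```python
"""Cross-view comparison of saved directory listings (added example).

Inside view  = listings taken from within the suspect OS.
Outside view = listings of the same volume taken after booting clean media.
Anything visible only from the outside is a candidate for file-hiding
ghostware; anything under an analyst-chosen volatile prefix is set aside
as a likely false positive rather than silently dropped.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def normalize(entry: str) -> str:
    """Canonical form of one 'dir /s /b' line.

    Windows paths are case-insensitive, and the volume usually receives a
    different drive letter when mounted from rescue media, so the drive
    letter is dropped and the remainder is lower-cased.  Assumption: both
    views were taken of the same volume root.
    """
    p = entry.strip().lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p


def parse_listings(*texts: str) -> set[str]:
    """Merge one or more saved listings (e.g. the /ah and /a-h runs of one view)."""
    paths: set[str] = set()
    for text in texts:
        for line in text.splitlines():
            if line.strip():
                paths.add(normalize(line))
    return paths


@dataclass
class CrossViewResult:
    hidden_candidates: set[str] = field(default_factory=set)  # outside only
    suppressed: set[str] = field(default_factory=set)         # outside only, under an ignored prefix
    inside_only: set[str] = field(default_factory=set)        # inside only (gone by the clean boot)


def compare_views(inside: set[str], outside: set[str],
                  ignore_prefixes: tuple[str, ...] = ()) -> CrossViewResult:
    """Set difference in both directions, with analyst-chosen prefixes set aside."""
    prefixes = tuple(normalize(p) for p in ignore_prefixes)
    result = CrossViewResult()
    for path in outside - inside:
        if any(path.startswith(pfx) for pfx in prefixes):
            result.suppressed.add(path)
        else:
            result.hidden_candidates.add(path)
    result.inside_only = inside - outside
    return result


# --- Constructed sample listings (invented names, not real captures) ---
INSIDE_VISIBLE = r"""
C:\Windows\System32\kernel32.dll
C:\Windows\System32\drivers\ntfs.sys
C:\Users\alice\Documents\report.docx
"""
INSIDE_HIDDEN = r"""
C:\pagefile.sys
C:\Users\alice\NTUSER.DAT
"""
# Same volume seen from clean media: mounted as D:, names in mixed case,
# plus two invented placeholder files the inside view never showed and a
# log that was legitimately written during shutdown (a false positive).
OUTSIDE_VISIBLE = r"""
D:\Windows\System32\KERNEL32.DLL
D:\Windows\System32\drivers\ntfs.sys
D:\Windows\System32\drivers\example_rootkit_driver.sys
D:\Users\alice\Documents\report.docx
D:\Windows\Temp\shutdown-trace.log
"""
OUTSIDE_HIDDEN = r"""
D:\PAGEFILE.SYS
D:\Users\alice\NTUSER.DAT
D:\Windows\System32\example_rootkit_config.dat
"""


def run_sample() -> CrossViewResult:
    """Compare the constructed views, ignoring the analyst-chosen temp directory."""
    inside = parse_listings(INSIDE_VISIBLE, INSIDE_HIDDEN)
    outside = parse_listings(OUTSIDE_VISIBLE, OUTSIDE_HIDDEN)
    return compare_views(inside, outside, ignore_prefixes=("\\Windows\\Temp\\",))


if __name__ == "__main__":
    r = run_sample()
    print("Visible from outside only (review each):")
    for p in sorted(r.hidden_candidates):
        print("  ", p)
    print("Set aside as probable false positives:", sorted(r.suppressed))
    print("Seen inside only:", sorted(r.inside_only))
```

Every path in hidden_candidates still needs a human look: the note on the slide applies, and the ignore list only moves known-volatile locations into a separate bucket instead of hiding them. Files that live in BIOS, bad sectors or Alternate Data Streams never appear in either listing, so, exactly as the slide says, this comparison cannot find them.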
Rootkit detection tools
• BlackLight from F-Secure Corp.
  http://www.f-secure.com/blacklight
• RootkitRevealer from Sysinternals
  http://www.sysinternals.com/Utilities/RootkitRevealer.html
• Malicious Software Removal Tool from Microsoft Corp.
  http://www.microsoft.com/security/malwareremove/default.mspx