Sunday Feature: Windows Security Checklist - Part 32: More Rootkit Revelations

by Larry Stevenson, aka Prince_Serendip, CastleCops Staff Writer
with the contribution of CastleCops 1st Responder wng_z3r0.

November 20, 2005


No single application or technique can protect you 100%, but you can still get pretty close. When Windows users follow these guidelines, it could bring their chances of being infected by malware almost to zero. Now we begin our next installment of the Windows Security Checklist - Part 32: More Rootkit Revelations.

It is not as complicated as it may first appear, although there is a lot of information to absorb. The Security Experts, 1st Responders, Special Response Team members, Host and Moderator consultants at CastleCops can help you if you have questions about any of these techniques or featured applications.

What Rootkits Do and How They Work

Rootkits are programs which can change the data and the directives of software so that it behaves in ways contrary to its original purposes. Software has many places where changes can be made. Rootkits can alter a program's code by rewriting short byte strings in the software, a technique often called "byte patching." It is the same technique commonly used to write cheats for videogames or to remove subscription limits from shareware. Rootkits are tools installed by an intruder (after gaining access to the computer with an exploit) to hide files, system data and running processes while maintaining access to the system without the user's knowledge.

The attacker can gain access by tricking the user into downloading and installing some free software which contains the rootkit, by cracking weak passwords, by exploiting an unpatched, poorly configured or otherwise insecure system, or by sitting down at your computer and doing it themselves.

The most dangerous and unstable Rootkits run at the Kernel level of a Windows computer. The Kernel is the core software which acts as a secure interface between the operating system, the programs you run and the real hardware devices of your machine. The operations of the Kernel are hidden from the rest of the operating system in order to prevent system-wide chaos. Rootkits take advantage of this in order to remain hidden from the operating system and hence from the user. The drawback is that if the Rootkit code crashes, your system crashes with it. As few Rootkits are ever well-written, such crashes are a common indication of their possible presence.

The most popular Rootkits run in User-mode with administrator privileges, which means they are loaded each time the system is booted. They can be detected by code running in Kernel-mode.

Exactly how Rootkits work in computing terms would be beyond the grasp of most readers here. One of our 1st Responders at CastleCops, wng_z3r0, has provided an analogy that increases our understanding of how they work, and has given permission to include it in this article.

wng_z3r0 wrote:
here's my quick analogy:

Imagine you're in a classroom. Let's call where you are sitting "Ring 3." The teacher and the teacher's aide are sitting on the lower ring at the center of the classroom. Let's call that ring "Ring 0." You are a program. The teacher is the operating system. Suppose you wanted to know what your grade on a particular test was. You COULD break into the teacher's vault (the hard drive), figure out all the intricate details, and try to understand the teacher's cryptic writing. This would be very hard because

1. The teacher is not going to let you (and in real life Windows doesn't let programs communicate directly with hardware),
2. You would have to know how to break into the safe. And the safe is unique for that room (just as every hard drive is different),
3. You would have to understand the writing (and the teacher, or operating system, holds the key).

BUT, why would you do that? You could just ASK the teacher. But probably not in Pig Latin. You need to use a standard means of communication. In this analogy, that would be writing a note and passing it down to the teacher. You have to use "English," and make a correct sentence the teacher will understand. This standard form of communication is an analogy for the Windows API. (API is the Application Program Interface.)

The teacher will understand your note because it is in a standard form of language that she can understand. She will then consider your request against her own set of rules (the code of the operating system), and then decide if she should grant you this request. Let's say she does. Then it is very easy for her to grab the test score because she knows how to access the vault, and how to read the test scores (data).

See how much easier it is just to send the note compared to breaking in and accessing the vault directly? This is why practically every Windows program in existence goes through the teacher (operating system) using notes (Windows API).

BUT: what happens if you pass a note to the teacher, but along the way it is intercepted by another student? This student is another program in userland. Say he didn't want you to know your test score because it would make him look bad. He could throw the note in the trash, or modify it so that it asks the teacher something else. This is what a rootkit does. It is just another program that intercepts "notes" and changes or deletes them. This would be pretty hard to detect. Another student (like an antivirus program) could try to ask the teacher what's going on. BUT, he also has to pass notes to the teacher to get any information, so the bad student (the rootkit) could modify those requests too. This is how rootkits hide from most programs.

Userland rootkits, like the one described above, can still be detected. The teacher's aide can pass a note to the teacher. But, he is in Ring 0 with the teacher. So, he doesn't have to pass the notes through Ring 3. He can just pass it through Ring 0 to the teacher. So he can compare what's going on in Ring 3 (where the rest of the students sit) to Ring 0 and determine that, hey, there's a problem here. This is how userland rootkits can be detected.

BUT: what if a program seduced the Principal of the school (which would be YOU, the actual computer user) to try this really cool software. This software came with its own teacher's aide. You don't care, you just want the software. So you install the program, and poof! another teacher's aide appears in Ring 0. This NEW teacher's aide is a kernel mode rootkit. He can change the notes coming from the students in Ring 3 AS WELL AS ANYTHING IN RING 0. This includes the other teacher's aides AND the teacher herself. Now, this new teacher's aide wants to hide a student, because he is going to cheat and spread a virus throughout the school. So, when the teacher takes roll, he modifies the notes coming in and out and makes it seem like the virus program doesn't exist. He does the same when the antivirus program tries to find out what's in the computer.

This is how SOME rootkits work.

wng



Prevention is Easier than Detection

Preventing Rootkits is far easier than detecting and removing them. In fact, there is no certain way to remove them completely. A properly secured computer is unlikely to be compromised in this manner. You absolutely need to be fully patched, use strong passwords, and have a properly configured firewall plus antivirus, anti-trojan and/or anti-spyware applications, all fully updated and regularly maintained.

Criminal-hackers need an exploit by which to hook into your computer. Fully protected computers are unlikely to provide the opportunities they seek. It is still possible to hack a protected computer, but it is far more difficult. Criminal-hackers deliberately look for computers that are running without firewalls and security protections. You may feel that you have nothing of value to a hacker, but they can use your computer to commit crimes without your knowledge. You can be held liable for what your computer does.

Detect and Remove Only With Expert Help

In both cases, detection and removal are difficult. A tremendous amount of data must be processed and examined in detail. Rootkits have been around for a long time as developers' tools, owing their name to the old UNIX systems on which they were used. Since they have become the tools of malware developers and criminal-hackers, new methods of detection and removal are still in their infancy.

Many Rootkit detection programs exist, yet these can produce false positives and inconsistent results. If you wish to search for a Rootkit on your machine, consult a security expert before you act on what you find. Too many people assume that Rootkit detectors work like their anti-malware scanners, and so they misinterpret the results of the scans.

The usual method of detection and removal is to use multiple Rootkit detectors, with expert help to interpret the results and suggest means of removal. Following removal, a thorough cleansing of the operating system must be done to remove any malware installed by the Rootkit. Even so, the process of removal is not completely certain. Most system admins, upon discovering a computer infected with a Rootkit, will simply erase the entire hard drive, reformat and do a fresh install of the operating system. This method is extreme but more certain of success. Nonetheless, there may be Rootkits which can infect hardware components such as the video chip. These would be immune to any form of detection and removal currently available.
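The note-passing analogy above (a user-mode program rewriting API answers on their way back, a Ring 0 observer comparing what Ring 3 was told against what the kernel knows) and the warning here about false positives and inconsistent detector results can both be made concrete in a small simulation. The following is an added example written for this page; it is not code from the original article, from wng_z3r0, or from any real rootkit detector. The "kernel", the "API layer", the hook, the process table and every pid and process name are constructed stand-ins, and the detector's two-pass intersection is one common way cross-view tools suppress transient differences.

```python
"""Toy model of rootkit API interception and cross-view detection.

Constructed simulation only: a dict stands in for the Ring 0 process table,
a list of hook callables stands in for the Ring 3 API ("notes to the teacher"),
and the detector compares the two views. No real Windows interfaces are used.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

ProcTable = Dict[int, str]

# Constructed sample process table; "hidden_dropper.exe" is the process the
# simulated rootkit wants to conceal. All pids and names are made up.
SAMPLE_PROCS: ProcTable = {4: "System", 512: "explorer.exe", 640: "antivirus.exe",
                           777: "hidden_dropper.exe", 801: "notepad.exe"}


@dataclass
class Kernel:
    """Ring 0: the authoritative process table (the teacher's vault)."""
    procs: ProcTable

    def raw_list(self) -> ProcTable:
        return dict(self.procs)


@dataclass
class ApiLayer:
    """Ring 3 note-passing channel. Every hook sees the answer and may rewrite it."""
    kernel: Kernel
    hooks: List[Callable[[ProcTable], ProcTable]] = field(default_factory=list)

    def enum_processes(self) -> ProcTable:
        result = self.kernel.raw_list()
        for hook in self.hooks:          # the intercepting "student" edits the note
            result = hook(result)
        return result


def make_hiding_hook(hidden: Set[str]) -> Callable[[ProcTable], ProcTable]:
    """User-mode rootkit behaviour in the analogy: drop the entries it wants hidden."""
    return lambda table: {pid: n for pid, n in table.items() if n not in hidden}


def cross_view_diff(api_view: ProcTable, kernel_view: ProcTable) -> ProcTable:
    """Teacher's aide check: entries Ring 0 knows about that the Ring 3 answer omitted."""
    return {pid: n for pid, n in kernel_view.items() if pid not in api_view}


def run_detection(api: ApiLayer, kernel: Kernel, between: Callable[[], None],
                  passes: int) -> ProcTable:
    """Cross-view scan. `between` models time passing while the system keeps running.
    With passes > 1 only entries missing from the API view in every pass are
    reported, so a process that merely started mid-scan is not flagged."""
    consistent = None
    for _ in range(passes):
        api_view = api.enum_processes()      # answer obtained through Ring 3
        between()
        kernel_view = kernel.raw_list()      # answer obtained directly from Ring 0
        diff = cross_view_diff(api_view, kernel_view)
        consistent = diff if consistent is None else {p: n for p, n in diff.items() if p in consistent}
    return consistent if consistent is not None else {}


def build_system():
    """Fresh kernel plus an API layer with the simulated user-mode hook installed."""
    kernel = Kernel(dict(SAMPLE_PROCS))
    api = ApiLayer(kernel, hooks=[make_hiding_hook({"hidden_dropper.exe"})])
    return kernel, api


def make_spawner(kernel: Kernel) -> Callable[[], None]:
    """Starts a legitimate process (constructed pid 900) the first time it is
    called: a harmless event that still produces a cross-view discrepancy."""
    def spawn() -> None:
        kernel.procs.setdefault(900, "setup_tmp.exe")
    return spawn


def demo_user_mode() -> Dict[str, ProcTable]:
    """One pass flags the hidden process and a false positive (pid 900);
    two passes keep only the genuinely hidden entry."""
    kernel, api = build_system()
    single = run_detection(api, kernel, make_spawner(kernel), passes=1)
    kernel, api = build_system()
    double = run_detection(api, kernel, make_spawner(kernel), passes=2)
    return {"single_pass": single, "two_pass": double}


def demo_kernel_mode() -> ProcTable:
    """Once the filter sits in Ring 0 itself, both views lie the same way and the
    live cross-view check finds nothing: the reason detection from inside a
    compromised system cannot be trusted."""
    kernel, api = build_system()
    hidden_hook = make_hiding_hook({"hidden_dropper.exe"})
    real_raw_list = kernel.raw_list
    kernel.raw_list = lambda: hidden_hook(real_raw_list())  # type: ignore[method-assign]
    return run_detection(api, kernel, make_spawner(kernel), passes=2)


if __name__ == "__main__":
    print(demo_user_mode())    # two_pass keeps only pid 777
    print(demo_kernel_mode())  # {}
```

The single-pass result reports pid 900 alongside the hidden process, although 900 is just a program that started between the two snapshots; this is exactly the kind of "inconsistent result" the paragraph warns a non-expert will misread. The two-pass intersection removes it. The kernel-mode variant returns an empty result even though the hidden process is still running, which is why detectors running on the live machine can be blind and why, in the worst case, the only certain remedy the article offers is wiping and reinstalling.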

Conclusion

Rootkits have suddenly been catapulted into the spotlight in the news, yet they are still very rare. You are far more likely to be infected by a virus or a trojan than to be compromised by one of these. Due to the corporate messes over Rootkits, they are now more widely known than ever before. Still, it is best to be cautious and not to overreact to the information being provided. Be sure to update and secure your computer and protection programs so you will not need to worry about Rootkits.


Best regards and always take care of your security.
Posted on Sunday, 20 November 2005 @ 23:19:52 UTC by Paul (7141 reads)
Re: Windows Security Checklist - Part 32: More Rootkit Revelations (Score: 1)
by negster22 on Monday, 21 November 2005 @ 04:24:40 UTC (http://www.secure-computer-solutions.com)
A good article to:
1.) Put rootkits in perspective re: the likelihood of the average user becoming infected
2.) Break down the complexities of their MO
3.) Emphasize that rootkit removal can lead to serious consequences, so users should seek expert help to assist in their removal

There are safe & easy methods to remove the root kit component of the Sony XCP DRM software which I have listed in a special section of the Malware Removal procedure here:
http://wiki.castlecops.com/Malware_Removal:_Antispyware_Scanners

I will probably add something later about removing the ActiveX control that Sony and First 4 Internet released to deactivate the rootkit. Few users are probably affected by that ActiveX control and its inherent vulnerabilities, because Sony promptly withdrew it.



 