Rootkits are programs that hackers use in order to evade detection while trying to gain unauthorized access to a computer. Rootkits when installing on a computer, are invisible to the user and also take steps to avoid being detected by security software.
A rootkit is a set of binaries, scripts and configuration files that allows someone to covertly maintain access to a computer so that he can issue commands and scavenge data without alerting the system’s owner.
Depending on where they are installed there are various types of rootkits:
- Kernel Level Rootkits
- Hardware/Firmware Rootkits
- Hypervisor (Virtualized) Level Rootkits
- Boot loader Level (Bootkit) Rootkits
NTFS DATA Stream
Alternative Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to help support Macintosh Hierarchical File System (HFS) which uses resource forks to store icons and other information for a file. Using Alternative Data Streams a user can easily hide files that can go undetected unless close inspection.
The art of hiding a data inside another data/medium is called steganography.
For eg: hiding data within an image file
The secret message is called overt file and the covering file is called covert file.
Types of Steganography
- Image Steganography
- Document Steganography
- Folder Steganography
- Video Steganography
- Audio Steganography
- White Space Steganography
- Avatar rootkit runs in the background and gives remote attackers access to an infected PC.
- It uses a driver infection technique twice: the first in the dropper so as to bypass detections by HIPS, and the second in the rootkit driver for surviving after system reboot.
- The infection technique is restricted in its capability (by code signing policy for kernel-mode modules) and it works only on x86 systems.
- Necurs contains backdoor functionality, allowing remote access and control of the infected computer.
- It monitors and filters network activity and has been observed to send spam and install rogue security software.
- It enables further compromise by providing the functionality to:
- Download additional malware
- Hide its components
- Stop security applications from functioning
- Azazel is a userland rootkit written in C based off of the original LD_PRELOAd technique from Jynx rootkit.
- ZeroAccess is a kernel-mode rootkit which uses advanced techniques to hide its presence.
- It is capable of functioning on both 32 and 64-bit flavors of Windows from a single installer and acts as a sophisticated delivery platform for other malware.
- If running under 32-bit Windows, it will employ its kernel-mode rootkit. The rootkit’s purpose is to:
- Hide the infected driver on the disk
- Enable read and write access to the encrypted files
- Deploy self defense
- The payload of ZeroAccess is to connect to a peer-to-peer botnet and download further files.
- Integrity-Based Detection: It compares a snapshot of the file system, boot records, or memory with a known trusted baseline.
- Signature-Based Detection: This technique compares characteristics of all system processes and executable files with a database of known rootkit fingerprints.
- Heuristic/Behavior-Based Detection: Any deviations in the system’s normal activity or behavior may indicate the presence of rootkit.
- Runtime Execution Path Profiling: This technique compares runtime execution paths of all system processes and executable files before and after the rootkit infection.
- Cross View-Based Detection: Enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the common APIs. Any discrepancies between these two data sets indicate the presence of rootkit.
Steps for Detecting Rootkits
- Run “dir /s /b /ah” and “dir /s /b /a-h” inside the potentially infected OS and save the results.
- Boot into a clean CD, run “dir /s /b /ah” and “dir /s /b /a-h” on the same drive and save the results.
- Run a clean version of WinDiff on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside)
Note: There will be some false positives. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
How to Defend against Rootkits
- Reinstall OS/applications from a trusted source after backing up the critical data.
- Well-documented automated installation procedures need to be kept.
- Perform kernel memory dump analysis to determine the presence of rootkits.
- Harden the workstation or server against the attack.
- Educate staff not to download any files/programs from untrusted sources.
- Install network and host-based firewalls.
- Ensure the availability of trusted restoration media.
- Update and patch operating systems and applications.
- Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies.
- Update antivirus and anti-spyware software regularly.
- Avoid logging in an account with administrative privileges.
- Adhere to the least privilege principle.
- Ensure the chosen antivirus software posses rootkit protection.
- Do not install unnecessary applications and also disable the features and services not in use.
- Stinger: Stinger scans rootkits, running processes, loaded modules, registry and directory locations known to be used by malware on the machine.
- UnHackMe: UnHackMe detects and removes malicious programs
- GMER: GMER is an application that detects and removes rootkits.