Thursday, October 12, 2006

Rootkit techniques in today’s Windows based Malware

Recent malware on Windows NT-based platforms is adopting more and more rootkit-like techniques, i.e. cloaking and stealth. These techniques are either embedded within the malware itself or provided by a separate, third-party rootkit that assists it. Two widespread malware families that embed rootkit-like functionality are W32/Haxdoor and W32/Goldun. Much of today's Windows-based malware (Trojans, mass-mailers, backdoors, spyware and adware programs) uses stand-alone or third-party rootkit programs to cloak files and folders, processes, registry entries, memory modules, handles, TCP/UDP ports, logins, log files, and any other operating-system resource that would reveal its malicious activity.

There are two types of rootkits: those that operate in the Windows kernel and those that stay in user mode. Kernel-mode rootkits are more powerful and much harder to detect, disinfect or deactivate, because they alter the kernel's own data structures or hook its system call table, so every tool that asks the operating system sees the same doctored view. They are, however, more complicated to implement and need administrator privileges to be installed, since loading a driver requires them; a kernel-mode rootkit is usually a kernel-mode device driver that the malware loads. User-mode rootkits are less powerful but still very effective and much easier to implement and deploy: they hook API functions inside the processes that would otherwise report the hidden resources, and filter those resources out of the results. The most popular publicly available rootkits are the FU rootkit (kernel-mode) and Hacker Defender (user-mode).

The wide use of rootkits in today's malware is attributable to their easy availability on the web. They can be downloaded as ready-to-use rootkits or as source code for those who want to build custom ones. There are online resources for both rootkit developers and security professionals, who can use the same information to learn the attacker's methods and develop anti-rootkit techniques. Most advances in Windows-based rootkits are published on the internet in discussion groups, newsgroups, blog posts and the like.

Another reason for the use of rootkits is a shift in the intent behind writing malware. Viruses and worms are no longer written to prove skill or to draw attention, but as a means to make money. This shift in intention, or rather the commercialization of malicious intent, has greatly increased the creation and proliferation of "crime-ware" (snoop-ware such as spyware, keyloggers, backdoors, Trojans, etc.). These programs need stealth in order to "own the box" for as long as possible without being detected and without being traced back to their operators.

To combat today's rootkits we need a proactive approach rather than the traditional reactive one. Merely adding signatures to definition files (assuming we are lucky enough to get a sample of the rootkit in the first place) only pushes the problem under the rug: a rootkit that hides its files and processes from the operating system hides them from a signature scanner that asks the operating system too, so detection has to compare what the system reports with what is actually present on disk and in memory. Wider use of rootkits in malware is predicted for the near future, and the sophistication of rootkit detection tools and methods will have to co-evolve with it.
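As an added example (not code from the original post, nor from the FU or Hacker Defender projects), here is a portable C model of the two cloaking styles described in the second paragraph and of the cross-view check that the proactive approach above calls for. The FU-style part unlinks a process record from the kernel's process list while leaving the record in memory; the Hacker Defender-style part replaces an enumeration function pointer in a caller's import table with a wrapper that filters out names carrying a chosen prefix; the detector lists what the API reports, lists what is actually in memory, and flags the difference. The `struct proc` layout, the `api_table`, the `hxd` prefix and the sample process table are assumptions constructed for the example, not real Windows structures or the rootkits' configuration.

```c
/* Added example, not code from the post: a toy model of the two cloaking styles
 * named above plus a cross-view check that catches both. Portable C, no Windows
 * APIs; struct proc and api_table only stand in for EPROCESS and an import table. */
#include <stdio.h>
#include <string.h>
#define MAX_PROCS   8
#define HIDE_PREFIX "hxd"   /* assumed prefix; the real rootkit reads it from its config */

struct proc { int pid; char name[16]; struct proc *flink, *blink; }; /* toy EPROCESS */
struct entry { int pid; char name[16]; };            /* what an enumeration API returns */
typedef int (*enum_fn)(struct entry *out, int max);

static struct proc pool[MAX_PROCS];   /* the memory a scanner can read directly */
static int pool_count;
static struct proc head;              /* list sentinel */
void model_reset(void) {
    memset(pool, 0, sizeof pool);
    pool_count = 0;
    head.flink = head.blink = &head;
}

struct proc *model_add(int pid, const char *name) {
    struct proc *p = &pool[pool_count++];
    p->pid = pid;
    snprintf(p->name, sizeof p->name, "%s", name);
    p->blink = head.blink; p->flink = &head;     /* append at the tail */
    head.blink->flink = p;  head.blink = p;
    return p;
}

/* Kernel-mode style (FU): unlink the record from the process list but leave it in
 * memory. List walks miss it; the real kernel schedules threads via other structures. */
void dkom_hide(struct proc *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;   /* self-link so a later unlink cannot corrupt the list */
}

/* High-level view: walk the list, as a task-list tool does. */
static int enum_by_list(struct entry *out, int max) {
    int n = 0;
    for (struct proc *p = head.flink; p != &head && n < max; p = p->flink, n++) {
        out[n].pid = p->pid;
        snprintf(out[n].name, sizeof out[n].name, "%s", p->name);
    }
    return n;
}

/* The caller's import table; one function pointer is enough to show the idea. */
static struct { enum_fn enumerate; } api_table = { enum_by_list };
static enum_fn original_enum = enum_by_list;

/* User-mode style (Hacker Defender): swap the table entry for a wrapper that
 * calls the original and drops every entry whose name starts with the prefix. */
static int hooked_enum(struct entry *out, int max) {
    struct entry tmp[MAX_PROCS];
    int n = original_enum(tmp, MAX_PROCS), kept = 0;
    for (int i = 0; i < n && kept < max; i++)
        if (strncmp(tmp[i].name, HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            out[kept++] = tmp[i];
    return kept;
}
void install_user_hook(void) { api_table.enumerate = hooked_enum; }

/* What the victim sees through the (possibly hooked) API. */
int api_view(struct entry *out, int max) { return api_table.enumerate(out, max); }
/* Low-level view: scan the pool itself, ignoring both the links and the API. */
int raw_view(int *pids, int max) {
    int n = 0;
    for (int i = 0; i < pool_count && n < max; i++) pids[n++] = pool[i].pid;
    return n;
}

/* Cross-view detection: a pid present in the raw view but absent from the API
 * view is hidden, whichever layer did the hiding. Returns the number found. */
int cross_view_hidden(int *hidden, int max) {
    struct entry api[MAX_PROCS];
    int raw[MAX_PROCS], na = api_view(api, MAX_PROCS), nr = raw_view(raw, MAX_PROCS), found = 0;
    for (int i = 0; i < nr && found < max; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++) if (api[j].pid == raw[i]) seen = 1;
        if (!seen) hidden[found++] = raw[i];
    }
    return found;
}

int main(void) {
    /* constructed sample: two legitimate processes and two cloaked ones */
    model_reset();
    model_add(4, "System");
    model_add(512, "svchost.exe");
    dkom_hide(model_add(1337, "backdoor.exe"));   /* hidden by unlinking */
    model_add(1400, "hxdserv.exe");               /* hidden by the API hook */
    install_user_hook();
    int hidden[MAX_PROCS], n = cross_view_hidden(hidden, MAX_PROCS);
    for (int i = 0; i < n; i++) printf("hidden pid %d\n", hidden[i]);
    return 0;
}
```

The point of the model is that the two hiding techniques live at different layers but fail the same check: the API view reports two processes, the raw view reports four, and the difference names both cloaked pids. On a real system the "raw view" is the hard part, since the detector must read kernel memory or raw disk structures without going through the very APIs the rootkit controls, and a kernel-mode rootkit can in turn tamper with that read; that is why the post expects detection tools to keep co-evolving with the rootkits.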
