Useful Windows Security Tool


Rootkits are becoming more threatening every day. I wrote a bit about Metasploit last month, but Metasploit is really an exploitation framework: a point-and-click (or console) way to launch an exploit and deliver a payload. A rootkit is what an intruder installs afterwards to keep the access that exploit gained, and to keep you from noticing.

Without going into toe-curling detail, a rootkit is a collection of software tools that lets an intruder conceal the fact that they have taken administrator-level control of your computer (having achieved that status by exploiting some other vulnerability). It has recently been reported that such kits are now sold commercially, which helps malware authors with an important part of their business model: staying resident without being detected.

Today’s rootkit (named after “root”, the Unix superuser account that has full access to a Unix system) attaches to the operating system at a very low level, which makes detection from inside the infected operating system unreliable. For example, a typical technique inserts code into the path the system uses for a simple task such as listing the files on a disk or the processes running on the system; once that path is hooked, the operating system itself no longer reports the intruder’s files or processes. How can that be? The rootkit performs a kind of transplant: it inserts malicious code into the chain of normal operating-system events. Once in the chain, it can interrupt the normal flow of logic to do as it pleases, filtering system calls and modifying the data structures the kernel relies on (the process list, a directory listing) before the results reach the caller. With control over these fundamental routines, the intruder can hide his files and his running processes. They are effectively “invisible” to the operating system, and to you.

Of course, this also prevents antivirus and security programs from finding the evidence, since those utilities ask the same, now-subverted, operating-system routines for their answers. Freed from concern about discovery, the “payload” of the rootkit attack goes to work: relaying spam, participating in DDoS attacks, hosting IRC sessions, whatever.

For Windows users the threat is real, but there is hope. Several utilities help detect a rootkit compromise; here I’ll mention one free package, RootkitRevealer. It scans the file system and registry twice: once through the normal Windows API, and once by reading the raw NTFS volume and registry hive data directly, bypassing the routines a rootkit would hook. When it finishes it reports every discrepancy between the two views. A file or registry key that the raw scan finds but the API does not is the signature of something hiding, and on a machine that shows such a discrepancy you should assume compromise (you do remember where you put that original Windows installation disk?). Not every discrepancy is a rootkit, though: files that changed between the two passes, and some legitimate products that hide their own keys, also show up, so read the report before you wipe. On a related note, this sort of “when you least expect it” forced rebuild of a Windows machine is why I always made a clone (using Symantec’s Ghost) of a new install on my home and office PCs. Actually, I still do that on my Macs now that I’ve switched, but there it’s primarily a form of backup. For the Mac (both desktop and a couple of my Xserve servers) I use a donation-ware program called Carbon Copy Cloner.
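To make the “compare the two views” step concrete, here is an added example of cross-view detection logic. It is not RootkitRevealer’s code and does not read a real volume; the two views are constructed dictionaries standing in for an API scan and a raw on-disk scan, and the exclusion list of volatile paths is an assumption for illustration, not the tool’s own. Entries found only by the raw scan are reported as hidden, entries found only by the API as phantom, entries whose metadata differs as mismatched, and discrepancies on paths that legitimately churn between passes are set aside rather than flagged.

```python
"""Cross-view diff: the comparison step behind a RootkitRevealer-style scan.

Added example with constructed data. A 'view' maps a path to
(size_in_bytes, last_write_time) as a scanner would collect it.
"""
from dataclasses import dataclass, field
import fnmatch

# Paths expected to differ between two passes even on a clean machine.
# Assumption: an illustrative exclusion list, not RootkitRevealer's own.
VOLATILE_PATTERNS = (
    "C:\\pagefile.sys",
    "C:\\$LogFile",
    "C:\\System Volume Information\\*",
)


@dataclass
class CrossViewReport:
    hidden: list = field(default_factory=list)    # raw view only: candidate hidden objects
    phantom: list = field(default_factory=list)   # API view only: the API reports what disk lacks
    mismatch: list = field(default_factory=list)  # in both views, metadata differs
    ignored: list = field(default_factory=list)   # discrepancy on a known-volatile path

    @property
    def suspicious(self) -> bool:
        return bool(self.hidden or self.phantom or self.mismatch)


def _is_volatile(path: str) -> bool:
    return any(fnmatch.fnmatchcase(path, pat) for pat in VOLATILE_PATTERNS)


def cross_view_diff(api_view: dict, raw_view: dict) -> CrossViewReport:
    """Compare what the OS API reported with what a raw scan found."""
    report = CrossViewReport()
    for path in sorted(set(api_view) | set(raw_view)):
        in_api, in_raw = path in api_view, path in raw_view
        if in_api and in_raw and api_view[path] == raw_view[path]:
            continue                      # both views agree: nothing to report
        if _is_volatile(path):
            report.ignored.append(path)   # expected churn, not evidence
        elif in_raw and not in_api:
            report.hidden.append(path)    # the hooked API is lying by omission
        elif in_api and not in_raw:
            report.phantom.append(path)
        else:
            report.mismatch.append((path, api_view[path], raw_view[path]))
    return report


# Constructed sample views (not output of any real tool).
API_VIEW = {
    "C:\\Windows\\System32\\ntoskrnl.exe": (2_000_000, "2005-04-01T10:00"),
    "C:\\Windows\\System32\\drivers\\atapi.sys": (96_000, "2005-04-01T10:00"),
    "C:\\pagefile.sys": (1_073_741_824, "2005-06-01T08:00"),
}
RAW_VIEW = {
    "C:\\Windows\\System32\\ntoskrnl.exe": (2_000_000, "2005-04-01T10:00"),
    # on-disk driver differs from what the API reports: a patched file
    "C:\\Windows\\System32\\drivers\\atapi.sys": (97_280, "2005-04-01T10:00"),
    # the page file grew between passes: expected, excluded
    "C:\\pagefile.sys": (1_073_872_896, "2005-06-01T08:01"),
    # present on disk, absent from the API listing: hidden
    "C:\\Windows\\System32\\drivers\\hidden.sys": (24_576, "2005-05-30T23:59"),
}


def demo() -> CrossViewReport:
    return cross_view_diff(API_VIEW, RAW_VIEW)


if __name__ == "__main__":
    r = demo()
    print("suspicious:", r.suspicious)
    for label, items in (("hidden", r.hidden), ("phantom", r.phantom),
                         ("mismatch", r.mismatch), ("ignored", r.ignored)):
        for item in items:
            print(f"  {label}: {item}")
```

The hard part of a real detector is producing the raw view at all (parsing NTFS structures and registry hives without calling the API that a rootkit may have hooked); the comparison itself is the simple part shown here, and the exclusion list is where false positives are managed.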

A sample RootkitRevealer report (screenshot):

[RootkitRevealer sample report]

You can learn more about rootkit attacks (and download RootkitRevealer) from the Sysinternals website:

http://www.sysinternals.com/Utilities/RootkitRevealer.html

Another detection utility for Windows users is BlackLight (from F-Secure).