WINDOWS ROOTKITS


What is a rootkit?


A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or to areas of its software that would not otherwise be allowed (for example, to an unauthorized user), and it often masks its own existence or the existence of other software.

The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.

So what can be hidden from an administrator with a Windows-based rootkit?

The quick answer is anything and everything. If you are an administrator and a well-written rootkit has been installed on your machine, you see only what the rootkit allows you to see with normal system tools.

The following items are commonly hidden using Windows rootkits:

• Processes
• Services
• Network connections
• Files and folders
• Registry entries
• User accounts
• Drivers
• Object Manager objects
• Pages of memory

It is important to note that not all rootkits hide all of these objects. The more a malicious hacker chooses to hide, the more complex and sophisticated the code has to be. Some rootkits are very small and are designed to hide only certain items: for example, the original FU rootkit hid only running processes, while the files backing those processes remained visible on disk. Compare this to the Hacker Defender rootkit for Windows, which can hide most of the items above.

Some rootkits provide additional services to the malicious hackers who install them. For example, some rootkits provide a built-in backdoor that can be connected to remotely, while others strive to go that extra mile for the miscreant by providing the ability to adjust the list of hidden files, folders, and processes; perform DoS attacks; fetch remote files; lie about the amount of free space on a volume; and reboot the system.

For example, Hacker Defender can alter the user’s view of the available disk space—this feature has often been used by hackers for setting up warez servers.

It is difficult to pinpoint exactly when rootkits were first used by malicious hackers when compromising Windows machines (after all, the goal of a rootkit is to allow the malicious hackers to go undetected for as long as possible).

Rootkit Types

• Application Level Rootkits: 

Application level rootkits operate inside the victim computer by replacing standard application files with rootkit files, or by changing the behavior of existing applications with patches, injected code, etc.

• Kernel Level Rootkits: 

The kernel is the core of the operating system, and kernel level rootkits are created by adding code to, or replacing portions of, the core operating system with modified code, via device drivers (on Windows) or Loadable Kernel Modules (on Linux). Kernel level rootkits can have a serious effect on the stability of the system if the kit's code contains bugs. Kernel rootkits are difficult to detect because they run with the same privileges as the operating system, and can therefore intercept or subvert operating system operations.

• Hardware/Firmware Rootkits:

Hardware/firmware rootkits hide themselves in hardware such as a network card, the system BIOS, etc.

• Hypervisor (Virtualized) Level Rootkits: 

Hypervisor (virtualized) level rootkits are created by exploiting hardware features such as Intel VT or AMD-V (hardware-assisted virtualization technologies). A hypervisor level rootkit hosts the target operating system as a virtual machine and can therefore intercept all hardware calls made by the target operating system.

• Boot loader Level (Bootkit) Rootkits: 

Boot loader level rootkits (bootkits) replace or modify the legitimate boot loader with their own, so that the bootkit is activated even before the operating system starts. Bootkits are a serious threat to security because they can be used to capture encryption keys and passwords.

Rootkit locations

\SystemRoot\System32\Drivers\ACPI.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32:18467
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\m
\SystemRoot\system32\drivers\userdump.sys
C:\:unreal.sys
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\system32\drivers\kmixer.sys
C:\Documents and Settings\User\Desktop\hxvariant\hxdef100r\hxdefdrv.sys
‘<drive letter>:\System Volume Information’ folder

Rootkit Symptoms

• AV stops working
• Windows settings change on their own, without user interaction
• Frozen input devices
• Increased bandwidth usage

Rootkit Detection

• Behavioral observation
• Error messages
• Logs
• Hidden devices in Device Manager
• Dumping memory
• Boot logging
• BootExecute registry entry
• Boot process snapshot comparison
• Port scan from another machine
• Namespace detection (WinObj.exe)
• pagefile.sys and hiberfil.sys analysis
• Increased file or folder size
• Hash comparison
• DNS Cache analysis
• Anomalous service names
• Anomalous service DLL paths
• Mismatched service names
• Scheduled tasks
• Prefetch directory
• Timestamp changes
• Traffic Analysis
• Hosts File Modification
• Collecting Interesting Files (ntuser.dat, index.dat, .rdp, .bmc files, Antivirus log files)

reg query HKLM\software\microsoft\windows\currentversion\run /s

reg query HKLM\software\microsoft\windows\currentversion\runonce /s

reg query HKLM\system\currentcontrolset\services /s
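Added example (not from the original post): a small Python script that audits the output of the services reg query above for the indicators listed under Rootkit Detection, namely services with no name, ImagePath or ServiceDll values loaded from outside System32, and paths that use an alternate data stream like the C:\:unreal.sys location listed earlier. The reg query text is a constructed sample, not a real capture, and the TRUSTED prefixes are an assumption; on a real host run the command with output redirected to a file and pass the file contents to audit_services().

```python
import re
# Constructed sample of "reg query HKLM\system\currentcontrolset\services /s" output, not a
# real capture: hxdefdrv.sys/unreal.sys mirror the page's locations, the Temp DLL is invented.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Beep
    DisplayName    REG_SZ    Beep
    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32\Drivers\Beep.SYS
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\hxdefdrv
    ImagePath    REG_EXPAND_SZ    C:\Documents and Settings\User\Desktop\hxdef100r\hxdefdrv.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\unreal
    DisplayName    REG_SZ    unreal
    ImagePath    REG_EXPAND_SZ    C:\:unreal.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wuauserv
    DisplayName    REG_SZ    Automatic Updates
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\Temp\wuauserv.dll
"""
# Assumed trusted homes for service binaries and service DLLs (compared lower-case).
TRUSTED = (r"\systemroot\system32", r"%systemroot%\system32", r"c:\windows\system32")

def parse_reg_query(text):
    """Turn 'reg query /s' output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):                 # key header line
            current = line.strip()
            keys[current] = {}
        elif line.startswith("    ") and current:    # "    Name    REG_TYPE    data"
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
    return keys

def audit_services(text):
    """Return (service, finding) pairs that deserve a manual look."""
    findings = []
    for key, values in parse_reg_query(text).items():
        service = re.split(r"\\services\\", key, maxsplit=1, flags=re.I)[1].split("\\")[0]
        if not key.lower().endswith("\\parameters") and "DisplayName" not in values:
            findings.append((service, "anomalous: service has no DisplayName"))
        for name in ("ImagePath", "ServiceDll"):
            if name in values:
                path = re.split(r" [-/]", values[name], maxsplit=1)[0].lower()  # strip " -k ..." args
                if re.search(r"^[a-z]:\\.*:", path):  # a second colon means an ADS
                    findings.append((service, f"{name} in alternate data stream: {path}"))
                elif not path.startswith(TRUSTED):
                    findings.append((service, f"{name} outside System32: {path}"))
    return findings
```

Services that legitimately run from Program Files will be flagged as well; treat the output as a triage list to check against hash comparison and the other indicators above, not as a verdict.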

CASE STUDY 

A customer had called Microsoft when suddenly one of their SQL servers started crashing on a fairly regular basis. The escalation engineer at Microsoft who debugged the crash dumps was stumped by what he eventually found. Somehow the device driver responsible for the crashes was nowhere to be found on the file system (because it was using its stealth techniques to hide), and we were not able to track down the company responsible for the driver by searching the Web (we were able to get the name of the driver and its contents from the memory dumps). Dumping the raw memory where the device driver was loaded revealed an interesting string, SLANRET, which eventually was used in the naming of the rootkit by the various AV vendors.

TOOLS USED TO DETECT ROOTKITS

Autoruns
RootkitRevealer
Process Explorer
Process Monitor (Procmon)
Process Hacker 2
HashMyFiles
ADSSpy
TCPView
TcpLogView
Volatility
CurrPorts
VMMap
AccessData FTK Imager
WinMerge


More Readings: 

https://www.bleepingcomputer.com/startups/rootkits/

https://heimdalsecurity.com/blog/rootkit/

