Understanding Rootkits And Ways To Avoid Them

[ritchie58]

Understanding Rootkits

 

 

 

 

 

 

 

By: Ken van Wyk

 

I've been reading a lot about undetectable malware and rootkits — and the like —recently. Without a doubt, these attack tools have been iteratively improving over the years. Like most such security "nasties," however, a bit of safe computing goes a long way. Let's explore a bit.

 

First off, let me explain what a rootkit is so we can consider the facts and not get caught up in the hype. A rootkit is a tool, or (more commonly) a collection of tools, that an attacker can install on a compromised computer. The functionality of rootkits vary tremendously from one version to the next, and they're available for just about any computer operating system and architecture in existence today.

 

What they have in common, however, is generally a small set of features:

 

1. they hide their (and the attacker's) presence on the compromised computer and
2. they enable the attacker to log back onto the compromised computer. Most rootkits include tools for removing historical indications the attacker has been on the computer as well, but I think of that as just one aspect of hiding their presence.

A subtle, but important, issue here is that rootkits typically don't have their own collection of tools for providing the attacker with elevated privileges, but they do require those elevated privileges to already be in place in order to install on a victim's computer. So the attacker has to somehow get elevated (e.g., root or administrator) privileges before a rootkit can be installed.

 

Ever since I first saw a rootkit installed a computer during a system compromise back in the 1994-1995 time frame, I've been watching them and following new rootkit technologies as they've been unleashed. The earliest rootkits accomplished their goals by replacing normal system tools on the victim.s computer with altered versions. Since most of the early rootkits were UNIX-based, their (altered) tools included login, ls, ps, df, netstat, and so on — tools a UNIX user or administrator would routinely run to look at files on a system, processes running in memory, disk utilization and so on. The rootkit versions of these tools did all of these things and more. Specifically, they carried out the features I described above.

 

Pretty soon after these started appearing, the IT Security community got wise and started running login, ls, ps, df, etc., from CD so they could be sure they.re using tools that haven.t been tampered with.

 

So, the attackers responded by modifying the underlying system shared libraries and leaving the tools intact. So, when ps runs, it returns a list of all the processes on the system, except for those owned by the attacker.not because it has been tampered with, but because the system calls it made returned erroneous information.

 

More recently, rootkits have been installed as kernel loadable modules and such. This has made things increasingly difficult for the IT Security folks to detect rootkits, since they keep going lower (in a software abstraction sense).

 

In fact, with modern microprocessor technology, any software — legitimate or malicious — can pass along deceptive or erroneous data to software that calls it, so long as it is the first in line. In other words, if your software loads first and intercepts system calls, then you can control what others see. If someone else comes along and can find a way to butt into the line, then they can control what others (and you) see. That's the nature of the beast, I'm afraid.

 

So what can we do about it? On the surface, the answer is simple (don't run a rootkit or allow one to be run on your computer), but in practice it's not quite so trivial. However, here are a few things that can help in preventing bad stuff from happening,:

 

• Make judicious use of privileges. Remember the principle of least privilege? Well, you need to put it into practice. If your users run with privileges on their desktops, then the environment is ripe — in fact, it is ideal — for malicious insertion of a rootkit. Users should be able to run software, but not install software. Likewise, when you're logged in as an administrator to do administrative things, that's all you should be doing.
• As much as I hate security patches, it's still important to stay up to date with them. Sure, we've all heard this a gazillion times, but unpatched systems provided rootkits with easy avenues of entry to your system. Remember I said most rootkits need to already have privileges in order to install? I'm constantly amazed by how many people don't run some form of Windows Update on their Windows desktops.
• Antivirus programs, firewalls, and — those things — are also important layers of security, of course.

Of course, those are just a few things that can be done. The list can't guarantee safety from rootkits and other malware, but it sure can go a long way to reducing the risk, if the recommendations are well-thought-out and implemented.

 

Did You Know...

A Blue Pill is an effective Hypervisor Rootkit that can do an on-the-fly install and simply shift your operating system from direct control of the physical computer to a virtualized state. [Source]

 

 

 

 

 

Key Terms To Understanding Rootkits rootkit

A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's Operating System has completely booted up.

 

malware

Short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.

 

security

In the computer industry, refers to techniques for ensuring that data stored in a computer cannot be read or compromised by any individuals without authorization. Most security measures involve data encryption and passwords.

 

 

Kenneth van Wyk, a 20-year veteran of IT security, is the prinicpal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.

 

[WacoJohn]

Understanding Rootkits

 

Great info, Ritchie. I just want to add .. a lot of Windows users create a user account WITH ADMINISTRATIVE privilages, usually when they first 'configure' Windows. That is the account they use the most .. if not exclusively.

 

I believe what they should do is create another user account .. which can ONLY RUN PROGRAMS .. they cannot install anything etc. Use an administrator account to 'ADMINISTER' and a 'user' account to enjoy your system. This satisfies the advice:

 

Make judicious use of privileges. Remember the principle of least privilege? Well, you need to put it into practice. If your users run with privileges on their desktops, then the environment is ripe — in fact, it is ideal — for malicious insertion of a rootkit. Users should be able to run software, but not install software. Likewise, when you're logged in as an administrator to do administrative things, that's all you should be doing.

 

I, myself, am guilty and I intend to create a restricted user account as soon as I post this.

[ritchie58]

You are correct WacoJohn. If your using a non-administrative account during normal day to day operation of your PC then you're a lot less likely to become infected with rootkits and other malware. Using the Administrator account only when you intend to make changes to your system such as installing, uninstalling and updating software is the best approach. Most people don't want to do this because it's a bit more of a hassle to switch between accounts but doing so does leave you less vulnerable to infection.

[sweidre]

Hi,

 

Adminstrative rights & not

Many years ago, when I used Win 95, I participated in the security forum Castle Cops, where I got the advice to create an extra account without administrative rights. Logging in to the new account, all my settings (profile) were gone, so it was like working in an empty OS without emails- or other program icons, or favorites etc. I tried to copy over the profile, but it failed due to to long names of favorites. So I skipped it! During my XP period, I did not even try. When I insatalled Win 7, I decided to create a limited account with the same profile, but in Win 7 I cannot find any profile to copy! So I have still only one account with administrator rights!

 

Rootkits

I searched in CNET & in FileHippo for "Rootkit" and found the following samples of softwares:

01. Antilogger

USD 23.95

CNET: 4 stars Users: 3.5 stars

02,Webroot AV with SpySweeper 20011

USD 39.95

CNET: N.A. Users: 2.5 stars

03. Avira AntiVir Personal Free AV

Freeware

CNET: 4.5 stars Users: 4 stars

04. ESET NOD32 4

USD 39.99

NET: 5 stars Users: 4 stars

05. ThreatFire Freeware

Freeware

CNET: 5 stars Users: 3 stars

06. RootKit Revealer ( by MS Sysinternals)

Freeware

07. Avast Free AV

Non-Commercial Freeware

08. Norton AV 2009

Commercial Trial

09. Emsisoft Anti-Malware

Commercial Trial

10. SuperAntSpyware 4.55.1000

Freeware (available for lifeime subscription USD 19.95, I think!)

 

The list is of course not complete! I tried to search for "Anti-Rootkit Review", but I found no hits. Important are the functions to online block rootkits to enter into the computer, offline scan the computer for existing rootkits and removal of them!

 

Cheers,

sweidre

PS. Personally I have ESET NOD32 4, SuperAntSpyware 4.55.1000 & Emsisoft Anti-Malware, whereof Emsisoft will expire in the beginning of September. DS

[ritchie58]

That's another reason a lot of people don't use separate accounts. If a program requires administrative privileges it will not function with a guest account. There is a work around for that though. I have included in the context menu the option, Run as Administrator, which allows me to run any program with administrator privileges while using the guest account. You can add that option to the context menu using Windows 7's GodMode. That is a list of good software that includes rootkit scanning capabilities Sweidre. One of the reasons I originally posted this is because Immunet's free version does not include rootkit detection and if one's companion AV does not have that capability as well then a dedicated third party rootkit scanner would be a must have for your anti-malware arsenal in my book.

[boombastik]

Hi Sweidre,just an ask,

U have in realtime protection eset,superantispyware,emsisoft,malwarebytes and immunet?

They work all together?

[sweidre]

Hi Sweidre,just an ask,

U have in realtime protection eset,superantispyware,emsisoft,malwarebytes and immunet?

They work all together?

Hi boombastik,

Yes, I have all these 5 security sotwares together both online (as shields in the system tray) and during computer scanning. Note, that Immunet is the Free cloud-based version with ClamAV disabled. If I have ClamAV activated, my computer becomes very slow (as chewing gum). None of these 5 security softwares have anything against each other. Anyhow, I wonder, if I should keep Immunet & Emsisoft. Both are reporting malwares, that turn out to be annoying false positives. (ESET, SuperantiSpyware & Malwarebytes do not report any annoying false positives at all). Emsisoft is very heavy (checking every activity in the computer), but is a superb blocker when enterring a bad site when surfing. I both hate & love Emsisoft (I have been used to the heavy behaviour of Emsisoft, and I know by experience how to cope with it). Immunet I will keep until the next release; if its bugs are not ironed out by then, I will consider to uninstall Immunet for good! Wait & see!

Cheers,

sweidre

[sweidre]

That's another reason a lot of people don't use separate accounts. If a program requires administrative privileges it will not function with a guest account. There is a work around for that though. I have included in the context menu the option, Run as Administrator, which allows me to run any program with administrator privileges while using the guest account. You can add that option to the context menu using Windows 7's GodMode. That is a list of good software that includes rootkit scanning capabilities Sweidre. One of the reasons I originally posted this is because Immunet's free version does not include rootkit detection and if one's companion AV does not have that capability as well then a dedicated third party rootkit scanner would be a must have for your anti-malware arsenal in my book.

Hi & thanks Ritchie,

I must further study how to find and use GodMode, for sure!

Cheers,

sweidre

[ritchie58]

Sweidre, Here is some info from CNET on GodMode and how to manually create the folder necessary for it to function. Click here. There is also a software program that will create the folder for you. That's what I used to create the folder but I can't remember where I got it from. CNET maybe. I'll check and if I find a download link I'll post that too.

[ritchie58]

I did remember correctly. CNET has the installer software to create the folder without having to go through creating and re-naming the folder manually. Which is really more convenient. Just download and run the program and it will create a desktop icon which looks like the Control Panel icon except it will say GodMode. Happy tweaking, click here to download.

[sweidre]

Hi Ritchie,

I have got the GodMode folder (very useful list!). I created a Standard account, but "Run as administrator" did not work properly, so I had to log in as an Admin and again log in as a Standard user. Back & forth! (What a hazzle!) So I am back as only Admin loggin again. I will try another time with a Standard account! (Now we have thunderstorms in Sweden everyday, so I am not using my computer much!)

Cheers,

sweidre

[WacoJohn]

Hi Ritchie,

I have got the GodMode folder (very useful list!). I created a Standard account, but "Run as administrator" did not work properly, so I had to log in as an Admin and again log in as a Standard user. Back & forth! (What a hazzle!) So I am back as only Admin loggin again. I will try another time with a Standard account! (Now we have thunderstorms in Sweden everyday, so I am not using my computer much!)

Cheers,

sweidre

 

 

One of my Immunet machines is XP HOME SP3. Godmode won't help me there. I have a question, though:

 

Add a RESTRICTED user account. Boot up, log in as Admin, then SWITCH (not log out) to Restricted Account. Now in Restricted account .. do programs continue to run in the Admin account or are they suspended (I did not LOG OUT of Admin account)? Anyone know?

 

Also .. when in Restricted Account, I tried a few programs set to 'run as administrator', but they would not run anyway (under restricted). Seems odd.

[sweidre]

Add a RESTRICTED user account. Boot up, log in as Admin, then SWITCH (not log out) to Restricted Account. Now in Restricted account .. do programs continue to run in the Admin account or are they suspended (I did not LOG OUT of Admin account)? Anyone know?

Also .. when in Restricted Account, I tried a few programs set to 'run as administrator', but they would not run anyway (under restricted). Seems odd.

Hi WacoJohn,

I have Win 7 Swedish version. I have two optional types of accounts: Aministatör or Standard. I think, that your expression RESTRICTED = to my expression STANDARD?! At shutdown after a session of swiching between Admin & Standard accounts, I get a question, if I want to log out from one of the accounts. So it seems, that swiching between accounts keep both logged in!? This must be further investigated! Is a logout or computer shutdown needed to get logged in as one single new user, puh!? Regarding "Run as Admistrator", I have the same problem as you!

Cheers

sweidre

[WacoJohn]

Hi WacoJohn,

I have Win 7 Swedish version. I have two optional types of accounts: Aministatör or Standard. I think, that your expression RESTRICTED = to my expression STANDARD?! At shutdown after a session of swiching between Admin & Standard accounts, I get a question, if I want to log out from one of the accounts. So it seems, that swiching between accounts keep both logged in!? This must be further investigated! Is a logout or computer shutdown needed to get logged in as one single new user, puh!? Regarding "Run as Admistrator", I have the same problem as you!

Cheers

sweidre

 

 

Yes, by 'restricted', I mean Standard (more restricted than Admin). When you start with one account, you can 'switch user' and open a 'session' as the other account. I THINK both sessions continue to run, but I am not sure. Of course if you LOG OUT the first account, and LOG IN the other account, the logged OUT account is 'finished' .. inactive, .. not running. That is how I ASSUME it works.

[sweidre]

Yes, by 'restricted', I mean Standard (more restricted than Admin). When you start with one account, you can 'switch user' and open a 'session' as the other account. I THINK both sessions continue to run, but I am not sure. Of course if you LOG OUT the first account, and LOG IN the other account, the logged OUT account is 'finished' .. inactive, .. not running. That is how I ASSUME it works.

Hi WacoJohn,

I used "change users" instead of "log out". By using "change users" or "Switch" users, as you call it, I was amazed, that every time I swiched user, his screen opened directly, as if it was hidden in the background waiting for activation. So I am quite sure, that if I am switching between "Admin" & "Standard" accounts, they are both hidden in the background & ready to open. What about security, if they are both activated? (One in the foreground and the other in the background?) I think LOG OUT & LOGIN is safter than SWITCH, but takes much longer time unfortunately! Why is "Run as Admin" working for Ritchie, but not for us? GodMode says nothing about this matter!

Cheers,

sweidre

[WacoJohn]

Hi WacoJohn,

I used "change users" instead of "log out". By using "change users" or "Switch" users, as you call it, I was amazed, that every time I swiched user, his screen opened directly, as if it was hidden in the background waiting for activation. So I am quite sure, that if I am switching between "Admin" & "Standard" accounts, they are both hidden in the background & ready to open. What about security, if they are both activated? (One in the foreground and the other in the background?)

 

But the question is ... when switched OUT, does that account continue to run programs that were running when switched or does processing for that account 'suspend'?

 

I think LOG OUT & LOGIN is safter than SWITCH, but takes much longer time unfortunately!

 

Probably is more safe .. since logging out shuts down 'computing' for that account.

 

Why is "Run as Admin" working for Ritchie, but not for us? GodMode says nothing about this matter!

Cheers,

sweidre

 

I am not sure. I think it might depend on the program I am trying to run. I will have to work with it some more and try to figure it out.

[sweidre]

But the question is ... when switched OUT, does that account continue to run programs that were running when switched or does processing for that account 'suspend'?

Comments by sweidre: An reply to this matter, is to run a program like: procexp, ProcessHacker, Security Express Explorer, etc.

Probably is more safe .. since logging out shuts down 'computing' for that account.

Comments by sweidre: Probably more safe, but more time-consuming!

I am not sure. I think it might depend on the program I am trying to run. I will have to work with it some more and try to figure it out.

Comments by sweidre: When I click on "Run as Admin", I get a popup saying, that I must login as an admin!

Cheers,

sweidre

[WacoJohn]

When I click on "Run as Admin", I get a popup saying, that I must login as an admin!

 

 

I got the same thing .. but here is the thing .. I can't remember if ADMIN was already LOGGED IN and I did a SWITCH USER or did I log off ADMIN and login STANDARD. I am wondering if that has something to do with it. Have to 'fool' with it again later.

[duncan]

More rootkits on the way by the looks of the turf war erupting:

http://www.theregister.co.uk/2011/08/10/rootkit_turf_wars/

[WacoJohn]

More rootkits on the way by the looks of the turf war erupting:

http://www.theregister.co.uk/2011/08/10/rootkit_turf_wars/

 

Looks like it. I hope Zemana and others know 'all about' this .. and are developing for it.

[sweidre]

Looks like it. I hope Zemana and others know 'all about' this .. and are developing for it.

Hi,

I have seen a lot of softwares, that are said to block, find & eliminate rootkits! I have my doubts about them all, until I have come across an objective review (comparison) of the so called anti-rootkits!

Cheers,

sweidre

[WacoJohn]

Hi,

I have seen a lot of softwares, that are said to block, find & eliminate rootkits! I have my doubts about them all, until I have come across an objective review (comparison) of the so called anti-rootkits!

Cheers,

sweidre

 

 

Any possibility of a link to that comparison? I would like to read it.

[sweidre]

Any possibility of a link to that comparison? I would like to read it.

Hi WacoJohn,

I have by Google search tried many times to get hold of on any objective review (comparison) of (between) all sorts of so called anti-rootkits, but I have not found any!

Until now, I have got no hits! So, I wonder, if any member of the forum has seen any reviews?!

Cheers,

sweidre

[WacoJohn]

Hi WacoJohn,

I have by Google search tried many times to get hold of on any objective review (comparison) of (between) all sorts of so called anti-rootkits, but I have not found any!

Until now, I have got no hits! So, I wonder, if any member of the forum has seen any reviews?!

Cheers,

sweidre

 

I'm sorry. I misinterpreted your post. I thought you DID find a good review. Thank you anyway.