Malicious software (malware), including viruses, Trojan horses, and spyware, has become an epidemic over the past few years. Statistics show that an unpatched Windows XP Service Pack 1 (SP1) machine is infected within minutes of being connected to the Internet, and downloading software or even just visiting certain Web sites can introduce undesirable software onto your system. Fortunately, the defenses against this plague are constantly improving, with a sound security shield consisting of an antivirus tool, an antispyware solution, a firewall, and up-to-date patches. However, a technology called root kits threatens to change the security landscape and make the task of validating that a computer is clean of malware difficult or even impossible.
Root kit is a term loosely applied to cloaking techniques. When malware utilizes a root kit, it can make itself invisible to security systems, including antivirus tools and system-diagnostic tools such as Task Manager. Let's look at common root kit mechanisms, methods, and utilities you can use to try to detect the presence of a root kit and at what you should do if you find a root kit on your system.
Growing Threat
Root kits have been around since the early 1990s but were solely the domain of Unix variants until the late '90s, when the Windows developer community began exploring root kit techniques and several programmers published root kit toolkits that other programmers could modify and extend. Some of the toolkits are so well packaged that all a malware author has to do to take advantage of the root kit's cloaking is to make a few changes to a configuration file and bundle it with the malware.
The Web site http://www.rootkit.com has become the central meeting place for root kit developers, including those who claim to be working to defeat root kits, in some cases in the counterintuitive and somewhat controversial manner of publishing root kits themselves. The root kits published at Rootkit.com include Vanquish, FU, Afx Rootkit 2005, NT Rootkit, and Hacker Defender.
Given that root kits are so easy to access, it's surprising that more hackers haven't used them to cloak the viruses they've unleashed over the last several years. It's even more surprising that spyware and adware developers haven't used root kits to deeply embed their software into a system. Microsoft Customer Service and Support (CSS—a new organization that encompasses Microsoft Product Support Services) and antivirus companies do discover root kits installed on customer systems, but relatively rarely.
However, root kits have recently received a great deal of media attention as researchers have realized that they represent the next battleground in the malware war. That publicity, although alerting end users to the dangers of root kits, has also advertised the power of root kits to the malware community, which will begin to utilize root kits to combat the growing effectiveness of traditional antivirus and antispyware solutions. There will soon be viruses, spyware, and adware that you'll be unable to delete from your computer without reformatting it and reinstalling the OS.
Root Kit Basics
Early root kits took the relatively unsophisticated approach of replacing core system utilities with versions that hide malware files and processes. For instance, the root kit version of the Unix utility to list active processes, ps, omitted the malware process from the list of those obtained from the kernel, and the Unix directory-listing utility, ls, did the same for malware files in directory listings.
As system utilities became more sophisticated and third-party utilities and antivirus solutions proliferated, the simple file-replacement technique for root kits lost its viability. Writing replacements for Task Manager, Tasklist, and all the other process-listing tools commonly used on Windows systems would require a significant amount of work on the part of a root kit author, and all the work would be for nothing if a user ran an uncompromised utility such as a virus scanner or different process-listing tool.
Root kit developers have therefore gotten more sophisticated, attacking not specific applications, but the APIs that these applications use to obtain information. By intercepting the API by which an application retrieves the list of active processes and removing the malware process from the returned list as it's handed back to the application, the root kit hides itself from Task Manager and other process-listing utilities that use the API directly or indirectly. Modern root kits use this technique to hide files, directories, registry keys and values, Windows services and device drivers, TCP/IP ports, user accounts, and processes. Of course, root kits generally exempt malware processes from the modified system view so that the malware can have full control of the system.
Figure 1 shows the popular root kit Hacker Defender in action. Hacker Defender consists of a configuration file and an executable image. When you run hxdef.exe, it cloaks the files, directories, drivers, services, processes, and TCP/IP ports you list in the configuration file. The default configuration file cloaks any of these items that contain the string hxdef in their name. Thus, in the second listing, the directory appears to be empty.
Windows has several API layers, as Figure 2 shows, and different root kits attack different layers, depending on the root kit's level of sophistication. Higher level APIs are better documented and easier for root kits to intercept, but intercepting lower level APIs provides a more thorough cloak; for example, a root kit that cloaks at the Windows API layer isn't effective against an application that obtains its information directly from the native API.
User-mode root kits can cloak any process that runs in the account in which the malware launches but are most effective when run in an account that has the Debug Programs privilege. The Administrators group has this privilege by default, which enables the root kit to infect any and all processes on the system, including those that might be running in the Local System account, such as antivirus and antispyware processes. Thus, root kits are one more reason to follow the security best practice of running as an unprivileged user whenever possible.
The most powerful root kits are kernel-mode root kits. However, kernel-mode root kits require that the malware run in an account that has the ability to install a device driver and therefore won't work from within an unprivileged user account the way user-mode root kits can. Kernel-mode root kits require a great deal of knowledge to implement and must be carefully coded because a bug will crash the OS. The last thing a root kit author wants to do is to draw attention to the root kit by having it crash an application or computer.
Previous
Register
