rootkit_info.html
<html>
<meta name="robots" content="noindex,nofollow"/>
<a href=index.html>Back to home</a>
<hr/>
source: CEH v. 12
<h1>Hiding Files</h1>
<p>After an attacker has performed operations on the target system to gain escalated privileges, the malicious programs have to be hidden. A <b>rootkit</b> can be used for this. Protective applications such as antivirus, antimalware and antispyware will not be able to detect it. A rootkit allows the
attacker to maintain direct access to the system, even in the future, without the victim knowing about it.<br/>
A <b>rootkit</b> is a software program designed to gain access to a computer without being detected. The goal is to gain root privileges on the system. It works by exploiting vulnerabilities in the OS and its applications. It builds a backdoor login process into the OS through which the attacker
can evade the standard login process.<br/>
With root access, a rootkit may attempt to hide the traces of unauthorized access by modifying drivers or kernel modules and discarding active processes. A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots etc.</p>
<p>The attacker places a rootkit by:</p>
<ul>
<li>Scanning for vulnerable computers and servers on the web</li>
<li>Wrapping the rootkit in a special package like a game</li>
<li>Installing it on public or corporate computers through social engineering</li>
<li>Launching a zero-day attack</li>
</ul>
<p>Objectives of a rootkit:</p>
<ul>
<li>To root the host system and gain backdoor access</li>
<li>To mask the attacker's tracks and the presence of malicious applications or processes</li>
<li>To gather personal information, sensitive data, network traffic etc. from the system</li>
<li>To store other malicious programs and act as a server resource for bot updates</li>
</ul>
<h1>Six types of rootkits</h1>
<ol>
<li>Hypervisor-level rootkit</li>
<li>Hardware/Firmware rootkit</li>
<li>Kernel-level rootkit</li>
<li>Boot-loader-level rootkit</li>
<li>Application-level / User-mode rootkit</li>
<li>Library-level rootkit</li>
</ol>
<p>1. A <b>Hypervisor-level</b> rootkit is created by exploiting hardware virtualization features such as Intel VT and AMD-V. These rootkits run in Ring-1 and host the OS of the target machine as a virtual machine, intercepting all hardware calls made by the
target OS. This kind of rootkit works by modifying the system's boot sequence so that it is loaded instead of the original virtual machine monitor.</p>
<p>2. A <b>hardware/firmware</b> rootkit uses devices or platform firmware to create a persistent malware image in hardware, such as a hard drive, the system BIOS or a network card. The rootkit hides in firmware because users do not inspect firmware for code integrity.</p>
<p>3. A <b>kernel-level</b> rootkit uses the core of the OS: the kernel. A kernel-level rootkit runs in Ring-0 with the highest OS privileges. These rootkits add backdoors to the computer and are created by writing additional kernel code, or by
substituting portions of kernel code with modified code via device drivers in Windows or loadable kernel modules in Linux. If the kit's code contains mistakes or bugs, a kernel-level rootkit affects the stability of the whole system. Because these rootkits have the same
privileges as the OS, they are difficult to detect and can intercept or subvert the operation of the OS.</p>
<p>4. A <b>boot-loader-level</b> rootkit functions either by modifying the legitimate boot loader or by replacing it with another one. The bootkit can activate even before the OS starts. Bootkits are serious threats to security because they facilitate
the theft of encryption keys and passwords.</p>
<p>5. An <b>application-level / user-mode</b> rootkit runs in Ring-3 as a user along with the other applications on the system. It exploits the standard behavior of APIs. It operates inside the victim's computer by replacing standard
application files (binaries) with rootkit versions, or by modifying the behavior of existing applications with patches, injected malicious code etc.</p>
<p>6. A <b>library-level</b> rootkit works high up in the OS and usually patches, hooks or supplants system calls with backdoored versions to keep the attacker unknown. It replaces original system calls with fake ones to hide information about the attacker.</p>
<h1>How a rootkit works</h1>
<p><b>System hooking</b> is the process of changing and replacing an original function pointer with a pointer provided by the rootkit, in stealth mode. Inline function hooking is a technique in which a rootkit changes some of the bytes
of a function inside the core system DLLs (kernel32.dll and ntdll.dll), placing an instruction so that any process call hits the rootkit first. Direct kernel object manipulation (DKOM) rootkits can locate and manipulate the "system"
process in kernel memory structures and patch it. DKOM can also hide processes and ports, change privileges and mislead the Windows Event Viewer by manipulating the OS's list of active processes, thereby
altering data inside the process identifier structures. It can obtain read/write access to the \Device\PhysicalMemory object. It hides a process by unlinking it from the process list.</p>
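<p>A process unlinked from the kernel's process list (the DKOM technique above) disappears from the normal listing but is still reachable through other kernel paths; a classic defensive check is a cross-view comparison. The script below is an added example for these notes, not part of the CEH material: on Linux it compares the PIDs visible under <code>/proc</code> with the PIDs that answer a <code>kill(pid, 0)</code> probe, and reports any that are alive yet unlisted. The pid_max fallback of 32768 and the two-pass confirmation are this example's own choices.</p>

```python
"""Cross-view hidden-process check (added example, not from the original notes).
A PID that is alive according to kill(pid, 0) but absent from /proc is a
discrepancy worth investigating: this is how unlinked processes are spotted."""
import os


def pid_alive(pid: int) -> bool:
    """Probe a PID with signal 0. No signal is delivered; the kernel only reports
    whether the PID exists (EPERM means it exists but belongs to another user)."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def listed_pids(proc_root: str = "/proc") -> set:
    """PIDs in the 'normal' view: numeric directory entries under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def find_hidden_pids(visible, alive, max_pid: int) -> list:
    """Pure comparison: every PID in 1..max_pid that is alive but not visible.
    `visible` is a set of PIDs, `alive` a predicate, so both can be supplied
    from constructed data for testing."""
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in visible and alive(pid))


def scan_live_system(passes: int = 2) -> list:
    """Run the cross-view check on this host. A process created between the
    /proc listing and the probe would look hidden for one pass, so only PIDs
    flagged in every pass are reported. 32768 is a constructed fallback pid_max."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read().strip())
    except OSError:
        max_pid = 32768
    confirmed = None
    for _ in range(passes):
        found = set(find_hidden_pids(listed_pids(), pid_alive, max_pid))
        confirmed = found if confirmed is None else confirmed & found
    return sorted(confirmed)


if __name__ == "__main__":
    hidden = scan_live_system()
    print("hidden PIDs:", hidden if hidden else "none found")
```

<p>A hit from this check is a lead, not proof: confirm it against a third view (for example a memory image or a trusted live-response tool) before acting on it.</p>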
<hr/>
<h1>Popular rootkits</h1>
<ul>
<li>Purple Fox rootkit (distributed via a fake malicious Telegram installer)</li>
<li>MoonBounce (UEFI firmware bootkit)</li>
<li>Demodex rootkit</li>
<li>Moriya</li>
<li>iLOBleed</li>
<li>Netfilter</li>
<li>Skidmap</li>
</ul>
<h1>Rings</h1>
<p>There are four hierarchical levels, called protection rings, that define the rights that programs have when executed by the CPU. Programs placed on a higher ring cannot influence the apps on the lower rings.</p>
<ul>
<li>Ring 0: kernel mode; the "real" rootkits start from this layer. They live in kernel space, altering the behavior of kernel-mode functions. A specific variant of kernel-mode rootkit that attacks the bootloader is called a bootkit.</li>
<li>Ring 1: running on the lowest level, the hypervisor, which is basically firmware. The kernel of a system infected by this type of rootkit is not aware that it is interacting not with real hardware but with an environment altered by the rootkit.</li>
<li>Ring 2: programs with low-level access permissions. Implanting malware in ring 2 means having control over all user applications on ring 3.</li>
<li>Ring 3: user mode; the most common and easiest to implement. It uses relatively simple techniques, such as IAT and inline hooks, to alter the behavior of called functions.</li>
</ul>
<p>The rule is that a rootkit running in a lower layer cannot be detected by any rootkit-detection software running in the layers above it.</p>
<h1>Remediation</h1>
<p>Rootkits (especially the low-level types) are very difficult to detect. Casual users may never even notice that they have been infected, and removing the threat manually is almost impossible. This type of malware
may even hide from typical antivirus programs. Only specialized anti-rootkit software can help in such cases. However, even that may not give 100% protection against unknown rootkits written by professionals and based on custom
and novel ideas. That is why a full reinstallation of the system is sometimes necessary (and even that may not help in the case of UEFI rootkits). Malicious rootkits are the most dangerous type of malware. They may stay in the system for a long time,
carrying on their mission without being noticed. During this time, the user is exposed to any type of malicious activity planned by the attackers.</p>