by x32x01 (Administrator)
A rootkit is malicious software that gives an unauthorized user privileged access to a computer and to restricted areas of its software while hiding its own presence. A rootkit may bundle a number of malicious tools, such as keyloggers, banking credential stealers, password stealers, antivirus disablers, and bots for DDoS attacks. The software remains hidden on the computer and gives the attacker remote access to it.
There are a number of types of rootkits that can be installed on a target system. Some examples include:
User-mode or Application Rootkits:
User-mode rootkits run as ordinary user-level tasks, usually by injecting into existing processes, overwriting application memory with their own contents, or both. They are relatively easy to detect because they operate at the same layer as anti-virus programs. Application rootkits are installed as a shared library and operate at the application layer, where they can modify application and API behavior, for example by hooking the library functions a process uses to list files or processes.
Kernel-mode Rootkits:
Moving down in abstraction, these rootkits modify the operating system itself (the kernel, its drivers, or both) and are therefore substantially harder to detect and eradicate, because they can conceal themselves more comprehensively. Implemented as a kernel module or driver, they run with the kernel's own privileges and can control every process on the system, so any user-space tool that asks the kernel what is running is asking code the rootkit may have altered. In addition to being difficult to detect, kernel-mode rootkits can also affect the stability of the target system: a bug in kernel code crashes the whole machine rather than a single process.
Bootkits or Bootloader Rootkits:
These rootkits gain control of a target system by infecting its Master Boot Record (MBR) or other early boot code. Bootkits allow a malicious program to execute before the target operating system loads, so the operating system is already under the attacker's control by the time any OS-based defense starts.
Hypervisor Rootkits:
Still lower in abstraction, these rootkits modify or replace a hypervisor used to govern virtual machines, each of which runs its own operating system on a shared host. They install themselves between the hardware and the kernel and present themselves as the real hardware, so they can intercept the communication and requests between the hardware and the host operating system. Common detection applications that run in user or kernel mode are not effective in this case, because the kernel cannot tell whether it is executing on legitimate hardware or inside a malicious hypervisor. At present, rootkits of this type are not known in the wild, but proof-of-concept examples have been developed.
Firmware Rootkits:
These are extraordinarily difficult to address because they are, in a practical sense, embedded in the hardware itself, for instance in a computer's BIOS or a router's firmware, and hence cannot be eliminated even by replacing the operating system completely. In some cases, reflashing the firmware from a trusted image or replacing the hardware may be the only plausible solution. A firmware rootkit alters the firmware of hardware that runs its own code to perform specific functions, such as the BIOS, CPU and GPU. Reaching from kernel level down to firmware level requires an advanced rootkit, and partly for that reason firmware integrity checks are performed very rarely, which is exactly what allows a firmware rootkit to persist unnoticed.
Major Rootkit Investigative Detection Techniques
Fortunately, as usual in security, it is more of an arms race than a one-sided victory. While rootkits have become more sophisticated and diverse, so have the tactics and tools available to deal with them. A number of rootkit detection methods are available, including:
1. A Trusted Host (for analysis):
To get around the problem of a compromised OS that may have been modified to conceal a rootkit, use a different, known-clean host to do the analysis: mount the suspect disk on that host, or boot the suspect machine from read-only media such as a CD, which cannot be overwritten or compromised by the infected OS. Bear in mind that this sidesteps user-mode, kernel-mode and bootloader rootkits, which never get to run, but not a firmware rootkit, which executes before the trusted boot medium is even loaded.
2. Signature-Based:
This is the most common technique for malware detection. However, it is the least effective, since it only catches rootkits that have already been identified and are widespread: signatures from known rootkits are matched against the system to see whether any of them are present. A new or customized rootkit produces no match.
3. Behavior-Based:
Once installed, rootkits change system behavior in subtle ways that are sometimes detectable. For instance, API calls may take longer, because a hooked call does extra work before returning, and CPU utilization may climb. Some rootkit-detection software or appliances can identify abnormal behavior on a computer system based on heuristics and behavioral patterns derived from activities typically found in rootkits. The advantage of the behavior-based technique over the signature-based one is that it may detect previously unknown rootkits, at the cost of more false positives.
NOTE:
You can use a known clean system with otherwise identical hardware and software to establish baselines for comparison, which aids in rootkit detection.
4. Integrity Checking:
The idea here is to compare key files or Windows registry entries on a suspect host with clean copies to see whether they have been changed in any way. Integrity checks detect unauthorized code alteration in system files. First, while the system is still clean, run a one-way (cryptographic hash) function over every system file and store the results as a baseline. When the need arises, hash the current versions and compare them against the baseline hashes; any mismatch points to a modified file. Two caveats: the baseline must be stored where the suspect system cannot alter it, and the comparison is most trustworthy when run from a trusted host (technique 1), since a kernel-mode rootkit can present the original file contents to a hashing program running on the infected OS.
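The baseline-and-compare procedure above, as an added example that is not part of the original post: a small Python tool that hashes every regular file under a directory with SHA-256, keeps the baseline as JSON, and later reports modified, missing and added files. The directory layout (bin/, lib/), the file names and their contents are constructed here for the demonstration.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not code from the original post. The tree layout (bin/, lib/)
# and the file contents below are constructed for the demonstration.


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    snapshot: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks: hashing the link target would let a redirected
            # link masquerade as the original file.
            if p.is_symlink() or not p.is_file():
                continue
            snapshot[p.relative_to(root).as_posix()] = hash_file(p)
    return snapshot


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the clean baseline and the current snapshot."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF clean ls (constructed)")
        (root / "bin" / "ps").write_bytes(b"\x7fELF clean ps (constructed)")
        (root / "lib" / "libc.so").write_bytes(b"\x7fELF clean libc (constructed)")

        # Step 1: hash everything while the system is known to be clean. The JSON
        # round trip stands in for storing the baseline on read-only or off-host
        # media; a baseline kept on the suspect disk can be rewritten by the rootkit.
        stored = json.dumps(build_snapshot(root), indent=1)
        baseline = json.loads(stored)

        # Simulated compromise: a trojaned ps that hides processes, plus a new
        # shared library dropped in for preloading into other processes.
        (root / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps (constructed)")
        (root / "lib" / "libevil.so").write_bytes(b"\x7fELF injected library (constructed)")

        # Step 2: hash the current state and diff it against the baseline.
        return compare(baseline, build_snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {paths or '-'}")
```

In practice the baseline goes on read-only or off-host media and the check is run from a trusted boot, since a kernel-mode rootkit on the live system can hand the hashing program the original file contents and the check will report nothing.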
5. Difference-based:
Are the installed binaries on disk identical to their RAM-resident counterparts in a running system? If not, that is a bad sign (though false positives are also possible). The difference-based or cross-view approach is used mostly to detect kernel-mode rootkits by obtaining the same information (the list of processes, files or kernel modules, say) through two different routes and comparing the results: one view comes from the normal system utilities and APIs, the other from walking the underlying data structures directly. A rootkit that hooks only the high-level route leaves a discrepancy, and a difference between the two views signals its presence.
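The cross-view idea above, as an added example that is not part of the original post: a Linux process check in Python that compares the PIDs a directory listing of /proc reports (the route ps and top take, and the one a readdir hook filters) against the PIDs found by probing every candidate with kill(pid, 0), which the kernel answers without going through /proc. The function names and the 65536-PID probing cap are choices made here for the demonstration.

```python
from __future__ import annotations

import os

# Added example, not code from the original post. The function names and the
# 65536-PID probing cap are choices made here for the demonstration.


def pids_from_proc_listing() -> set[int]:
    """High-level view: PIDs that appear in a directory listing of /proc.
    This is the route ps, top and most tools take, and the one a rootkit
    that hooks readdir/getdents filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probing(max_pid: int) -> set[int]:
    """Low-level view: ask the kernel about every candidate PID individually.
    kill(pid, 0) delivers no signal; success or EPERM means the PID is in use,
    ESRCH means it is not. Nothing here reads /proc, so a listing hook is bypassed."""
    alive: set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but belongs to another user
        alive.add(pid)
    return alive


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """Cross-view result: PIDs the kernel confirms but the listing omits."""
    return probed - listed


def read_pid_max(default: int = 32768) -> int:
    """Upper bound on PIDs on this host; falls back to a default off Linux."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return default


def scan(cap: int = 65536) -> set[int]:
    """Take the listing before and after probing, so a process that starts or
    exits during the scan is usually not reported. A very short-lived process
    can still slip through, so rerun before trusting a hit."""
    max_pid = min(read_pid_max(), cap)
    before = pids_from_proc_listing()
    probed = pids_by_probing(max_pid)
    after = pids_from_proc_listing()
    return hidden_pids(before | after, probed)


if __name__ == "__main__":
    if not os.path.isdir("/proc"):
        raise SystemExit("this check needs a Linux-style /proc")
    hits = scan()
    print("hidden PIDs:", sorted(hits) if hits else "none")
```

This catches a rootkit that filters the listing but leaves the kernel's own PID table alone. A kernel-mode rootkit that unlinks the process from the task list entirely answers both routes consistently, which is why detection tools pair this user-space check with walking kernel structures or with an offline memory dump.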
6. Memory Dumps:
Rootkit detection can also be accomplished by analyzing memory dumps, because a rootkit inspected offline has no chance to detect and block the analysis. Getting a trustworthy dump may, however, require separate hardware, since a dump taken by the infected OS can itself be tampered with.
To stay on top of threats like these, should they be released in the wild, you need to keep current and updated, and when a new class of security solutions for rootkit detection emerges, you need to learn it.
What are your thoughts, views and opinions about these techniques for detecting rootkits?