Rootkit is a common word in Computer Security. A word often spoken to describe a bad, very bad type of malware.
A rootkit is a program that can be installed and hidden on a computer without the knowledge of its user. It can be included in a larger software package, installed by successfully exploiting vulnerabilities, or run by convincing the victim to execute it through a phishing email.
Generally, books and magazines talk about rootkits, but do not go deep into describing them. The subject is quite complex and requires a dose of programming skill to be completely understood.
Our intention is to approach the matter in a “friendly way” in order to offer a vision of the whole picture even to a reader without programming knowledge… So keep your seatbelt fastened, we are flying to the rootkit land.
Rootkit Evolution
Rootkits became known to the world at the end of the last century. The purpose of the rootkit, at the time, was to conceal additional programs that would allow an attacker to "sniff" or spy on the traffic to and from a computer.
They earned the name “rootkits” because they were mainly used on Unix derived computer systems where the top-level administrative account is called “root”. Thus to “root” a system is to obtain top-level administrative privileges and hence obtain full control of the system.
Later, however, this kind of tool grew in sophistication and changed its targets.
Windows users have become the primary targets, and rootkits have risen through the ranks of the cybercriminal world.
Today rootkits have improved immensely, to the point that many of them are now much more difficult to detect. Some are now "all-in-one" malware with a large number of features. Additionally, many current rootkits have the ability to capture sensitive information and to help cybercriminals create and manage gigantic botnets.
These botnets can then be used in a variety of ways, including spam forwarding and extortion. In this evolution, rootkit functionality, infection strategies and persistence mechanisms have changed greatly. However, the core purpose remains to assume full control of the machine by downloading additional malware.
Rootkits today appear as very flexible malware. This flexibility is evident by looking at the features they have inherited from other classes of malware, such as loggers, Trojans and stealers.
Traditionally, rootkits were not necessarily malicious per se: they hid other illegal activities, but their deployment was limited by the need for a multistage infection, first the rootkit, then the Trojan or the keylogger.
Today, instead, an attacker may be able to access information, monitor actions, modify programs, or inject other types of malware through the rootkit itself.
In some circumstances, rootkits today can be mistaken for Trojan horses. Technically rootkits are not Trojans, but their level of functionality is now equal (or better), and when an attacker has no special needs, a rootkit can be used for the same purpose.
The latest rootkits are now capable of subverting the memory of other applications running on the system, presenting those applications with a false view of the underlying system. This effectively hides the rootkit from any antivirus scanning software.
To combat these threats, defenders have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts.
Unfortunately, malware developers are well informed about how a malware analyst works, what kind of tools he uses and which techniques are normally applied to check a system for malware.
Over time, malware writers have developed several techniques to divert and avoid analysis of their "creatures" by the good guys.
One of these techniques is the use of the so-called "antis", a slang term for a series of pieces of code used to detect and then evade the tools used by malware analysts, for example:
- Anti-Sandbox
- Anti-virtualization
- Anti-antivirus
The code snippet below (Snippet 1) shows an example of "antis".
For these reasons, analysis in the presence of a rootkit should be performed in cycles, trying to avoid false patterns or false discriminatory elements.
' anti sandboxie / cw sandbox / vmware by t0fx
Snippet 1 – Example of “antis”
Rootkits Internals
The strength of a rootkit is its ability to hide itself. In fact, it can become invisible to the user, to application programs and to the entire operating system without losing its abilities.
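One way a defender can catch this kind of hiding is a cross-view check: compare what a user-mode process listing shows with what the kernel admits when each PID is probed directly. The script below is an added example, not code from the article; it assumes a Linux host with /proc mounted and the default pid_max location.

```python
import os

# Added example (not from the article): a cross-view check for hidden
# processes on Linux. A rootkit that hooks the directory-listing path of
# /proc can hide a process from tools like `ps`, but the kernel still
# answers a direct probe of that PID, so the two views disagree.

PID_MAX_FALLBACK = 32768          # assumption: used if pid_max is unreadable


def read_pid_max():
    """Upper bound for the probe; falls back when /proc is unavailable."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def listing_view():
    """PIDs as a user-mode tool sees them: readdir() on /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Ask the kernel directly: signal 0 checks existence only."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True               # exists, just owned by another user
    except ProcessLookupError:
        return False


def probe_view(pid_max):
    """PIDs found by probing every PID in range, bypassing readdir()."""
    return {pid for pid in range(1, pid_max + 1) if pid_exists(pid)}


def cross_view_diff(listed, probed, recheck):
    """PIDs the kernel knows but the listing omits. `recheck(pid)` is run
    again on each candidate so processes that simply exited between the
    two enumerations are not reported as hidden."""
    return {pid for pid in probed - listed if recheck(pid)}


if __name__ == "__main__":
    probed = probe_view(read_pid_max())   # probe first, then list: a process
    listed = listing_view()               # that starts in between is never flagged
    hidden = cross_view_diff(listed, probed, pid_exists)
    print("hidden PIDs:", sorted(hidden) or "none")
```

Run it as root; on a /proc mounted with hidepid=, the listing legitimately omits other users' processes and the check will report them as hidden.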
Read more: http://www.chmag.in/article/dec2012/rotten-core%E2%80%A6a-roundup-rootkits