Windows Root kits a stealthy threat

#1 Senior Member (joined Oct 2002, 181 posts)

    Windows Root kits a stealthy threat

    I found this today on www.theregister.co.uk

    Windows Root kits a stealthy threat
    By Kevin Poulsen, SecurityFocus Online
    Posted: 07/03/2003 at 10:53 GMT


    Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning, say SecurityFocus' Kevin Poulsen.

    Barron Mertens admits to being puzzled last January when a cluster of Windows 2000 servers he runs at an Ontario university began crashing at random. The only clue to the cause was an identical epitaph carved into each Blue Screen of Death, a message pointing the blame at a system component called "ierk8243.sys." He hadn't heard of it, and when he contacted Microsoft, he found they hadn't either. "We were pretty baffled," Mertens recalls. "I don't think that cluster had bluescreened since it was put into production two years ago."

    Mertens didn't know it at the time, but the university network had been compromised, and the mysterious crashes were actually a lucky break -- they gave away the presence of an until-then unknown tool that can render an intruder nearly undetectable on a hacked system. Now dubbed "Slanret", "IERK," and "Backdoor-ALI" by anti-virus vendors, experts say the tool is a rare example of a Windows "root kit" - an assembly of programs that subverts the Windows operating system at the lowest levels, and, once in place, cannot be detected by conventional means.

    Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system. Conventional backdoors like SubSeven and BO2K operate in "user mode", which is to say, they play at the same level as any other application running on the compromised machine. That means that other applications - like anti-virus scanners - can easily discern evidence of the backdoor's existence in the Windows registry or deep among the computer's files.

    In contrast, a root kit hooks itself into the operating system's Application Program Interface (API), where it intercepts the system calls that other programs use to perform basic functions, like accessing files on the computer's hard drive. The root kit is the man-in-the-middle, squatting between the operating system and the programs that rely on it, deciding what those programs can see and do.

    It uses that position to hide itself. If an application tries to list the contents of a directory containing one of the root kit's files, the malware will censor the filename from the list. It'll do the same thing with the system registry and the process list. It will also hide anything else the hacker controlling it wants hidden - MP3s, password lists, a DivX of the last Star Trek movie. As long as it fits on the hard drive, the hidden cargo doesn't have to be small or unobtrusive to be completely cloaked.

    Slanret is technically just one component of a root kit. It comes with a straightforward backdoor program: a 27 kilobyte server called "Krei" that listens on an open port and grants the hacker remote access to the system. The Slanret component is a seven kilobyte cloaking routine that burrows into the system as a device driver, then accepts commands from the server instructing it on what files or processes to conceal. "The stealth driver in my mind is the scary concept," says Mertens. "You can hide an elephant with it."

    Root kits are old hat in the Unix and Linux world, but are rarely found on hacked Windows hosts. "They're a scary thing," says Marc Maiffret, chief hacking officer at California-based security software-maker eEye. "In Unix that's been going on for ages, but the backdoors for Windows NT have always been trivial. I've always wondered why this isn't happening."


    Greg Hoglund, a California computer security consultant, believes intruders have been using Windows root kits covertly for years. He says the paucity of kits captured in the wild is a reflection of their effectiveness - not slow adoption by hackers. "It's happening now," says Hoglund. "People don't realize that it's happening, but in the next two or three years we're going to see a lot more of this activity."

    If there's an authority on Windows root kits, it's Hoglund - he's been sounding the alarm about their malicious potential since 1999, when, as a proof of concept, he wrote one himself called "NT Rootkit." Since then he's collected and analyzed three others: "null.sys," "HE4Hook," and a kit called "Hacker Defender," all of which he makes available on his Web site, Rootkit.com. (Hacker Defender, oddly, is also available for download from CNET Asia.)

    "For all of those, I'm absolutely, one hundred percent positive that there's probably ten more that we haven't seen publicly," says Hoglund. The skills to write a kernel mode Trojan are not beyond the reach of the average programmer, he says; last month Hoglund taught a seminar on the topic at the Black Hat security conference in Seattle, and by the end of the two-day course, "Every student in the class was writing their own root kits. They were hiding process and files, hiding directories, and call-hooking."

    Once Slanret is installed on a hacked machine, anti-virus software won't pick it up in a normal disk scan. That said, the program is not an exploit - intruders have to gain access to the computer through some other means before planting the program.

    Despite their increasingly sophisticated design, the current crop of Windows root kits are generally not completely undetectable, and Slanret is no exception. Because it relies on a device driver, booting in "safe mode" will disable its cloaking mechanism, rendering its files visible. And in what appears to be an oversight by the kit's author, the device driver "ierk8243.sys" is visible on the list of installed drivers under Windows 2000 and XP, according to Symantec Security Response (SecurityFocus is owned by Symantec). McAfee reports that a running service named "Virtual Memory Manager" with a blank description field is visible on a compromised host. And, of course, there are reports that the root kit sometimes crashes servers.

    Hoglund says future Windows root kits won't suffer from Slanret's limitations. And while he says the risk can be reduced with smart security policies - accept only digitally-signed device drivers, for one - ultimately, he worries the technique may find its way into self-propagating malicious code. "My street knowledge, my gut feel, is there are probably already worms or viruses doing this now," he says. "We just haven't seen them."

    SecurityFocus Online
    So what does everyone think?

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

#2 Just Another Geek (Rotterdam, Netherlands; joined Jul 2002, 3,401 posts)

    Re: Windows Root kits a stealthy threat

    Originally posted here by SittingDuck
    So what does everyone think?
    Root kits are and always were a problem. Just don't let your server get 0wn3d. If 'they' can't hack your server and you are careful enough not to run questionable software, then you have nothing to worry about.

    Running things like tripwire will not prevent anyone from replacing your system binaries. It will however alert you that they have been altered.

#3 Just a Virtualized Geek MrLinus (Redondo Beach, CA; joined Sep 2001, 7,324 posts)
    Hrmmm.. I might know who did that "trojanning" if it's the University I think it is. That aside, it's smart to pay attention to your files and look at them manually. Tripwire helps, but nothing beats the human eye for seeing files that shouldn't be around. It's hard when systems are as large as Windows 2K and others are, but even a quick glance can help.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

#4 Senior Member (joined Oct 2002, 181 posts)
    But MsMittens, the main feature of the root kit is that it can hide files from the OS, so you can't spot them. It was only the blue screen of death that gave the game away, as I believe that is a dump from the kernel.

    SittingDuck

#5 Just Another Geek (Rotterdam, Netherlands; joined Jul 2002, 3,401 posts)
    Originally posted here by SittingDuck
    But MsMittens, the main feature of the root kit is that it can hide files from the OS, so you can't spot them. It was only the blue screen of death that gave the game away, as I believe that is a dump from the kernel.

    MsMittens is right. On Windows, services and drivers (like the one for your mouse) run in kernel mode. This means it can do (almost) anything it wants. Can you tell if there was a driver added to your machine just by looking at the huge list of drivers that are already there on a default system? Can you tell the difference between atv04nt4.dll and, say, msatv04.dll?
    Most people can't, and it will go unnoticed for some time. It will, as was the case, show up if the added 'driver' starts to misbehave.

#6 Senior Member (joined Oct 2002, 181 posts)
    But why not write the root kit to hide that driver as well?

#7 Senior Member tampabay420 (joined Aug 2002, 953 posts)
    we were discussing this earlier...
    http://www.antionline.com/showthread...hlight=rootkit

    thehorse13 had some interesting comments...
    yeah, I'm gonna need that by friday...

#8 Just a Virtualized Geek MrLinus (Redondo Beach, CA; joined Sep 2001, 7,324 posts)
    Originally posted here by SittingDuck
    But MsMittens, the main feature of the root kit is that it can hide files from the OS, so you can't spot them. It was only the blue screen of death that gave the game away, as I believe that is a dump from the kernel.

    Well, it had to be part of the OS in order to do a blue screen of death and nothing is "completely" hidden. Plus, that file is actually detectable by some trojan detectors (apparently the root kit is known to some AV manufacturers).

    In addition, the article states:
    As long as it fits on the hard drive, the hidden cargo doesn't have to be small or unobtrusive to be completely cloaked.
    Well, simple math will tell you if a drive has more data on it than it should. Even looking at the directory contents of something and adding it up should indicate an error.

    Lastly, if you are suspicious the hint at the end of the article should be some good advice:
    Because it relies on a device driver, booting in "safe mode" will disable its cloaking mechanism, rendering its files visible.

#9 Senior Member (joined Oct 2002, 181 posts)
    Sorry for the double post, I did have a search, guess I missed it.

    Ok, let's take the general idea of a root kit, not the one in the article.

    And in what appears to be an oversight by the kit's author, the device driver "ierk8243.sys" is visible on the list of installed drivers under Windows 2000 and XP
    To me this reads that the author messed up, and it makes it sound possible to have hidden the driver.

    If an application tries to list the contents of a directory containing one of the root kit's files, the malware will censor the filename from the list. It'll do the same thing with the system registry and the process list.
    The idea about the amount of file space is interesting. Does anyone know how Windows determines the amount of file space a directory takes up? Does it ask the hard disc how much space is taken up, or does it add together the sizes of the files it knows about (as it will not know about the files hidden by the root kit)? If it is the latter, all the figures you see will add up. Still, how many people would notice, say, a 100k difference when Windows rounds its figures up or down when it displays them in MB or GB?

    SittingDuck
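Here is what the two ideas from the last few posts look like in code: MrLinus's "simple math" check and the safe-mode comparison from the article, plus an answer to SittingDuck's question. This is an added example written for this thread, not code from the article, Symantec, McAfee or anyone posting here. The reliable check is a cross-view diff: list the volume once through the running (possibly hooked) OS and once out-of-band (safe mode, or the disk mounted on a clean box), and anything that only shows up in the out-of-band view is being cloaked. On the size question: the used/free figures in a drive's properties come from the volume's allocation counters (GetDiskFreeSpaceEx), which a directory-listing hook does not touch, while a folder's "size on disk" is summed from the files Explorer can enumerate, so only the volume figure is worth comparing against. Filesystem metadata makes that comparison noisy, so it catches a hidden DivX, not a 34 KB backdoor. The sample listings, cluster size, tolerance values and the cargo file name are constructed for the example; the ierk8243.sys name and 7 KB size are the article's.

```python
"""Cross-view detection of cloaked files, plus a used-space sanity check."""
import ntpath
import os
from dataclasses import dataclass


def normalize(path: str) -> str:
    """Canonical form for a Windows path: NTFS is case-preserving, not case-sensitive."""
    return ntpath.normpath(path.replace("/", "\\")).casefold()


def walk_view(root: str) -> dict:
    """Build a {path: size} view of a live tree through the normal OS API."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                view[p] = os.path.getsize(p)
            except OSError:
                pass  # unreadable or vanished; a real tool would log this
    return view


@dataclass
class CrossViewResult:
    hidden: dict         # reference-only entries: cloaked from the running OS
    phantom: dict        # live-only entries: created after the reference snapshot
    size_mismatch: dict  # same path, different size in the two views


def cross_view_diff(live: dict, reference: dict) -> CrossViewResult:
    """Compare the live (API) view with an out-of-band reference view."""
    live_n = {normalize(p): (p, s) for p, s in live.items()}
    ref_n = {normalize(p): (p, s) for p, s in reference.items()}
    hidden = {ref_n[k][0]: ref_n[k][1] for k in ref_n.keys() - live_n.keys()}
    phantom = {live_n[k][0]: live_n[k][1] for k in live_n.keys() - ref_n.keys()}
    mismatch = {ref_n[k][0]: (live_n[k][1], ref_n[k][1])
                for k in ref_n.keys() & live_n.keys() if live_n[k][1] != ref_n[k][1]}
    return CrossViewResult(hidden, phantom, mismatch)


def allocated(size: int, cluster: int = 4096) -> int:
    """Bytes a file occupies on disk: its size rounded up to the cluster size."""
    return -(-size // cluster) * cluster


def size_accounting(live: dict, used_bytes: int, cluster: int = 4096,
                    slack_ratio: float = 0.02, slack_floor: int = 32 << 20):
    """Compare bytes accounted for by visible files with the volume's used-bytes
    counter. Returns (unaccounted_bytes, suspicious). The tolerance absorbs
    MFT, journal and directory overhead; these numbers are assumptions."""
    visible = sum(allocated(s, cluster) for s in live.values())
    unaccounted = used_bytes - visible
    tolerance = max(slack_floor, int(used_bytes * slack_ratio))
    return unaccounted, unaccounted > tolerance


# Constructed sample views. The driver name and 7 KB size are the article's;
# the cargo file is a hypothetical hidden DivX of the kind the article describes.
SAMPLE_LIVE = {
    r"C:\WINNT\system32\ntoskrnl.exe": 1_700_000,
    r"C:\WINNT\system32\drivers\ntfs.sys": 520_000,
    r"C:\pagefile.sys": 402_653_184,
    r"C:\Inetpub\wwwroot\default.htm": 1_200,
}
SAMPLE_REFERENCE = {
    **SAMPLE_LIVE,
    r"C:\winnt\SYSTEM32\drivers\ierk8243.sys": 7 * 1024,   # case differs on purpose
    r"C:\RECYCLER\cargo.avi": 734_003_200,                  # 700 MiB hidden cargo
}
METADATA_SLACK = 12 << 20   # assumed NTFS metadata overhead on the volume
SAMPLE_USED_BYTES = sum(allocated(s) for s in SAMPLE_REFERENCE.values()) + METADATA_SLACK


if __name__ == "__main__":
    result = cross_view_diff(SAMPLE_LIVE, SAMPLE_REFERENCE)
    for path, size in result.hidden.items():
        print(f"HIDDEN  {size:>12,d}  {path}")
    unaccounted, suspicious = size_accounting(SAMPLE_LIVE, SAMPLE_USED_BYTES)
    print(f"unaccounted bytes: {unaccounted:,d}  suspicious={suspicious}")
```

On a real box you would build the live side with walk_view() on the running system and the reference side from the same function run in safe mode or on the disk mounted elsewhere, saving both to removable media. Run against the sample, the cross-view diff names both cloaked files, and the size check flags the volume only because of the 700 MiB cargo; drop the cargo from the reference view and the 7 KB driver disappears into the metadata slack, which is exactly SittingDuck's point.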

#10 Senior Member (joined Oct 2001, 748 posts)
    Good monitoring will prevent most of these types of attacks. The main reason being that most of these root kits will require that certain services be restarted so that they can hook into the OS properly.

    If, say, you are using a product such as NetIQ to watch the status of all of your services, you will get an alarm at the time the rootkit attempts to install itself. You can also very easily set up alarms to monitor certain directories and, if changes are detected in those directories, generate an alarm. So you have it watch \winnt\system32 and all subdirectories, and it will catch any changes being made on the system.

    You could also do alarms where you watch the list of loaded DLLs and, if any DLLs are initialized on the system that you are not aware of, an alarm is generated. There are a lot of ways to alarm on this type of attack if a hacker is able to get access.

    Also, something does not have to be "part of the OS" to cause a blue screen.
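The two alarms described above (watch \winnt\system32 and its subdirectories; alarm on modules you are not aware of) and the Tripwire point from post #2 come down to the same thing: take a baseline on a known-clean system and diff later snapshots against it. Below is an added example of that in plain Python, not NetIQ's or Tripwire's code and not anything posted in this thread. Files are fingerprinted with SHA-256; the driver list is read from the CSV output of `driverquery /fo csv`, which is assumed to be available (it ships with Windows XP and Server 2003 and later; on Windows 2000 you would substitute a Resource Kit tool or a registry dump of the Services key). The baseline has to be stored off the monitored host, since a kernel rootkit can lie about the file that holds it just as easily as about its own driver. The throwaway directory tree, the driverquery text and the link dates in it are constructed for the example; the ierk8243 module name and the "Virtual Memory Manager" display name are the indicators the article attributes to Symantec and McAfee.

```python
"""Baseline-and-compare monitoring of a system directory and the driver list."""
import csv
import hashlib
import io
import os
import shutil
import tempfile


def file_baseline(root: str) -> dict:
    """{relative path: sha256 hex} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            try:
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
            except OSError:
                continue  # locked or vanished; a real monitor would log this
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = h.hexdigest()
    return baseline


def diff_files(old: dict, new: dict):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def parse_driverquery(text: str) -> dict:
    """Parse `driverquery /fo csv` output into {module name: display name}."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["Module Name"]: row["Display Name"] for row in rows}


def diff_drivers(old: dict, new: dict) -> list:
    """Module names present now that were not in the baseline."""
    return sorted(set(new) - set(old))


# Constructed driverquery snapshots: a clean baseline and the same box after
# the intrusion. Dates are made up; the last row uses the article's indicators.
DRIVERQUERY_BEFORE = '''"Module Name","Display Name","Driver Type","Link Date"
"ACPI","Microsoft ACPI Driver","Kernel ","8/17/2001 1:19:12 PM"
"Ntfs","Ntfs","File System ","8/17/2001 1:52:25 PM"
'''
DRIVERQUERY_AFTER = DRIVERQUERY_BEFORE + \
    '"ierk8243","Virtual Memory Manager","Kernel ","1/1/2003 12:00:00 AM"\n'


def demo() -> dict:
    """Build a throwaway 'system32', baseline it, simulate the intrusion, diff."""
    root = tempfile.mkdtemp(prefix="system32_")
    os.makedirs(os.path.join(root, "drivers"))

    def write(rel, data):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    write("kernel32.dll", b"MZ original system dll")
    write(os.path.join("drivers", "ntfs.sys"), b"MZ ntfs driver")
    before = file_baseline(root)
    drivers_before = parse_driverquery(DRIVERQUERY_BEFORE)

    # Intruder drops the stealth driver and replaces a system DLL.
    write(os.path.join("drivers", "ierk8243.sys"), b"MZ stealth driver")
    write("kernel32.dll", b"MZ trojaned system dll")
    after = file_baseline(root)
    drivers_after = parse_driverquery(DRIVERQUERY_AFTER)
    shutil.rmtree(root)

    added, removed, modified = diff_files(before, after)
    return {"added": added, "removed": removed, "modified": modified,
            "new_drivers": diff_drivers(drivers_before, drivers_after)}


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:>12}: {items}")
```

In production you would run file_baseline() against the real system32 tree and feed parse_driverquery() the actual `driverquery /fo csv` output, keeping the baseline off-host and re-running the diff on a schedule. The driver diff is what answers the "atv04nt4.dll versus msatv04.dll" problem from post #5: you do not have to recognise every module by eye, only notice the one that was not there at baseline time.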
