Why rootkits mean you must nuke your machine

Matt Loney ZDNet.co.uk

Published: 17 Nov 2005 17:35 GMT


What does the lifecycle of a rootkit look like?
The first thing that happens is that a rootkit is created by a programmer. The next stage is that the system is compromised, usually not by the person who wrote the rootkit, but by another means. Rootkits do not themselves infect computers. They do not identify and exploit compromises, or scan systems. They need some other exploit to get on the system; this can be an unpatched system, a system with a weak password and so on.

Once a system is compromised, an attacker has access to the system, and can put files on it; they may put a rootkit on there to further compromise the system or to hide the compromise. They can then put other tools there to conduct the attack. Often we then see some time lag between the compromise and the attack. Attackers do not just crash systems, they tend to be subtle — they may wait a week, a month or six months, before doing anything.

Finally, the attack is invoked — the attacker may use the compromised machine as a zombie, or as a mail forwarder. The problem is that they can repeat the attack until the rootkit is removed, and of course your problem is that because this is a rootkit, you don't know there is a rootkit on the system. We found one machine in a university in the US where a rootkit had been installed two years ago. What it did during those two years we don't know.

Where do rootkits come from?
We find they can be written by anyone from script kiddies to master programmers. It doesn't require great knowledge of Windows. Why? Because there are source code examples out there. You can grab downloadable source code for free, and take a look at how they work.

Hacker Defender is the most common rootkit. It is written by a guy who calls himself the Holy Father, in the Czech Republic. He has a free one, but also a version for sale, and will even create custom versions for you, which means each one is unique, and so we cannot detect it using a signature file.

How do rootkits get onto a system?
In two main ways: manual and automatically. Manual is the more common method, and this is where an attacker identifies the system, uses footprinting techniques to identify systems of interest, then loads the rootkit and executes it. This is very hard to detect because it tends to be a one-off attack, not broadcasting tons of traffic, not attacking every system in IP address order.

The automatic method is less common: it tends to rely on very noisy, undirected attacks that tend to get picked up in log files by intrusion detection systems.

Then there is the hybrid attack, which we see often in government espionage, where the attacker might identify all interesting systems in a particular environment and attack those specifically, and quietly. Recently we had one government customer whose ports were being scanned very slowly, at the rate of one port probed every three weeks. This was very slow and very deliberate, and it was very hard to detect. But it was an attack.
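As an added example (not part of the interview or of ZDNet's material), the following Python shows why the one-port-every-three-weeks scan described above slips past a short-window, rate-based threshold but stands out when distinct ports per source are counted over a long horizon. The firewall log format and all addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny log (not real data): one source probes a single
# port roughly every three weeks; a second source hits two ports in two seconds.
SAMPLE_LOG = """\
2005-01-03T02:14:00 DENY src=198.51.100.7 dst=10.0.0.5 dport=21
2005-01-24T03:40:00 DENY src=198.51.100.7 dst=10.0.0.5 dport=22
2005-02-14T01:05:00 DENY src=198.51.100.7 dst=10.0.0.5 dport=23
2005-03-07T04:50:00 DENY src=198.51.100.7 dst=10.0.0.5 dport=25
2005-03-28T02:31:00 DENY src=198.51.100.7 dst=10.0.0.5 dport=80
2005-03-28T02:31:01 DENY src=203.0.113.9 dst=10.0.0.5 dport=80
2005-03-28T02:31:02 DENY src=203.0.113.9 dst=10.0.0.5 dport=443
"""

def parse_line(line):
    """Parse '<ISO timestamp> DENY src=.. dst=.. dport=..' into a tuple."""
    ts_str, _action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["dst"], int(kv["dport"])

def distinct_port_alerts(log, window, min_ports):
    """Return the set of source IPs that probed at least `min_ports` distinct
    ports on one destination within any sliding window of length `window`.
    A one-minute window is the classic IDS heuristic; a window of months is
    what it takes to see a deliberately slow scan."""
    events = sorted(parse_line(l) for l in log.splitlines() if l.strip())
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = set()
    for (src, _dst), hits in by_pair.items():
        # Sliding window anchored at each hit (O(n^2) per pair, fine for logs
        # that are already filtered down to denied connections).
        for i, (start, _) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts.add(src)
                break
    return alerts

if __name__ == "__main__":
    print("1-minute window:", distinct_port_alerts(SAMPLE_LOG, timedelta(minutes=1), 5))
    print("120-day window: ", distinct_port_alerts(SAMPLE_LOG, timedelta(days=120), 5))
```

The short window raises nothing, while the long window flags the slow scanner; the cost is that the detector must retain per-source state for months rather than minutes.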
