
How to Root Out Rootkits

Rootkit Toolkit

Rootkit-specific tools such as F-Secure's BlackLight and RootkitRevealer look for discrepancies between what the kernel's system calls report and what direct inspection of the disk shows, in order to detect hidden files, registry keys and other properties, Dai Zovi says. On a Windows machine, for example, they compare the Windows Task Manager process list with the internal system task list and flag anything that appears in only one of the two.

Note, however, that these tools run at a lower level of privilege than the rootkit they are trying to find.
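The cross-view comparison described above, as an added example that is not code from BlackLight, RootkitRevealer or the article: the generic diff is fed a constructed sample of an API process list versus a kernel list, and the same idea is then applied on Linux, where a readdir of /proc is the high-level view and probing each PID with signal 0 is the lower-level one (the Linux scan, the PID range and the thread/race filtering are this example's assumptions, not the article's).

```python
"""Cross-view rootkit detection (added example): diff a high-level and a low-level process view."""
import os

def cross_view_diff(api_view, raw_view):
    """Entries only in the raw view are hiding candidates (a filtered API);
    entries only in the API view have no backing object (phantoms)."""
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)

# Constructed sample: what a hooked process API reports vs. the kernel's list.
API_VIEW = [4, 372, 588, 1024, 2048]
KERNEL_VIEW = [4, 372, 588, 1024, 1337, 2048]

def sample_scan():
    return cross_view_diff(API_VIEW, KERNEL_VIEW)  # ([1337], [])

def listing_view():
    """Linux high-level view: the PIDs a readdir of /proc enumerates."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_exists(pid):
    """Linux low-level check: signal 0 asks the kernel directly about a PID."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, owned by another user
    return True

def is_thread(pid):
    """kill(tid, 0) also succeeds for thread IDs, so drop those."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
        return tgid != pid
    except (OSError, StopIteration):
        return False  # unreadable: keep it as a candidate

def live_scan(max_pid=65535):
    """Kernel-confirmed PIDs absent from the /proc listing; thread IDs and races filtered."""
    probed = {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}
    hidden, _ = cross_view_diff(listing_view(), probed)
    return [pid for pid in hidden if not is_thread(pid)
            and pid_exists(pid) and pid not in listing_view()]

if __name__ == "__main__":
    print("sample:", sample_scan())
    if os.path.isdir("/proc"):
        print("live:", live_scan())
```

For a full sweep, pass the value of /proc/sys/kernel/pid_max as max_pid; a hit that survives the re-check deserves a look with an independent tool, since a kernel rootkit can hook the signal path as well as the /proc listing.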

"Rootkit defenders running in user-land are trying to do dynamic analysis of the machine to see whether the machine itself is lying. Now does that sound smart?" asks Gary McGraw, CTO of Cigital, and editor of the definitive book, "Rootkits", by Greg Hoglund and James Butler.

Digging Deeper

The newest kernel rootkits, which can carry any kind of malicious payload, can also jump to the processors and load themselves back into the kernel from the BIOS at boot -- even after a computer has been cleaned and restored. The BIOS is the first place software starts to run; it is where the machine finds its startup routines, such as Ethernet and flash/ROM BIOS extensions.

Dai Zovi says this type is called a "persistent" rootkit. Researcher John Heasman debuted such a rootkit at BlackHat 06 that hides in the Advanced Configuration and Power Interface. Heasman has also discussed similar techniques against the System Management Memory, which two researchers from Clear Hat Consulting were slated to demonstrate at last week's BlackHat.

"If you can control the processing on a computer, how do you monetize that? You sell bots for spam, identity theft and [distributed denial of service]," McGraw says. "But the most efficient way to exploit processors for money is in online games. This is where the cutting edge of bot technology is being carried out."

Game bots particularly favor multiprocessor machines, on which they can run multiple threads while balancing the load, continues McGraw, who is also co-author of "Exploiting Online Games." The more games organized criminals can play, or steal from, through automated bot programs, the more virtual goods they can acquire and sell for real money.

There are many paths from the kernel that rootkits can take advantage of to exploit the firmware -- boot loaders, device drivers, flash and firmware updates, says Bill Johnson, president and CEO of TDITX.com.

"Hardware security is not something most security technologists understand well," he adds. "It's an area they'd better get familiar with."

His company's infrastructure management tool, ConsoleWorks, logs and audits what is happening on the Baseboard Management Controller portion of the processor, which is the gateway interface into the rest of the processors on the motherboard. It controls access to this layer with VPN authentication.

Microsoft's acquisition of Komoku in March is another sign that deeper inspection technologies will eventually come to market. Backed by the Defense Advanced Research Projects Agency, the Department of Homeland Security and the Navy, Komoku's technology and its brain trust are being absorbed into Microsoft's Forefront and OneCare antimalware projects, says a Microsoft spokesperson.

And so rootkit technologies drive security deeper, as the game of cat chasing mouse continues.

"It's foolish to believe that we'll ever be able to make systems completely invulnerable to attack," Dai Zovi says. "However, we must make them secure enough that attacking them is not worthwhile for most criminals."
