By Kenneth van Wyk
I've been reading a lot about undetectable malware and rootkits and the like recently. Without a doubt, these attack tools have been iteratively improving over the years. Like most such security "nasties," however, a bit of safe computing goes a long way. Let's explore a bit.
First off, let me explain what a rootkit is so we can consider the facts and not get caught up in the hype. A rootkit is a tool, or (more commonly) a collection of tools, that an attacker can install on a compromised computer. The functionality of rootkits varies tremendously from one version to the next, and they're available for just about any computer operating system and architecture in existence today.
What they have in common, however, is generally a small set of features:
- they hide their (and the attacker's) presence on the compromised computer, and
- they enable the attacker to log back onto the compromised computer.
Most rootkits include tools for removing historical indications that the attacker has been on the computer as well, but I think of that as just one aspect of hiding their presence.
A subtle, but important, issue here is that rootkits typically don't have their own collection of tools for providing the attacker with elevated privileges, but they do require those elevated privileges to already be in place in order to install on a victim's computer. So the attacker has to somehow get elevated (e.g., root or administrator) privileges before a rootkit can be installed.
Key Terms for Understanding Rootkits
rootkit
A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's operating system has completely booted up.
malware
Short for malicious software: software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.
security
In the computer industry, refers to techniques for ensuring that data stored in a computer cannot be read or compromised by any individuals without authorization. Most security measures involve data encryption and passwords.
Ever since I first saw a rootkit installed on a computer during a system compromise back in the 1994-1995 time frame, I've been watching them and following new rootkit technologies as they've been unleashed. The earliest rootkits accomplished their goals by replacing normal system tools on the victim's computer with altered versions. Since most of the early rootkits were UNIX-based, their (altered) tools included login, ls, ps, df, netstat, and so on: tools a UNIX user or administrator would routinely run to look at files on a system, processes running in memory, disk utilization and so on. The rootkit versions of these tools did all of these things and more. Specifically, they carried out the features I described above.
Pretty soon after these started appearing, the IT Security community got wise and started running login, ls, ps, df, etc., from CD so they could be sure they're using tools that haven't been tampered with.
So, the attackers responded by modifying the underlying system shared libraries and leaving the tools intact. So, when ps runs, it returns a list of all the processes on the system except for those owned by the attacker, not because ps has been tampered with, but because the system calls it made returned erroneous information.
More recently, rootkits have been installed as kernel loadable modules and
such. This has made things increasingly difficult for the IT Security folks
to detect rootkits, since they keep going lower (in a software abstraction
sense).
In fact, with modern microprocessor technology, any software, legitimate or malicious, can pass along deceptive or erroneous data to software that calls it, so long as it is the first in line. In other words, if your software loads first and intercepts system calls, then you can control what others see. If someone else comes along and can find a way to butt into the line, then they can control what others (and you) see. That's the nature of the beast, I'm afraid.
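Two defender-side checks that follow from the history above, written as an added example for this page rather than anything from the original article: a cross-view comparison that diffs the process list a userland tool reports against the numeric entries the kernel exposes under /proc (a replaced ps binary or a patched shared library has to lie consistently in both views to survive this), and a hash manifest that does in software what running the tools from CD did in 1995. Everything in the block is an assumption of the example: the function names, the constructed "binary" contents and manifest, and the `ps -e -o pid=` invocation used for the live check on Linux.

```python
import hashlib
import os
import subprocess
from typing import Callable, Dict, Iterable, Set

# ---- Check 1: cross-view process comparison -------------------------------
# A replaced ps binary or a patched shared library can filter what ps prints,
# but the kernel still exposes every process as a numeric /proc entry. Taking
# two independent views and diffing them is the standard way to catch the lie.

def pids_from_ps_output(text: str) -> Set[int]:
    """Parse PIDs out of `ps -e -o pid=` style output (one number per line)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def pids_from_proc_listing(entries: Iterable[str]) -> Set[int]:
    """Purely numeric names under /proc are PIDs; 'self', 'cpuinfo', etc. are skipped."""
    return {int(name) for name in entries if name.isdigit()}

def hidden_pids(userland_view: Set[int], kernel_view: Set[int]) -> Set[int]:
    """PIDs present in the kernel's view but absent from the userland tool's report."""
    return kernel_view - userland_view

def live_cross_view() -> Set[int]:
    """Run the comparison on the current Linux host; empty set where /proc is absent.

    Processes can start or exit between the two samples, so treat a hit as
    something to re-check, not as proof on its own.
    """
    if not os.path.isdir("/proc"):
        return set()
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=False)
    proc_view = pids_from_proc_listing(os.listdir("/proc"))
    return hidden_pids(pids_from_ps_output(ps.stdout), proc_view)

# ---- Check 2: binary integrity against a trusted manifest ------------------
# Record SHA-256 digests of the tools while the system is known clean, keep
# that manifest off the host, and compare later: the CD in hash form.

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_manifest(manifest: Dict[str, str],
                    read_file: Callable[[str], bytes]) -> Dict[str, str]:
    """Return {path: 'ok' | 'modified' | 'missing'} for every path in the manifest.

    read_file is injected so the same logic runs on disk or on test data.
    """
    results: Dict[str, str] = {}
    for path, expected in manifest.items():
        try:
            data = read_file(path)
        except FileNotFoundError:
            results[path] = "missing"
            continue
        results[path] = "ok" if sha256_of(data) == expected else "modified"
    return results

def read_from_disk(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()

# Constructed sample data (not real binaries): what the tools looked like when
# the manifest was taken, and what is on the "victim" now.
CONSTRUCTED_GOOD = {
    "/bin/ls": b"ELF-ls-trusted-build",
    "/bin/ps": b"ELF-ps-trusted-build",
    "/bin/netstat": b"ELF-netstat-trusted-build",
}
TRUSTED_MANIFEST = {path: sha256_of(data) for path, data in CONSTRUCTED_GOOD.items()}
CONSTRUCTED_CURRENT = {
    "/bin/ls": b"ELF-ls-trusted-build-plus-hidden-filter",  # tampered, as in the early rootkits
    "/bin/ps": b"ELF-ps-trusted-build",                      # untouched
    # /bin/netstat deliberately absent
}

def read_constructed(path: str) -> bytes:
    if path not in CONSTRUCTED_CURRENT:
        raise FileNotFoundError(path)
    return CONSTRUCTED_CURRENT[path]

def demo_verify() -> Dict[str, str]:
    """Run the manifest check over the constructed data."""
    return verify_manifest(TRUSTED_MANIFEST, read_constructed)

if __name__ == "__main__":
    print("manifest check:", demo_verify())
    print("pids hidden from ps:", sorted(live_cross_view()))
```

The manifest is only worth something if it was recorded on a known-clean system and kept off the host, and the live comparison inherits the article's own caveat: a kernel-resident rootkit sits ahead of both ps and the /proc listing in the line, so it can feed the same filtered answer to each. That is why a check like this is most trustworthy when run from separately booted, trusted media.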
So what can we do about it? On the surface, the answer is simple (don't run a rootkit or allow one to be run on your computer), but in practice it's not quite so trivial. However, here are a few things that can help in preventing bad stuff from happening:
- Make judicious use of privileges. Remember the principle of least privilege? Well, you need to put it into practice. If your users run with privileges on their desktops, then the environment is ripe, in fact ideal, for malicious insertion of a rootkit. Users should be able to run software, but not install software. Likewise, when you're logged in as an administrator to do administrative things, that's all you should be doing.
- As much as I hate security patches, it's still important to stay up to date with them. Sure, we've all heard this a gazillion times, but unpatched systems provide rootkits with easy avenues of entry to your system. Remember I said most rootkits need to already have privileges in order to install? I'm constantly amazed by how many people don't run some form of Windows Update on their Windows desktops.
- Antivirus programs, firewalls, and those things are also important layers of security, of course.
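The first item above is checkable rather than just advisable. The block below is an added example, not from the article: it parses /etc/passwd- and /etc/group-style records and reports every account that holds administrative rights without being on an approved list, which is the "users run software but don't install it" rule in auditable form. The privileged group names, the non-interactive shell list, the function names and the account data are constructed assumptions for the example.

```python
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Group names that grant administrative rights on common UNIX-like systems.
# Assumption for this example; adjust to the platform being audited.
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}
# Shells that mark an account as a service account rather than a person.
NON_INTERACTIVE_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

class Finding(NamedTuple):
    user: str
    reason: str

def parse_passwd(lines: Iterable[str]) -> Dict[str, Tuple[int, str]]:
    """Map user name -> (uid, login shell) from /etc/passwd-style lines."""
    users: Dict[str, Tuple[int, str]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = (int(uid), shell)
    return users

def parse_group(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members from /etc/group-style lines.

    Only the member list is read; an account whose primary gid is a
    privileged group would need the gid column of passwd checked as well.
    """
    groups: Dict[str, Set[str]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups

def audit_privileges(users: Dict[str, Tuple[int, str]],
                     groups: Dict[str, Set[str]],
                     approved_admins: Set[str]) -> List[Finding]:
    """Flag accounts that hold admin rights without being on the approved list."""
    findings: List[Finding] = []
    # Any uid-0 account is root by another name, whatever it is called.
    for name, (uid, _shell) in sorted(users.items()):
        if uid == 0 and name != "root":
            findings.append(Finding(name, "uid 0 account other than root"))
    # Interactive users in a privileged group can install software, which is
    # exactly the desktop situation the article warns about.
    for group, members in sorted(groups.items()):
        if group not in PRIVILEGED_GROUPS:
            continue
        for member in sorted(members):
            if member in approved_admins:
                continue
            shell = users.get(member, (None, ""))[1]
            if shell in NON_INTERACTIVE_SHELLS:
                continue
            findings.append(Finding(member, f"interactive user in privileged group {group}"))
    return findings

# Constructed sample records (not from any real host).
CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
opsadmin:x:1002:1002:Ops Admin:/home/opsadmin:/bin/bash
svc-backup:x:900:900:Backup service:/var/backup:/usr/sbin/nologin
""".splitlines()

CONSTRUCTED_GROUP = """\
root:x:0:
wheel:x:10:opsadmin,bob
sudo:x:27:alice,svc-backup
users:x:100:alice,bob
""".splitlines()

def demo_audit() -> List[Finding]:
    """Audit the constructed records with opsadmin as the only approved admin."""
    return audit_privileges(parse_passwd(CONSTRUCTED_PASSWD),
                            parse_group(CONSTRUCTED_GROUP),
                            approved_admins={"opsadmin"})

if __name__ == "__main__":
    for finding in demo_audit():
        print(f"{finding.user}: {finding.reason}")
```

On a real host the two parsers would be fed the contents of /etc/passwd and /etc/group; the approved list is the part that has to come from policy, since the files themselves cannot say who is supposed to be an administrator.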
Of course, those are just a few things that
can be done. The list can't guarantee safety from rootkits and other malware,
but it sure can go a long way to reducing the risk, if the recommendations
are well-thought-out and implemented.
Did You Know...
A Blue Pill is an effective hypervisor rootkit that can do an on-the-fly install and simply shift your operating system from direct control of the physical computer to a virtualized state. [Source]
Kenneth van Wyk, a 20-year veteran of IT security, is the principal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.
This article originally appeared on eSecurityPlanet.
Last updated: August 25, 2006
Webopedia's "Did You Know... The Difference Between a Virus, Worm and Trojan Horse"
While the words Trojan, worm and virus are often used interchangeably, they are not the same. Viruses, worms and Trojan Horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects.
Webopedia's "Did You Know... The Differences and Features of Hardware & Software Firewalls?"
While many people do not completely understand the importance and necessity of a firewall, or consider it to be a product for businesses only, if your network or computer has access to the outside world via the Internet then you need to have a firewall to protect your network, your individual computer and the data therein.
Datamation: Getting Real About Rootkits
As Windows users, it seems we are under continuous attack from viruses, trojans, spyware and malware. It is a constant battle to keep machines free and clean. As if there already isn't enough to worry about, rootkits are blasting onto our desktops and servers at an alarming rate. It is important for Windows users to educate themselves on the newest and most dangerous threat we face on the Internet today.
Enterprise Networking Planet: Security Researcher: Rootkits Common for Spyware
The chief researcher at F-Secure says the most common rootkit his company's software is turning up serves to keep users from uninstalling obnoxious spyware.