ROOTKIT MADNESS

An awful lot of attention in the past few weeks has been paid to the infamous SONY rootkit, and while it has focused attention on the power of kernel rootkits in general, it has also created a tremendous amount of misinformation and conjecture. We'll conveniently forget that the "SONY rootkit" has been around since summer of 2004, however. In this newsletter, we'd like to provide a bit of perspective and education on the issue and its repercussions, as well as explain to concerned BOClean customers how we have gone about handling this issue for a number of years now, and why it is a concern ONLY to vendors who need to explain why "rootkits" are news to them.

"Rootkits" have existed for numerous computer operating systems since the 1980's; however, they were largely used by computer delinquents against major known server operating systems such as Novell, Solaris, Unix and Linux, and were mostly focused on covering the tracks of people who were performing break-ins to major networks and server systems. It wasn't until July 30, 1998 that a group known as "Cult of the Dead Cow" created a program called "Back Orifice," after which BOClean was ultimately named, having first been provided for over a year as a free utility included with our original NSClean software to protect against backdoors.

"Back Orifice" was the very first backdoor which had "rootkit" capabilities and marked the start of a difficult trend. Therefore, "Windows rootkits" are hardly new by any means, despite the media's lack of background in the "art" of "hacking." Back Orifice was the first Windows malware which provided the ability to conceal its presence on Windows machines by use of built-in functions in Windows which caused the original Back Orifice to not appear in the Ctrl-Alt-Del "Task manager" screen which had previously displayed all running processes.

Back Orifice concealed itself by running as a "system service" rather than a "process," and by installing itself into that particular registry startup location it was hidden by the Windows 98 operating system entirely. Under Windows NT, system services were normally not displayed either, although "Back Orifice" had numerous difficulties running stably under NT. And because there was still a running process, it was a fairly simple matter to locate and display the presence of "Back Orifice" with numerous "process listing" programs. It wasn't hidden all THAT well.

With the release of Windows 2000 (Win2K) at the end of 1999, "Cult of the Dead Cow" updated their earlier backdoor as a new "BO2K" which included highly sophisticated "rootkit" capabilities. Rather than hiding behind the normally invisible processes by means of what Microsoft chose to not display, BO2K actually went into kernel memory and "hooked" into kernel functions by replacing the original locations of numerous kernel functions in ALL versions of Windows with its own "replacement functions" and then modifying the locations of the original kernel functions so that the BO2K "rootkit" addresses would be called INSTEAD of the original kernel functions.

By "hooking the kernel," BO2K's code would intercept the original calls to functions that would list filenames, processes and memory locations and point to the BO2K functions first. BO2K would then look at what information was being requested, and if it was a piece of BO2K, it would return a "no one here" whereas if it wasn't part of BO2K it would then call the ORIGINAL Windows function. This allowed BO2K to become "invisible."

There are MANY rootkits out there: VSDATANT.SYS and OTHERS used by ZoneAlarm are ROOTKITS. Symantec installs SEVERAL rootkits, including SYMNDIS.SYS, and Process Guard ITSELF is a ROOTKIT. These and numerous others install rootkits in order to hook system calls for their own purposes. When is a rootkit NOT a rootkit? When it's branded. However, rootkits have a "dark side" ... unless they are PERFECTLY written, the operating system has no protection against these "intruders" and can become unstable, "blue screen" or suffer other system instabilities.

And the MORE of them there are, the greater the chance that various rootkits all try to hook the SAME kernel functions, and relocating those functions can cause all sorts of mysterious problems as each one expects to be "King of the Hill" without realizing that someone else beat them to "root." Fact is, too many security vendors went the rootkit route, which is why there are so many conflicts. And because they hide their rootkits, the WRONG program gets blamed when the house of cards falls. Poorly done rootkits (such as SONY's) can wreak havoc on a system. Most backdoors and other trojans have incredibly poorly written rootkits that usually hose the machine through simple "bad design." A decent amount of commercial software does so as well. Ever wonder why it's a bad idea to use more than one antivirus, and why firewalls and antiviruses step on each other in "all in one suites"?

And that is the PURPOSE of a "rootkit." To HOOK "system calls" for one of many possible reasons. Some rootkits hook calls to determine if a file, process or other function exists. Some use those hooks to temporarily halt the system while they have a sniff at things starting up to give the user the opportunity to determine whether they want something to continue, or not. Some rootkits have a sole purpose of hiding other things which are occurring at the "user level" such as nefarious programs.

These "rootkits," by the simple nature of how Windows works, tend to be VERY small and contain only the core kernel hooks to be used by a higher-level program, whether or not that program is visible to the user at the "user level" of the operating system.

ALL "rootkits," however, require a STARTUP of some kind, or they will be ignored by the operating system and will never run. EVERY rootkit, no matter how clever, will leave telltale signs of its existence. This is how BOClean has been able to detect rootkits since "Back Orifice" and all which have followed. There is always SOME piece, some startup entry in the registry, or other indication that they are present. AND, in the presence of some TRULY clever rootkits, they can be detected not by what is present, but rather by what is MISSING, when a memory probing antimalware program like our BOClean goes to perform its normal inspections and finds that things which are supposed to be there are missing. In other words, detecting "rootkits" isn't nuclear brain science if you have been around this long enough to know WHAT to look for. And while the rootkit itself may have burrowed deeply into a system and successfully concealed itself, there ARE signs (if you know what to look for) that will still reveal the "hidden." We've been doing this for years.

And what we learned years ago was that interjecting into the kernel space and displacing Windows' own addresses to shim in "kernel diversions" was the ultimate no-no to our major customers, who KNEW it was a bad idea to fool with moving kernel functions around. SONY'S "rootkit" and the exploits of same only serve to prove the validity of the restraints we were placed under years ago by the government agencies we designed BOClean to satisfy. BOClean was forced years ago to detect nasties from the USER level, using proprietary techniques to analyze the presence of such diversions by very unique means, without "hooking the kernel." And recently, as more and more "security companies" struggled to find a means to circumvent "rooting," they utilized the same sloppy methodologies as Back Orifice's code. Or worse, used code developed by the very people who supplied the authors of backdoors directly.

We provided a simple manual method of detecting the infamous SONY rootkit in an article we posted to CNET ... by simply looking for a folder that normally didn't show, its mere presence or absence revealed whether the SONY rootkit was present, without the need to resort to special kernel modifications. As I mentioned above, "what is missing" was the key to this one singular event. This is why BOClean had no difficulty in detecting the SONY rootkit despite the apparent difficulty other vendors seem to be having. EVERY rootkit has a startup, and only a small handful actually obscure it. They may depend on a unique angle to place it, but no matter how hard you try to hide a rootkit, it CAN be found. And from the RING 3 level, not necessarily by hooking the kernel.
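The two ideas above, the BO2K-style "hook the table, filter your own entries, then call the original" trick and the "what is MISSING" cross-check used against it, are easier to see in a small model. The following is an added illustration, not BOClean's code or anything from the newsletter: the dispatch table, the process names and the hidden entry name are all constructed stand-ins for the real kernel structures, and the "raw" enumeration stands in for whatever independent probe a scanner uses.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of a kernel dispatch table slot ("list processes"). */
typedef int (*list_fn)(const char **out, int max);

#define MAX_PROCS 8
#define HIDDEN_NAME "bo2k.exe"   /* constructed placeholder, not a real indicator */

/* Constructed "true" set of running processes, as the kernel sees them. */
static const char *all_procs[] = { "explorer.exe", "notepad.exe", "bo2k.exe", "svchost.exe" };
#define NPROCS 4

/* The ORIGINAL kernel function: returns every process, no filtering. */
static int original_list(const char **out, int max) {
    int n = 0;
    for (int i = 0; i < NPROCS && n < max; i++) out[n++] = all_procs[i];
    return n;
}

/* The slot the OS actually calls through. A rootkit overwrites this pointer. */
static list_fn dispatch_list = original_list;
/* Baseline address recorded while the system was known clean. */
static const list_fn known_good_list = original_list;

/* Model of the hook: get the real answer, drop own entries, hand back the rest. */
static int hooked_list(const char **out, int max) {
    int n = original_list(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(out[i], HIDDEN_NAME) != 0) out[kept++] = out[i];
    return kept;
}

void install_hook(void) { dispatch_list = hooked_list; }
void remove_hook(void)  { dispatch_list = original_list; }

/* Check 1 (a "telltale sign"): the slot no longer points where it did at baseline. */
bool table_is_tampered(void) { return dispatch_list != known_good_list; }

/* Check 2 ("what is missing"): compare what the hooked path reports against an
   independent raw enumeration; anything in the raw view but not the reported
   view is being hidden. Returns the number of hidden entries. */
int hidden_entry_count(void) {
    const char *seen[MAX_PROCS], *raw[MAX_PROCS];
    int ns = dispatch_list(seen, MAX_PROCS), nr = original_list(raw, MAX_PROCS), missing = 0;
    for (int i = 0; i < nr; i++) {
        bool found = false;
        for (int j = 0; j < ns; j++) if (strcmp(raw[i], seen[j]) == 0) found = true;
        if (!found) missing++;
    }
    return missing;
}
```

Before the hook both checks are quiet; once it is installed, the pointer comparison flags the tampered slot and the cross-view diff reports exactly one entry that the "official" listing no longer shows.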

For all the hype over "rootkits," they are NOT news, and they are not as elusive as claimed by those who failed to notice them nearly a decade ago and who now want to excuse their failure to detect them years ago, after having fallen victim to the sheer number of them out there today. If you HAVE BOClean, we encourage you to install the SONY rootkit. BOClean will stop it when you try to install it. If you shut down BOClean and install it, BOClean WILL find it even after it's gone "deep." "Rootkits" are not, and have never been, a mystery to us. To us, they're ancient history and just another piece of ordinary, insignificant malware. Just another entry in BOClean's database.

But rootkits are NOT the malware itself. Rootkits are merely a means to an end, and a small part of it. Their purpose is SOLELY to conceal the actual payloads which run in "Ring 3" or "user space" ... and when a rootkit is installed, file scanning will not find what is "missing." But the rootkits themselves *MUST* leave a telltale trace of their startup, however obscure some of them may be. If Windows can't start a rootkit, it can't hide anything. And in order to start a rootkit, there needs to be a means. Rootkits aren't as big a boogeyman as they've been made out to be, and they're not as difficult to find as might be suspected.

Except to those that never learned of them YEARS ago. If this was as serious a challenge as it's been made out to be, we would have thrown in the towel as other vendors have. To us, this is "fish in a barrel."

Search our trojan list for the keyword "root" here, and see how many there are which are covered, compare to others: BOClean trojan listing

And to protect your system as best as possible, ALWAYS make sure that your Windows security updates truly ARE up to date, and make sure that any security software you use is the latest version and is updated first! THEN go and reinstall everything else.

But the detection of a rootkit isn't the end of the world, what ELSE is detected is what matters. For OUR customers, support@nsclean is here for you should you need us with any questions when BOClean encounters something. That's what you paid us for in the first place!