Inside Windows Rootkits
May 22, 2006
2006 VigilantMinds Inc. All rights reserved
- 2 -
Rootkits 101
What is a Rootkit?
Before getting too deep into the subject, it is important to understand exactly what rootkits are.
The goal of a rootkit is to provide an attacker or malicious code with a permanent, undetectable
presence on a computer. Typically, this involves hiding the presence of resources such as
processes, files, registry keys, and open ports that are being used by the malicious entity.
Additionally, a rootkit may provide a covert channel between the computer and a remote host that
is controlled by an attacker. A rootkit allows an attacker, worm, or trojan to hide from users,
administrators, as well as security software on both the computer and the network. In some
cases, it can even be used to hide from forensics experts.
History of Rootkits
While many early viruses utilized rootkit-like stealth techniques, rootkits did not appear until the
1990’s when attackers built “kits” to help them set up shop on compromised hosts. Most of these
kits were built for UNIX systems due to the dominance of UNIX on the Internet at the time.
Attackers would use the kit to gain and maintain “root” privileges on the compromised machine.
The kit would provide backdoor access, and may also replace system binaries such as ‘ls’, ‘ps’,
and ‘netstat’ with copies that would hide resources belonging to the attacker. For example, the
attacker may place a modified version of netstat on compromised machines that hides open ports
associated with backdoors. To combat these attacks, administrators began to use tools such as
Tripwire to monitor system binaries for changes. The arms race continued, and rootkits
eventually made their way into the kernel of the UNIX operating systems being targeted by
attackers. Eventually, this cat-and-mouse game made its way over to the world of Windows,
leading to many of the Windows kernel rootkits that are popular today.
How Rootkits Are Used
Network attacks can usually be broken down into the following phases:
1. Attacker discovers a vulnerability on a target system.
2. Attacker exploits the vulnerability to gain access to the system.
3. Attacker gains a stronger foothold on the compromised system by collecting information,
installing backdoors, etc.
4. Attacker utilizes system access to achieve the ultimate goals of the attack. In cases of
malware, the ultimate goals may be to steal information, disseminate spam, or launch a denial of
service attack against other systems.
5. Eventually the compromise may be discovered, and incident response will be executed.
Note that all of these steps do not occur during every attack. For example, an attacker may gain
access to a system, steal a specific piece of information, and then never return to the system
again. If the attacker was smart enough to leave no signs, the compromise may never be
detected, thus eliminating the phase of incident response. Also, if the attacker were an insider,
he or she may already have access to the system, so there would be no need to discover and
exploit a vulnerability. Nonetheless, a subset of these phases occurs in almost every network
attack.
Rootkits are usually introduced into the attack during the third phase, when the attacker attempts
to gain a stronger foothold on the compromised system. A rootkit can facilitate this phase by
providing stealth remote access to the compromised machine. It can also help to hide the
attacker's presence by hiding his or her files, registry keys, network activity, and processes, which
