HelpWithWindows | Windows Forum | RoseCitySoftware





• March 31, 2005 •

"Rootkits" Emerge as New Threat on Windows

Security researchers are warning Microsoft users that so-called "rootkits" - powerful system-monitoring programs - pose an increasing security risk to computer users.

On UNIX-type systems rootkits have been around for years, but the latest versions of the most popular ones - with names such as "Hacker Defender", "Vanquish" and "FU" - are now more than capable of "infecting" Windows computers.

On Windows the name "rootkit" isn't really appropriate if we look at the definition of it from the UNIX world. A rootkit on the UNIX platform generally describes a collection of tools to obtain or maintain root access using stealth techniques.

If we look at how the specific tools in a rootkit are used on UNIX, we have tools to "obtain root", usually by elevation of privilege. Next come the tools to get and maintain permanent access to the machine, and last but not least, tools to hide the presence of these tools.

"Translated" to the Windows platform, gaining root access would be accomplished by an 'exploit tool', exploiting known vulnerabilities on (un-patched) systems. Maintaining access would be accomplished by installing a backdoor on the Windows system.

The tools that do the "hiding" on UNIX systems typically do this by replacing system binaries such as 'ps', 'find', 'top', 'netstat' and/or others. But replacing binaries on Windows is much harder, and on NT-based systems (Windows 2000 / Windows XP) nearly impossible to achieve because of Windows File Protection (WFP).

So on Windows, the 'rootkit' is a separate tool, which does the 'hiding'. It can hide nearly anything you want: files, folders, user accounts, processes, registry entries, network connections.

To get a 'rootkit' on a Windows machine requires the system to be compromised first. This could be done by most modern malware/spyware/adware, and that is what seems to be happening more & more.

Once installed on a target machine, these programs are then used to control the systems they are installed on, or to find (sensitive) information on them. Many of the new rootkits will run quietly in the background on infected systems. Some of these can be easily detected, but the more advanced rootkits (kernel rootkits, for example) have the ability to hide themselves from the operating system itself.

These rootkits are invisible to most of the current detection tools such as anti-virus, network intrusion-detection and antispyware products.

How to guard against backdoors & rootkits

As explained, today's rootkits require a system to be compromised. It is very uncommon for a system to be targeted for any other reason than because it was vulnerable. So your main line of defense is to stay current on all patches available for your operating system.

Having an up-to-date anti-virus scanner installed should also help in many cases.

Reviewing the services and processes running on your machine on a routine basis is also good practice. On larger networks, host scanning can provide useful information to the system administrator. An application such as TCPView will allow you to locate which applications have open ports on your system.

Another Sysinternals tool called Process Explorer can help identify which program has a particular file or directory open. It shows you which handles and DLLs each process has opened or loaded.

Microsoft researchers have developed a new tool called Strider GhostBuster, which can detect rootkits by comparing clean & suspected versions of Windows. Technology from Strider GhostBuster may be incorporated into Microsoft products in the future. Personally, I think this would make a good addition to Microsoft's Windows AntiSpyware product!
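The two detection ideas above - a routine comparison of what is running now against a known-good baseline, and a "cross-view" comparison of the same machine as reported by different enumeration methods - share the same core logic. The following Python is an added illustration, not code from the article or from any of the tools it names; the listings are constructed sample data, and on a real host each set would be filled from a different vantage point (a task-list API, WMI, an offline scan from clean boot media).

```python
"""Baseline and cross-view comparison of process/port listings (constructed data)."""
from typing import Dict, List, Set, Tuple

View = Set[str]  # names reported by one enumeration method (processes, ports, files)


def cross_view_diff(views: Dict[str, View]) -> Dict[str, List[str]]:
    """For every item seen in at least one view, list the views that omit it.

    A hiding tool that filters one API but not another shows up as an item
    present in some views and absent from others. Items present in every
    view are not reported, so an empty result means the views agree.
    """
    union: View = set().union(*views.values())
    disagreements: Dict[str, List[str]] = {}
    for item in sorted(union):
        missing = sorted(name for name, seen in views.items() if item not in seen)
        if missing:
            disagreements[item] = missing
    return disagreements


def baseline_diff(baseline: View, current: View) -> Tuple[List[str], List[str]]:
    """Return (new, gone): items added since the baseline and items no longer present."""
    return sorted(current - baseline), sorted(baseline - current)


# Constructed sample: three views of one hypothetical machine. "hidden-svc.exe" is a
# placeholder name for a process the task-list view has been made to omit.
SAMPLE_VIEWS: Dict[str, View] = {
    "tasklist": {"System", "lsass.exe", "svchost.exe", "explorer.exe"},
    "wmi": {"System", "lsass.exe", "svchost.exe", "explorer.exe", "hidden-svc.exe"},
    "offline_scan": {"System", "lsass.exe", "svchost.exe", "explorer.exe", "hidden-svc.exe"},
}

# Constructed sample: listening ports recorded at baseline and at a later routine check.
BASELINE_PORTS: View = {"tcp/135", "tcp/445", "udp/137"}
CURRENT_PORTS: View = {"tcp/135", "tcp/445", "tcp/4444"}


if __name__ == "__main__":
    for item, missing in cross_view_diff(SAMPLE_VIEWS).items():
        print(f"{item}: not reported by {', '.join(missing)}")
    new, gone = baseline_diff(BASELINE_PORTS, CURRENT_PORTS)
    print("new since baseline:", new)
    print("gone since baseline:", gone)
```

Any item the cross-view check reports deserves a closer look with Process Explorer or an offline scan, since a legitimate race between two snapshots can also explain a short-lived disagreement.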

Today, several tools to detect the presence of rootkits are available:

Once your machine has been compromised, be very careful in recovering your system from a back-up copy or disk image! I have personally witnessed a situation where a system had been found compromised. The system administrator proceeded to retrieve the system from a back-up copy, patched the system, and changed passwords. He considered the system perfectly safe. But he overlooked the fact that the intrusion had been made long before he made the copy, which therefore contained a back-doored version. So the system was again compromised in a matter of minutes! So, I would strongly recommend checking the system whenever it is backed up, and I advocate the "format & start from scratch" approach. Ask yourself: once your system has been compromised, can you trust it again?

Conclusion

It looks as though we will see an explosion of 'rootkit infections' throughout 2005. This seems to be the new industry that crime rings are turning to, as (email) spam becomes less profitable.

On the MSR Strider Project Web site, Microsoft researchers also list some simple steps you can take to detect some of today's "ghostware".
