I've written before about the dangers of remote access Trojan horses (RATs). Briefly, these are bits of code that get onto your computer in a variety of ways and then open a listening port, or call out to a server the attacker controls, so that remote criminal hackers (crackers) can gain access at their leisure. Root kits go one step further: their job is to hide the RAT, and anything else the intruder leaves behind, so that the system looks clean. The good news is that more and more security vendors are recognizing the danger posed by root kits. The bad news is that root kit authors are finding more and better ways of keeping their malicious code hidden.
A simple definition of a root kit is a collection of tools that an intruder uses to keep privileged (root or administrator) access on a compromised system, to control that computer, and to hide their presence. For example, if you were to list the running processes on your computer, a malicious tool might mask its presence by filtering itself out of the answer before the process list reaches you. The same trick applies to files, registry keys and network connections. You would have no way of knowing, from the system's own reports, whether you were infected.
Root kits aren't new. But their appeal is growing as more-traditional means of commandeering a remote computer become harder to exploit, thanks in part to better security applications and increased public awareness of computer dangers. Root kits are designed to be stealthy, to hide RATs, and to fool existing security apps into believing that nothing on the system has changed. Root kits are a moving target where the bad guys, for the moment, still hold the advantage.
How root kits work
On networked systems, crackers first search for low-hanging fruit, such as a vulnerable print server located somewhere on the periphery of a vast computer network. They then exploit a known flaw in the print server, perhaps by installing malicious code that masquerades as a printer driver. Printer drivers currently run inside the kernel of the Windows operating system, so a bogus one gets the same privileges as the operating system itself. Beginning with next year's release of Windows Vista, Microsoft plans to move printer drivers, and some other classes of device driver, out of the kernel and into user mode. At least this one vector of attack should be narrowed on systems running Vista code or later.
Another common vector uses flaws within client-side Internet browsers, such as Internet Explorer or Mozilla Firefox. Someone viewing a maliciously coded Web page with an unpatched browser could become infected. Because the root kit is, by nature, hidden from active security services, end users often don't realize that they've become infected.
Typically, once a cracker gains access to the root of one computer on a network, he or she can then install the root kit tools of choice and use the first compromised computer to scan and probe deeper into the network. In our example, starting with a print server isn't too thrilling, but with diligence, the intruder could advance to the accounts payable system or perhaps the company's crown jewels--proprietary software or media. The root kit masks the presence of an intruder and allows a cracker to operate undetected for days, weeks, even months.
Known root kits
Perhaps the best-known tool in this space is Back Orifice from Cult of the Dead Cow (I kid you not). Released at Defcon in 1998, Back Orifice (the name is a play on Microsoft's BackOffice product) is a customizable remote access app that has legitimate uses for security researchers but has also been used by crackers; strictly speaking it is a RAT rather than a root kit, which is exactly the kind of thing a root kit is built to hide. A well-known true root kit for Windows is Hacker Defender. Most of these root kits are traditional, in that they fool Task Manager and system process utilities into thinking the tools aren't present on an infected system. Spyware writers have started bundling root kits with their wares for the same reason: to keep antispyware apps from finding and removing them.
The bad guys stay one step ahead
At last summer's Black Hat Briefings in Las Vegas, security researchers James Butler and Sherri Sparks presented a new memory-based root kit technique called Shadow Walker. It builds on Butler's earlier FU root kit, which hides processes by editing the kernel's own bookkeeping structures (Direct Kernel Object Manipulation, or DKOM). Shadow Walker adds a second trick: it hooks the processor's page-fault handler so that a scanner reading the memory pages that hold the root kit sees harmless data, while the processor keeps executing the root kit's real code from those same pages. Because everything lives in volatile memory and nothing is written to disk, forensics after a reboot finds no trace. The flip side is that the root kit does not survive a reboot either, and a memory capture taken from the live system can still catch it. Shadow Walker was shown as a proof of concept and has not been seen in the wild. There's also a report from IT Asian One that someone has designed the first ever Mac OS X root kit.
Fortunately, there are root kit hunters available. From Microsoft Research comes Strider GhostBuster, F-Secure has BlackLight, and Sysinternals offers RootkitRevealer. And Webroot SpySweeper 4.5 will hunt down and find root kits on your PC. All of these solutions work on the same principle, often called a cross-view diff: compare what the normal Windows APIs report (files, registry keys, processes) with a lower-level view of the same things, such as the raw file system structures, the raw registry hive files, or a scan taken after booting from clean media, and flag anything that appears only in the low-level view. The caveat is that a root kit that knows which detector you run can tamper with the detector too, so a scan from a clean boot is the more trustworthy of the two views.
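The cross-view idea behind these scanners, and the process-hiding trick from the definition above, can be demonstrated in a few lines. The following is an added example, not code from the column or from any of the products named here; it uses Linux procfs rather than the Windows internals those tools inspect, because that is where the comparison can be run without a kernel driver. The high-level view is the directory listing of /proc that ps-style tools rely on; the low-level view asks the kernel directly, one PID at a time, with kill(pid, 0). The sample views at the top are constructed data, and PID 1337 is a hypothetical hidden process.

```python
import os

# Constructed sample data (not real measurements): the view a hooked
# process-listing API returns versus what a direct kernel probe finds.
# PID 1337 stands in for a hypothetical process a root kit is hiding.
SAMPLE_API_VIEW = {1, 2, 100, 2500}
SAMPLE_RAW_VIEW = {1, 2, 100, 1337, 2500}


def cross_view_diff(api_view, raw_view):
    """Objects present in the low-level view but missing from the
    high-level one. On a clean system the views agree, so the result is
    empty; a process hidden from the listing API shows up here."""
    return set(raw_view) - set(api_view)


def proc_listing_view():
    """High-level view, the one ps-style tools use: numeric directory
    entries under /proc. Thread IDs from /proc/<pid>/task are added too,
    because kill() also answers for threads, and without this step every
    thread of a multi-threaded program would be reported as hidden."""
    seen = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        seen.add(pid)
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            pass  # process exited between the two directory reads
    return seen


def pid_probe_view(max_pid):
    """Low-level view: ask the kernel directly whether each PID exists.
    kill(pid, 0) delivers no signal; ESRCH means no such process, EPERM
    means it exists but belongs to another user."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def find_hidden_pids(max_pid=None):
    """Cross-view scan of the live system. Two /proc snapshots bracket
    the probe so a process that merely started or exited during the scan
    is not reported as hidden."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = proc_listing_view()
    probed = pid_probe_view(max_pid)
    after = proc_listing_view()
    return cross_view_diff(before | after, probed)


def self_check():
    """The scanner must never flag its own process. On systems without
    procfs there is nothing to compare, so the check is skipped."""
    if not os.path.isdir("/proc"):
        return True
    return os.getpid() not in find_hidden_pids(max_pid=os.getpid())


if __name__ == "__main__":
    print("sample data, hidden PIDs:", cross_view_diff(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW))
    if os.path.isdir("/proc"):
        print("live scan, hidden PIDs:", sorted(find_hidden_pids()) or "none")
```

Two things a practitioner will hit in practice: a /proc mounted with the hidepid option hides other users' processes from the directory listing while kill() still reports them, which looks exactly like a root kit to this scanner, and a root kit that hooks the kill system call as well as the directory read defeats it entirely. That second point is why the Windows tools above fall back to raw disk structures or a clean-boot scan for their low-level view.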
Are you personally concerned about root kits on your computer? Talk back to me.