Thursday, May 16, 2013

Rootkits Part 0 - What, Why and Who


Rootkit Series Part 0


Sure you have heard about rootkits before and recently there have been a few advanced rootkits in the news, but do you know how they are used, why, or how they can be detected? For most people the answer is no, and if you are someone who is interested in writing rootkits or just want to learn more about them I hope you find this series interesting and informative.

Keep in mind this series is for educational purposes only and to promote infosec education through hands on learning, if you use this info in any illegal way I am not responsible for your actions.

Lets dig in and explain WTF a rootkit is, who uses them and some basic usage.


What is a rootkit?

The term "rootkit" has been around for a while (10+ years).  You can think of a rootkit as basically
a set of programs that allow an attacker to remain undetected in a system and maintain root access.

As our good friend Wikipedia puts it:
"A rootkit is a stealthy type of software, often malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer."

The thing is rootkits for the most part are not actually malicious, the intent may be but the code itself isnt.

Rootkits are used by "Good" and "Bad" guys alike, many companies have rootkit technology on systems to monitor things, law enforcement uses them sometimes and "rootkit" technology has many other legitimate uses other than what you hear in the news or
usually think of when you hear rootkit.



So now we have an idea of what a rootkit is to an extent. Now you may be wondering about why someone would use them and what some
legit uses would be.  Ill attempt to answer that now, if anything is unclear use your good friend Google or drop me a line.

Why rootkits?

Rootkits are mainly used to maintain access to a system and remain undetected, you may be thinking well isnt that the point of a trojan and other malware (RATs, Backdoors, Etc...) well yes and no.  Rootkits are made specifically to hide activity of your malware and to maintain a high level of access as mentioned earlier they of course can be tailored for your needs just like malware.  Keep in mind if you just want to get in steal data and get out without a trace a rootkit may not be the best option, most of the time you will leave your rootkit behind and it may eventually be detected and could lead back to you or your operation (unless you are able to wipe it).

Rootkits have for the most part two main functions, they can be used as a remote command an control and/or used for software eavesdropping   There are many things you can do with rootkits but these are the most common functions as of now.

Remote Control:

Think of this as having the ability to control the remote system, this could be a command shell, sending commands, controlling files, and many other things we will go into later.

Software Eavesdropping:

This is basically as it sounds, you can sniff network traffic, log keystrokes, gather passwords, crypto keys and just watch what a user is doing.  This is very useful for gathering inelegance for further exploitation of other systems on the network and a whole plethora of other things good or bad.


WHO?

As we have mentioned there are legitimate uses for rootkits.  Law enforcement agencies may use them to "bug" a suspects computer system to gather evidence of CP, music and software piracy, computer trespass  and other computer related "crimes".

Nation States may use rootkits for military puropses. You can think of Stuxnet as a hybrid malware, it used a rootkit like component to remain undetected in systems.  Most of the major advanced attacks seen most likely used some sort of rootkit like functionality to remain hidden and undetected in the target systems.


Im sure you can think of the illegitimate uses of rootkits on your own. But ill just throw some examples of how it has been used by nation states, cyber criminals and others.

The following is a list of "legit" and not so legit uses: (these all have some sort of rootkit like component and/or functionality)

  • GhostNet
  • Zeus
  • CIPAV (FBI)
  • Magic Lantern (FBI)
  • Aurora (china?)
  • Stuxnet
  • Flame
  • Red October
  • Avatar Rootkit
  • Spyeye (actually had a component to kill Zeus)


The list goes on and on.


As you can see Rootkits are uses not just by cyber criminals but as mentioned Nation States use them for cyber espionage and other operations military and civilian. There are even companies that sell rootkits legitimately used as monitoring software.


So we now have an idea of what a rootkit is, who may be using it and some basic uses for a rootkit.

Thats all for this post, I tried to keep it short and simple, we will go into more detail of uses and will eventually write a simple rootkit for our good friend Windows and maybe *nix in later posts. Feel free to give me feedback and if I missed something or got some detail wrong let me know and as always suggestions are encouraged.

Next post we will discuss the different types of rootkits.

No comments:

Post a Comment