Windows Rootkits 344
GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"
Rootkits in brief (Score:5, Informative)
http://www.oreillynet.com/pub/a/linux/2001/12/14/
See this if you're having trouble printing code examples
Understanding Rootkits
by Oktay Altunergil
12/14/2001
A rootkit is a collection of tools an intruder brings along to a victim computer after gaining initial access. A rootkit generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. Although the intruders still need to break into a victim system before they can install their rootkits, the ease-of-use and the amount of destruction they cause make rootkits a big threat for system administrators.
The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected. A rootkit makes this very easy by installing a backdoor remote-access daemon, such as a modified version of telnetd or sshd. These will often run on a different port than the one that these daemons listen on by default.
Most rootkits also come with modified system binaries that replace the existing ones on the target system. At a minimum, core binaries such as ps, w, who, netstat, ls, find, and other binaries that can be used in monitoring server activity, are replaced so intruders and the processes they run are invisible to an unsuspecting system administrator.
Because most rootkits will mimic the creation dates and file sizes of the original system binaries while replacing them with infected versions, keeping records of these file statistics is not sufficient. Thus, the best way to make an inventory of system file information that can be used to identify suspicious activities on the server is to calculate the cryptographic checksums of these files and store this information in a safe location, such as on a CD.
Third-party tools such as Tripwire or AIDE make this process much easier and more robust by automating the calculation of these file signatures.
Here's a quick explanation of Tripwire from the organization's web site:
"Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc."
Obviously this process has to be repeated as you introduce more software and other files into your system. You can also use the RPM signatures on RPM-based systems such as Red Hat and SuSE to compare the current MD5 signatures of your files to those in the RPM installation database. Unfortunately, the RPM application itself and the local RPM database cannot be trusted to provide accurate information because intruders can potentially infect them too.
Some rootkits may also contain sniffer or keylogger applications that are used to gather passwords for other systems and listen to traffic for sensitive information. To do this, the rootkits set the PROMISCIOUS mode on the target machine's network interface card (NIC). In normal operation, a network interface card only listens to traffic that is specifically addressed to itself and traffic that is coming through the broadcast address that everyone listens to.
On a "non-promiscuous" network adapter, the packets that are addressed to other network interfaces are silently discarded without even looking at the actual data in them. However, when using directly connected computers or a network that uses basic, non-switching HUBs, your interface actually can listen to all traffic if it's in PROMISCIOUS mode.
If an intruder listens to this traffic on a relatively large network, the results may be catastrophic. To protect the whole network even when one of the machines is broken into, using direct cable connections and basic HUBs should be avoided. Switching-hubs and other more advanced networking equipment do not broadcast traffic to all the machines on the network, but only send it to the machine that is supposed to receive it, effectively protecting all the other machines on the network.
Because the first thing a system administrator does to monitor unusual activity is to check the system log files, it is very common for a rootkit to include a utility to modify the system logs. In some extreme cases, rootkits disable logging all together and discard all existing logs. Usually if the intruders intend to use the server for an extended period of time as a launch base for future intrusion activity, they will only remove those portions of logs that can reveal their presence. Because the absence of log files or stopped logging activity is a sign of suspicious activity itself, only attackers who have adopted the hit-and-run style will choose to blindly discard all logs.
One method administrators can use to maintain logs about an intrusion attempt -- successful or otherwise -- is to devise a system that detects network anomalies and alerts the system administrators by sending them notification email messages and/or log files. Obviously, the network intrusion detection and periodic log-file transfer methods cannot be trusted after the intruder gains access to the machine.
Related Reading
Building Internet Firewalls, 2nd Ed. Building Internet Firewalls, 2nd Ed.
By Elizabeth D. Zwicky, Simon Cooper & D. Brent Chapman
Table of Contents
Index
Sample Chapter
Full Description
Read Online -- Safari
Arguably the most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel on the fly -- without requiring a kernel recompilation. Although the benefits of using LKMs are universally recognized, they are also subject to abuse by intruders who use the kernel module-loading mechanism for malicious purposes. Even if you reboot a system that is infected by an LKM Trojan, the LKM process will reload it during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems including Linux, Solaris, and FreeBSD.
According to SANS, "Kernel [LKM] rootkits do not replace system binaries, they subvert them through the kernel. For example, ps may get process information from
Although it is thought to be possible to cryptographically sign kernel modules, the best mode of prevention against this security threat is to compile all functionality statically into the kernel and disable the LKM functionality -- especially on a server system which is not likely to need additional kernel functionality at a later time.
Knark, Adore, and Rtkit are just a few of many LKM rootkits available today.
The only way to avoid rootkit installations on your system is to stop them before they enter your system. Remember that a rootkit is not designed to help an intruder gain access to a system. A rootkit is designed to make the intruders feel at home and allow them work silently on your system without being disturbed. To install a rootkit, an intruder still must gain unauthorized access to your server using traditional methods, such as exploiting known vulnerabilities or even practicing social engineering to get the password information from a well-meaning person who happens to have it.
To avoid future headaches, you should always install firewalls on your machines that are accessible via some type of a network, apply all published patches to your software, and disable any services that are not absolutely necessary. Coupling these practices with strong passwords and secure protocols, such as SSL and SSh where applicable, you can be sure that your system will never be compromised.
Well
In my next article, I'll discuss some of the tools that are at your disposal in your quest to detect the existence of a rootkit on your system. I will also talk about what you can do to clean up a rootkit after you discover it.
Oktay Altunergil works full time as a Unix Administrator and PHP Programmer.
Return to the Linux DevCenter.
oreillynet.com Copyright © 2003 O'Reilly & Associates, Inc.
Re:rootkit redundant. (Score:5, Informative)
Re:rootkit redundant. (Score:4, Informative)
But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.
It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.
rootkit detection tool (Score:4, Informative)
http://www.chkrootkit.org [chkrootkit.org]
runas - Re:rootkit redundant. (Score:5, Informative)
C:\>runas
RUNAS USAGE:
RUNAS [/profile] [/env] [/netonly]
program command line for EXE. See below for examples
Examples:
> runas
> runas
> runas
NOTE: Enter user's password only when prompted.
NOTE: USER@DOMAIN is not compatible with
Re:Let's pretend I'm on linux... (Score:3, Informative)
Also, since Linux is a file based config OS, it's gonna be a damn sight easier to remove a rootkit than it would be with Win32. Having had experience (trying to) remove undesirable VXDs and so forth from Windows systems, if the driver in question is resident Windows itself tries very hard not to let you remove it, and there's no easy way to edit the registry without booting fully into the OS.
Re:Roots on Windows aren't as l337 (Score:2, Informative)
http://lists.isb.sdnpk.org/pipermail/comp-list/
Tips of using Windows rootkits (Score:5, Informative)
1: We use packers and unpackers to protect all of our payloads, along with standard de-ICEing as to make casual debuggers simply crash. Look at some of the cracking group trainers as to understand how we hide stuff.
2: Sometimes, we put utilites on the machine (like grep, ps, kill) that normally arent on Windows machines, however the Internix package makes a garbage DOS shell verrry usable
3: We hit many of the files, such as ntoskern, explorer, and others that are ran many times per session. What's better is if you can offload the code to a common library.
4: If you target a Windows 2k or XP platform, make sure to install the payload inside a system file and its backup. If you dont, windows will overwrite your trjaned package with the known good one. With the bad in the cab, you'll be guaranteed a hole. Sometimes, however, the packages cause problems with windows updates. If that kind of thing happens, it usually causes a bluescreen.
5: A smart cracker will program the trojaned executable to check a web page on the net (say geocities) and parse the html for commands to do. This way, you have no direct 'link' to the rooted system, and somebody else takes the rap. Using an anonymizing proxy is highly reccomended.
I've had no experience in writing a kernel-level NT driver, but what I hear from my pals, it's a bitch to do right. I mostly do packages/integration with known software. You'd be amazed how many kid back hats think Netbus, Sub7 or Backoriface is the way you do such things. You just do NOT WANT TO TOUCH THIS CODE, as damn near every anti-virus software will alert the user. That equals a re-Ghost (which that's a good reason to infect the main ghost image...),
I'll hang around a little while if there's any questions.
Ja ne..
Re:You have to think like an admin (Score:1, Informative)
Re:How to clean boot Windows? (Score:4, Informative)
Pretty simple.
Re:How to clean boot Windows? (Score:2, Informative)
Re:rootkit redundant. (Score:5, Informative)
Just to clear up a few things: "Run as" is not in Windows NT 4.0 (or below I would assume). In Windows 2000, you Shift-right_click to get "Run As" as an option. You cannot run another copy of Explorer.exe with it (and so you cannot access the control panel as administrator using this trick). Windows XP's fast user switching is better in this regard- no need to close programs to do something as administrator, but still not as nice as nix. Windows NT Resource kit has a command line SU utility, but I've never used it.
Re:How to clean boot Windows? (Score:2, Informative)
The link is in german and requires a lot of click-though until you hit the download. An easier location to get KNOPPIX is the ftp server, eg this one:
ftp://ftp.tu-chemnitz.de/pub/linux/knoppix/
You find KNOPPIX on many big linux distro mirrors, so go to your favourite one..
Marc
re: mount disk on another system (Score:1, Informative)
Re:Roots on Windows aren't as l337 (Score:2, Informative)
Point of clarification: W2K Professional does not have terminal services available to it, although Server and Advanced Server both do. WXP has it tho, and it's nice and easy to use.
Re:Roots on Windows aren't as l337 (Score:4, Informative)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr
In the client, just append a ":" to the hostname/ip.
Look at Phrack and so on (Score:3, Informative)
The main issue is that although NT has quite good privilege separation and 2K even better (both better than a non-security enhanced Unix), 90% of the apps don't use this. That means once you're in, you have the machine.
Re:rootkit redundant. (Score:5, Informative)
Jouster
Re:Tips of using Windows rootkits (Score:2, Informative)
Most of the true windows rootkits have no names. It's just a patch/repack. We prefer NOT to put names/sigs/gr33ts on software we make. One less identifier is one less way we can be 'found out'.
Re:rootkit redundant. (Score:3, Informative)
wrong, and wrong
First, you can. Kill explorer.exe from the task manager, and then rerun it as Administrator: you'll get the Administrator's taskbar, desktop, etc.
Second, you don't need to. You can run the command prompt as Administrator, and launch all the commands you need from there, including control panel applets and MMC snap-ins (you learn soon which has what filename). Or you can start Internet Explorer (iexplore.exe) as Administrator, instead - when browsing local folders, it will turn into an Explorer workalike, with just some UI problems (it won't be able to receive update notifications, not even from itself, so you'll need to refresh directory listings manually with F5)
Re:Windows NT isn't a multiuser 'Time Sharing' sys (Score:2, Informative)
You can install Hummingbird Inetd or Interix, or use the built in but anaemic Telnet server that comes with W2K, but since NT's focus is not to be a symmetrical multi-user timesharing system, the default system most people think of as 'NT' isn't that fun to hack into.
Now, I've supported many simultaneous users on an NT box running Interix, but that's the exception. I've wondered for awhile how well Apache would run in an Interix subsystem. But it's not interesting enough that I've tried it.
Look at PSTools on www.sysinternals.com.
They let you do all kinds of wonderful things on a system as long as you have a user account with which to access it, through RPC.
Amongst other things, you can remotely install and run executables. Very handy.