You may have handed control of your PC to someone else without knowing it. Your virus scanners may show no evidence of infection, but things are not right. That 100GB hard drive you thought would last a lifetime may be half-full. Your Internet usage may be higher than you expected. You may be a victim of a remote access trojan (RAT), or, as they are commonly known, a rootkit.
Rootkits have existed in Unix and Linux for some time, but they have only recently become common in the Windows environment. The purpose of a rootkit is to run programs on your computer without your knowledge. They can also be used to hide files of any size. It’s almost impossible to know if your computer has been hit. Before you know what is happening your PC may be making pornography available to the Internet, or a program could be waiting to log your credit card number and send it to the perpetrator. Remember, they can do anything with your computer, gain access to any of your files, or run any program they like. They can even be used to compromise your virus scanner.
The reason rootkits achieve this level of anonymity and depth of infiltration is that they attack the core of the operating system (OS), known as the kernel. Once in place they fool the OS so that it will not report the offending program or show that it is running. Files are hidden because the rootkit does not report them to the OS.
The rootkit itself is not the problem. It is the program that it is hiding that causes your woes. Initially your PC would have been the victim of a virus, which installed the rootkit. Once the rootkit is installed, another program is enabled, which does the dirty work completely hidden from view.
Fortunately there is help at hand. VICE, a free program, can be downloaded from rootkit.com. This program is the work of Jamie Butler, who specialises in rootkits and other subversive technologies. Butler works for HBGary, a company founded by Greg Hoglund, who co-authored the book “Exploiting Software”. Both are involved in training IT staff through Black Hat, and run the “Aspects of Offensive Rootkit Technology” course. An excerpt of Hoglund’s book is available at the TechTV website (5), where there is also an excellent video of Butler and Hoglund talking about rootkits.
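The two ideas above, that a kernel rootkit redirects the OS’s own lookup routines and that hidden files are simply ones the OS is no longer told about, translate into two detection checks. The following is an added illustration written for this article, not VICE’s code or anything from rootkit.com: it runs a hook check (does each system-service handler still point into the kernel image it belongs to?) and a cross-view check (does a raw directory listing contain names the OS-level listing omits?) over constructed data. The module names, addresses, service names and file names are all made up for the example.

```python
"""Two rootkit-detection checks on constructed data (example only)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Module:
    """Address range of a loaded kernel module (constructed values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module list: the kernel image plus one driver that has no
# business owning system-service handlers.
LOADED_MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x8040_0000, 0x0020_0000),
    Module("unknown_driver.sys", 0xF8A1_0000, 0x0000_8000),
]

# Constructed system-service table: service name -> handler address.
# On a clean system every entry should resolve into ntoskrnl.exe.
SERVICE_TABLE: Dict[str, int] = {
    "NtCreateFile":             0x8045_1F20,
    "NtQueryDirectoryFile":     0xF8A1_2340,  # redirected into the foreign driver
    "NtQuerySystemInformation": 0x9A00_0100,  # points at memory no module maps
    "NtOpenProcess":            0x8047_88A0,
}


def owner_of(addr: int, modules: Iterable[Module]) -> Optional[str]:
    """Name of the module whose range covers addr, or None if none does."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_hooked_services(table: Dict[str, int], modules: Iterable[Module],
                         expected: str = "ntoskrnl.exe") -> Dict[str, Optional[str]]:
    """Return services whose handler lies outside the expected module.

    The value is the module that now owns the pointer, or None when the
    address is not inside any known module at all.
    """
    modules = list(modules)
    hooked: Dict[str, Optional[str]] = {}
    for name, addr in table.items():
        owner = owner_of(addr, modules)
        if owner != expected:
            hooked[name] = owner
    return hooked


def find_hidden_entries(raw_view: Iterable[str], api_view: Iterable[str]) -> List[str]:
    """Cross-view diff: names present in the raw listing but missing from
    the listing the OS reports through its normal API were hidden."""
    return sorted(set(raw_view) - set(api_view))


# Constructed directory views: the raw view stands in for reading the volume
# directly, the API view for what a hooked directory-listing call returns.
RAW_DIRECTORY = {"boot.ini", "ntldr", "pagefile.sys", "_hide_loader.exe", "_hide_keys.log"}
API_DIRECTORY = {"boot.ini", "ntldr", "pagefile.sys"}  # the hook dropped the "_hide_" names


if __name__ == "__main__":
    for svc, owner in find_hooked_services(SERVICE_TABLE, LOADED_MODULES).items():
        print(f"HOOKED {svc}: handler now in {owner or 'unmapped memory'}")
    for name in find_hidden_entries(RAW_DIRECTORY, API_DIRECTORY):
        print(f"HIDDEN {name}")
```

Run as-is it reports two hooked services and two hidden files. The point of the cross-view check is that the raw view has to come from somewhere the rootkit does not control (reading the disk directly, or examining the drive from another machine, as Butler and Hoglund recommend); if both views go through the same hooked API, the diff is empty and tells you nothing.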
Once you have identified that your computer has been hit by a rootkit, you have to clean it up. Butler and Hoglund recommend removing your hard drive and putting it into another machine. This will allow you to delete the offending files. There is another option, recommended by About.com: reformat your hard drive and rebuild it from an uncompromised backup.
Whichever method you choose, you will want to ensure that it does not happen again. See the eStuff “Protecting your PC” article. You may also wish to install Process Guard, from Diamond CS, to stop further unknown programs from running.
Barron Mertens admits to being puzzled last January when a cluster of Windows 2000 servers he runs at an Ontario university began crashing at random. The only clue to the cause was an identical epitaph carved into each Blue Screen of Death, a message pointing the blame at a system component called “ierk8243.sys.” He hadn’t heard of it, and when he contacted Microsoft, he found they hadn’t either. “We were pretty baffled,” Mertens recalls. “I don’t think that cluster had bluescreened since it was put into production two years ago.” [SECURITY FOCUS NEWS]
History of Unix Trojan Horses [University of Washington]
Hackers can obtain user-level security privileges and install a rootkit, which is basically a collection of tools, to compromise a system or network. The rootkit will exploit a known system vulnerability or crack a password for a user with administrator-level privileges and will then cover the hacker’s tracks, making them difficult to detect. The best way to protect your network against rootkits is to know how they work and what type of damage they can do. [ZDnet]
Not every case of a successful intrusion is “crowned” with a replaced Web site on the server, data theft or damage. Often electronic intruders do not wish to create a spectacle but prefer to avoid fame by hiding their presence on compromised systems, sometimes leaving certain unexpected things. They use sophisticated techniques to install specific “malware” (backdoors) to let them in again later with full control and in secret. [Windows Security]
Nothing unusual running on your system? Don’t bet on it. A small piece of code called a rootkit may be lurking in the recesses of your system. Every week I write about evil people and the evil software they write. But nothing scares me like rootkits. [eWeek]
My client’s PC had been experiencing strange symptoms that included slow performance, a CD-ROM tray that opened and closed at random, strange error messages, and inverted screen images. After I severed his Internet connection and followed my typical malicious software (malware) hunting steps, I located the culprits – two Remote Access Trojans (RATs). [Microsoft TechNet]