Section 5.3 Rootkits

• A rootkit is a tool that allows an intruder to obtain root privileges.
  • The favorite tool of the script-kiddy
• These are built for various reasons
  • As a tool to gain access
  • A proof of concept.
  • A "you better pay attention and lock down your systems" message.
• They generally
  • Are mostly or completely automated
  • Require little knowledge to use.
• Sometimes
  • They do something silly to alert the admins that someone has compromised their system.
• The book discusses multiple rootkits
  • On smart phones
    • Turn the phone into secret microphone.
    • Turn on and report gps location to an address
    • Turn on high energy use apps to drain the battery
    • ...
• They discuss methods used to hide programs on the system
  • They talk about a set of windows calls.
  • I will quickly discuss linux
    • opendir opens a directory
    • readdir will read the next entry from a directory
      • this returns a pointer to a directory entry structure.
  • Look at myls.cpp for example code.
    • The source code for ls is here
  • I just replace the system file (/bin/ls) with a combination of these two codes.
  • The same can be done with any system utility.
    • ps, top, df, du, ...
  • How do I defeat this?
    • Have a program that records the checksums of all "important" system files.
    • Record all checksums when the system is pristine.
      • Store these in an inaccessible remote location.
    • Regularly scan the system and check these to see if critical programs have changed.
• There is a scary story about how SONY embedded a hack into the autoexec file of a cd.
  • It disabled reporting of files with a starting header of $var$
  • So SONY did all the work for hackers, they just created $var$virus
• There is a scary story about how a microsoft patch exposed a wrapper exploit
  • The exploit had replaced a service
  • When the patch was made, the location of calls in the kernel changed.
  • And the wrapper no longer worked.
• They trace the life of the TDSS rootkits which is fascinating
  • As time passed, they evolved this to have more and more functionality.
  • Including better ways to hide
  • Encrypted communication streams.
  • Better replacement of integrity testing programs.
• In the end they point out that
  • Operating systems are complex.
  • They have extreme levels of layered protection.
  • They are still vulnerable.
  • And it is a constant battle to keep them secure.