Learn Me About Root-Kit Viruses

I read about these but a lot of it is computerese going over my head.

I read that you can’t detect a root-kit virus, is this true?

I also read the only way to be sure you get rid of it, is to reinstall the o/s.

So can anyone learn me about these virii. :slight_smile:

My question is can someone give me information about them. And please make sure it’s not too complex.

I don’t have any viruses, that I know of; I just ran across the term and started reading and it interested me. Whatever you care to share I’d be interested in knowing.

Thank you

A root kit is a generic term for malware that actively tries to hide itself by modifying those parts of the operating system that you would ordinarily use to see the malware’s presence or operation.

For instance, an item of malware might be installed in a particular directory (folder) and be automatically started when the system boots by an entry in a system startup configuration file. Once you know what to look for it is easy to spot, either if the user looks, or a virus scanner goes looking. A rootkit modifies the operating system and kernel so that the system facilities that would reveal the presence of the malware are blind to it. For instance the file system may have added to it a simple bit of code that blanks out the malware files from any file listing. The process viewer similarly is modified to not show the running malware process, and whenever you try to look inside the configuration files the system serves up a faked file that is not the one used at boot time. And so it goes. Network activity monitors are blinded, the file system will report the correct sizes of modified files, and in an ever escalating war, whenever a detection system adds a mechanism to detect the malware, a new feature is added to the rootkit to either disable or disguise the result.

Within the taxonomy of malware, rootkits probably do count as proper viruses. They involve changes to the code of the target system (in the same manner that a biological virus adds itself to the DNA of an infected cell.) In some ways a rootkit is a little analogous to HIV, in that it actively attacks the defence systems of the host.

A related issue with rootkits is the sophistication they have in hiding parts of themselves and of adding reinfection mechanisms. Because elements of the operating system have been infected, there is nothing left you can trust. If you delete files related to the malware, you can’t trust the operating system to have really deleted them, or you can’t trust the system not to still contain other code that will simply reinstall them. Worse, some modern rootkits hide components of themselves outside the normal parts of the filesystem. They can hide important components in unused parts of the disk, so they are easily available for installation, and a very nasty variant installs a re-installation program in the bootstrap sector of the disk - not a part of the disk that is overwritten during a complete installation of the operating system, but one that is automatically executed every time you boot the computer.

Running detection software from a CD can be useful, since the CD is not writeable, and we hope has not been built from an infected source (not a complete given), so we can reasonably assume it can’t be subverted and will detect the malware. But, whether it is able to find every hiding hole the malware secretes itself in is another matter.

As they say in the classics, nuke it from space, is the only way to be sure.

Wikipedia has quite a simple explanation of rootkits.

There are detectors/eliminators available but I couldn’t vouch for the effectiveness of any of them.
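The hiding mechanism described above (a patched directory-listing routine that drops the malware’s files) is also what gives detectors a handle on it: compare what the patched API reports against a second, lower-level view of the same data and look for entries that are missing from one. This is an added example and not code from anyone in the thread; it simulates the hook in user space rather than in the kernel, and the `rk_` prefix and the scratch files it creates under /tmp are constructed for the demonstration.

```c
/* Added example, not from the thread: a toy "hooked" directory listing that
 * hides entries, and a cross-view check that catches it.  The prefix "rk_"
 * and the fixture files under /tmp are hypothetical. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 64
#define NAME_LEN 256
#define HIDE_PREFIX "rk_"   /* hypothetical: names the toy rootkit hides */

typedef struct {
    char names[MAX_ENTRIES][NAME_LEN];
    int count;
} listing;

/* Trusted, low-level view: walk the directory with readdir() and keep
 * everything except "." and "..".  Think of this as the offline / boot-CD view. */
static int list_raw(const char *dir, listing *out)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    if (!d) return -1;
    out->count = 0;
    while ((e = readdir(d)) != NULL && out->count < MAX_ENTRIES) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        strncpy(out->names[out->count], e->d_name, NAME_LEN - 1);
        out->names[out->count][NAME_LEN - 1] = '\0';
        out->count++;
    }
    closedir(d);
    return 0;
}

/* "Hooked" view: what a patched listing routine hands to a file manager or a
 * naive scanner.  Same data source, but names starting with HIDE_PREFIX are
 * silently dropped, exactly the trick the post above describes. */
static int list_hooked(const char *dir, listing *out)
{
    listing raw;
    if (list_raw(dir, &raw) != 0) return -1;
    out->count = 0;
    for (int i = 0; i < raw.count; i++) {
        if (strncmp(raw.names[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0) continue;
        strcpy(out->names[out->count++], raw.names[i]);
    }
    return 0;
}

static int contains(const listing *l, const char *name)
{
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* Cross-view diff: anything present in the trusted view but absent from the
 * API view is being hidden.  Returns the number of hidden entries and copies
 * their names into *hidden. */
static int cross_view_diff(const listing *trusted, const listing *api, listing *hidden)
{
    hidden->count = 0;
    for (int i = 0; i < trusted->count; i++)
        if (!contains(api, trusted->names[i]))
            strcpy(hidden->names[hidden->count++], trusted->names[i]);
    return hidden->count;
}

/* Constructed fixture: a scratch directory with two ordinary files and one
 * the toy hook will hide.  Writes the directory path into buf. */
static int make_fixture(char *buf, size_t n)
{
    char path[2 * NAME_LEN];
    const char *files[] = { "notes.txt", "rk_payload.dat", "readme.md" };
    snprintf(buf, n, "/tmp/rkdemo_%ld", (long)getpid());
    mkdir(buf, 0700);                  /* EEXIST on a re-run is fine */
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        FILE *f;
        snprintf(path, sizeof path, "%s/%s", buf, files[i]);
        f = fopen(path, "w");
        if (!f) return -1;
        fputs("constructed sample\n", f);
        fclose(f);
    }
    return 0;
}

int main(void)
{
    char dir[NAME_LEN];
    listing trusted, api, hidden;
    if (make_fixture(dir, sizeof dir) != 0) return 1;
    list_raw(dir, &trusted);
    list_hooked(dir, &api);
    printf("API view shows %d entries, raw view shows %d\n", api.count, trusted.count);
    int n = cross_view_diff(&trusted, &api, &hidden);
    for (int i = 0; i < n; i++)
        printf("hidden from the API: %s\n", hidden.names[i]);
    return n ? 2 : 0;
}
```

In the real thing the two views are not both produced by `readdir()`: a rootkit detector takes its trusted view from somewhere the hook cannot reach, for instance by reading the filesystem structures straight off the disk or by booting from read-only media, and compares that with what the live system’s API returns. The diff logic is the same either way; any entry that appears in one view and not the other is worth a closer look.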

Most root kit detectors are flawed because they scan all the folders in alphabetical order. Most rootkits install in C:\windows, so it takes time to get to that folder. It gives the rootkit time to notice the scan and shut it down.

I’ve had success booting with BartPE, which runs an OS on a CD. The rootkit doesn’t load, so you can find it and delete it.
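One thing worth checking from an offline boot like the BartPE CD above is the bootstrap sector that an earlier post mentioned, since a re-installer planted there runs before the operating system and survives a reinstall that does not rewrite it. The check is simple: read the first 512-byte sector, confirm the 0x55 0xAA signature, parse the partition table, and compare a hash of the boot code against a known-good baseline taken when the machine was clean. This is an added example and not code from anyone in the thread; the sample sector, the baseline, and the "bootkit" patch are all constructed inline (no real malware is modelled), and the hash is a toy FNV-1a rather than a cryptographic one.

```c
/* Added example, not from the thread: parse a 512-byte MBR and compare its
 * boot code against a known-good hash, the kind of check you would run from
 * a boot CD.  The sample sector and the "bootkit" patch are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR       512
#define BOOTCODE_LEN 446   /* bytes 0..445: boot code */
#define PTABLE_OFF   446   /* 4 partition entries x 16 bytes */
#define SIG_OFF      510   /* 0x55 0xAA marks a valid MBR */

typedef struct {
    uint8_t  bootable;     /* 0x80 = active, 0x00 = inactive */
    uint8_t  type;         /* partition type byte, 0 = empty slot */
    uint32_t lba_start;
    uint32_t sectors;
} part_entry;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* FNV-1a: enough to notice a changed byte in a demo; a real baseline check
 * should use SHA-256 or similar. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static int mbr_valid(const uint8_t *sec)
{
    return sec[SIG_OFF] == 0x55 && sec[SIG_OFF + 1] == 0xAA;
}

/* Fill out[] with the non-empty partition entries; returns how many. */
static int mbr_parse_partitions(const uint8_t *sec, part_entry out[4])
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + PTABLE_OFF + 16 * i;
        if (e[4] == 0) continue;
        out[n].bootable  = e[0];
        out[n].type      = e[4];
        out[n].lba_start = le32(e + 8);
        out[n].sectors   = le32(e + 12);
        n++;
    }
    return n;
}

static uint64_t mbr_bootcode_hash(const uint8_t *sec) { return fnv1a64(sec, BOOTCODE_LEN); }

static int mbr_bootcode_changed(const uint8_t *sec, uint64_t baseline)
{
    return mbr_bootcode_hash(sec) != baseline;
}

/* Constructed clean sector: a jump plus NOP padding as stand-in boot code,
 * one active NTFS-type partition, and the signature. */
static void build_sample_mbr(uint8_t *sec)
{
    memset(sec, 0, SECTOR);
    sec[0] = 0xEB; sec[1] = 0x3C; sec[2] = 0x90;
    memset(sec + 3, 0x90, BOOTCODE_LEN - 3);
    uint8_t *e = sec + PTABLE_OFF;
    e[0] = 0x80;                 /* active */
    e[4] = 0x07;                 /* type byte used by NTFS/exFAT */
    put32(e + 8, 2048);          /* first LBA */
    put32(e + 12, 409600);       /* length in sectors */
    sec[SIG_OFF] = 0x55; sec[SIG_OFF + 1] = 0xAA;
}

/* Hypothetical tampering: change where the initial jump lands and drop a few
 * bytes of "payload" inside the boot code.  The partition table and signature
 * are left alone so the machine still boots and looks normal. */
static void simulate_bootkit(uint8_t *sec)
{
    sec[1] = 0x7D;
    memset(sec + 0x80, 0xCC, 16);
}

int main(void)
{
    uint8_t sec[SECTOR];
    part_entry parts[4];
    build_sample_mbr(sec);
    uint64_t baseline = mbr_bootcode_hash(sec);   /* recorded while clean */
    int n = mbr_parse_partitions(sec, parts);
    printf("valid=%d partitions=%d type=0x%02x start=%u\n",
           mbr_valid(sec), n, parts[0].type, parts[0].lba_start);
    simulate_bootkit(sec);
    printf("after tampering: valid=%d partitions=%d bootcode changed=%d\n",
           mbr_valid(sec), mbr_parse_partitions(sec, parts), mbr_bootcode_changed(sec, baseline));
    return 0;
}
```

The point of the example is the last line of output: the sector still has a valid signature and an unchanged partition table, so the system boots and every ordinary tool is happy, yet the boot code no longer matches the baseline. On a real machine you would read the sector from the raw disk device while booted from the CD, and keep the baseline hash somewhere the infected system cannot reach.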

Thanks this is pretty interesting. The Wikipedia article is a bit complex still for my computer brain, but it is making more sense.

It seems to me though that root-kits can’t install automatically just by viewing a page. The wiki article seemed to indicate you had to install something you think is safe but has malware on it. Is this right?

Not really. The infection mechanism is independent of the infection. It is common now that malware is delivered as a Trojan (named after the Trojan Horse). This is more a reflection of the improved security of modern operating systems, and the smaller number of easy exploits available. There was a time when operating systems shipped with so many holes that the mean time between connecting a new (Windows) computer to the Internet to it being found and infected was 20 minutes. With no action on the part of the owner. Simply due to bugs and holes in the Internet protocol implementations. That said, back at that time we had a Linux system subverted within a day of an exploit being announced. Trojans may be favoured now, as probably the easiest way of introducing malware, but this does not mean that all other vectors are closed or safe. Every new facility added introduces new complexity, and more possibilities for bugs and flaws. The burgeoning cloud based computing initiatives will no doubt breed a new set of exploits and infection vectors.

If rootkits are so effective, why are they not more common? (Or are they a lot more common than I think?) Why doesn’t virtually all malware use them? As I understand it, most malware today is written by professionals, for profit; they would surely have the knowledge and resources to produce rootkits. If rootkits are resistant to ordinary AV software, I should have thought almost everyone would be infected with them by now.

Was that for computers directly connected to the internet (e.g. direct modem dial-in or connecting to a cable/DSL modem)? Did using a router with NAT make that moot?

Is there anything comparable today?

Probably the most famous rootkit is that which Sony burned into the company’s music CDs to intentionally infect customers’ computers.

It was simply a lack of consideration for security. The OSes were perfectly accommodating to software that would modify any part of the system.

What about finding the computer in the first place–does/did connecting to the net with an NAT-capable router change the outcome?

Not in the least. It was simply part of a system of greater interconnectivity that further exposed the OS security holes.

You can use Microsoft System Sweeper (Bing) to remove rootkits. You need to burn it onto a CD and boot from the CD. Of course, it may not be able to remove all root kits but it is worth doing if you see weird issues with your PC.

This post won’t teach you anything about computers, but may teach you some English. It should be “So can anyone teach me about these viruses.”

Rootkits are hard to write. Whilst most malware is written by professionals, there is actually a lot less original malware around than you might imagine. There is a huge amount of cloned and slightly varied malware, all based upon the same base code. There are kits that allow much less skilled programmers to construct malware. Programmers also take malware from the wild and modify it to carry their own payloads. Not all of them are all that skilled, and there can be errors and bugs; others may add new features. At base you get the “script kiddies” who copy without understanding. (Again much less of this as general security has improved.) Also, rootkits are big. So there is a role for much smaller leaner malware. This affects the infection vector. The nature of the malware affects the sophistication too. A simple keylogger or mailing contact list stealer can be successful with much less protection than a botnet member, since they only need to run for a short while to do their main job.

The few really good professional writers expect to make serious money, so there is incentive to use other freely available (or steal and modify) simpler code. Eventually there are still many people who don’t use virus protection, or even bother to keep their operating systems up to date, and these are easy prey, and don’t really require a great deal of sophistication to infect. So there are ecological niches for all forms of malware.

In addition to what Francis Vaughan said, making a malware package have a complete rootkit makes it significantly larger and more complicated. So it is harder to deliver it to the computer, takes longer for the install process to work, and there are significantly more ways that it can go wrong. All of which makes it more likely that the rootkit will be detected during the install or fail to install at all.

Keep in mind that K.I.S.S. is very important in software of all types, even malware. No one, even a malware writer, writes perfect code. So keep things stripped down, keep it to known working components, etc.

A basic spam email server or DDoS attacker doesn’t need much from the machine so why bother with the extra headaches. But if you’re stealing bank account info, using it as vector for child porn or some such, then maybe you want to bundle it up a little tighter.

Also keep in mind that rootkits are detectable. They are just harder to find using mundane tools.

Pardon my continual questions, but in the spirit of a “learn me” thread–huh?

Here is my (oversimplified) conception that needs adjusting:

When I connect to the Internet directly, my computer’s IP address is visible to the Internet. A malicious bit of code crawls through a block of IP addresses, sending each one a series of commands/probes. When it reaches my computer’s IP address, it says something to the effect of “is port x/security hole open? If so, then execute the following commands to make life miserable.”

When I connect through a router with a NAT, the outward-facing IP address only goes as far as the router. Since the router doesn’t have the same security holes that a Winbox does/did, it neither responds to the “is port x open” nor passes the questionable packets on to a computer in its network (unless the computer asked for them by visiting an infected site). So, my conception goes/went, leaving a computer attached to the Internet (but going nowhere except to trusted, uninfected sites) is safe from the scenario of “There was a time when operating systems shipped with so many holes that the mean time between connecting a new (Windows) computer to the Internet to it being found and infected was 20 minutes.”

The only thing I can think of is that the malicious code is a two-step process, first looking for/exploiting holes in the NAT system then moving on to exploit holes in the individual computer’s operating system.

The above was written from a set-me-straight POV, not trying to be combative or argue with people who know what the hell they’re talking about.

That’s about it. Unless you are exploiting a hole in the network interface that would allow manipulation of an unspecified IP, you would first determine a valid IP, then push some malware down. But there is little vulnerability to a push anymore. And most of that is unnecessary because the machine will be transmitting its IP in legitimate communication, and if it downloads any software that is infected, the network interface won’t help without much more intelligent ‘firewall’ type of protection.

The basic problem is that people want to download code from untrusted sources, and the OSes have holes that allow software to alter the OS, or the boot code. Even in a protected ‘sandbox’ within the system, malware can be destructive to anything an application has access to. So if you are downloading updates to an accounting system, all the OS level protection in the world may not stop the malware from altering or deleting files.

Yes, connecting to the internet behind a router should be safer than going directly on the internet. Years ago, Windows used to ship with the firewall turned off by default and was quite vulnerable especially if a router was not used.

Google for Combofix.

IMHO the best rootkit killer.