WebSentry.ca

Web & Network Security Information Blog

Archive for July, 2006

Rootkits are evil…

Well, since my last posting, I have been studying in much more detail what it was that compromised the computer systems at my work, and how. Here is what I have found out. A rootkit was traditionally a label given to programs on Unix/Linux machines that would escalate a program or user to root privileges, pretty much meaning unhindered, unrestricted access to the entire machine. There are many ways for a rootkit to get onto a machine, usually by exploiting a software flaw of some sort for remote installation, or by exploiting the system locally through software that runs with greater permissions than the working user.

Rootkits are a collection of little programs intended for all sorts of little nasty things, and most of what they do is pretty much irreversible except at great pain, and practically undetectable too. A common component of rootkits edits the system kernel's directory-listing functions so that a certain file becomes undetectable to the system itself. It works like this: I could modify the kernel's directory-listing function to ignore files whose names start with a $ symbol. A file such as “$evilproc.exe” would then be invisible to programs such as Spybot/Ad-Aware, or any other application-level program, since all of them use the Windows calls to get listings of files, and that kernel function has been edited. Pretty cool idea the hackers came up with, but it’s a nasty trick. The same trick can be applied to process listings, so that Task Manager skips certain processes without ever listing them as running.
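To make the hiding trick above concrete, and to show the standard defensive answer to it, here is a small added example (my own code, not from the post or from any real rootkit). It simulates a tampered directory-listing call that silently drops names beginning with $, then detects the hidden file with a cross-view comparison: the same directory is listed through the "hooked" view and through a trusted view, and any name present in one but not the other is flagged. The hook is a plain Python filter, the temporary directory and the file names (report.txt, $evilproc.exe) are constructed sample data, and function names such as hooked_listdir and cross_view_diff are my own.

```python
import os
import tempfile
from pathlib import Path

# Names beginning with this prefix are dropped by the simulated hooked listing call.
HIDDEN_PREFIX = "$"


def hooked_listdir(path):
    """Simulates the tampered directory-listing function described in the post:
    every name starting with '$' is silently removed from the result."""
    return [name for name in os.listdir(path) if not name.startswith(HIDDEN_PREFIX)]


def raw_listdir(path):
    """Stands in for a trusted, lower-level view of the same directory.
    A real detector would read the on-disk file system structures directly;
    here os.listdir plays that role (assumption for the demo)."""
    return os.listdir(path)


def cross_view_diff(path, api_view=hooked_listdir, trusted_view=raw_listdir):
    """Cross-view detection: names visible in the trusted view but missing
    from the API-level view are candidates for a hidden file.
    Returns a sorted list of such names (empty list when the views agree)."""
    return sorted(set(trusted_view(path)) - set(api_view(path)))


def build_demo_dir():
    """Create a temporary directory holding one ordinary file and one file
    whose name carries the hidden prefix. Both are constructed sample data."""
    demo = tempfile.mkdtemp(prefix="rootkit_demo_")
    Path(demo, "report.txt").write_text("ordinary document\n")
    Path(demo, "$evilproc.exe").write_text("constructed placeholder, not a real binary\n")
    return demo


if __name__ == "__main__":
    demo_dir = build_demo_dir()
    print("API view     :", hooked_listdir(demo_dir))
    print("Trusted view :", raw_listdir(demo_dir))
    hidden = cross_view_diff(demo_dir)
    if hidden:
        print("Hidden from the API view:", hidden)
    else:
        print("No discrepancy between views")
```

The point of the comparison is that an application-level scanner which only asks the (possibly hooked) system call will never see the file, while a detector that obtains a second, independent listing and diffs the two does. The same idea extends to processes: enumerate running processes through the normal API and through a second source, and flag anything that appears in only one of them.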

I found most of this information in a podcast from this website (http://www.grc.com/) called “Security Now”. It is a very good podcast and I highly recommend it. They talk about a lot of topics relating to computer and internet security issues. Guess what? Did you know that Sony made use of rootkit technology, and even put a call-back home in it? Many of the enhanced CDs from Sony have a rootkit as part of the CD. Listen to the podcasts to see what it is all about. The next version of Windows (Vista) is supposed to be re-focused on making users just users, and having them escalate to administrator status for short periods, to combat things such as rootkits and spyware. We shall see…
