Windows root kits: a stealthy threat

You ain't seen nothing yet


Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning, says SecurityFocus' Kevin Poulsen.

Barron Mertens admits to being puzzled last January when a cluster of Windows 2000 servers he runs at an Ontario university began crashing at random. The only clue to the cause was an identical epitaph carved into each Blue Screen of Death, a message pointing the blame at a system component called "ierk8243.sys." He hadn't heard of it, and when he contacted Microsoft, he found they hadn't either. "We were pretty baffled," Mertens recalls. "I don't think that cluster had bluescreened since it was put into production two years ago."

Mertens didn't know it at the time, but the university network had been compromised, and the mysterious crashes were actually a lucky break -- they gave away the presence of an until-then unknown tool that can render an intruder nearly undetectable on a hacked system. Now dubbed "Slanret", "IERK," and "Backdoor-ALI" by anti-virus vendors, experts say the tool is a rare example of a Windows "root kit" - an assembly of programs that subverts the Windows operating system at the lowest levels, and, once in place, cannot be detected by conventional means.

Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system. Conventional backdoors like SubSeven and BO2K operate in "user mode", which is to say, they play at the same level as any other application running on the compromised machine. That means that other applications - like anti-virus scanners - can easily discern evidence of the backdoor's existence in the Windows registry or deep among the computer's files.

In contrast, a root kit hooks itself into the operating system's Application Program Interface (API), where it intercepts the system calls that other programs use to perform basic functions, like accessing files on the computer's hard drive. The root kit is the man-in-the-middle, squatting between the operating system and the programs that rely on it, deciding what those programs can see and do.

It uses that position to hide itself. If an application tries to list the contents of a directory containing one of the root kit's files, the malware will censor the filename from the list. It'll do the same thing with the system registry and the process list. It will also hide anything else the hacker controlling it wants hidden - MP3s, password lists, a DivX of the last Star Trek movie. As long as it fits on the hard drive, the hidden cargo doesn't have to be small or unobtrusive to be completely cloaked.

Slanret is technically just one component of a root kit. It comes with a straightforward backdoor program: a 27 kilobyte server called "Krei" that listens on an open port and grants the hacker remote access to the system. The Slanret component is a seven kilobyte cloaking routine that burrows into the system as a device driver, then accepts commands from the server instructing it on what files or processes to conceal. "The stealth driver in my mind is the scary concept," says Mertens. "You can hide an elephant with it."

Root kits are old hat in the Unix and Linux world, but are rarely found on hacked Windows hosts. "They're a scary thing," says Marc Maiffret, chief hacking officer at California-based security software-maker eEye. "In Unix that's been going on for ages, but the backdoors for Windows NT have always been trivial. I've always wondered why this isn't happening."

Cloaking Device Driver

Greg Hoglund, a California computer security consultant, believes intruders have been using Windows root kits covertly for years. He says the paucity of kits captured in the wild is a reflection of their effectiveness - not slow adoption by hackers. "It's happening now," says Hoglund. "People don't realize that it's happening, but in the next two or three years we're going to see a lot more of this activity."

If there's an authority on Windows root kits, it's Hoglund - he's been sounding the alarm about their malicious potential since 1999, when, as a proof of concept, he wrote one himself called "NT Rootkit." Since then he's collected and analyzed three others: "null.sys," "HE4Hook," and a kit called "Hacker Defender," all of which he makes available on his Web site, Rootkit.com. (Hacker Defender, oddly, is also available for download from CNET Asia.)

"For all of those, I'm absolutely, one hundred percent positive that there's probably ten more that we haven't seen publicly," says Hoglund. The skills to write a kernel mode Trojan are not beyond the reach of the average programmer, he says; last month Hoglund taught a seminar on the topic at the Black Hat security conference in Seattle, and by the end of the two-day course, "Every student in the class was writing their own root kits. They were hiding process and files, hiding directories, and call-hooking."

Once Slanret is installed on a hacked machine, anti-virus software won't pick it up in a normal disk scan. That said, the program is not an exploit - intruders have to gain access to the computer through some other means before planting the program.

Despite their increasingly sophisticated design, the current crop of Windows root kits is generally not completely undetectable, and Slanret is no exception. Because it relies on a device driver, booting in "safe mode" will disable its cloaking mechanism, rendering its files visible. And in what appears to be an oversight by the kit's author, the device driver "ierk8243.sys" is visible on the list of installed drivers under Windows 2000 and XP, according to Symantec Security Response (SecurityFocus is owned by Symantec). McAfee reports that a running service named "Virtual Memory Manager" with a blank description field is visible on a compromised host. And, of course, there are reports that the root kit sometimes crashes servers.

Hoglund says future Windows root kits won't suffer from Slanret's limitations. And while he says the risk can be reduced with smart security policies - accept only digitally-signed device drivers, for one - ultimately, he worries the technique may find its way into self-propagating malicious code. "My street knowledge, my gut feel, is there are probably already worms or viruses doing this now," he says. "We just haven't seen them."
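An added example, not from the article or from any of the vendors it quotes: a PowerShell triage script that checks a host for the two visible Slanret indicators named above (the "ierk8243.sys" driver in the installed-driver list and a running "Virtual Memory Manager" service with a blank description) and applies Hoglund's signed-driver policy to every loaded driver image. It assumes a modern PowerShell with the CIM cmdlets and Get-AuthenticodeSignature, which the Windows 2000 hosts in the story did not have, and it should run in an elevated session.

```powershell
# Added example (not from the article). Indicator values come from the
# Symantec and McAfee reports the article cites; everything else is assumed.
$suspectDriver  = 'ierk8243.sys'
$suspectService = 'Virtual Memory Manager'

function Find-SlanretIndicators {
    $findings = @()

    # 1. The cloaking driver appears in the installed-driver list (the author's oversight).
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $drivers) {
        if ($d.PathName -and ($d.PathName -like "*$suspectDriver")) {
            $findings += "Driver '$($d.Name)' loads $($d.PathName) (state: $($d.State))"
        }
    }

    # 2. A service with the display name McAfee reported and an empty description field.
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        if ($s.DisplayName -eq $suspectService -and [string]::IsNullOrWhiteSpace($s.Description)) {
            $findings += "Service '$($s.Name)' ('$($s.DisplayName)') has a blank description (state: $($s.State))"
        }
    }

    # 3. Policy check from the article: every running driver image should carry a valid
    #    Authenticode signature. On older Windows, catalog-signed inbox drivers may report
    #    NotSigned here, so treat this list as triage material rather than proof.
    foreach ($d in ($drivers | Where-Object { $_.State -eq 'Running' -and $_.PathName })) {
        # CIM returns NT-style paths (\??\C:\... or \SystemRoot\...); normalise to Win32 paths.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "Driver '$($d.Name)' at $path is $($sig.Status)"
            }
        }
    }
    return ,$findings
}

$results = Find-SlanretIndicators
if ($results.Count -eq 0) { 'No Slanret indicators found.' } else { $results }
```

Because the cloaking driver filters what user-mode programs can see, a clean result from this script on a live system is weaker evidence than the same check run after booting into safe mode, as the article describes.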

© SecurityFocus Online
