Windows Root kits a stealthy threat

You ain't seen nothing yet

  • alert
  • submit to reddit

SANS - Survey on application security programs

Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning, say SecurityFocus' Kevin Poulsen.

Barron Mertens admits to being puzzled last January when a cluster of Windows 2000 servers he runs at an Ontario university began crashing at random. The only clue to the cause was an identical epitaph carved into each Blue Screen of Death, a message pointing the blame at a system component called "ierk8243.sys." He hadn't heard of it, and when he contacted Microsoft, he found they hadn't either. "We were pretty baffled," Mertens recalls. "I don't think that cluster had bluescreened since it was put into production two years ago."

Mertens didn't know it at the time, but the university network had been compromised, and the mysterious crashes were actually a lucky break -- they gave away the presence of an until-then unknown tool that can render an intruder nearly undetectable on a hacked system. Now dubbed "Slanret", "IERK," and "Backdoor-ALI" by anti-virus vendors, experts say the tool is a rare example of a Windows "root kit" - an assembly of programs that subverts the Windows operating system at the lowest levels, and, once in place, cannot be detected by conventional means.

Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system. Conventional backdoors like SubSeven and BO2K operate in "user mode", which is to say, they play at the same level as any other application running on the compromised machine. That means that other applications - like anti-virus scanners - can easily discern evidence of the backdoor's existence in the Window's registry or deep among the computer's files.

In contrast, a root kit hooks itself into the operating system's Application Program Interface (API), where it intercepts the system calls that other programs use to perform basic functions, like accessing files on the computer's hard drive. The root kit is the man-in-the-middle, squatting between the operating system and the programs that rely on it, deciding what those programs can see and do.

It uses that position to hide itself. If an application tries to list the contents of a directory containing one of the root kit's files, the malware will censor the filename from the list. It'll do the same thing with the system registry and the process list. It will also hide anything else the hacker controlling it wants hidden - MP3s, password lists, a DivX of the last Star Trek movie. As long as it fits on the hard drive, the hidden cargo doesn't have to be small or unobtrusive to be completely cloaked.

Slanret is technically just one component of a root kit. It comes with a straightforward backdoor program: a 27 kilobyte server called "Krei" that listens on an open port and grants the hacker remote access to the system. The Slanret component is a seven kilobyte cloaking routine that burrows into the system as a device driver, then accepts commands from the server instructing it on what files or processes to conceal. "The stealth driver in my mind is the scary concept," says Mertens. "You can hide an elephant with it."

Root kits are old hat in the Unix and Linux world, but are rarely found on hacked Windows hosts. "They're a scary thing," says Marc Maiffret, chief hacking officer at California-based security software-maker eEye. "In Unix that's been going on for ages, but the backdoors for Windows NT have always been trivial. I've always wondered why this isn't happening."

Cloaking Device Driver

Greg Hoglund, a California computer security consultant, believes intruders have been using Windows root kits covertly for years. He says the paucity of kits captured in the wild is a reflection of their effectiveness - not slow adoption by hackers. "It's happening now," says Hogland. "People don't realize that it's happening, but in the next two or three years we're going to see a lot more of this activity."

If there's an authority on Windows root kits, it's Hoglund - he's been sounding the alarm about their malicious potential since 1999, when, as a proof of concept, he wrote one himself called "NT Rootkit." Since then he's collected and analyzed three others: "null.sys," "HE4Hook," and a kit called "Hacker Defender," all of which he makes available on his Web site, Rootkit.com. (Hacker Defender, oddly, is also available for download from CNET Asia.)

"For all of those, I'm absolutely, one hundred percent positive that there's probably ten more that we haven't seen publicly," says Hoglund. The skills to write a kernel mode Trojan are not beyond the reach of the average programmer, he says; last month Hoglund taught a seminar on the topic at the Black Hat security conference in Seattle, and by the end of the two-day course, "Every student in the class was writing their own root kits. They were hiding process and files, hiding directories, and call-hooking."

Once Slanret is installed on a hacked machine, anti-virus software won't pick it up in a normal disk scan. That said, the program is not an exploit - intruders have to gain access to the computer through some other means before planting the program.

Despite their increasingly sophisticated design, the current crop of Windows root kits are generally not completely undetectable, and Slanret is no exception. Because it relies on a device driver, booting in "safe mode" will disable its cloaking mechanism, rendering its files visible. And in what appears to be an oversight by the kit's author, the device driver "ierk8243.sys" is visible on the list of installed drivers under Windows 2000 and XP, according to Symantec Security Response (SecurityFocus is owned by Symantec). McAfee reports that a running service named "Virtual Memory Manager" with a blank description field is visible on a compromised host. And, of course, there are reports that the root kit sometimes crashes servers.

Hoglund says future Windows root kits won't suffer from Slanret's limitations. And while he says the risk can be reduced with smart security policies - accept only digitally-signed device drivers, for one - ultimately, he worries the technique may find its way into self-propagating malicious code. "My street knowledge, my gut feel, is there are probably already worms or viruses doing this now," he says. "We just haven't seen them."

© SecurityFocus Online

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story


Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.