What does the lifecycle of a rootkit look like?
The first thing that happens is that a rootkit is created by a programmer. The next stage is that the system is compromised, usually not by the person who wrote the rootkit, but by another means. Rootkits do not themselves infect computers. They do not identify and exploit compromises, or scan systems. They need some other exploit to get on the system; this can be an unpatched system, a system with a weak password and so on.
Once a system is compromised, an attacker has access to the system, and can put files on it; they may put a rootkit on there to further compromise the system or to hide the compromise. They can then put other tools there to conduct the attack. Often we then see some time lag between the compromise and the attack. Attackers do not just crash systems; they tend to be subtle. They may wait a week, a month or six months before doing anything.
Finally, the attack is invoked. The attacker may use the compromised machine as a zombie, or as a mail forwarder. The problem is that they can repeat the attack until the rootkit is removed, and of course your problem is that because this is a rootkit, you don't know there is a rootkit on the system. We found one machine in a university in the US where a rootkit had been installed two years ago. What it did during those two years we don't know.
Where do rootkits come from?
We find they can be written by anyone from script kiddies to master programmers. It doesn't require great knowledge of Windows. Why? Because there are source code examples out there. You can grab downloadable source code for free, and take a look at how they work.
Hacker Defender is the most common rootkit. It is written by a guy who calls himself the Holy Father, in the Czech Republic. He has a free one, but also a version for sale, and will even create custom versions for you, which means each one is unique, and so we cannot detect it using a signature file.
How do rootkits get onto a system?
In two main ways: manually and automatically. Manual is the more common method, and this is where an attacker identifies the system, uses footprinting techniques to identify systems of interest, then loads the rootkit and executes it. This is very hard to detect because it tends to be a one-off attack, not broadcasting tons of traffic, not attacking every system in IP address order.
The automatic method is less common: it tends to rely on very noisy, undirected attacks that tend to get picked up in log files by intrusion detection systems.
Then there is the hybrid attack, which we see often in government espionage, where the attacker might identify all interesting systems in a particular environment and attack those specifically, and quietly. Recently we had one government customer whose ports were being port scanned very slowly, at the rate of one port probed every three weeks. This was very slow and very deliberate, and it was very hard to detect. But it was an attack.
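The slow scan described above defeats the usual intrusion-detection rule, which counts distinct ports from one source inside a window of seconds. The following is an added example, not code from the interview or from any product mentioned in it: it runs a short-window rule and a long-baseline rule side by side over constructed firewall DROP lines. The log format, the source addresses (from the 203.0.113.0/24 documentation range) and the thresholds are all assumptions chosen for the demonstration.

```python
"""
Slow-scan detection over constructed firewall log lines (added example).

Assumed log format: one DROP event per line, ISO-8601 UTC timestamp,
then key=value fields. Every line in SAMPLE_LOG is constructed for the
demo; 203.0.113.7 is a noisy scanner, 203.0.113.42 probes one port
roughly every three weeks, 203.0.113.99 is a single stray packet.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2005-01-03T02:14:07Z DROP src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2005-01-03T02:14:08Z DROP src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2005-01-03T02:14:08Z DROP src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2005-01-03T02:14:09Z DROP src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2005-01-03T02:14:09Z DROP src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2005-01-03T02:14:10Z DROP src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2005-01-05T11:02:41Z DROP src=203.0.113.42 dst=192.0.2.10 dport=135 proto=tcp
2005-01-26T04:55:13Z DROP src=203.0.113.42 dst=192.0.2.10 dport=139 proto=tcp
2005-02-16T19:30:02Z DROP src=203.0.113.42 dst=192.0.2.10 dport=445 proto=tcp
2005-03-09T08:12:57Z DROP src=203.0.113.42 dst=192.0.2.10 dport=1433 proto=tcp
2005-03-30T23:41:20Z DROP src=203.0.113.42 dst=192.0.2.10 dport=3389 proto=tcp
2005-02-01T12:00:00Z DROP src=203.0.113.99 dst=192.0.2.10 dport=80 proto=tcp
"""

# Assumed line shape; anything that does not match is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) proto=\S+$"
)


def parse_events(text):
    """Return a time-sorted list of (timestamp, source, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], int(m["dport"])))
    events.sort()
    return events


def _probes_by_source(events):
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    return by_src


def distinct_port_sources(events, window, min_ports):
    """Flag sources that hit >= min_ports distinct ports within any sliding window."""
    flagged = set()
    for src, probes in _probes_by_source(events).items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            # Slide the window start forward until it spans at most `window`.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            if len({p for _, p in probes[start:end + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged


def fast_scan_sources(events):
    """The classic rule: five ports from one source inside one minute."""
    return distinct_port_sources(events, timedelta(seconds=60), min_ports=5)


def slow_scan_sources(events):
    """Long-baseline rule: four ports from one source inside ninety days."""
    return distinct_port_sources(events, timedelta(days=90), min_ports=4)


def mean_probe_interval_days(events, src):
    """Average gap between successive probes from `src`, in days (0 if fewer than 2)."""
    stamps = sorted(ts for ts, s, _ in events if s == src)
    if len(stamps) < 2:
        return 0.0
    total = stamps[-1] - stamps[0]
    return total.total_seconds() / 86400 / (len(stamps) - 1)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    fast = fast_scan_sources(evts)
    slow = slow_scan_sources(evts)
    print("short-window rule flags:", sorted(fast))
    print("long-baseline rule flags:", sorted(slow))
    for src in sorted(slow - fast):
        print(f"missed by short window: {src}, one probe every "
              f"{mean_probe_interval_days(evts, src):.1f} days")
```

The short-window rule only catches 203.0.113.7; the patient scanner at 203.0.113.42 never has more than one port inside any sixty-second span and so never trips it. Keeping per-source port history for months, which is what the long-baseline rule does, is what makes a probe every three weeks visible at all, at the cost of storing state far longer than a typical IDS does.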

Talkback
A rootkit exists in video memory?? Is this video memory volatile or non-volatile? If volatile then where is the rk stored if not on the HD? If non-volatile then how will a system nuke fix things?
Wouldn't it solve the problem if the OS did not allow the system to hide the file and behave as a rootkit in the first place? Or if it had stricter rules to govern the use of rootkits even for legitimate reasons?
This article is woefully uninformed, from the meaning of rootkit, to the suggestion that you must nuke the system rather than restoring a ghost image of the hard disk that is made on a regular basis.
"root" comes from root under Unix. The term doesn't even describe Sony's code. A root kit installs over system programs and generally collects data for a hacker. Sony's program is simply a stealth program that uses traditional methods of hiding processes on Windows. That's not a root kit. If it replaced the login program, or replaced the explorer program, it would be a rootkit. Key to a rootkit is the fact that it replaces a legitimate program with its own rendition which collects some data.
Yes, Sony's "rootkit" hides itself. But any program in Windows can hide itself... it doesn't have to be root to do so, and it doesn't have to replace any program on the system to do so. It simply hooks the kernel DLL calls and layers itself on top. This technique has been around since Windows 3.0. But it's not a rootkit.
Rootkits should be viewed exactly the same as other attacks on our PCs: they are secretive, no permission has been given for them to trespass on our property, and they are not neutral, they do something to you. Sony's actions were disgraceful. Companies have no right to intrude and trespass without property. They should be legally responsible for their actions. This reminds me of the Tesco tracking chip. Who do these companies think they are? Consumer boycotts are a good start; they will soon cease these activities.
Try reading and fixing the terribly high amount of typos in this piece!!
Otherwise it's quite good!