Mount a Rootkit Defense

Reposted, 2007-09-14 00:08:00
According to a McAfee Avert labs report, there has been a 700 percent increase in rootkit infections in the first quarter of 2006 when compared with the first quarter of 2005 (Hines, 2006). The stealth characteristics of rootkit programs are the perfect solution for the new breed of attacker who is out to steal identities or intellectual property so he can make a profit. This means that your business might be at increased risk from threats you probably don't even know exist on your network.

In this article, I take a high-level look at how rootkits work, the challenges businesses face if infected by one or more rootkit-enabled applications, and what businesses can do to protect themselves.

What are rootkits?
The first rootkits were developed for Unix systems. Named for the "root" level of access, they were used to gain administrative control over a system. Rootkits moved to the next logical platform, Linux, and then to Windows. Today, Windows is by far the preferred attack target for rootkit developers.

Rootkits typically find their way onto end user devices through email, instant messaging, and spyware pathways. They infect a system by hiding themselves from any effort by the operating system (OS) to manage them. This is possible because rootkits either replace or attach themselves to system components. They then intercept calls made to the OS for services and execute the attacker's code instead. For a better idea about the variety of rootkits and their impact on business networks, visit

There are two basic types of rootkits: user mode and kernel mode. User mode rootkits typically use API functions to modify the path to executables. The advantage of user mode rootkits is the ease with which they can be created. Their disadvantage lies at the heart of why attackers use rootkits: user mode rootkits are somewhat ineffective at masking their activity.

Kernel mode rootkits are more difficult to develop, but they are far superior when it comes to hiding evidence of their existence. Instead of using APIs, this type of rootkit usually exploits undocumented OS structures.

Before we move on, it's important to mention the VM proof-of-concept rootkit developed at the University of Michigan. Known as SubVirt, it installs underneath a Windows or Linux installation. Once this happens, no scanning engine can find it. There are some problems with getting SubVirt onto most VM instances. Let's hope this delays widespread use of this malware until we have some effective way of dealing with it.

The potential impact of rootkits on your business
Rootkits are used to collect information and send it "home" to the attacker's system. They can also recruit endpoint devices into a botnet. These actions expose your network and your business to the following:
  • Unauthorized access to sensitive information. Once a rootkit is installed on a system, data passing through, stored, or accessible from that system is vulnerable to attack.
  • Actions, including typing, are monitored. One popular rootkit application is keystroke logging. User IDs, passwords, social security numbers, banking information, etc. are compromised.
  • Infected systems usually communicate with the attacker's systems. This can result in your network being part of a distributed denial of service (DDoS) attack against your network or other networks attached to the Internet.
  • Any information collected is typically sent to one or more servers for direct use by the attacker, or for the attacker to sell to one of the growing organized cybercrime groups.

Rootkit defense
Rootkits are hard to defend against and even harder to locate once installed, but there are things you can do to reduce the risk of infection.
  • Use updated anti-virus software.
  • Control malware entry into your network, including spyware, by deploying anti-malware solutions at your perimeter. Examples include:
    • spyware and virus filtering of email BEFORE it gets to your email servers
    • control over who uses instant messaging
    • filtering of instant messages for malware
    • blocking employee access to web sites known to distribute malware
  • Use personal firewall and host intrusion prevention software on your endpoint devices.
  • Ensure all endpoint devices are properly patched.
  • Cooperate with law enforcement agencies to help prosecute creators and distributors of rootkits.
  • Deploy network intrusion detection and intrusion prevention solutions to detect the characteristic behavior of various types of rootkit attacks, and potentially block that behavior automatically.

This is a pretty good list of detection and prevention measures, but once systems are infected, it's difficult to remove the offending software. Although most if not all anti-virus vendors are making progress in this area, there are also vendors with products designed specifically to detect and remove rootkits. These include:
  • RootkitRevealer (free but effective)
  • F-Secure BlackLight
  • Rootkit Hook Analyzer
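Tools of this kind rely on a cross-view comparison: the same information is gathered once through the normal OS interface that a rootkit can intercept and once through a lower-level path, and any disagreement points at something being hidden. The following is an added example written for this article (not the article's own code and not a vendor's tool) that applies the idea to processes on Linux; it assumes a /proc filesystem and uses `kill(pid, 0)` as the low-level probe, repeating the comparison so that processes that merely start or exit between snapshots are not reported.

```python
import os

def read_pid_max() -> int:
    """Upper bound for the brute-force probe, read from the kernel when possible."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768  # assumption: the traditional Linux default when /proc is unreadable

def probe_pid(pid: int) -> bool:
    """Low-level view of one PID: ESRCH means no such process, EPERM means it exists."""
    if os.name != "posix":  # os.kill(pid, 0) is not a harmless probe on Windows
        return False
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True

def procfs_view() -> set[int]:
    """High-level view: every PID and thread ID /proc enumerates (what ps relies on); thread IDs count because kill(tid, 0) succeeds for them too."""
    ids = set()
    try:
        for name in os.listdir("/proc"):
            if name.isdigit():
                ids.add(int(name))
                try:  # the process may exit between the two listings
                    ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
                except OSError:
                    pass
    except OSError:
        pass
    return ids

def compare_views(high: set[int], low: set[int]) -> dict[str, set[int]]:
    """IDs the probe sees but /proc does not are candidates for a hidden process."""
    return {"hidden_from_procfs": low - high, "procfs_only": high - low}

def stable_discrepancies(rounds: int = 3) -> dict[str, set[int]]:
    """Repeat the comparison: a short-lived process shows up in one round, a hidden one in all."""
    if os.name != "posix" or not os.path.isdir("/proc"):
        return compare_views(set(), set())
    limit = read_pid_max()
    runs = [compare_views(procfs_view(), {p for p in range(1, limit + 1) if probe_pid(p)})
            for _ in range(rounds)]
    return {key: set.intersection(*(r[key] for r in runs)) for key in runs[0]}
```

Run `stable_discrepancies()` as root so that the probe is not limited by permissions; a non-empty `hidden_from_procfs` set is a strong reason to pull the machine off the network and image it rather than to keep investigating on the live system.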

In closing this section, it's important to note that there's one school of thought that believes that the only way to cleanse a system of a rootkit is to erase the hard drive and rebuild the system. Since many rootkits, like many spyware applications, have the ability to reinstall from the home system, you might want to consider this. My position is one of moderation. If you find a rootkit on a highly sensitive system, I strongly recommend a rebuild. In other cases, you'll have to make the call based on the circumstances.

In either case, make sure you watch the system and the network closely to ensure your actions successfully neutralize the threat.

Rootkit attacks are growing in number, and the purpose of these attacks isn't to gain acceptance among the corps of malicious hackers. Instead, rootkit-enabled applications are deployed to steal information for profit. Traditional anti-virus approaches are only partially effective in mounting a defense. Take the next step and deploy the technology you need to detect both the rootkits themselves and the footprints they leave on your network and endpoint devices.
