Mount a Rootkit Defense

Reposted 2007-09-14 00:08:00
According to a McAfee Avert labs report, there has been a 700 percent increase in rootkit infections in the first quarter of 2006 when compared with the first quarter of 2005 (Hines, 2006). The stealth characteristics of rootkit programs are the perfect solution for the new breed of attacker who is out to steal identities or intellectual property so he can make a profit. This means that your business might be at increased risk from threats you probably don't even know exist on your network.

In this article, I take a high-level look at how rootkits work, the challenges businesses face if infected by one or more rootkit-enabled applications, and what businesses can do to protect themselves.

What are rootkits?
The first rootkits were developed for Unix systems. Named for the "root" level of access, they were used to gain administrative control over a system. Rootkits moved to the next logical platform, Linux, and then to Windows. Today, Windows is by far the preferred attack target for rootkit developers.

Rootkits typically find their way onto end user devices through email, instant messaging, and spyware pathways. They infect a system by hiding themselves from any effort by the operating system (OS) to manage them. This is possible because rootkits either replace or attach themselves to system components. They then intercept calls made to the OS for services and execute the attacker's code instead. For a better idea about the variety of rootkits and their impact on business networks, visit

There are two basic types of rootkits: user mode and kernel mode. User mode rootkits typically hook API functions to modify the path to executables. The advantage of user mode rootkits is the ease with which they can be created. Their disadvantage lies at the heart of why attackers use rootkits: user mode rootkits are somewhat ineffective at masking their activity.

Kernel mode rootkits are more difficult to develop, but they are far superior when it comes to hiding evidence of their existence. Instead of using APIs, this type of rootkit usually exploits undocumented OS structures.
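As an added example (not from the article), a cross-view check for Linux that counters the hiding technique just described: it compares the process list the OS hands back through directory enumeration with a per-PID probe that bypasses that enumeration, and intersects two passes so processes that start or exit mid-scan are not mistaken for hidden ones. The sample views and PID 31337 are constructed; the live check assumes a Linux /proc.

```python
import os

# Constructed sample views (not real system data) so the block runs offline.
SAMPLE_HIGH_LEVEL = {1, 2, 500, 1200}          # what readdir() on /proc reports
SAMPLE_LOW_LEVEL = {1, 2, 500, 1200, 31337}    # what per-PID stat() probing finds


def cross_view_diff(high_level, low_level):
    """Return PIDs only the low-level view sees (candidate hidden processes)
    and PIDs only the high-level view sees (transient noise, not a rootkit sign)."""
    high, low = frozenset(high_level), frozenset(low_level)
    return {"hidden": low - high, "phantom": high - low}


def stable_hidden(view_pairs):
    """Intersect the hidden set across several (high_level, low_level) snapshots;
    a PID that was hidden in only one pass is race noise and is dropped."""
    hidden = None
    for high, low in view_pairs:
        pass_hidden = cross_view_diff(high, low)["hidden"]
        hidden = pass_hidden if hidden is None else hidden & pass_hidden
    return sorted(hidden or ())


def list_proc_pids(proc_root="/proc"):
    """High-level view: the directory listing that ps/top rely on."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probe_proc_pids(proc_root="/proc"):
    """Low-level view: stat() every candidate PID directory by name.
    A hook that filters directory enumeration does not affect path lookup,
    so a running process removed from the listing still answers here."""
    with open(f"{proc_root}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    # Full sweep costs pid_max stat calls; expect seconds on large pid_max values.
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"{proc_root}/{pid}")}


def find_hidden_pids(passes=2, proc_root="/proc"):
    """Live check: snapshot both views `passes` times and keep only stable hits."""
    snapshots = [(list_proc_pids(proc_root), probe_proc_pids(proc_root)) for _ in range(passes)]
    return stable_hidden(snapshots)


if __name__ == "__main__":
    print("sample diff:", cross_view_diff(SAMPLE_HIGH_LEVEL, SAMPLE_LOW_LEVEL))
    if os.path.isdir("/proc/self"):
        print("live check, stable hidden PIDs:", find_hidden_pids())
```

An empty result does not prove a clean system; a kernel rootkit that also filters path lookup defeats this particular pair of views, which is why scanners combine several such comparisons.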

Before we move on, it's important to mention the VM proof-of-concept rootkit developed at the University of Michigan. Known as SubVirt, it installs underneath a Windows or Linux installation. Once this happens, no scanning engine can find it. There are some problems with getting SubVirt onto most VM instances. Let's hope this delays widespread use of this malware until we have some effective way of dealing with it.

The potential impact of rootkits on your business
Rootkits are used to collect information and send it "home" to the attacker's system. They can also recruit endpoint devices into a botnet. These actions expose your network and your business to the following:
  • Unauthorized access to sensitive information. Once a rootkit is installed on a system, data passing through, stored, or accessible from that system is vulnerable to attack.
  • Actions, including typing, are monitored. One popular rootkit application is keystroke logging. User IDs, passwords, social security numbers, banking information, etc. are compromised.
  • Infected systems usually communicate with the attacker's systems. This can result in your network being part of a Distributed Denial of Service Attack against your network or other networks attached to the Internet.
  • Any information collected is typically sent to one or more servers for direct use by the attacker, or for the attacker to sell to one of the growing organized cybercrime groups.

Rootkit defense
Rootkits are hard to defend against and even harder to locate once installed, but there are things you can do to reduce the risk of infection.
  • Use updated anti-virus software.
  • Control malware entry into your network, including spyware, by deploying anti-malware solutions at your perimeter. Examples include:
    • spyware and virus filtering of email BEFORE it gets to your email servers
    • control over who uses instant messaging
    • filtering of instant messages for malware
    • blocking employee access to web sites known to distribute malware

  • Use personal firewall and host intrusion prevention software on your endpoint devices
  • Ensure all endpoint devices are properly patched
  • Cooperate with law enforcement agencies to help prosecute creators and distributors of rootkits
  • Deploy network intrusion detection and intrusion prevention solutions to detect the characteristic behavior of various types of rootkit attacks, and potentially block that behavior automatically.

This is a pretty good list of detection and prevention measures, but once systems are infected, it's difficult to remove the offending software. Although most if not all anti-virus vendors are making progress in this area, there are vendors with products specifically designed to remove rootkits. These include:

  • RootkitRevealer (free but effective)
  • F-Secure BlackLight
  • Rootkit Hook Analyzer

In closing this section, it's important to note that there's one school of thought that believes that the only way to cleanse a system of a rootkit is to erase the hard drive and rebuild the system. Since many rootkits, like many spyware applications, have the ability to reinstall from the home system, you might want to consider this. My position is one of moderation. If you find a rootkit on a highly sensitive system, I strongly recommend a rebuild. In other cases, you'll have to make the call based on the circumstances.

In either case, make sure you watch the system and the network closely to ensure your actions successfully neutralize the threat.

Rootkit attacks are growing in number, and the purpose of these attacks isn't to gain acceptance among the corps of malicious hackers. Instead, rootkit-enabled applications are deployed to steal information to make a profit. Traditional anti-virus approaches are only partially effective in mounting a defense. Take the next step and deploy the technology you need to detect both the rootkits themselves and the footprints they leave on your network and endpoint devices.

