Rootkit

The term rootkit historically came from the Unix world, where this term refers to a set of utilities that a hacker installs on a computer hacked by him after obtaining initial access. These are usually hacker tools (sniffers, scanners) and Trojan programs that replace the main Unix utilities. Rootkit allows the hacker to gain a foothold in the hacked system and hide traces of his activities.

In Windows, under the term rootkit, it is considered a program that is implemented into the system and intercepts system functions, or replaces system libraries. Interception and modification of low-level API functions primarily allows such a program to sufficiently qualitatively mask its presence in the system, protecting it from detection by the user and antivirus software. In addition, many rootkits can mask the presence in the system of any processes, folders and files on the disk described in its configuration, keys in the registry. Many rootkits install their drivers and services into the system (they are naturally also "invisible").

Recently, the threat of rootkits has become more and more urgent, as developers of viruses, Trojan programs and spyware software begin to embed rootkit technologies in their malware. One classic example is Trojan-Spy.Win32.Qukart, which masks its presence in the system using rootkit technology. Her OotKit mechanism works perfectly in,, Windows 95, and 98. ME 2000 XP

Classification of rootkits

Conditionally, all rootkit technologies can be divided into two categories:

• Rootkits operating in user-mode
• Kernel-mode rootkits

The first category is based on intercepting functions of user-mode libraries, the second - on installing a driver into the system that intercepts kernel-level functions.

Also, rootkits can be classified according to the principle of action and the constancy of existence. According to the principle of action:

• Changing algorithms of system functions execution
• Changing System Data Structures

History of the Rutkites

Speaking of rootkits, they certainly mention the etymology of the term rootkit: 'root' - a privileged administrator of the UNIX system, 'kit' - a set of tools, rootkit - a set of utilities to ensure the "privileged" access of an attacker to the system is invisible to a real administrator. Such utilities for UNIX appeared in the early 90s. and still exist, but practically do not develop.

Windows rootkits had a more functional predecessor than UNIX rootkits - namely, stealth viruses for DOS. Stealth viruses appeared around 1990. Unlike UNIX rootkits, whose main task is to let an attacker into the system and mask his actions, DOS stealth viruses, infecting files, simply hid themselves from the user and antivirus programs.

Windows rootkits appeared ten years later than stealth viruses, and what they were called rootkits, and not stealth viruses, was the merit of Greg Hoglund. He was one of the first to implement the technique of bypassing Windows system security mechanisms in the form of a utility aimed at hiding information in the system. The results of his work were published in the electronic journal PHRACK. The utility, named by the author of NT Rootkit, was subsequently used in many malware and to this day inspires researchers and rootkits.

Hogland's article is dated 1999. In it, he relies on Windows kernel research published a year earlier in the Usenet forums by a programmer from Sri Lanka. Even earlier, since 1995, Jeffrey Richter, in his book "Advanced Windows" and its fourth edition, "Programming Applications for Microsoft Windows," reveals technologies for intercepting system calls at the user level, which will later be used in many rootkits to the accuracy of the source code given in the book.

Techniques for intercepting system calls at the kernel level are publicly disclosed in two other classic programming books: S. Schreiber "Undocumented Windows 2000 Capabilities," 2001 (Sven Schreiber Undocumented Windows 2000 secrets) and P. Dabak et al. "Undocumented Windows NT Capabilities," 1999 (P. Dabak et al Undocumented Windows NT). Research on Windows system protection mechanisms continued, and following NT Rootkit, several more utilities were released that allow you to hide objects in the operating system.

In 2000, he4hook appeared - a project of a Russian programmer. The utility did not carry malicious functionality, but was a tool for hiding files and worked in kernel mode. In addition, the utility itself was not designated as rootkit.

In 2002, Hacker Defender (HacDef) was born. It is also only a tool, but it is already more powerful - with it you can hide any file, process or registry key, the settings are flexibly configured in the configuration file. Works primarily in user mode.

In 2003, Vanquish and Haxdoor appeared (aka A-311 Death and in a modified version of Nuclear Grabber). Vanquish is a tool that works in user mode and allows you to hide files, directories, as well as registry keys. In addition, it already provides a malicious function - password logging. Haxdoor is already a full-fledged backdoor, operating in core mode and using rootkit technologies for self-masking.

In 2004, FU was released - a utility for hiding processes, which implemented a fundamentally new technology based on changing the system structures themselves, and not accessing them.

All of the listed rootkits are key in the history of Windows rootkits. It is especially worth noting HacDef, Haxdoor and FU, which were widely distributed "wild" in conjunction with malware. Rootkits of this period (2000-2004) clearly fit into the generally accepted, but outdated classification: rootkit can function at the user level or at the kernel level, based on the modification of the system call chain (Execution Path Modification) or based on Direct Kernel Objects Manipulation. In the mid-2000s, about 80% of all rootkits were in HacDef and Haxdoor. The first among the already existing malware, where rootkit technologies began to be embedded, were multifunctional backdoors Rbot and SdBot.

A little later - around 2006 - rootkit technologies began to be embedded in popular e-mail worms (Bagle) and Trojan spies (Goldun), even later Mailbot (Rustock) appeared, which turned out to be a serious challenge for antivirus products.

After a long lull in early 2008, a new malware appeared that infected the boot sector of the disk. In antivirus databases of different manufacturers, it is called Sinowal, Mebroot, StealthMBR. This rootkit, better known as "bootkit" due to its "boot" specifics, is based on the conceptual development code eEye Bootroot (slightly modified) and is not so much an independent malware as a tool for hiding any Trojan.

Chronology of events

2021:77% of Rootkits are used by cybercriminals for espionage

Positive Technologies experts analyzed the most famous rootkit families over the past 10 years - programs that allow you to hide the presence of malicious software in the system or traces of the presence of intruders. The study showed that 77% of Rootkits are used by cybercriminals for espionage. This was reported by RT on October 12, 2021.

Rootkits are not the most common malicious. ON Cases of rootkit detection, as a rule, refer to high-profile attacks with resonant consequences - often these utilities are part of multifunctional malware that intercepts network traffic, spies on users, steals information for authentications or uses the resources of victims to conduct -. DDoSattacks The most famous case of the use of rootkit in attacks is a campaign to distribute malware, the Stuxnet main goal of which was to suspend the development of the nuclear program. Iran

Positive Technologies analysts conducted a large-scale study of rootkits used by attackers over the past ten years - starting in 2011. According to the received, in to data 44% of cases, attackers used rootkits in attacks on. state institutions Slightly less often (38% of cases), these pests were used to attack research institutes. Experts associate the choice of these goals with the main motive of cybercriminals distributing rootkits - obtaining data. So, the value for attackers is the information one that these organizations process. According to the results of the study, the top 5 most attacked industries through rootkits also included (25 telecom %), (19% industry) financial and organizations (19%). In addition, more than half of rutkits (56%) are used hackers in attacks on individuals. This is mainly targeted attacks as part of cyber espionage campaigns against high-ranking officials, diplomats and employees of targeted organizations.

Rootkits, especially those working in core mode, are very difficult to develop, so they are used either by highly qualified APT groups that have the skills to develop such a tool, or groups whose financial capabilities allow you to buy rootkits in the shadow market, "explained Yana Yurakova, analyst at Positive Technologies. - The main goal of attackers of this level is cyber espionage and data acquisition. These can be both financially motivated criminals who steal large sums of money, and groups that extract information and commit destructive actions in the victim's infrastructure in the interests of customers.

As the analysis showed, the studied families of rootkits in 77% of cases were used by attackers to obtain data, in about a third of cases (31%) for financial gain, and in only 15% of attacks, experts noted the motive for operating the infrastructure of the victim company for subsequent attacks.

According to a report by Positive Technologies, shadow forums are mainly dominated by ads for the sale of custom-level rootkits - they are usually used in mass attacks. According to company experts, the cost of finished rootkit varies from 45 to 100,000 dollars. In the United States, it depends on operating mode, target OS, terms of use (for example, malware can be leased for a month) and additional functions (most often they request remote access and concealment of files, processes and network activity). In some cases, developers propose refining the rootkit for the needs of the customer and provide service support. It is worth noting that in 67% of ads there was a requirement that rootkit should be "sharpened" under Windows. This correlates with the results of the study: the proportion of such samples in a sample of malware studied by Positive Technologies specialists also prevails, amounting to 69%.

Despite the difficulties of developing these sinisters, every year we note the appearance of updated versions of rootkits, whose mechanism of work differs from the already known malware. This suggests that cybercriminals continue to develop tools that allow masking malicious activity, and constantly come up with techniques for circumventing protection - an updated version of Windows appears, and immediately malware developers create rootkits focused on it, "said Alexey Vishnyakov, head of malware detection at the Positive Technologies expert security center. - We expect rootkits to continue to use well-prepared APT groupings, so it's not just about compromising data and benefiting financially, and the concealment of complex targeted attacks, the result of which may be the implementation of events unacceptable to organizations - from the failure of CII facilities, such as nuclear power plants, CHPs and electricity networks, before man-made disasters caused by accidents at industrial enterprises, and cases of political espionage.

Links

• 13 Alice Shevchenko. Rootkite Evolution
• RootKit - principles and mechanisms of work
• Rootkits: almost invisible malware