Security experts now believe that trojan, spam and malware protection software cannot adequately prevent system compromise by increasingly sophisticated rootkits.
Rootkits are used to conceal the presence of trojans, hacker backdoors, and botnets by cloaking their files and processes through modifying the output of common operating system routines. They grant administrator access to a system after a hacker installs them typically through obtaining user level access by exploiting known vulnerabilities.
Intelligent Security Research Services analyst James Turner said rootkits will be increasingly used in highly targeted attacks as they become more sophisticated and form a critical part of hacker arsenals.
“We are going to see rootkits used in highly targeted attacks where hackers will source, for example, a CFO’s operating system and the typical applications they use, and then find a specific vulnerability based on these which allows a rootkit to be inserted,” Turner said.
According to Turner, information security infrastructure is heating up through increased education and simulations of information security warfare, however he said the biggest problem is getting people who have been hacked to warn the public about it.
Rootkits can be classified as; kernel-mode, which intercept kernel interface calls and alter OS kernel data to conceal rootkits from process lists; persistent, which use the system registry to execute on boot; user-mode, which can use keyloggers and infect or masquerade as OS commands; and memory-based, which rely on manual user execution to operate.
The most critical exist in unpatched exploits in common applications, according to Chris Gatford, senior security analyst at penetration testing firm Pure Hacking.
“Microsoft Word has an unspecific exploit that has been unpatched for 47 days; if I were a hacker I would certainly target these kinds of exploits because the scope is so wide,” Gatford said.
“Hackers are using the same spyware model but are distributing them with the next-level of rootkits.” Security firm Markets-Alert director Jeff McGeorge said rootkits are the frontline arsenal of hackers and are too sophisticated for rootkit revealers, and virus and spam protection software to combat.
“Rootkits are being dynamically inserted on-the-fly which means they can sit invisibly in a Web page’s source code using a Windows cloaking function, and download on to your machine without raising any attention because they disable download warnings and spyware applications from flagging them,” McGeorge said.
He said the rootkits use plug and play software drivers to gain access to the Windows kernel, where they generate dummy SSL session pages to capture user authentication details from packets, then completely uninstall and continue to monitor the victim’s ports and IP address when the user leaves the infected Web page.
Even trusted platform module [TPM] chips are useless against advanced rootkits, according to McGeorge. He said despite Microsoft’s Ben Fathi’s comments, TPMs are helpless to defend against hyperjacking, in which malware takes over an operating system negating software security applications like Kernel Patch Protection.
“A TPM takes an initial encrypted sumcheck of a hard drive and crosschecks the result against the TPM chipset on each boot, which detects additions to the kernel,” McGeorge said.
“However TPMs don’t work against dynamically inserted rootkits because you can’t do a sumcheck against the TPM when you are on the Internet and surfing around which is where the rootkits install, infect and uninstall.”
Gatford also agrees that rootkits can bypass TPM security as it is not designed for on-the-fly modifications, adding advanced rootkits can operate in system RAM.
Joanna Rutkowska, security researcher at Singapore-based Coseinc Advanced Malware Labs, said the best way to detect memory-based rootkits is to acquire a RAM image.
“Several hardware-based systems exist for acquiring an image of a computer’s RAM [such as] Tribble, Komoku’s CoPilot and RAM Capture Tool from BBN Technologies, [however] none are particularly easy to find,” Rutkowska said.
Assurance.com.au director Neal Wise said users need tight access controls to prevent rootkit infection.
“[Users need] hardware that allows security subsystems to be built on the trusted computing concept,” Wise said.
“Anti-virus programs will only detect malicious activity on the file system if it is listed in its signature database, but it really only helps with malware because rootkits need only change a few bytes to remain hidden. “You can cleanup after a rootkit by re-imaging, but you can’t ever trust it because it compromises parts of the system that everything is tied to.” He said infection by on-the-fly rootkits depends on whether a browser’s security module allows manipulation of the operating system.
Market-Alerts’ McGeorge said rootkits permanently compromise all files on a system because of infection by rootkit backups.
“There will never be a universal rootkit detector however the most powerful alternatives will be online-offline comparison scanners that integrate with anti-virus programs,” he said.
“At the moment, traditional security applications are as useful as a wooden frying pan.”
