Thursday, August 31, 2006

Deep Roots

When I have a new plant to add to my yard, I dig a hole deeper and wider than the rootball then back-fill a bit. The reason for that is to have nice loose soil to make it easier for the roots to get a firm hold.

That procedure is good for working in the garden, but not when it comes to security. Loose soil; that is, an unpatched, improperly protected computer, can allow a rootkit into the system. When a rootkit does infiltrate, it digs deep down through that "loose soil" and hides itself. As a result detection and removal are frequently nearly impossible. In fact, when infiltrated by a rootkit, the first recommendation usually provided to the "victim" is to consider formating the computer.

Heres a simple definition of a rootkit by PCMagzine:
A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have "root" access to the computer, which means it runs at the lowest level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. Rootkits came from the Unix world and started out as a set of altered utilities such as the ls command, which is used to list file names in the directory (folder).
As I mentioned above, an unpatched computer can result in a rootkit infiltration. If you have visited the Security Garden previously, you may have seen several posts regarding MS06-040 in which I stressed the highly critical nature of that update. In his blog post, Harry Waldron provided detailed information from McAfee on a new variant of the Spybot family that includes a MS06-040 exploit as well as an extra goodie -- a rootkit.
The worm opens a backdoor at TCP port 443 and tries to connect to IRC server and waits for commands. One of the ways this worm can spread is by exploiting MS06-040 vulnerability. TCP port 443 is normally used for https protocol but this worm uses it for IRC. W32/Spybot.worm.gen.p is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

Actions that the worm may perform on receiving appropriate commands include:
  • Enumerate active process and threads on infected computer
  • Start, stop and hide processes and threads
  • Modify Microsoft Internet Explorer's start page
  • Open a local web server
  • Port scan IP addresses in a specified subnet to identify possible targets for infection
  • Open backdoor at a specified port
  • Transfer files
  • Spread via MIRC
  • Update itself
  • Restart infected machine
  • Flush ARP and DNS caches
  • Sniff network traffic
  • Create, delete and try to spread via network shares
  • Spread via AOL Instant Messenger
  • Download files from a specified URL
The Gromozon Rootkit, a particularly nasty is discussed in at Wilders Security Forums, including a the original link to Marco Giuliani's, "My pdf report", which includes an analysis of the Gromozon Rootkit.

So, what do you do if you suspect you have a rootkit on your computer? The following short list will get you started.
  • First, keep the infected machine off the internet.
  • Next, if you do online banking, shopping or bill paying, contact your bank and credit companies.

  • Change your passwords. However, do NOT change your passwords on the infected machine, rather use a neighbor, friend or family member's computer or a computer at the local public library,

  • Finally, seek help at a security forum or from a local computer repair shop.

ASAP member sites have experts who can help with rootkit removal. Particularly experienced analysts can be found at Malware Removal, Spyware Info, Spyware Warrior as well as non-ASAP sites, Bleeping Computer, Castle Cops and Geeks to Go.


No comments: