Wormbotdoorkit? Kitbotwormdoor? Trojwormrootbot? Malware by any other name . . . 2005 - the year of the rootkit?

Edited 2/25/2005 to examine the multiple definitions of the word 'rootkit', added information on a LUA-friendly rootkit for the LUA folks to ponder (LUA - Limitted User Account), and added some thoughts on how they could mess with AV software. :)

So this is a post I meant to make ages ago but a shiny object flew by my window and I forgot to post it.  I'd like to take a second to talk about the sad state of affairs when it comes to the way we in the security and incident response community talk about malware.  There is so much malware in the world with so many different attributes and properties and I often find myself thinking I'm talking to someone about a 'rootkit' and they are really talking about a 'backdoor server' OR they will be talking to ME about a 'rootkit' but their definition of a rootkit isn't the same as mine and after a few minutes of initial confusion we have to fall back and re-negotiate our communications session and derive some mutually agreed upon definitions. :)  At the end of this post I'm also going to make some observations about the ubiquity of malware we refer too as 'rootkits' and I will even make some predictions about the inevitable demise (of current rootkits) and rebirth - all to take place in the year 2005. :)  Intrigued?  Read on . . .

In this blog post I'm going to attempt to define some different categories of malware that people can / should use when speaking to me about malware - because they are the ones I use.  If you have better, more industry accepted definitions - feel free to post them as a comment in my blog.

Okay - so lets get started . . . I'm not going to give definitions for worms or viruses as these are both fairly well understood and well defined.

Malware:  Malware is a subset of all software that was written for malicious purposes or behaves maliciously.  Some examples of this are exploit tools (programs designed to exploit vulnerabilities), backdoor servers, rootkits, spreaders/auto-rooters, worms, viruses, some spyware and some ad-ware (more on this later) etc.  Some software that I do not consider to be malware would be things like network scanners / mappers, commonly used FTP servers, popular remote control software, etc.  These might fall into a 'grey' category of 'Potentially Unwanted Software' but probably should not be classified as 'malware'.

Exploit / 'sploit / exploit tool:  Malware designed to exploit a software vulnerability for the purpose of gaining unauthorized remote access to a machine (usually) by targeting a service listening on a port with elevated privileges.  These tools can also be designed to gain local elevation of privilege as well however by exploiting a vulnerability in the OS.

Backdoors:  Backdoors are software that allows remote unauthorized access to a machine.  Backdoors can either bind to a new dedicated port or they can share a port with another process by hijacking the winsock stack in that process.  Backdoors can wait for inbound connections or they can shovel a shell out of your network to the domain name / IP address of the attacker’s choice.  The backdoor can be implemented in the kernel as part of a device driver, or in usermode as a DLL or an EXE.  Backdoors can load via ASEP's (auto-start entry points) in the registry (there are easily dozens of ways for this to happen) or they can modify a binary on the disk and piggyback off the loading of that binary (i.e. the winlogon modification I blogged about earlier).

Spreaders:  Spreaders are tools used to 'spread' malware and potentially unwanted software to vulnerable machines.  Spreaders can be multi-threaded and usually take a range of IP addresses as input and produce a range of compromises hosts as output by leveraging the latest exploit du jur.  A spreader will typically just attempt a connection to the vulnerable port on a remote host, perform the exploit and then attempt to insert and run the shellcode of the attackers choice (the most commonly used shellcode these days seems to fetch a file from a remote URL using HTTP and save it to the local disk and then run the process).  These are also sometimes called 'auto-rooters'.

Bots:  Bots are software that can spread to other machines (like a worm) using either weak or easily guessed admin passwords or a variety of remotely exploitable vulnerabilities (as the list of remotely exploitable vulnerabilities found in Windows grows - so too does the number of ways bots are getting on machines).  Bots will typically drop either a backdoor server component or an IRC client which can facilitate remote control through outbound connection to an IRC server.  Bots can either propagate autonomously or at the behest of the person controlling the 'botnet' (collective network of bots).  Bots are one of the most critical threats to an enterprise due to the speed at which they can tear through a corporate network - especially if a domain admin logs in to a machine infected with a bot (now the bot can propagate with domain admin credentials to all machines in the domain).  Detection and clean-up are usually non-trivial and result in significant downtime.  Bot's are a pain in the ass but we've been very lucky that to date - they haven't been all that sophisticated about hiding from admins using stealth techniques / rootkit technology (keep reading).

Trojan:  This is an interesting term as you don't usually hear 'trojan' by itself when referring to software / malware - you usually hear 'backdoor trojan' uttered collectively i.e. both words spoken together referring to one thing.  I am officially deprecating this term with my blog post because I hate it. :)  I don't like it. I think it’s ridiculous.  When I hear 'backdoor trojan' used by people, they are *really* just describing software that acts as a backdoor.  Great so drop the word 'trojan' from what you just said since it only confuses people like me.  Trojan implies 'trojan horse' which when applied to software would probably have to mean 'software disguised as something it is not so that when a user 'opens' it, they receive something they were not expecting' (or something).  If that is true - backdoor functionality is only one of *many* payloads that could be delivered via a modern day trojan horse program - and thus referring to a 'backdoor' as a 'trojan' is very imprecise if not just flat-out wrong.  If anything the word 'trojan' refers to a 'delivery vehicle' which itself is almost un-interesting (at least to me) for anything other than root cause analysis (i.e. determining how you got hacked).

Rootkits:  Alas - we have arrived at the most hotly debated (IMHO) definition.  The term 'rootkit' has been around probably longer than Windows and they are a unique and interesting class of malware.  It is my understanding that the term originated 'back in the day' for the Unix platform and when applied to that platform the term means 'a collection or 'kit' of tools used to obtain OR maintain root access' (there is some debate in the community whether rootkits are used to obtain root access or to simply prolong root access by employing stealth techniques).  The definition seems to be repurposed or updated every few years so depending on when you last checked your definition may not be current. :)  The two schools of thought on definition of a rootkit seem to center around obtaining 'root' privileges vs. maintaining 'root' privileges.

If you subscribe to the theory that rootkits were used for elevating privileges (obtaining root), then rootkits for Unix almost always implied EoP via exploitation of some vulnerability and part of the kit may have included a 'trojaned' copy of common system tools that provided stealth to avoid detection by the system admin after root was obtained to maintain root access as well. 

Rootkits for Windows have been slowly gaining in popularity for almost a decade now but this class of software on the Windows platform has evolved to the point of being fairly different (in its implementation) from its Unix brethren - yet the same general name is used and this greatly confuses people with experience with rootkits on both platforms.  So let’s break down the Unix 'obtain root' definition of a rootkit into its sub-categories.  You have three distinct behaviors in the 'kit' or collection of software.  First you have the elevation of privilege - this would be accomplished by an 'exploit tool' on the Windows platform.  Next the kit will usually seek to establish permanent access to the machine - this may be accomplished by installing a backdoor on the Windows platform.  Finally the kit may seek to hide the presence of the backdoor using stealth techniques and this was traditionally carried out by 'trojaning' a system binary like netstat or 'ps' but trojaning of system binaries on Windows almost never occurs (may believe becuase of closed source and WFP).  These three distinct functionalities may have been traditionally referred to as the 'rootkit' (as stated - some people do not believe rootkits are used to elevate priv's to root, some people do) but on Windows typically the word 'rootkit' is used to discuss a specific sub-set of malware that provides stealth functionality i.e. the ability to hide stuff and nothing more (i.e. the third functionality mentioned above). 

On Windows an exploit tool is usually used to gain remote access to the machine, the shellcode is then run in the context of the exploited process and is used to download a backdoor server / component to the compromised machine and then run it (typically from an HTTP site which itself may be compromised).  In addition to the backdoor a piece of software known as a 'rootkit' may also be downloaded to the machine for the sole purpose of hiding the backdoor and any other tools uploaded to the server by the remote attacker.  So the most basic definition of a rootkit for Windows is a piece of software designed to hide other software.  An automated intrusion (using a spreader and a backdoor server downloaded to the compromised Windows host by the spreader) need not involve the use of a rootkit (a different piece of malware used to hide the backdoor).

Properties of rootkits for Windows

Soo . . . some people feel that rootkits on Unix / Linux are a collection of tools designed to elevate privileges and setup backdoors in automated fashion whereas others maintain that they are more like rootkits for Windows as noted - and that they just hide stuff and do NOT facilitate elevation of privilege (thus making the name imply that it's more about 'maintaining' root vs. elevating to root).  In fact for a rootkit on Windows to work fully (providing hiding / stealth for all users of the system) - it must be installed by an administrator or from a process with administrator or SYSTEM privileges but the rootkit itself does not provide for exploitation - only hiding.  In other words - you have to have already compromised the security of the box (or tricked a user into running one) before installing any of today’s rootkits as they all require privileges to do things that only administrators have (if they want to hide truly effectively from all users / tools).  

For all the users out there running as a LUA (limitted user account) who feel 'safer' having read that rootkits require Admin or SYSTEM rights to work properly; have no fear - there is a rootkit (NTIllusion) that works just fine as a regular user account (but would provide stealth only for processes running in the context of that user).

The 'stuff' they hide can be anything - you can hide a file, a folder, a user account, a group, a process, a port, a registry entry, a network connection or all of the above and the hiding is traditionally done without any modification to the tools used to enumerate this information (i.e. the binary on the disk is left un-modified).  Anything you can think of as a security practitioner that you might examine to find evidence of a compromise can be hidden by an advanced rootkit.  Rootkits range from the very simple process hiding rootkits (early examples of the FU rootkit simply took a PID to hide and didn't hide any files or folders or registry entries etc.) to the very . . . feature complete rootkits like Hacker Defender and YYT_HAC rootkits which can hide just about everything AND come bundled with built-in backdoor servers (negating the need for a separate backdoor to be hidden).

And now we have arrived at the quandary that people face when trying to discuss malware like Hacker Defender or the YYT_HAC rootkit.

Are these rootkits?  Yes - using the modern Windows-specific version of the definition - it hides / stealth’s stuff - but it was not the software actually used to compromise the host (i.e. it's not an exploit and does not elevate privileges).

Is it a backdoor?  Yes - these rootkits contain a backdoor server component and also come with a special backdoor client that can be used to communicate with the backdoor server.

Could a rootkit like this be dropped by a self-propagating or propagate-on-demand bot?  Yes - this malware or the technology employed by this malware could easily be picked up by the next version of Agobot/Gaobot/Phatbot/Polybot/Sdbot/Rbot/Spybot families of malware.  Here's a thought - what if this rootkit got on your machine before the AV vendor updated their signatures and then hid the directory the signatures come down in?  Would the AV software still work and be able to detect anything?  Most likely not - not if it can't find the signatures being hidden by the rootkit - something to ponder.

What would you call a bot that installed a backdoor server that was stealthed by a rootkit?  Is it a botdoorkit?  A doorbotkit?

I don't have a particular desire, nor do I see a particular need to be able to quickly summarize complex malware in one easy to consume 'buzzword' which is what I feel people often try to do.  Malware is getting increasingly more full-featured and increasingly more complex and I think it's time we stop trying to classify what is obviously a collection of independently developed 'malware' (i.e. programs developed by different groups of people for different purposes with different functionality) being dropped onto compromised hosts using a single word like 'backdoor' or 'trojan' and instead we should focus on the attributes and properties of the pieces of malware we have identified on the system and refer to them based on their functionality - but before we do that, we must first agree on what it is we're talking about and thus my proposed definitions above.

And finally - I predict that 2005 will be the year the Windows 'rootkit' finally goes 'mainstream' . . . in that I mean more people than ever (including the mass media) will be exposed to the term this year (we already exposed the media to this threat at RSA a couple weeks ago) and we will start to see rootkit stealthing technology and techniques picked up by ever increasing amounts of potentially un-wanted software and ad-ware /spyware in an effort to combat increasingly more effective antivirus and antispyware software. 

Think I'm wrong?  It's already happening - you just may not be aware of it:
894278 You receive a Stop 0x00000050 error on a blue screen

Think about it - Spyware/Adware is the new 'spam'.  It's the new billion-dollar industry being used by sophisticated crime rings to make money - do you really expect them to just go down without a fight?  Especially when it's so easy to hide using rootkit technology?  Especially when spam is becoming less and less profitable as people become better and better at fighting it?

I also predict that if rootkits are are the Windows equivalent of 'the world that has been pulled over your eyes' (to quote Morpheus) that 2005 will be the year the Matrix gets reloaded. :)  Why do I say that?  Very smart people have developed very effective tools - tools that can be used to expose rootkits and the processes, files and folders that they hide and 2005 will be the year these tools go mainstream. 

Think I'm wrong?  It's already happening - you just may not be aware of it:

Check that site periodically in the coming weeks / months - we are fighting back!

And it's not just Microsoft preparing to release kick-ass anti-rootkit tools - there will be more - this year.  You can count on it.  I will of course update this blog when I hear about new anti-rootkit tool releases.

This unequivocal defeat of the hiding techniques employed by the most popular rootkits will force the miscreants back to the drawing boards this year (actually they never sit still and are always working on new techniques and they already exist but we just haven't forced them into using them widely yet) and they will come up with new hiding techniques (or use the ones already well known) - and the game will continue - culminating in an eventual reloading of the Matrix. :)


- The Previous One