Building malware defenses: From rootkits to bootkits


Noah Schiffman
09.04.2007


Arguably, one of the most complex and lethal types of malicious code today is the "rootkit." As its name implies, this type of malware can gain "root" access, the highest privilege level on Unix systems, and deploy its "kit" of small, often malicious, executable packages. The code can provide continual and undetectable access to a machine.

Today's rootkits draw their power from access to the operating system kernel. These "kernel-mode" rootkits run at the same privilege level as the kernel and the trusted system code it hosts, which gives them control of the system and effective ways to remain hidden.

The rootkit's ability to maintain system access while remaining undetected has posed a challenge to the security community. To prevent kernel-mode malware and digital rights management (DRM) violations, Microsoft has enforced a policy with its Vista OS requiring digital signatures for all device drivers. The mechanism has been criticized, however, because it prevents legitimate third parties from developing device drivers. The policy is also thought to be partly responsible for Vista's incompatibility with several peripheral devices. More significantly for this discussion, it has challenged others to create a variant of rootkits reminiscent of boot sector viruses.

The 'bootkit'
Before the days of mass interconnectivity, malicious code traveled on portable storage media such as floppy disks and CD-ROMs. The malware, usually a virus hidden in the boot sector of a disk, acted as a digital parasite, infecting the host PC when the disk was present during the boot process. The infection would corrupt the machine by altering the hard drive's Master Boot Record, the boot sector code of any boot disk, or the disk partition table (DPT). While rarely seen today, the boot sector virus comes to mind when discussing the new rootkit technology that may defeat Vista's device driver signature requirement.

A "bootkit" gains its kernel access and stealth by manipulating the boot process. Functionally, bootkits are no different from rootkits; they differ in how they gain access. Traditional rootkits use elevated privileges while the OS is running. Bootkits, however, are installed from the boot sector of an external device and remain in memory throughout the system's boot process. The concept was first introduced in 2005, when security researchers from eEye Digital Security developed a method of exploiting the BIOS during startup. Their "BootRoot" project introduced custom boot sector code that subverted the Windows NT kernel and gave persistent real-mode access to it.

In April of this year, at BlackHat Europe, researchers at India's NV Labs introduced the "VBootkit", which also allows kernel subversion via custom boot code. Despite controversy over its similarities to BootRoot, the newer VBootkit contained modified instruction code to work with Microsoft Vista's updated startup process, whose boot loader architecture has changed. Regardless of which boot platform is used, however, several bootkit techniques exploit this startup process.

The bootkit's custom boot sector code hijacks the startup routine after the ROM BIOS code executes but before the true Master Boot Record (MBR) loads. Once in memory, the code intercepts the BIOS disk-services software interrupt, INT 13, a technique known as "hooking": with the bootkit's own handler in place, every subsequent sector read passes through it. From there, the bootkit applies a series of patches throughout the boot process to alter the structure and logical flow of the code it loads.

Several methods of code modification are employed at various stages to bypass digital signatures and checksums. To remain undetected, the bootkit code uses a number of detours to relocate itself in memory. Rootkits can also recalculate and replace checksums, the values used to verify a file's integrity.
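The defensive counterpart to the checksum tampering described above is to record an integrity baseline out of band and compare the live MBR against it. The following Python routine is an added example, not code from the original article: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries and the 0x55AA boot signature), hashes the boot code and flags deviations from a known-good baseline. The sample MBR is constructed inline for demonstration; on a real system the sector would be read from the disk device and the baseline hash kept off-host.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies offsets 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"  # boot signature at offsets 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def baseline_for(sector: bytes) -> str:
    """SHA-256 of the boot code only; record this from a known-good disk."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code hash differs from baseline")
    # A non-empty entry that starts at LBA 0 overlaps the MBR itself.
    for n, p in enumerate(mbr["partitions"]):
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append(f"partition {n} starts at LBA 0")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed clean MBR for demonstration (not an image of a real disk)."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE
```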

Once resident and undetected in kernel space, a rootkit can execute additional payloads. At the very least, a covert channel is established, giving the attacker unrestricted access to the victim's machine. Additional executable payloads may harvest usernames and passwords, disable certain applications (often security suites), use the machine as a proxy for attacks or further spread the rootkit itself.

These machine-code manipulations of kernel-space instructions demonstrate the severity of this malware subclass. While software exists for rootkit detection and removal, the bootkit underscores the importance of prevention: because it is injected through the boot process, physical access policies must be part of an overall security strategy.

Protection from bootkit technology means protecting the machine's boot process. The system BIOS can be configured to disable any boot device other than the hard disk. Furthermore, to prevent unauthorized changes, the BIOS can be password-protected. Physically locking the computer case restricts access to the motherboard containing the BIOS chip and its CMOS battery, either of which could be used to clear the BIOS password. For systems located in public areas, consider removing external media drives, such as floppy and CD/DVD drives. It may also help to disable USB/FireWire ports and even to configure specific machines to operate only in kiosk mode.

Regardless of how they enter a computer's kernel space, rootkits are a powerful and real threat. While they account for a small fraction of 'in the wild' malware, most security software is a step behind and cannot detect their presence. Perimeter protection and enforcement of restricted user privilege levels, combined with tight control of running services, will provide a strong network defense against rootkit penetration. Those responsible for IT security should follow trends in rootkit technology as well as the evolution of defensive techniques.

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy