
[Repost] Inside Windows Rootkits

Inside Windows Rootkits

Author: Chris Ries
Source: EvilOctal Information Security Team (www.eviloctal.com)

Although they have been around for quite some time, rootkits have become somewhat of a buzzword in the security industry over the past year. While rootkits have traditionally been used by sophisticated attackers to hide their presence on compromised machines, recent worms, viruses, and trojans have started using them to complicate efforts to detect and clean infected machines. Microsoft recently reported that over twenty percent of the malware found by their malicious code removal tool on Windows XP Service Pack 2 machines contained rootkit technology. By hiding the infection, rootkits allow the malicious software to remain on the system for a longer period of time. This enables the malicious software to steal more information, send out more spam, launch more DDoS attacks, and ultimately make more money for whoever is controlling it. Even some commercial software has adopted techniques used by rootkits for protection. The most famous example of this is the Sony Digital Rights Management (DRM) software that received intense media attention and criticism in late 2005. While the DRM software may have been hiding itself for protection, many considered this behavior to be unethical. Malicious software could also use the DRM software's rootkit capabilities to hide malicious files on infected machines.

The goals of this paper are to take a detailed look at how rootkits work, what they do, and what can be done to detect and prevent them. Stealth techniques used by today's rootkits will be explained, and detection of rootkits will be illustrated using examples of malicious software found in the wild.

Like any other area in security, the current state of rootkits is an arms race between the rootkit authors and those responsible for protecting systems from their harmful effects. Because of this, proof-of-concept rootkits are constantly being released to demonstrate new methods of bypassing current rootkit detection and prevention mechanisms. Eventually, some of these proof-of-concept rootkits are transformed into production rootkits that make their way into the hands of attackers and malware authors on the Internet. This paper examines several current proof-of-concept rootkits that may become more common in malware, as well as rootkits that have already been released into the wild.

Attachment

Inside Windows Rootkits.rar (676 KB)

2008-1-6 18:52, downloads: 5650

Delphiscn Blog
http://blog.csdn.net/delphiscn
