“Rootkit” revamped?

Wearing my “glossary guy” hat, one of the things I’ve noticed is how difficult it is to come to complete agreement on the precise definition of many terms that are used in infosec. There are, for example, three quite distinct meanings for the term “tar pit.” (And that’s in terms of networking alone.) (It is highly unlikely that we will ever be able to reduce the number of tar pit definitions to one: all the definitions came at about the same time, and all are important and equally valid.)

However, what really irks me is when defined and agreed upon terms start being misused, sometimes to the point where the original term becomes useless. There is, of course, “hacker.” (And I’ve given Hal a diatribe about “zero day” which will probably be coming out in the next ISMH.)

The latest endangered term seems to be “rootkit.” A rootkit has been defined as programming that allows escalation of privilege or the option to re-enter the compromised system with greater ease in the future. Often rootkits also contain functions that prevent detection of, or recovery from, the compromise.

Starting with the recent Sony “digital rights management” debacle, the general media now seems to be using “rootkit” to refer to any programming that hides any form of information on a system, and specifically any functions that impede the detection of malware. The latest reports are that Bagle and other malware/virus families now contain “rootkits.” Antidetection features in viruses are nothing new: there was a form of tunnelling stealth implemented in the Brain virus 20 years ago. Therefore, to use the term rootkit to refer to this activity can only degrade the value of the term.

It has been difficult to ensure that infosec specialists can at least talk to each other and exchange useful information. However, this may not last much longer if our “precious verbal essences” become contaminated.

Share
  • http://anti-virus-rants.blogspot.com kurt wismer

    hurray for the voice of reason!

    it’s actually not just the media screwing around with the definition of rootkit – greg hoglund of rootkit.com has been doing it too (see http://www.rootkit.com/blog.php?newsid=440)…

  • Sahir Hidayatullah

    Hmmmm…

    “allows…the option to re-enter the compromised system with greater ease in the future.”

    Any ‘rootkit’ that hides processes, files, registry entries etc certainly fits this bill. The old 1st gen classic rootkits such as trojaned replacements for ps, netstat and login did exactly the same thing, they helped you KEEP ROOT. A trojaned ps would hide maybe a netcat backdoor. The goal of the rootkit was NOT necessarily to provide the access, just help you MAINTAIN it. Current rootkit technology (such as the one spoken about for Bagle) do EXACTLY the same thing.

    These days, 2nd and 3rd gen rootkits hide the SAME information as the trojaned ps and netstat. They just do it more efficiently — usually in the form of a ring-0 component. Thus, any malware that incorporates the following types of technology:
    1. SSDT / IAT / Function hooking
    2. Direct kernel object manipulation
    3. DLL injection
    4. Inline-function detours etc
    CAN be considered as being a rootkit.

    This is exactly the sort of nit-picking that gets us nowhere. Please don’t waste your time denigrating the likes of Mark Russinovich & Greg Hoglund; if you bothered to follow his research, you’d realise you don’t have a leg to stand on when discussing ‘definitions’ of rootkits (I recommend the books ‘Exploiting Software’ and ‘Subverting The Windows Kernel’).

    I would recommend we updated your “precious verbal essences”� to reflect the current scenario. Either that or start blogging about how the media misuses the word ‘hacker’.

    Perhaps our time as infosec specialists would be better spent in research and specialization, rather than vocabulary twiddling?

  • http://anti-virus-rants.blogspot.com kurt wismer

    oh dear – i’ve already blogged about how the media misuses the word ‘hacker’ (and the probable reason why)…

    as for denigration – mark russinovich has admitted to parrotting the ‘rootkit’ community, and hoglund appears to have no clue that what he’s talking about predates the existence of even the classical rootkits and has been known in the malware community as stealth for a good long time…

    stealth is a more natural and intuitive term for it, while rootkit (under it’s current usage by hoglund et al) has lost all semblance of an etymological basis…

  • Sahir Hidayatullah

    Hi Kurt,
    I gave your blog a read and perhaps there is a slightly common element to both our arguments.

    For the sake of discussion I’ll use the term ‘rootkit’ as per your definition, and the term ‘stealth component’ to describe the currently disputed technologies.

    One must acknowledge that a stealth component on it’s own is absolutely useless. It does not actually do anything when not coupled to a payload that either (1) gains access or (2) escalates privilege.

    Lets take a somewhat more concrete example. The commonly used tool pwdump dumps windows hashes from the security manager, aiding in the escalation of privileges. Thus by your definition, you could term it as a rootkit, whereas I would not view it as such.

    To extend this notion further, the Metasploit framework provides you with
    (1) A means of gaining root access (using exploits)
    (2) A means of keeping access (say, a payload that adds an administrative user)
    (3) Stealth (polymorphic shellcode, encoders et al)
    Yet obviously the msf framework is not a rootkit.

    I believe the actual post exploitation process has evolved considerably from the classic days. These days, exploitation is not necessarily focussed on obtaining root on that system — it may be simply to install a socks/smtp proxy, or even drop adware. The idea of obtaining ‘root’ in the classical sense has changed. Instead the focus now is more on covering up the signatures of malicious activity that can be used to detect the exploitation of the system. THIS is where the modern ‘stealth module’ comes in — It provides the payload (smtp server/adware/etc) the ability to remain undetected and thus logically the ability to KEEP ROOT (replace ‘root’ with ‘send spam’, ‘display banner ads’ or whatever).

    I hope that didn’t get long winded :)
    I still however feel that discussions on nomenclature end up fruitless for either side (hacker/cracker will never be fully decided).

    Out of interest, I actively research and develop both offensive rootkit technology and new detection mechanisms for a living, so my opinions definetely lean towards the words usage by researchers in this field; people like Joanna Rutkowska (BH-federal-06), Jamie Butler (BH-04), Tan Chew Keong (HITB-04) etc.

    –S.

  • Pingback: Spire Security Viewpoint

  • http://anti-virus-rants.blogspot.com kurt wismer

    hi sahir,
    yes, i agree that stealth all by itself is pointless… that’s part of what makes greg hoglund’s definition (http://www.rootkit.com/blog.php?newsid=440) so eggregious… he’s basically saying a rootkit is something that hides itself and other things…

    i much prefer the excerpt from his book here (http://www.informit.com/articles/article.asp?p=408884&seqNum=3&rl=1), that states a rootkit provides 2 primary functions: remote command and control (aka a backdoor) and software eavesdropping (aka password sniffing)… this matches quite well with the analysis of the eponymous (and, i suspect, first) instance (http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html)…

    i don’t understand how he goes from there to saying rootkits are things that hide themselves and other things… any sane classification system would use the ‘primary functions’ as the defining criteria whenever possible…

    as far as the evolution of compromizing a system is concerned – if it does something different, doesn’t it deserve a different name? taking the root gaining/regaining (i don’t really like ‘maintaining’, it’s too ambiguous) properties out of a rootkit and still calling it a rootkit is like taking the self-replication out of a virus and still calling it a virus…

    of course, i have no doubt that you would prefer the new definition over the old – you’re part of the community that made the new definition… why shouldn’t you prefer it?

  • Sahir Hidayatullah

    Hi Kurt,
    I agree the ‘root’ part of rootkit definetely causes some confusion, however I disagree that one of the properties of a rootkit is to assist in gaining access, in other words exploiting the system. Rootkits always come into play after the system has already been broken into. A look at Packetstorm would back that up:
    PacketStorm.

    The key here is not about GAINING root, it’s about KEEPING root. Hiding files / processes etc help you keep root. That’s basically what it all comes down to. Lets assume an attacker sets up an FTP server with warez on a compromised box and then uses a kernel mode driver to hide the FTP server and it’s open port, this becomes a rootkit doesn’t it? This example is not contrived, it’s what’s happening in the real world. Heres a screenshot of a system compromised in exactly this way:
    http://www.rootkit.com/gal_open.php?id=1263

    –S.

  • Sahir Hidayatullah

    Whoops, forgot to close the link to packetstorm :)

  • http://anti-virus-rants.blogspot.com/ kurt wismer

    hi sahir,
    i think you’re misunderstanding the way rootkits are/were used… installing and running it on machine X allows you to regain root on X at a later date (through the use of backdoors) and gain root on Y (by sniffing passwords)… yes you install the rootkit after you break into machine X but machine X isn’t the end of the attack, it’s a stepping stone…

    as for keeping root – that is too ambiguous, it’s the same as maintaining root access (which i’ve already state a dislike for) and can be attributed to any number of behaviours, not just stealth… lots of things can help you keep root… alternative administrative acounts can help you keep root, root’s real password can help you keep root, etc…

    anyone wishing to use packetstorm as an example should consider that they keep their rootkits under a directory called penetration (which means getting in, not staying hidden)…

    your ftp example is not a rootkit… it neither helps to gain nor regain root access (in fact it seems orthogonal to root access outside of the fact that you need root in order to install it – but so do plenty of things)… you might be able to affect hoglund’s command and control with it but not his software eavesdropping so it also fails to provide at least one of the 2 primary functions he says a rootkit is supposed to provide…

    i thought we established that hiding thigs in and of itself is useless – how then can we say that the defining characteristic of a rootkit is that it hides things? it has to do more than that, it has to do something to justify the root in it’s name… hiding things is not the defining characteristic, it’s just an adaptation that makes the main function(s) more likely to succeed… the defining characteristic has to be the main function(s), not the supporting properties…

  • Sahir Hidayatullah

    Hehe, guess it’s about time we agreed to disagree eh ;)

    Either way, grabbed the RSS feeds for your blog, so we can argue over a another definition another time.

    –S.

  • http://anti-virus-rants.blogspot.com kurt wismer

    i think i can agree to that… thanks for the engaging debate…

  • Marvel

    Sahir,

    My company really requires your assistance, this is an urgent private matter. please email me or let me know how to contact you direct.