Internet and Computer Security: Some facts on rootkits and the new generation of "stealth malicious software"
In 2005, the bar was raised in the arena of malicious software. This has never before been more evident than in the recent deployments of Windows rootkit technology within some of the latest viruses, worms, spyware, adware, and more. It has become increasingly important to understand what this threat is and what can be done to detect malicious use.
Definition of a rootkit: A rootkit is a program or set of programs that an intruder uses to hide her presence on a computer system, concealing her chosen processes, files, and network connections from other users. Rootkits may also provide convenient backdoors through which an attacker can regain privileged access to the host at will, or keystroke logging facilities for spying on legitimate users and for gaining access to the computer system in the future. To accomplish its goal, a rootkit will alter the execution flow of the operating system or manipulate the data set that the operating system relies upon for auditing and bookkeeping. This enables attackers who have gained administrative control of a host to hide their presence from the host's genuine administrators. A rootkit is not an exploit; rather, it is what an attacker uses after the initial exploit. By installing rootkits, attackers increase the ease with which they can return to and exploit a compromised host over the course of weeks or months without being detected. Most of us have reluctantly embraced the fact that vulnerabilities in our computer systems will continue to be discovered; computer security is all about managing risk. A rootkit can tell a lot about the attacker, such as what her motivation was for pulling the trigger. By analyzing what the rootkit does, we can ascertain what the intruder is looking to steal, who the intruder is communicating with, and how sophisticated the intruder is.
An example: the Haxdoor family. All of its variants steal passwords for mail accounts and online banking and open a backdoor. Haxdoor is a powerful backdoor with rootkit capabilities. It can hide its presence (processes and files) on an infected system, so that it can be detected only by using either anti-virus software with kernel drivers or a rootkit detector. However, as time passes, new variants of this malicious software will quite possibly evade any given detection process. This backdoor has spying capabilities and has lately been used to steal bank-related information (logons and passwords for online bank accounts) and other data.
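To make the "rootkit detector" idea concrete, here is an added example (it is not code from this article, from Haxdoor's analysts, or from any product) of cross-view difference detection, the technique most rootkit detectors are built on: enumerate the same objects through two independent paths, a high-level user-mode view that a rootkit can hook and a lower-level view (on a real system that would be a kernel driver walking internal structures, or a raw parse of the disk), then report what appears in one view but not the other. The process tables and file listings below are constructed sample data; every PID, process name and path is hypothetical.

```python
"""Cross-view difference detection for hidden processes and files (added example)."""
from dataclasses import dataclass, field


@dataclass
class ViewDiff:
    hidden: dict = field(default_factory=dict)      # in low-level view only: what a rootkit conceals
    phantom: dict = field(default_factory=dict)     # in high-level view only: usually a timing race
    mismatched: dict = field(default_factory=dict)  # same key, different attributes in the two views


def cross_view_diff(high_level: dict, low_level: dict) -> ViewDiff:
    """Compare two enumerations keyed by a stable identifier (PID for processes, path for files)."""
    diff = ViewDiff()
    for key, attrs in low_level.items():
        if key not in high_level:
            diff.hidden[key] = attrs
        elif high_level[key] != attrs:
            diff.mismatched[key] = (high_level[key], attrs)
    for key, attrs in high_level.items():
        if key not in low_level:
            diff.phantom[key] = attrs
    return diff


def stable_hidden(snapshots) -> set:
    """Flag only keys hidden in every (high, low) snapshot pair.

    A process that starts or exits between the two enumerations shows up as a
    one-off difference; a rootkit hides the same object every time.
    """
    hidden_sets = [set(cross_view_diff(high, low).hidden) for high, low in snapshots]
    return set.intersection(*hidden_sets) if hidden_sets else set()


# Constructed sample: the process table as returned by a user-mode API (hookable)
# versus a lower-level walk. PID 1488 is absent from the API view, which is the
# rootkit signature; PID 2044 is absent from the low-level view because it exited
# between the two enumerations (timing noise, not concealment).
API_PROCESSES = {4: "System", 612: "csrss.exe", 1200: "explorer.exe", 2044: "notepad.exe"}
LOW_PROCESSES = {4: "System", 612: "csrss.exe", 1200: "explorer.exe", 1488: "svchost.exe"}

# A second constructed snapshot: 1488 is still hidden, 3100 is a process caught mid-start.
API_PROCESSES_2 = {4: "System", 612: "csrss.exe", 1200: "explorer.exe"}
LOW_PROCESSES_2 = {4: "System", 612: "csrss.exe", 1200: "explorer.exe",
                   1488: "svchost.exe", 3100: "cmd.exe"}

# Constructed sample: file listing (path -> size) via the file API versus a raw disk walk.
API_FILES = {r"C:\Windows\System32\drivers\ndis.sys": 180224}
LOW_FILES = {r"C:\Windows\System32\drivers\ndis.sys": 180224,
             r"C:\Windows\System32\drivers\hidden.sys": 40960}  # hypothetical concealed driver


def report(label: str, diff: ViewDiff) -> None:
    print(f"== {label} ==")
    for key, attrs in diff.hidden.items():
        print(f"  HIDDEN from high-level view: {key} {attrs}")
    for key, attrs in diff.phantom.items():
        print(f"  only in high-level view (likely transient): {key} {attrs}")
    for key, (hi, lo) in diff.mismatched.items():
        print(f"  MISMATCH for {key}: api={hi} low={lo}")


if __name__ == "__main__":
    report("processes", cross_view_diff(API_PROCESSES, LOW_PROCESSES))
    report("files", cross_view_diff(API_FILES, LOW_FILES))
    persistent = stable_hidden([(API_PROCESSES, LOW_PROCESSES),
                                (API_PROCESSES_2, LOW_PROCESSES_2)])
    print("persistently hidden PIDs:", sorted(persistent))
```

Two caveats match the article's own warning that new variants may evade detection. First, a one-time difference is not proof: processes and temporary files come and go between the two enumerations, which is why `stable_hidden` requires the same key to be missing across repeated snapshots. Second, both views are only independent if the rootkit does not control the lower one; a kernel-mode rootkit can subvert a detector's own driver, so the most trustworthy low-level view is one taken from outside the running system (an offline disk image or a known-clean boot).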
More: Rootkits can be partitioned into two classes: those that modify the host operating system kernel and those that do not (see "Privilege modes" below).
Privilege modes: Windows is designed with security and stability in mind. The kernel must be protected from user applications, but user applications require certain functionality from the kernel. To provide this, Windows implements two modes of execution: user mode and kernel mode. Windows only supports these two modes of execution today, although Intel and AMD CPUs actually support four privilege modes or rings in their chips to protect system code and data from being overwritten maliciously or inadvertently by code of a lesser privilege. Applications run in user mode. User mode processes are unprivileged.
Kernel mode refers to a mode of execution in a processor that grants access to all system memory and all the processor's instructions. Windows will tag pages of memory specifying which mode is required to access the memory, but Windows does not protect memory in kernel mode from other threads running in kernel mode. When we look at Windows rootkits, we quickly discover that there are two major categories of rootkits corresponding to the two privilege rings of the processor: user mode and kernel mode. User mode rootkits run as a separate application or within an existing application. A kernel mode rootkit has all the power of the operating system and corrupts the entire system.
The latest threat to intellectual property comes in the form of malicious software (malware) that is capable of infecting a computer, hiding itself until the user accesses specific files or Web sites -- in order to steal files or passwords -- and then deleting any trace of itself.