Attack and Defense of Rootkit in Windows Vista

Source: Internet
Author: User

Bkjia.com exclusive: A rootkit is a special kind of malware that hides information about itself and about specified files, processes, and network connections on the host where it is installed. Rootkits are generally used in combination with Trojans, backdoors, and other malicious programs. By loading a special driver, a rootkit modifies the system kernel in order to hide this information.

Windows Vista's protection against malware is implemented mainly through three mechanisms: digital signatures on drivers, User Account Control (UAC), and Windows Defender. The first two are particularly important for defending against rootkits. Because a rootkit's hiding functionality requires loading a driver, let us first look at how Vista manages driver loading. Installation and loading of drivers in Vista is managed far more strictly than in earlier Windows versions: by Microsoft's design, Vista does not allow drivers without a digital signature to be loaded. In Windows XP and 2003, the system only warned the user when an unsigned or outdated driver was installed, but the driver could still be loaded after installation.

Contrary to Microsoft's expectation, the rule "only digitally signed drivers can be loaded by Vista" does not provide much protection against the rootkit class of malware. At last year's Black Hat conference, researchers demonstrated that in Vista x64 Beta 2 an unsigned driver could be loaded by modifying the page file on disk. Although Microsoft later fixed this vulnerability, it showed that bypassing Vista's driver load management by technical means is not impossible. A better way to bypass Vista's driver load management, however, is to work on the digital signatures themselves. Security researchers have pointed out that applications for Vista driver signatures are not strictly reviewed: the applicant only needs a valid legal entity and a small application fee. By registering a company or borrowing a company's name, a rootkit author can therefore obtain a valid driver signature from Microsoft, which means a "valid" rootkit carrying a Microsoft digital signature is quite possible. Attackers can also use special loaders to load unsigned programs. The security company Linchpin Labs recently released a small tool called Astiv; it uses a digitally signed system component to load unsigned drivers, and drivers loaded in this way do not appear in the normal driver list, which further conceals the target driver.

User Account Control (UAC) is another method Vista uses to defend against malware.
On a Vista system with UAC enabled, the user runs with restricted permissions even when logged on as an administrator. A program that wants to modify the system directory or the registry must obtain an explicit, interactive confirmation from the user. If the user refuses, or if the program (such as a Trojan or backdoor) does not trigger a UAC prompt at all, Vista rejects its access to the system directory and registry; apart from a few programs that do not write to the system directory, most such programs cannot be installed successfully. Rootkits in particular cannot be installed in a UAC environment because of these permission restrictions. In many cases, however, attackers use social engineering to trick users into trusting the programs they provide, so that the user selects "Allow" when the UAC prompt appears.

So far, we can conclude that because Windows Vista was designed with security as a focus, its level of defense against malware such as rootkits has reached a new level, and the success rate of attacks that rely on technical means alone is significantly lower than on the earlier Windows 2000/XP/2003 platforms. We should also note, however, that attackers will rely more heavily on social engineering techniques, forging and exploiting various trust relationships to deceive users into installing malware.

How, then, does one protect against rootkit-type malware in Vista? The following points may serve as a reference:
1. Keep Vista's system patches up to date.
2. Do not obtain software from untrusted sources, and pay attention to the system prompts shown when installing and using software, especially prompts related to digital signatures.
3. Pay attention to UAC prompts and block, in time, any dangerous operation that attempts to modify the system.
4. Use anti-virus software and keep its virus database up to date to provide an additional layer of protection against malware.
5. Regularly scan and check the system with an anti-rootkit tool that supports Vista.
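As an added example (not part of the original article), the following PowerShell script gives a defender a quick baseline check matching points 2 and 5 above and the signature discussion earlier: it lists the drivers registered with the Service Control Manager and reports each one's Authenticode signature status and signer. It assumes Windows PowerShell with the CIM cmdlets; the Win32_SystemDriver class and Get-AuthenticodeSignature are standard, while the function names are the example's own.

```powershell
# Added example, not from the article: audit registered kernel drivers' Authenticode signatures.
# Assumes Windows PowerShell; Win32_SystemDriver and Get-AuthenticodeSignature are built in.
function Resolve-DriverPath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    # Service image paths come in several kernel-style forms; map them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\system32\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"   # relative system32\...
    return $p
}

function Get-DriverSignatureReport {
    # One row per driver known to the Service Control Manager, with its signature status.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $status = 'NoImagePath'
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()      # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } elseif ($path) {
            $status = 'ImageMissing'              # registered, but the file is not on disk
        }
        [pscustomobject]@{
            Name   = $_.Name
            State  = $_.State                     # Running / Stopped
            Path   = $path
            Status = $status
            Signer = $signer                      # a signature alone is not proof of trust
        }
    }
}

# Every running driver that is not validly signed: a starting point for manual review.
# Caveats: this runs in user mode and trusts the SCM's driver list, which a loaded rootkit
# can tamper with, and on Vista/7 catalog-signed inbox drivers may show as NotSigned
# because the cmdlet only checks embedded signatures there.
Get-DriverSignatureReport |
    Where-Object { $_.State -eq 'Running' -and $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Because the signer subject is reported alongside the status, a driver that is signed but by an unfamiliar entity stands out for review, which is the point the article makes about loosely reviewed signing applications.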
