Many people think that a rootkit is a tool for obtaining root access to a system. In fact, a rootkit is a tool attackers use to hide their traces and retain root access they already have. Typically, an attacker first gains root through a remote attack, or gains ordinary system access by guessing or brute-forcing a password. If he does not yet have root after entering the system, he obtains it through some security vulnerability. He then installs the rootkit on the compromised host and thereafter regularly uses the rootkit's backdoor to check whether other users are logged on; if not, he begins cleaning the relevant entries from the logs. With the rootkit's sniffer, the attacker also harvests user names and passwords for other systems and uses them to access those systems.
I. A comprehensive understanding of rootkits:
Rootkits appeared in the early 1990s. The term rootkit was first used in a security advisory in February 1994: CERT-CC advisory CA-1994-01, "Ongoing Network Monitoring Attacks", last revised on September 19, 1997. Since then, rootkit technology has developed rapidly and spread widely, making detection increasingly difficult.
A rootkit is an unusual kind of program with a stealth property: whether it is at rest (as a file) or active (as a process), it goes unnoticed. In other words, such a program may sit in our computers without our ever knowing it. This capability is something many people dream of, computer hackers and computer forensics personnel alike. Hackers can plant a rootkit in a system after an intrusion, secretly snoop on sensitive information, or lie in wait for an opportunity. Forensic staff can likewise use rootkit techniques to monitor suspicious behaviour in real time, which both collects evidence and makes timely action easier.
II. Understanding the attack principles of rootkits:
To understand how a rootkit attacks, we must start with how the system works. An operating system consists of a kernel and a shell. The kernel does all the practical work: CPU scheduling, memory allocation and management, device management and file operations. The shell is an interface built on the interaction functions the kernel provides; it delivers and interprets instructions. Because the kernel and the shell have different tasks and run in different processing environments, the processor provides several distinct execution environments called rings. Each successive ring reduces the set of computer resources a program's instructions may access, to protect the computer from accidental damage. The kernel runs at Ring 0, with the most complete, lowest-level management capabilities; the shell runs at Ring 3, with very few. Almost every command has to be passed to the kernel, which decides whether to execute it. When the kernel finds a command that could damage the system (for example, a memory read or write outside the permitted range), it returns an "unauthorized" flag and the program that issued the command may be terminated. This is the source of most of the familiar "illegal operation" errors, and it exists to protect the computer from damage: if the shell ran at the same level as the kernel, a careless click could destroy the whole system.
Because of the rings, apart from programs loaded by the kernel itself, ordinary programs invoked by the shell can only run at Ring 3; every operation they request depends on kernel authorization. Ordinary process viewers and anti-virus software are no exception. Because of this mechanism, the processes we "see" are in fact those the kernel sees and then reports back to the application through the relevant interfaces (remember the API?), so there is inevitably a data channel between the two. It is ordinarily hard to tamper with that channel, but the unexpected cannot be ruled out, and a rootkit is precisely such an "unexpected" program. Simply put, a rootkit is essentially an application that is "beyond authorization". It tries to run at the same level as the kernel, or even to enter kernel space, so that it has the same access rights as the kernel and can modify the kernel's instructions. The most common trick is to modify the kernel's process-enumeration API so that the data it returns always "misses" the rootkit's own process; ordinary process tools then naturally fail to "see" the rootkit. More advanced rootkits tamper with more APIs, so that the user cannot see the process (the process API is hooked) or the files (the file read/write API is hooked), the opened port is invisible (the socket API of the network stack is hooked), and the related network packets are invisible too (the NDIS API of the network stack is hooked). Fortunately, the data-activity indicator on the network device is not controlled by the kernel; otherwise I am afraid the rootkit would disable that as well! The system we use runs on the kernel's functions. If the kernel becomes untrusted, can the programs that depend on it still be trusted?
III. Future development trends of rootkits:
The future trend is for rootkits to combine with more malware, or to hide themselves inside malware. The most serious consequence of this hiding technique is that the rootkit not only hides the zombie (bot) from the system's "line of sight" with ease, but can also evade network detection, the last line of defence for catching it. Most companies need to leave port 80 open because their employees need the Internet, and some malicious users use this channel to transfer data. As a network manager, you should know that this port is mainly used for web access rather than for arbitrary communication, so you should scan the HTTP traffic with filters on the gateway device. Of course, this requires you to tune your filters properly. Malicious traffic can also ride on otherwise acceptable traffic, for example attached to outgoing DNS packets. Administrators are therefore advised to watch three types of traffic closely: urgent traffic, large file transfers, and other anomalous traffic. Any of these may indicate that someone is remotely executing control commands.
Traditionally, detecting a rootkit on the system itself has been much more difficult than detecting the rootkit hidden in network communication, because most rootkits run with higher privileges than anti-virus software.
However, note the interesting fact that VMware has recently added anti-virus support with its new VMsafe security extension, so that anti-virus products can run under the protection of the virtual machine monitor, with higher privileges.
IV. Detection and defence against rootkits:
Detection: a dedicated rootkit detection tool such as RootkitRevealer can identify discrepancies between what the kernel's system calls report and what a direct scan of the disk shows, and thereby detect hidden files, registry values and other attributes. For example, on a Windows computer you can look for differences between the Task Manager's process list and the system's internal task list.
Note, however, that these tools still run at a lower level than the rootkit. A detection program running on the user's system has to analyse the computer dynamically to find out whether the computer is lying. The best approach is to examine the current system from a completely clean system, or to compare the current system against another identical system and look for the differences.
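As an added example (not part of the original article), here is a Linux cross-view check in the spirit of the RootkitRevealer comparison above: it contrasts the process list obtained by enumerating /proc, the same enumeration path a rootkit hooks to hide its process in section II, with a list obtained by probing every PID with kill(pid, 0). The kill() probe semantics and the Tgid check against /proc/<pid>/status are standard Linux behaviour; the function names are my own.

```python
import os
from typing import Dict, Iterable, List, Set

def procfs_view() -> Set[int]:
    """View 1: PIDs visible to a directory listing of /proc (the readdir path)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def kill_probe_view(max_pid: int) -> Set[int]:
    """View 2: PIDs found by kill(pid, 0). No signal is delivered; the kernel
    answers ESRCH for an unused PID and success or EPERM for a live one."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue        # ESRCH: slot unused
        except PermissionError:
            pass            # EPERM: exists, owned by another user
        found.add(pid)
    return found

def cross_view_diff(listed: Iterable[int], probed: Iterable[int]) -> Dict[str, List[int]]:
    """Pure comparison: PIDs present in exactly one of the two views."""
    a, b = set(listed), set(probed)
    return {"probed_not_listed": sorted(b - a), "listed_not_probed": sorted(a - b)}

def is_thread_id(pid: int) -> bool:
    """Thread IDs answer kill() but are absent from readdir(/proc) by design;
    their /proc/<tid>/status shows Tgid != Pid. A probe-confirmed PID with no
    readable status is itself suspicious, so it is not treated as a thread."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return int(fields["Tgid"]) != int(fields["Pid"])
    except (OSError, KeyError, ValueError):
        return False

def find_hidden_pids(rounds: int = 3) -> List[int]:
    """Live Linux check: report a PID only if it is probe-visible but unlisted
    in every round, which filters processes that merely exited mid-scan."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    suspects = None
    for _ in range(rounds):
        diff = cross_view_diff(procfs_view(), kill_probe_view(max_pid))
        now = {p for p in diff["probed_not_listed"] if not is_thread_id(p)}
        suspects = now if suspects is None else suspects & now
    return sorted(suspects or [])
```

On a Linux host, `find_hidden_pids()` probes the whole pid_max range three times, so expect it to take a few seconds; an empty list means both views agree.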
Defence: rootkits require defence in depth. The latest kernel-level rootkits bundle various kinds of malicious code. They can seize the processor during the BIOS stage of booting and jump into the system kernel, and they are difficult to eradicate completely even after the computer has been cleaned and restored. Such persistent rootkits have become the most dangerous kind, as researchers clearly demonstrated at a Black Hat conference two weeks ago. There are also so-called game zombies, which particularly favour multi-processor machines because they can run multiple threads and balance the load. Some of these botnets steal virtual currency or goods through automated bot programs and then sell them for real money. Rootkits can exploit firmware weaknesses at many points, such as the boot loader, device drivers and flash firmware updates.
Obviously, your network can only be free of rootkits if it is so secure that attackers cannot get into it at all. I'm afraid no one can provide that guarantee, but I keep some good habits in daily network management and maintenance that reduce the damage a rootkit can do and help me discover its presence promptly. Do not transmit passwords in plaintext over the network; use one-time passwords instead. That way, even if a rootkit has been installed on your system, the attacker cannot harvest more user names and passwords by sniffing the network, which keeps the intrusion from spreading.
The best approach is to prevent the rootkit from entering your system in the first place. To achieve this, use the same defence-in-depth policies you use against malware in general, against all attacks on your computers. Elements of defence in depth include virus scanners, regular software updates, firewalls on both hosts and the network, and strong password policies.