The Dissection of a Rootkit

F-Secure Security Labs' new paper takes apart the dangerous and stealthy rootkit and tells us how helpless we now are against this increasingly popular form of attack.

Security analysts have been predicting that kernel rootkits, which cloak their activity by replacing a portion of a programs software kernel with modified code, are expected to continue to grow in frequency in 2007.

While rootkit-fighting technologies such as the PatchGuard kernel protection system built into 64-bit versions of Microsofts new Windows Vista operating system are arriving, most PC users will still be left open to the attacks over the next twelve months, CA has said, and even experienced PC users are vulnerable to their sophisticated techniques.

F-Secure Security Labs has been tracking and dissecting kernel malware for years; this form of attack was first spotted as far back as 1999, in the form of the WinNT/Infis attack.

F-Secure researcher Kimmo Kasslin has made the findings available in a paper titled "Kernel Malware: The Attack from Within" (a PDF) as well as in a slide show (also a PDF).

Kasslin explains in detail what kernel malware is, how it works, and what makes its detection and removal so challenging. He also details two malware cases that use kernel-mode techniques to escape detection and to bypass personal firewalls.

Kernel rootkits are still a very small fraction of malware discovered, but Kasslins paper provides a stark, graphical illustration of how their use has skyrocketed post-2004.

Why the sudden surge in this frightening mode of attack?

"The high rise in popularity of kernel malware can be mostly explained by the increased motivation for malware authors to hide their creations from detection as long as possible," Kasslin writes.

/zimages/1/28571.gifClick here to read more about rootkit tactics.

"To hide even better, they have started to use kernel-mode rootkit techniques as more and more documentation, examples and fully working examples with full source code has become publicly available. However, there are other motives for malware to move to kernel, probably [the] most important ones being firewall and anti-virus scanner bypassing."

Current security solutions are generally feeble protection, Kasslin says, given that a rootkit operating in full kernel mode (as opposed to reaching up into user mode to execute activity unavailable in kernel mode, also known as semi-kernel malware) has the same privileges as the operating system itself and can cut off firewalls and anti-virus software at the knees.

"This has already been seen with rootkits and their anti-detection engines," Kasslin writes. "After the rootkit notices that it is no longer able to hide from the rootkit detector and is going to [lose] the game, it changes tactics and starts to make a direct attacks against the detector. It might take a more aggressive approach and prevents the rootkit detector from starting. Or it could directly patch the rootkit detectors code to change its inner logic."

Is there hope? Kasslin offers little. "Current security solutions, including anti-virus scanners and firewalls, have not been designed to protect against kernel malware. Prevention might be the only solution," he writes in his slide show conclusion.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.