
    Anatomy of a Rootkit Hack

    By Cameron Sturdevant, March 21, 2005

      Last November, an eWEEK reader who is an IT executive at a large organization was notified by his company's help desk that the company's Microsoft Corp. Exchange e-mail servers had gone offline.

      Further investigation revealed that the Temp directory of the Exchange servers—along with other crucial directories and files—was suddenly missing. The result was 500GB of unavailable e-mail data.

      The problem affected dozens of users and took nearly four days to solve. The entire help desk team was pulled from daily support tasks and pressed into a server-by-server, desktop-by-desktop recovery effort. By the end of the ordeal, it was determined that nearly 40 data center servers had been affected, many of which had to be rebuilt from scratch.

      The problem? The machines had been infected by a user-level rootkit.


      During an exclusive interview with eWEEK Labs last month, the IT executive described the attack and the step-by-step recovery efforts his company undertook. eWEEK Labs agreed not to name the IT executive or his organization.

      Rootkits are widely known in the Unix and Linux community, but they are a fairly new problem in the Windows operating system world.

      Indeed, at last month's RSA Conference in San Francisco, a workshop focused on the emerging threat rootkits are posing to Windows. User-level rootkit hacks like the one described here are bad enough, but when it comes to a server infected with a kernel-level hack, “Nuke it from space” was the advice provided by the Microsoft employees leading the session.


      The user-level rootkit that felled the IT executive's servers was tailored for French language use, and that's how it evaded detection by a widely deployed anti-virus tool used at the exec's company. The executive suspects that an administrative assistant given to wide-ranging Internet use was the weak link through which the rootkit first got inside the network.

      A forensic examination of Machine Zero revealed a keystroke logger with extensive records dating back several months.

      Before this was discovered, however, a PC support technician responding to the administrative assistant's report of a desktop slowdown committed a grave error—one that allowed the rootkit to spread from the user's desktop to the servers. Unable to gain access to the system using the regular administrator account, the technician decided to use the domain administrator account to gain access to the PC. At this point, the rootkit was off to the races.

      Almost instantaneously, the password grabber that was part of the rootkit used the domain administrator account to infect servers on the local network. The effect was devastating to the IT executive's organization in more ways than one: E-mail was knocked offline in order for the hijacked servers to act as illicit distribution points for the “Bennifer” bomb “Gigli”—dubbed into French.
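      The spread described above began the moment a domain administrator credential was typed into an infected workstation. The following detection logic, an added example that is not from the eWEEK article or the organization it describes, flags credential-exposing logons by privileged accounts on workstations using Windows Security event 4624 records; the event lines, account names, host naming convention and privileged-account list are all constructed assumptions.

```python
from dataclasses import dataclass

# 4624 logon types that leave a reusable credential on the host: interactive (2),
# unlock (7), remote interactive (10), cached interactive (11). Network logons (3)
# do not, so a domain admin's SMB access to a server is not flagged.
CREDENTIAL_EXPOSING_LOGON_TYPES = {"2", "7", "10", "11"}

# Assumption: privileged accounts listed by hand for the example. In production,
# resolve this from group membership (e.g. Domain Admins) instead of hard-coding.
PRIVILEGED_ACCOUNTS = {"CORP\\administrator", "CORP\\da-helpdesk"}


def is_workstation(host: str) -> bool:
    # Assumption: workstations are named WS-*, servers SRV-* (constructed convention).
    return host.upper().startswith("WS-")


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    logon_type: str


def parse_event(line: str) -> dict:
    """Parse a flattened key=value rendering of a Security event (constructed format)."""
    return dict(part.split("=", 1) for part in line.split() if "=" in part)


def find_tier_violations(lines):
    """Return one Finding per privileged, credential-exposing logon on a workstation."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only successful logons matter here
        if ev.get("LogonType") not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        account = ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", "")
        host = ev.get("Computer", "")
        if account in PRIVILEGED_ACCOUNTS and is_workstation(host):
            findings.append(Finding(account, host, ev["LogonType"]))
    return findings


# Constructed sample: a normal user logon, the domain admin logon that mirrors the
# technician's mistake, and two server-side logons that should not be flagged.
SAMPLE_LOG = [
    "EventID=4624 Computer=WS-ADMIN-ASST LogonType=2 TargetDomainName=CORP TargetUserName=jdoe",
    "EventID=4624 Computer=WS-ADMIN-ASST LogonType=2 TargetDomainName=CORP TargetUserName=administrator",
    "EventID=4624 Computer=SRV-EXCH01 LogonType=3 TargetDomainName=CORP TargetUserName=administrator",
    "EventID=4624 Computer=SRV-EXCH01 LogonType=10 TargetDomainName=CORP TargetUserName=da-helpdesk",
    "EventID=4634 Computer=WS-ADMIN-ASST LogonType=2 TargetDomainName=CORP TargetUserName=administrator",
]

if __name__ == "__main__":
    for f in find_tier_violations(SAMPLE_LOG):
        print(f"ALERT: privileged logon {f.account} on {f.host} (logon type {f.logon_type})")
```

Run against the constructed sample, only the domain administrator's interactive logon on the assistant's workstation is reported; the same account's network logon to the Exchange server is not.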

      To recover from the infection, the IT executive first had the central network staff poison the DNS (Domain Name System) tables, cutting off the rootkit's default connections to the outside world—in this case, several sites in France and two major American universities that, unbeknownst to network managers, housed infected systems that were acting as robot controllers.

      The wily rootkit didn't make recovery easy, though.

      “We tried booting from ERD Commander [a utility from Winternals Software LP] to change the local password, but the root kit [later known as SpartaDoor and by Symantec Corp. as trojan.backdoor] checked the box preventing the user from changing the password,” the IT executive said. “We missed that trick, costing us a lot of time.”


      Rootkits usually seek to divert system resources to some purpose other than that of the legitimate system owner. There are two types of rootkits, characterized by the location in which the kit operates:

      • User-level rootkits operate at the same layer as other applications, as a system user; they sometimes can be removed without requiring a system rebuild.
      • Kernel-level rootkits become part of the operating system kernel and currently are rarer than user-level kits because they are much more difficult to code; once installed, a kernel-level rootkit basically “owns” the system, so there is no reliable method to ensure that system control can be re-established.

      Source: eWEEK Labs

      Labs Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.
