Breaking down the Rootkit

My last post regarding my Rookit project was based on the research that I have been doing into it, though I feel comfortable enough to say that I haven’t gone about it in the easiest way possible. Lets stop and and actually think about what a Rootkit is, shall we?  Well straight off the name provides a clue, and that it is not one tool, but many. In this way, I can effectively break down the development of my Rootkit, instead of jumping straight into the deep-end (will I ever learn?) . Initially, the core functionality of the Rootkit has to be decided on. For my project, I have decided on the following as the core functionality that my Rootkit requires:

1. A mechanism for injecting the Rootkit. By this I mean a way to make it run, I could go along the lines of a virus and embed the code to start the Rootkit in a commonly used application. However, due to the easy of injection Loadable Kernel Modules (LKM’s) in  Linux (providing you have root) , a kernel based rootkit seems not only powerful, but achievable.

2. Way to ensure that the Rootkit is run after a re-boot. LKM’s that are required by the kernel are loaded, leading me to assume that there is some form of list of required LKM. The Rootkit’s LKM could be added to a list like this, or a legitimate LKM could be replaced. This however is likely to cause major dependable issues and very well might knock over the box.

3. Healing; A way to stop any  user or application from removing rootkit files. This is not strictly needed, but easy to implement at a basic level.

4. Evasion mechanism. Probably one of the harder features to implement. Requires ether the hooking of call tables or the patching of legitimate functions. It is considered a key part of any Rootkit however,  and worth implementing correctly.

5. A Brain per-say, code that governs the logic and operations of the Rootkit.

Other parts of the rootkit such as opening ports and listening for connections can be added later on. By breaking what is a complex piece of software down, we can see that it is made up of simpler modules.

Divide et impera (Divide and conquer)


About 1337hound

2nd Year Ethical Hacker at the University Of Abertay Dundee. President of Abertay's Ethical Hacking Society. Members of Abertay's Open Society. Member of TAYLUG. View all posts by 1337hound

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: