1.2 Distilling a More Precise Definition
compress it, encode it, or encrypt it) and then encapsulate it as an internal data structure. When the dropper is finally executed, it will drop (i.e., unpack/decode/decrypt and install) the rootkit. A well-behaved dropper will then delete itself, leaving only what's needed by the rootkit.

Multistage droppers do not include the rootkit as a part of their byte stream. Instead, they'll ship with small programs like a custom FTP client, browser add-on, or stub program whose sole purpose in life is to download the rootkit over the network from a remote location (see Figure 1.4). In more extreme cases, the original stub program may download a second, larger stub program, which then downloads the rootkit proper, such that installing the rootkit takes two separate phases.
Figure 1.4 (diagram; labels recovered from the image: "Input Byte Stream" feeding an "Exploit")
The idea behind multistage droppers is to minimize the amount of forensic evidence that the dropper leaves behind. This way, if an investigator ever gets his hands on a dropper that failed to detonate and self-destruct properly, he won't be able to analyze your rootkit code. For example, if he tries to run the dropper in an isolated sandbox environment, the stub program can't even download the rootkit. In the worst-case scenario, the stub program will realize that it's in a virtual environment and do nothing. This train of thought fits into The Grugq's strategy of data contraception, which we'll go into later on in the book.
Other Means of Deployment
There's no rule that says a rootkit has to be deployed via exploit. There are plenty of other ways to skin a cat. For example, if an attacker has social
Part I | 9