Chapter 1 / Empty Cup Mind

engineered his way to console access, he may simply use the built-in FTP client or a tool like wget⁹ to download and run a dropper.

Or, an attacker could leave a USB thumb drive lying around as bait and rely on the drive's AutoRun functionality to execute the dropper. This is reportedly how the agent.btz worm found its way onto computers in CENTCOM's classified network.¹⁰

What about your installation media? Can you trust it? In the pathological case, a rootkit could find its way into the source code tree of a software product before it ever reaches the customer. Enterprise software packages can consist of millions of lines of code. Is that obscure flaw really a bug, or is it a cleverly disguised back door that has been intentionally left ajar?

This is a scenario that investigators considered in the aftermath of Operation Aurora.¹¹ According to an anonymous tip (i.e., information provided by someone familiar with the investigation), the attackers who broke into Google's source code control system were able to access the source code that implemented single sign-on functionality for network services provided by Google. The question then is: did they just copy it so that they could hunt for exploits, or did they alter it?

There are even officials who are concerned that intelligence services in other countries have planted circuit-level rootkits on processors manufactured overseas.¹² This is one of the dangers that results from outsourcing the development of critical technology to other countries. The desire for short-term profit undercuts this country's long-term strategic interests.

A Truly Pedantic Definition

Now that you have some context, let's nail down the definition of a rootkit

one last time. We'll start by noting how the experts define the term. By the

experts, I mean guys like Mark Russinovich and Greg Hoglund. Take Mark

Russinovich, for example, a long-term contributor to the Windows Internals

9. http://www.gnu.org/software/wget/.

10. Kevin Poulsen, "Urban Legend Watch: Cyberwar Attack on U.S. Central Command," Wired, March 31, 2010.

11. John Markoff, "Cyberattack on Google Said to Hit Password System," New York Times, April 19, 2010.

12. John Markoff, "Old Trick Threatens the Newest Weapons," New York Times, October 26, 2009.