Chapter 1 / Empty Cup Mind

data exfiltration (e.g., Specter Pro and PC Tattletale). What distinguishes a rootkit from other types of software is that it facilitates both of these features (C2 and surveillance, that is), and it allows them to be performed surreptitiously.

When it comes to rootkits, stealth is the primary concern. Regardless of what else happens, you don't want to catch the attention of the system administrator. Over the long run, this is the key to surviving behind enemy lines (e.g., the low-and-slow approach). Sure, if you're in a hurry you can pop a server, set up a Telnet session with admin rights, and install a sniffer to catch network traffic. But your victory will be short lived as long as you can't hide what you're doing.

Thus, at long last we finally arrive at my own definition:

"A rootkit establishes a remote interface on a machine that allows the system to be manipulated (e.g., C2) and data to be collected (e.g., surveillance) in a manner that is difficult to observe (e.g., concealment)."

The remaining chapters of this book will investigate the three services mentioned above, although the bulk of the material covered will be focused on concealment: finding ways to design a rootkit and modify the operating system so that you can remain undetected. This is another way of saying that we want to limit both the quantity and quality of the forensic evidence that we leave behind.

Don't Confuse Design Goals with Implementation

A common misconception that crops up about rootkits is that they all hide processes, or they all hide files, or they communicate over encrypted Internet Relay Chat (IRC) channels, and so forth. When it comes to defining a rootkit, try not to get hung up on implementation details. A rootkit is defined by the services that it provides rather than by how it realizes them. As long as a software deliverable implements functionality that concurrently provides C2, surveillance, and concealment, it's a rootkit.

This is an important point. Focus on the end result rather than the means. Think strategy, not tactics. If you can conceal your presence on a machine by hiding a process, so be it. But there are plenty of other ways to conceal your presence, so don't assume that all rootkits hide processes (or some other predefined system object).

12 . Part I