ment remote control functionality. Where does one draw the line between
rootkits and various forms of malware? The answer lies in the definition that
I presented earlier. A rootkit isn't concerned with self-propagation, generating
revenue from advertisements, or sending out mass quantities of network traffic.
Rootkits exist to provide sustained covert access to a machine so that the
machine can be remotely controlled and monitored in a manner that's difficult
to detect.
This doesn't mean that malware and rootkit technology can't be fused
together. As I said, rootkit technology is a force multiplier, one that can be
applied in a number of different theaters. For instance, a botnet zombie might
use a covert channel to make its network traffic more difficult to identify.
Likewise, a rootkit might utilize armoring, a tactic traditionally in the domain
of malware, to foil forensic analysis.
The term stealth malware has been used by researchers like Joanna Rutkowska
to describe malware that is stealthy by design. In other words, the
program's ability to remain concealed is built-in, rather than being supplied
by extra components. For example, whereas a classic rootkit might be used
to hide a malware process in memory, stealth malware code that exists as a
thread within an existing process doesn't need to be hidden.
1.4 Who Is Building and Using Rootkits?
Data is the new currency. This is what makes rootkits a relevant topic: Rootkits
are intelligence tools. It's all about the data. Believe it or not, there's a
large swath of actors in the world theater using rootkit technology. One thing
they all have in common is the desire to covertly access and manipulate data.
What distinguishes them is the reason why.
Marketing
When a corporate entity builds a rootkit, you can usually bet that there's a
financial motive lurking somewhere in the background. For example, they may
want to highlight a tactic that their competitors can't handle or garner media
attention as a form of marketing.
Before Joanna Rutkowska started the Invisible Things Lab, she developed
offensive tools like Deepdoor and Blue Pill for COSEINC's Advanced Malware
Laboratory (AML). These tools were presented to the public at Black Hat