SecurityFocus interviews Greg Hoglund and Jamie Butler on the state of Windows rootkits and how quickly they have evolved. Watch for some detailed Infocus technical articles on the subject of rootkits coming in October.
Could you introduce yourselves?
Jamie Butler: I am a kernel developer and contributor at rootkit.com, where I go by the name Fuzen. I really enjoyed working with Greg on the book Rootkits: Subverting the Windows Kernel. Most of my time is spent at the bit and byte level.
When did you hear about rootkits for the first time?
Greg Hoglund: Working at an ISP when the first 'rootkit' was circulating for *nix systems. At the time I thought they were a lot more mystical than they really are. But, of course, then rootkits hadn't merged with the kernel yet.
Jamie Butler: I am not sure of the exact time frame that I learned about rootkits. I guess I knew of their existence since the early UNIX Trojan system file replacements. However, I did not become active in the research until 2001 when I was working on my Master's degree. At that time, I was looking for modifications to the operating system in memory used to hide things. After that research, I realized that you could alter data structures directly in kernel memory to hide without modifying any operating system code. That is what the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise.
It's 2005 and the first book on Windows rootkits has hit the market. Why did it take so long? Was all this time needed by the community to reverse-engineer Windows internals?
Greg Hoglund: All the time wasn't really needed, it is just that no one talked about what they knew. If you had a good trick, the last thing you wanted to do was tell everyone about it so it could get fixed. Rootkits are only as good as the tricks they use. Being in the kernel lets you perform a lot more tricks. And, by the way, the system modifications used by rootkits aren't new at all. Viruses were hooking the interrupt table in '86.
Jamie Butler: The technology that rootkits use is no different than any other device driver. The fundamental information about the operating system needed to write a rootkit has been documented in many books. The Windows Internals books from Solomon and Russinovich, the Undocumented Windows 2000 Secrets book by Schreiber, and the Windows NT/2000 Native API Reference by Nebbett are invaluable resources. Greg and I just use this knowledge, build upon it, and show how an attacker might use it for malicious purposes.
How much is the development of a rootkit influenced by OS source code unavailability?
Jamie Butler: Well, I think the fact that the source code is unavailable for the most part makes the rootkit game that much more challenging. However, source code for operating systems of the LINUX variant does exist, but rootkits are developed for LINUX too. The *NIX rootkits have not advanced as quickly as their Windows counterparts, I would argue. No one wants to play tic-tac-toe. A game of chess is so much more fulfilling.
Is this rapid change happening because of the market share of Windows, or because it's a better platform for development of... rootkits?
Jamie Butler: Market share does play a big part. If an attacker writes a Windows rootkit, it can run on the majority of computers in use. Also, homogeneous computer systems make writing rootkits and exploits a lot easier. If the systems are relatively the same, the rootkit developer does not have to alter his or her code.
There are multiple versions of Windows, multiple localized versions, and an infinite number of possible patch levels. How does a rootkit developer address this moving target?
Jamie Butler: Yes, for an attacker that is writing shellcode for a buffer or heap overflow, these different versions of Windows present a challenge; however, for the most part, in the kernel things behave relatively the same. Once I write code for Windows NT 4.0, it only takes a few minutes to have that ported over to 2000, XP, and 2003. Under the covers, they are very similar.
Does this mean that automatic tools such as worms could install rootkits without a manual per-host setup?
Jamie Butler: Well, that depends. It is possible to write a universal rootkit that runs on all versions of the Windows server family such as NT, 2000, XP, 2003. Notice it is possible but requires careful consideration and programming by the attacker. When you start adding third-party software such as anti-virus and personal firewall products, the attacker's job becomes more difficult because these types of protection software also alter the kernel.