SecurityFocus, 2003-03-05
Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning.
Mertens didn't know it at the time, but the university network had been compromised, and the mysterious crashes were actually a lucky break -- they gave away the presence of an until-then unknown tool that can render an intruder nearly undetectable on a hacked system. The tool, now dubbed "Slanret," "IERK," and "Backdoor-ALI" by anti-virus vendors, is what experts call a rare example of a Windows "root kit" -- an assembly of programs that subverts the Windows operating system at the lowest levels and, once in place, cannot be detected by conventional means.
Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system. Conventional backdoors like
In contrast, a root kit hooks itself into the operating system's Application Programming Interface (API), where it intercepts the system calls that other programs use to perform basic functions, like accessing files on the computer's hard drive. The root kit is the man-in-the-middle, squatting between the operating system and the programs that rely on it, deciding what those programs can see and do.
It uses that position to hide itself. If an application tries to list the contents of a directory containing one of the root kit's files, the malware will censor the filename from the list. It'll do the same thing with the system registry and the process list. It will also hide anything else the hacker controlling it wants hidden -- mp3s, password lists, a DivX of the last Star Trek movie. As long as it fits on the hard drive, the hidden cargo doesn't have to be small or unobtrusive to be completely cloaked.
Slanret is technically just one component of a root kit. It comes with a straightforward backdoor program: a 27 kilobyte server called "Krei" that listens on an open port and grants the hacker remote access to the system. The Slanret component is a seven kilobyte cloaking routine that burrows into the system as a device driver, then accepts commands from the server instructing it on what files or processes to conceal. "The stealth driver in my mind is the scary concept," says Mertens. "You can hide an elephant with it."
Root kits are old hat in the Unix and Linux world, but are rarely found on hacked Windows hosts. "They're a scary thing," says Marc Maiffret, chief hacking officer at California-based security software-maker eEye. "In Unix that's been going on for ages, but the backdoors for Windows NT have always been trivial. I've always wondered why this isn't happening."
Cloaking Device Driver
Greg Hoglund, a California computer security consultant, believes intruders have been using Windows root kits covertly for years. He says the paucity of kits captured in the wild is a reflection of their effectiveness -- not slow adoption by hackers. "It's happening now," says Hoglund. "People don't realize that it's happening, but in the next two or three years we're going to see a lot more of this activity."
If there's an authority on Windows root kits, it's Hoglund -- he's been sounding the alarm about their malicious potential since 1999, when, as a proof of concept, he wrote one himself called "NT Rootkit." Since then he's collected and analyzed three others: "null.sys," "HE4Hook," and a kit called "Hacker Defender," all of which he makes available on his Web site,
"For all of those, I'm absolutely, one hundred percent positive that there's probably ten more that we haven't seen publicly," says Hoglund. The skills to write a kernel mode Trojan are not beyond the reach of the average programmer, he says; last month Hoglund taught a
Once Slanret is installed on a hacked machine, anti-virus software won't pick it up in a normal disk scan. That said, the program is not an exploit -- intruders have to gain access to the computer through some other means before planting the program.
Despite their increasingly sophisticated design, the current crop of Windows root kits is generally not completely undetectable, and Slanret is no exception. Because it relies on a device driver, booting in "safe mode" will disable its cloaking mechanism, rendering its files visible. And in what appears to be an oversight by the kit's author, the device driver "ierk8243.sys" is visible on the list of installed drivers under Windows 2000 and XP, according to
Hoglund says future Windows root kits won't suffer from Slanret's limitations. And while he says the risk can be reduced with smart security policies -- accept only digitally-signed device drivers, for one -- ultimately, he worries the technique may find its way into self-propagating malicious code. "My street knowledge, my gut feel, is there are probably already worms or viruses doing this now," he says. "We just haven't seen them."
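The two defensive observations above (a cloaking driver that still shows up in the installed-driver list while its file is hidden from directory enumeration, and the advice to accept only digitally signed drivers) can be turned into a routine cross-view check. The script below is an added example, not code from the article or from any of the tools it names; it assumes a modern Windows host with PowerShell, the Win32_SystemDriver CIM class and Get-AuthenticodeSignature available.

```powershell
# Added example: cross-view check of running kernel drivers.
# For each driver the service database reports as running, confirm that
# (1) directory enumeration of its folder actually returns the image file
#     (a cloaking driver filters exactly this listing), and
# (2) the image carries a valid Authenticode signature.
function Resolve-DriverImagePath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                  # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot # "\SystemRoot\system32\..." form
    if ($p -notmatch '^[A-Za-z]:\\') {                # bare "system32\drivers\x.sys" form
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspiciousDriver {
    $findings = @()
    $running = Get-CimInstance -ClassName Win32_SystemDriver |
               Where-Object { $_.State -eq 'Running' }
    foreach ($d in $running) {
        $path = Resolve-DriverImagePath $d.PathName
        if (-not $path) { continue }
        $dir  = Split-Path $path -Parent
        $leaf = Split-Path $path -Leaf
        # Cross-view: the driver list names this file, but does a directory
        # listing (the call a root kit hooks to censor filenames) return it?
        $visible = [bool](Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                          Where-Object { $_.Name -ieq $leaf })
        $sig = 'NotChecked'
        if ($visible) {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        if (-not $visible -or $sig -ne 'Valid') {
            $findings += [pscustomobject]@{
                Driver    = $d.Name
                Path      = $path
                Visible   = $visible   # $false: file hidden from enumeration
                Signature = $sig       # anything but 'Valid' merits a look
            }
        }
    }
    return $findings
}

Get-SuspiciousDriver | Format-Table -AutoSize
```

A driver reported as running whose file does not appear in the listing, or whose signature is not Valid, is a candidate for offline inspection (for example from safe mode, where the article notes the cloaking driver is not loaded).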