A European researcher has created a rootkit that can evade
detection in Windows 7 and Windows Server 2008 machines and reset
user passwords.
The rootkit, created by Csaba Barta during the past two-and-a-half
years, was initially a project meant for training purposes. But
Barta, a security expert for Deloitte in Hungary who works on
penetration testing and forensic cases, says he eventually
discovered he could perform new types of attacks with the rootkit,
which he plans to deliver to antivirus firms as well as to the
International Council of E-Commerce Consultants (EC-Council) for
its certified hacker training program.
Barta demonstrated the rootkit for the first time at the recent
Hacker Halted conferences in Miami and Cairo. One particularly
powerful module of the rootkit is based on the concept of a
so-called cached data attack, which had previously been explored by
researcher Brendan Dolan-Gavitt, who looked at how Windows handles
the registry in memory and how a forensic investigator can extract it
from a physical memory image, according to Barta.
The cached data attack has to do with how the OS caches data in
physical memory. It lets an attacker clear and reset passwords in
memory without being detected by the operating system, for example.
"After some research on this subject, I ended up with a different
solution that allowed the rootkit to temporarily blank the password
hash even when the user is logged on. According to my knowledge,
the technique mentioned in [Dolan-Gavitt's] article was to modify
one specific instance of the hash and after that the user had to do
a logout/login in order for the OS to use the new hash," Barta
says. "The cached data attack is an attack that is based on the
fact that the OS caches data in physical memory in order to use it.
If you are able to modify this data you are able to fool the OS to
use the modified data."
Barta's rootkit works on most 32-bit versions of Windows, and its
ability to steal user privileges on the fly is especially useful,
he says. "[You can] start processes on behalf of them without being
noticed, even if detailed process tracking is turned on," Barta
says.
It also hides files and directories, performs keyboard logging, and
can temporarily "blank" a local user's password even while that user
is logged in.
"On one side we are very proud of Csaba's results, but on the other
hand it is sad evidence of the fact that there are hidden attacks
that surface all the time," says Sean Lim, vice president of the
EC-Council. "We plan to incorporate the rootkit in the CEHv7
Training Material to make our students aware of the risks."
Barta says he will try to ensure that AV companies include the
rootkit in their scanning databases before he releases the binaries
in the CEHv7 training material.
Why the special attention to this particular rootkit? "There are
rootkits embedded in malware, but the functionality of them is
limited to certain functions," he says.
Even so, rootkits take expertise to pull off. New 64-bit versions
of Windows that digitally sign drivers make it more difficult to
plant a rootkit in the kernel, Barta notes. "One [needs] really
strong basics in using tools, such as a kernel debugger and
programming languages like assembly and C, in order to start the
implementation [as well]," he says. The attacker first must gain
administrative rights to the system, which means unleashing an
exploit, password-cracking, or socially engineering it, he
says.
Barta says he will continue to add features to his rootkit,
including network-layer functions. But don't look for him to
release the code itself -- he says he won't do that.
"Although developing a rootkit is considered old-school, I think
that it is really interesting. By doing it you can really
understand how an OS is working. It is also a very precious
knowledge in the field of computer forensics," he says.