Mount a Rootkit Defense

This article examines the growing trend of rootkits and the risk they pose to enterprise networks. It analyses in detail how the two main types of rootkit, user mode and kernel mode, work, and offers detection and prevention measures.
According to a McAfee Avert labs report, there has been a 700 percent increase in rootkit infections in the first quarter of 2006 when compared with the first quarter of 2005 (Hines, 2006). The stealth characteristics of rootkit programs are the perfect solution for the new breed of attacker who is out to steal identities or intellectual property so he can make a profit. This means that your business might be at increased risk from threats you probably don't even know exist on your network.

In this article, I take a high-level look at how rootkits work, the challenges businesses face if infected by one or more rootkit-enabled applications, and what businesses can do to protect themselves.

What are rootkits?
The first rootkits were developed for Unix systems. Named for the "root" level of access, they were used to gain administrative control over a system. Rootkits moved to the next logical platform, Linux, and then to Windows. Today, Windows is by far the preferred attack target for rootkit developers.

Rootkits typically find their way onto end user devices through email, instant messaging, and spyware pathways. They infect a system by hiding themselves from any effort by the operating system (OS) to manage them. This is possible because rootkits either replace or attach themselves to system components. They then intercept calls made to the OS for services and execute the attacker's code instead. For a better idea about the variety of rootkits and their impact on business networks, visit http://rootkit.com.

There are two basic types of rootkits: user mode and kernel mode. User mode rootkits typically work through the API functions, altering the path that calls take on their way to executables. The advantage of user mode rootkits is the ease with which they can be created. Their disadvantage lies at the heart of why attackers use rootkits: user mode rootkits are somewhat ineffective at masking their activity.

Kernel mode rootkits are more difficult to develop, but they are far superior when it comes to hiding evidence of their existence. Instead of using APIs, this type of rootkit usually exploits undocumented OS structures.
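The hooking mechanism described above is also what a defender looks for. Below is an added example, not code from the original article or from any tool it names, showing how a user-mode hook scanner classifies the first bytes of an API entry point: a clean function starts with the usual Windows prologue, while a hook overwrites those bytes with a jump or push/ret trampoline that diverts the call elsewhere. The module name, addresses and byte strings are constructed for the demonstration; a real scanner reads them from process memory and compares them with the on-disk copy of the module. Applying the same comparison to kernel memory (service tables, driver entry points) is how scanners look for kernel-mode patches, which this user-mode snippet does not cover.

```python
import struct

# The hot-patchable prologue many Windows API entry points begin with:
# mov edi,edi ; push ebp ; mov ebp,esp. Everything here assumes 32-bit x86.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def classify_prologue(code: bytes, base: int) -> dict:
    """Classify the first bytes of a function that lives at virtual address `base`.

    Returns {"hooked": bool, "kind": str, "target": int or None}. For a
    `jmp rel32` / `jmp rel8` the target is where control lands; for
    `jmp [abs32]` it is the address of the pointer that holds the real
    target (a live scanner would dereference it)."""
    if code[:5] == CLEAN_PROLOGUE:
        return {"hooked": False, "kind": "clean", "target": None}
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"hooked": True, "kind": "jmp rel32",
                "target": (base + 5 + rel) & 0xFFFFFFFF}
    if len(code) >= 6 and code[:2] == b"\xFF\x25":              # jmp dword ptr [abs32]
        return {"hooked": True, "kind": "jmp [abs32]",
                "target": struct.unpack_from("<I", code, 2)[0]}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret
        return {"hooked": True, "kind": "push/ret",
                "target": struct.unpack_from("<I", code, 1)[0]}
    if len(code) >= 2 and code[0] == 0xEB:                      # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return {"hooked": True, "kind": "jmp rel8",
                "target": (base + 2 + rel) & 0xFFFFFFFF}
    # Neither a known trampoline nor the expected prologue: a scanner would
    # fall back to comparing these bytes with the on-disk image before deciding.
    return {"hooked": False, "kind": "unrecognised", "target": None}


def scan_exports(exports: dict, module_ranges: dict) -> list:
    """Return (name, kind, target, outside_module) for every export whose
    prologue is a trampoline. `exports` maps name -> (module, base, bytes);
    `module_ranges` maps module -> (start, end). A target outside the owning
    module is the classic sign of injected hook code."""
    findings = []
    for name, (module, base, code) in exports.items():
        info = classify_prologue(code, base)
        if not info["hooked"]:
            continue
        start, end = module_ranges[module]
        outside = not (start <= info["target"] < end)
        findings.append((name, info["kind"], info["target"], outside))
    return findings


# Constructed sample (hypothetical addresses and bytes, not taken from a real
# system): one clean export and two hooked ones in a fake kernel32.dll range.
SAMPLE_MODULES = {"kernel32.dll": (0x7C800000, 0x7C8F6000)}
HOOK_TARGET = 0x00403000   # made-up address of injected hook code
SAMPLE_EXPORTS = {
    "FindFirstFileW": ("kernel32.dll", 0x7C80EE64, bytes.fromhex("8BFF558BEC83EC1C")),
    # jmp rel32 whose displacement is computed so that it lands on HOOK_TARGET
    "FindNextFileW": ("kernel32.dll", 0x7C80EF3F,
                      b"\xE9" + struct.pack("<i", HOOK_TARGET - (0x7C80EF3F + 5)) + b"\x90\x90\x90"),
    # push 0x00402000 ; ret
    "CreateProcessW": ("kernel32.dll", 0x7C802367, bytes.fromhex("6800204000C3")),
}

if __name__ == "__main__":
    for name, kind, target, outside in scan_exports(SAMPLE_EXPORTS, SAMPLE_MODULES):
        where = "OUTSIDE owning module" if outside else "inside owning module"
        print(f"{name}: {kind} -> {target:#010x} ({where})")
```

The check is deliberately conservative: a trampoline whose target stays inside the owning module is reported but flagged differently, because legitimate hot patching and export forwarding produce that pattern too, whereas a jump out of the module into anonymous memory is what a hook scanner escalates.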

Before we move on, it's important to mention the VM proof-of-concept rootkit developed at the University of Michigan. Known as SubVirt, it installs underneath a Windows or Linux installation. Once this happens, no scanning engine can find it. There are some problems with getting SubVirt onto most VM instances. Let's hope this delays widespread use of this malware until we have some effective way of dealing with it.

The potential impact of rootkits on your business
Rootkits are used to collect information and send it "home" to the attacker's system. They can also recruit endpoint devices into a botnet. These actions expose your network and your business to the following:
  • Unauthorized access to sensitive information. Once a rootkit is installed on a system, data passing through, stored, or accessible from that system is vulnerable to attack.
  • Actions, including typing, are monitored. One popular rootkit application is keystroke logging. User IDs, passwords, Social Security numbers, banking information, etc. are compromised.
  • Infected systems usually communicate with the attacker's systems. This can result in your network being part of a Distributed Denial of Service attack against your network or other networks attached to the Internet.
  • Any information collected is typically sent to one or more servers for direct use by the attacker, or for the attacker to sell to one of the growing organized cybercrime groups.


Rootkit defense
Rootkits are hard to defend against and even harder to locate once installed, but there are things you can do to reduce the risk of infection.
  • Use updated anti-virus software.
  • Control malware entry into your network, including spyware, by deploying anti-malware solutions at your perimeter. Examples include
    • spyware and virus filtering of email BEFORE it gets to your email servers
    • control over who uses instant messaging
    • filtering of instant messages for malware
    • blocking employee access to web sites known to distribute malware
  • Use personal firewall and host intrusion prevention software on your endpoint devices.
  • Ensure all endpoint devices are properly patched.
  • Cooperate with law enforcement agencies to help prosecute creators and distributors of rootkits.
  • Deploy network intrusion detection and intrusion prevention solutions to detect the characteristic behavior of various types of rootkit attacks, and potentially block that behavior automatically.

This is a pretty good list of detection and prevention measures, but once systems are infected, it's difficult to remove the offending software. Although most if not all anti-virus vendors are making progress in this area, there are vendors with products specifically designed to remove rootkits. These include:

  • RootkitRevealer (free but effective)
  • F-Secure BlackLight
  • Rootkit Hook Analyzer
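Tools such as RootkitRevealer work by cross-view detection: they enumerate the file system and registry once through the normal Windows API and once by reading the raw volume or hive directly, then report anything the low-level scan sees that the high-level scan does not. The snippet below is an added example of that comparison written for this article, not code from the article or from any of the products listed. The directory listings are constructed, and the example handles the usual false positive of this approach, a file created or deleted between the two scans, by only confirming items that are hidden in every scan round.

```python
from typing import Iterable, List, Tuple


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> dict:
    """Compare the high-level (API) view with the low-level (raw) view of
    the same directory, registry key or process table.

    "hidden":  seen by the raw scan but not by the API, i.e. something is
               filtering the OS's answer (the rootkit symptom).
    "phantom": reported by the API but absent from the raw scan, usually a
               file deleted between the two scans, not a rootkit."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def confirmed_hidden(rounds: List[Tuple[Iterable[str], Iterable[str]]]) -> List[str]:
    """Run the diff over several scan rounds and keep only the names that
    were hidden in every round. A file created by a legitimate process
    between the API pass and the raw pass of one round shows up as hidden
    once; a genuinely filtered file shows up every time."""
    surviving = None
    for api_view, raw_view in rounds:
        hidden = set(cross_view_diff(api_view, raw_view)["hidden"])
        surviving = hidden if surviving is None else surviving & hidden
    return sorted(surviving or [])


# Constructed sample: two rounds of scanning the same directory. The names
# are made up for the demonstration; "hidden_driver.sys" stands in for a
# file the rootkit filters out of directory listings, "spool.tmp" for a
# short-lived file that happened to exist during round 1's raw pass, and
# "temp.log" for a file deleted between round 1's API and raw passes.
SAMPLE_ROUNDS = [
    (  # round 1: API view, then raw view
        ["boot.ini", "ntldr", "pagefile.sys", "temp.log"],
        ["boot.ini", "ntldr", "pagefile.sys", "hidden_driver.sys", "spool.tmp"],
    ),
    (  # round 2, taken a moment later
        ["boot.ini", "ntldr", "pagefile.sys"],
        ["boot.ini", "ntldr", "pagefile.sys", "hidden_driver.sys"],
    ),
]

if __name__ == "__main__":
    for i, (api_view, raw_view) in enumerate(SAMPLE_ROUNDS, 1):
        print(f"round {i}: {cross_view_diff(api_view, raw_view)}")
    print("confirmed hidden:", confirmed_hidden(SAMPLE_ROUNDS))
```

The same two functions apply to any pair of views, for instance a process list from the task-management API against one built by walking kernel structures, which is why cross-view scanners can catch both user-mode and kernel-mode filtering as long as the low-level view is obtained without going through the hooked path.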

In closing this section, it's important to note that there's one school of thought that believes that the only way to cleanse a system of a rootkit is to erase the hard drive and rebuild the system. Since many rootkits, like many spyware applications, have the ability to reinstall from the home system, you might want to consider this. My position is one of moderation. If you find a rootkit on a highly sensitive system, I strongly recommend a rebuild. In other cases, you'll have to make the call based on the circumstances.

In either case, make sure you watch the system and the network closely to ensure your actions successfully neutralize the threat.

Conclusion
Rootkit attacks are growing in number, and the purpose of these attacks isn't to gain acceptance among the corps of malicious hackers. Instead, rootkit-enabled applications are deployed to steal information to make a profit. Traditional anti-virus approaches are only partially effective in mounting a defense. Take the next step and deploy the technology you need to detect both the rootkits themselves and the footprints they leave on your network and endpoint devices.