Rootkit Evolution
by Alisa Shevchenko - Virus analyst, Kaspersky Lab - Monday, 1 September 2008.
Origins and popularization

Hoglund’s article is dated 1999, and based on research into the Windows kernel conducted the previous year and published on Usenet by a programmer from Sri Lanka. Back in 1995, Jeffrey Richter, a Windows programming guru, disclosed techniques for intercepting system calls in user mode in his famous book "Advanced Windows" and its fourth edition, which was called "Programming Applications for Microsoft Windows". These techniques were later implemented in many rootkits, which even went as far as to copy source code directly from the book.

Techniques for intercepting system calls in kernel mode were disclosed publicly in two other classic programming manuals: Schreiber's "Undocumented Windows 2000 Secrets", published in 2001, and "Undocumented Windows NT" by P. Dabak et al., 1999.

The first Windows rootkits

Researchers continued to investigate Windows system protection, and soon after NTRootkit was released several other tools appeared, all designed to hide objects in the operating system:
  • 2000 – he4hook, designed by a Russian programmer. The tool is not malicious, but it does hide files. It works in kernel mode. Interestingly, even the author doesn't call this program a rootkit.
  • 2002 – Hacker Defender (aka HacDef). This is also just a tool, but a more powerful one: it can be used to hide files, processes and registry keys with flexible settings in the configuration file. It also works in kernel mode.
  • 2003 – Vanquish. This tool can be used to hide files, directories and registry keys. Moreover, it has a malicious payload – it logs passwords. Vanquish works in user mode.

It is immediately clear that the direction of research into such issues was changing, with the focus moving from neutral tools to tools designed with ulterior motives, including malicious ones.
  • 2003 – Haxdoor (aka A-311 Death and Nuclear Grabber, a modified variant of the same program). This is already more than a tool – it is a backdoor that uses rootkit techniques to conceal its presence in the system. It works primarily in user mode.
  • 2004 – FU – a tool to conceal processes. This tool introduces a new technique based on modifying the system structure itself, rather than modifying access to the system. It works in kernel mode.
The list above is not exhaustive, but it includes the rootkits which are key to understanding the evolution of Windows rootkits, especially HacDef, Haxdoor and FU. These three rootkits were commonly found in the wild in tandem with other malware. Rootkits from 2000 – 2004 fit neatly into the standard (now outmoded) classification system: they function either at user level or at kernel level, and hide objects by using either Execution Path Modification or Direct Kernel Object Manipulation.
