Browse archive

Latest news

Experts highlight top data breach vulnerabilities

Review: Logging and Log Management

Commission wants to minimize U.S. IP theft economic impact

NYPD detective accused of hiring email hackers

Why BYOx is the next big concern of CISOs

Free tool repairs critical Windows configuration vulnerabilities

Guantanamo cuts off Wi-Fi access due to OpGTMO

IT pros focus on cloud security, not hype

Blue Coat to acquire Solera Networks

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

Find TrueCrypt and BitLocker encrypted containers and images

The CSO perspective on healthcare security and compliance

Hacking charge stations for electric cars

Rootkit Evolution

by Alisa Shevchenko - Virus analyst, Kaspersky Lab - Monday, 1 September 2008.

Stealth viruses

DOS stealth viruses appeared around 1990; at the same time, if not slightly earlier, than UNIX rootkits. Unlike UNIX rootkits, which were designed to enable the authors to gain access to the system and mask their presence within it, DOS stealth viruses simply hid themselves from the user and AV programs. This is exactly what modern Windows rootkits do. The techniques used by DOS stealth viruses are very similar to the ones used by Windows rootkits today. For instance, stealth viruses rely on techniques such as intercepting system calls and masking the malicious code by serving false data on disk or memory content. Windows rootkits also use these techniques extensively.

Windows rootkits appeared about 10 years later. Rather than naming these new programs stealth viruses, or some other more logical name, they became known as rootkits, thanks to Greg Hoglund. He was one of the first to build a tool designed to hide data in the system by combining various techniques for evading system protection features in Windows. He published his results in the e-magazine PHRACK (http://phrack.org/issues.html?issue=55&id=5#article) where the tool was named NT Rootkit. It went on to be used in many pieces of malware; in fact, NT Rootkit continues to intrigue and inspire both researchers and rootkit authors to this day.

Origins and popularization

Hoglund’s article is dated 1999, and based on research into the Windows kernel conducted the previous year and published on Usenet by a programmer from Sri Lanka. Back in 1995, Jeffrey Richter, a Windows programming guru, disclosed techniques for intercepting system calls in user mode in his famous book "Advanced Windows" and its fourth edition, which was called "Programming Applications for Microsoft Windows". These techniques were later implemented in many rootkits, which even went as far as to copy source code directly from the book.

Techniques for intercepting system calls in kernel mode were disclosed publicly in two other classic programming manuals: Schreiber’s “Undocumented Windows 2000 Secrets", published in 2001, and "Undocumented Windows NT" by P. Dabak et al, 1999.

The first Windows rootkits

Researchers continued to investigate Windows system protection, and soon after NTRootkit was released several other tools appeared, all designed to hide objects in the operating system:

2000 – he4hook, designed by a Russian programmer. The tool is not malicious, but it does hide files. It works in kernel mode. Interestingly, even the author doesn't call this program a rootkit.
2002 – Hacker Defender (aka HacDef). This is also just a tool, but a more powerful one: it can be used to hide files, processes and registry keys with flexible settings in the configuration file. It also works in kernel mode.
2003 – Vanquish. This tool can be used to hide files, directories and registry keys. Moreover, it has a malicious payload – it log passwords. Vanquish works in user mode.