Adventures of the White Rabbit
tibbar
The world of malware and rootkits has evolved a lot over the last two years; the most significant developments have been in the sophistication of rootkits.

In case the term "rootkit" doesn't mean much, a rootkit is basically a program that subverts the operating system and allows the attacker to hide certain files and programs from the user. It usually will also provide a hidden backdoor into the system, and will hide network connections made through the backdoor from the user.

Windows rootkits have generally been split between "usermode" rootkits, which run as a normal application (or possibly as an injected dll), and "kernelmode" rootkits, which are actually device drivers running at the highest privilege level (ring 0).

Now generally, the kernel mode rootkits will hide files, hide network connections, and the most sophisticated ones will provide a kernel mode backdoor. This means all the functionality is held within a single driver (.sys file), and it is extremely difficult to detect whether one is installed on a machine.

However, the attacker will rarely be able to provide all the functionality they need purely in a driver, and still needs to rely on usermode applications for things like ftp servers, irc bots etc...

So I thought it would be interesting to see how hard it is to actually provide this part of the attacker's toolkit directly within the kernel mode driver.

One of the developers from rootkit.com called Valerino released a kernel mode socket library that allows you to create sockets from a kernel mode driver with reasonable ease. His post is here:
http://www.rootkit.com/newsread.php?newsid=416

I have used this library to create what I believe is the world's first kernel mode ircbot. It's extremely basic in its current form and will just join a channel and respond to its name. But it is a framework that can be built upon, and you could in theory write an extremely complex ircbot in this fashion.

Here's a screenshot of the Sysinternals app "DebugView", which allows you to see kernel messages. I have set the ircbot to output text received on irc into the debug messages:

[Screenshot: DebugView showing the bot's kernel debug output; image not preserved]

As I have very limited time for development, I thought I would share this one with the world... the source lives at:
http://tibbar.gso.googlepages.com/KIrcBot.rar
and I have set this up in Visual Studio 2003. There are two build modes: usermode and kernelmode.

I essentially wrapped up the kernel socket functions Valerino wrote to conform with Berkeley sockets to some extent, which meant that the irc bot can be compiled either as a driver or as a usermode executable. The reason for doing this is that it is notoriously hard to develop kernel mode applications and the test process is very slow; by allowing usermode builds, the code can be perfected in usermode before beginning the kernel mode tests.

If you want to compile using the DDK, the batch file should be used.
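The point above that matters most to a defender is that a bot living in a driver has no owning process and that a rootkit hides the connections of whatever it protects, so the host's own connection table cannot be trusted. The classic answer is a cross-view check: compare what the host reports about itself with what a vantage point the rootkit cannot reach (a gateway, a span port, a firewall log) saw for that host. The script below is an added example written for this post; it is not part of the KIrcBot source and is not code by the author. The netstat-style listing and the gateway log are constructed samples using documentation IP ranges, and the function names (`parse_netstat`, `parse_gateway_log`, `hidden_connections`, `find_hidden`) are the example's own.

```python
"""Cross-view detection of network connections hidden from the host's own view.

Inside view : what the host reports about itself (netstat -ano style lines:
              proto, local, remote, [state], owning PID).
Outside view: what a gateway or firewall logged for that host's address.
A connection the outside world observed but the host does not attribute to
any process is the signature of a socket the host is not showing us, which is
what a kernel-resident bot or a rootkit hiding a user-mode bot would produce.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str   # "TCP" or "UDP"
    local: str   # "ip:port" as the host itself sees it
    remote: str  # "ip:port" of the peer


# Constructed sample: the host's own (possibly subverted) view.
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1044        198.51.100.5:80        ESTABLISHED     1520
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  UDP    192.0.2.10:137         *:*                                    4
"""

# Constructed sample: what the gateway logged, as "proto src:port dst:port".
GATEWAY_LOG = """
TCP 192.0.2.10:1044 198.51.100.5:80
TCP 192.0.2.10:1061 203.0.113.7:6667
TCP 192.0.2.20:1100 198.51.100.5:80
"""


def parse_netstat(text):
    """Return {Conn: pid} from netstat -ano style output (constructed format)."""
    view = {}
    for line in text.splitlines():
        parts = line.split()
        # Data lines start with the protocol; the header and blank lines do not.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        pid = int(parts[-1])  # PID is always the last column
        view[Conn(proto, local, remote)] = pid
    return view


def parse_gateway_log(text, host_ip):
    """Return the set of Conn the outside vantage point saw originating from host_ip."""
    seen = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, src, dst = parts
        if src.rsplit(":", 1)[0] == host_ip:
            seen.add(Conn(proto, src, dst))
    return seen


def hidden_connections(inside, outside):
    """Connections seen from outside that the host does not report at all."""
    missing = outside - set(inside)
    return sorted(missing, key=lambda c: (c.proto, c.local, c.remote))


def find_hidden(netstat_text, gateway_text, host_ip):
    """Convenience wrapper: parse both views and return the discrepancies."""
    inside = parse_netstat(netstat_text)
    outside = parse_gateway_log(gateway_text, host_ip)
    return hidden_connections(inside, outside)


if __name__ == "__main__":
    for conn in find_hidden(NETSTAT, GATEWAY_LOG, "192.0.2.10"):
        print(f"HIDDEN: {conn.proto} {conn.local} -> {conn.remote} (no owning process reported)")
```

Two caveats apply in practice. The outside view must be captured where the host's own addresses are still visible (before NAT rewrites the source port), and a short-lived connection can legitimately appear in one view and not the other because the two snapshots were not taken at the same instant; repeat the comparison and treat a persistent discrepancy, especially to a port such as 6667 with no process ever claiming it, as the finding. The check reports that something is hidden, not how; confirming a driver-resident socket still needs offline analysis of the loaded drivers.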
Finally, if you want to support my releases, then I would be grateful if you could take some time to visit any sponsors on this page that are of interest to you.

Tibbar.

Comments (25)
SpannerITWks (Visitor), 2006-04-07 @ 13:44:07
Hi, Well this should quieten down those peeps who say RK's are not a real threat and we can all just ignore them. Here's more evidence - Malware Evolution: 2005, part two by Yury Mashevsky, Virus Analyst, Kaspersky Lab: "An average of 6 rootkits per month were detected in 2000, but by the end of 2005, Kaspersky Lab analysts were detecting 32 such programs a month. This almost quadruple increase is shown in the graph below:" "Throughout last year, kernel-mode rootkits gradually gained in popularity over user-mode rootkits" http://www.viruslist.com/en/analysis?pubid=182974451
Spanner
rootkits-pour-windows
Panic (Visitor), http://www.egocrew.de, 2006-04-07 @ 22:23:13
Nice article, I will now check your source. Well, this is the next generation, I guess....
Steo (Visitor), http://www.antirootkit.com, 2006-04-13 @ 18:26:11
Tibbar,
nice article. Will have a good look at it. Thanks,
regards
Steo.
Reply, 2008-02-21 @ 09:33:00
"Windows rootkits have been generally mixed between "usermode" rootkits - these are ones that run as a normal application (or possibly as an injected dll) and "kernelmode" rootkits, which are actually device drivers running at the highest priviledge level (ring 0)..."
"I essentially wrapped up the kernel socket functions Valerino wrote, to conform with Berkley sockets to some extent, which meant that the Irc bot can be compiled as a driver, or as a usermode executable. The reason for doing this, is that it is notoriously hard to develop buy cialis kernel mode applications and the test process is very slow - by allowing usermode builds, the code can be perfected in usermode, before beginning the kernel mode tests."
lol
DefconHaya (Visitor), http://footmenfrenzy.blogspot.com/, 2006-04-14 @ 13:48:47
Very interesting !
Let's just hope that kernel-mode RK's doesn't become so popular.
Good Luck !
flykoo (Visitor), http://www.flykoo.com, 2006-11-02 @ 17:14:12
Regards
flykoo
mugg (Visitor), 2007-03-09 @ 22:05:59
What's up with the 'build -D KERNELMODE' line in the batch file. DDK no likey:
BUILD: Done
Khamis (Visitor), http://to0.net/uae/games/, 2007-03-30 @ 10:43:46
thank you
xavier (Visitor), http://monguide.mine.nu, 2007-04-02 @ 12:52:12
http://www.google.com/search?hl=en&q=Windows+rootkits&btnG=Google+Search
Cheers
Mike (Visitor), http://www.discount-cutlery.info, 2007-06-10 @ 08:29:19
Cool site.
Roulette Killer
Very cool Blog you have here, keep it up.
Thanks,
B
KVK (Visitor), http://kvk.110mb.com, 2007-10-06 @ 11:54:37
Congratulations a good site!!! Thanks. Please try site with free online games and earn money and prizes.
F0rg3 (Visitor), 2007-10-13 @ 20:38:21
Nice info.. but I would like you to re-upload the source as it is no more available where you put it.. please kindly use rapidshare or megaupload and if you need an account.. pm me. ok?
Cheers
東京 デリヘル (Visitor), http://www.fuzoku-annai1.com, 2007-11-13 @ 01:37:05
Great site
大阪 デリヘル (Visitor), http://www.fuzoku-annai.com, 2007-11-13 @ 01:38:21
Thank you
An (Visitor), http://inacura.channelflow.org/, 2007-12-15 @ 23:33:01
[...]The world of malware and rootkits has evolved a lot over the last two years, the most significant developments have been in the sophistication of rootkits.[...]
daihatsu
fanni (Visitor), http://www.my-batteries.co.uk, 2008-03-07 @ 08:12:36
Very interesting! Will have a good look at it. Let's just hope that kernel-mode RK's doesn't become so popular.
Good Luck