I recently got into rootkit writing, and most of the work I've been doing has been rather similar to what seems to have been done by Sony.
I had an interesting discussion with a mentor of mine, where I asked him how come we hadn't seen more rootkits in the wild -- to which he said, that's because we haven't found them!
This is *absolutely* true... believe me, rootkits are designed not to be found, you won't see their files, their registry entries, or their processes. Even for someone well versed with rootkit technology, finding them can be very very difficult.
I figured I'd give a little intro to rootkit technology:
Basically, a rootkit is very different from a virus or worm, the key concept behind rootkits is stealth. They provide stealth features to various types of backdoors or any other code. So a worm writer might use a rootkit to *hide* his malicious code, but it's unlikely that the rootkit itself will do anything malicious, it merely provides the stealth capabilities to the backdoor.
Earlier one would consider a rootkit something as similar as say, a replacement to the 'login' binary, which will allow you in with root privs if you type in a hardcoded backdoor password. This modified binary would replace the originals. With the advent of Tripwire and similar, these are considered old news.
New rootkits are written as device drivers (in the Windows world) and as kernel modules (in the Linux world). Why is this important:
Basically, the x86 processor has a feature known as 'rings' which control the amount of privilege that code has.
We basically use two rings.. ring 0, and ring 3. Ring 3 is where all of us play -- it's known as userland... and all our code executes here, it doesn't talk directly to the hardware, it talks to Windows (that runs in ring 0) who in turn passes on our requests.
Now ring 0 is an extremely powerful place, device drivers run here, and when you run here, you are equal to the power of Windows -- and much more powerful than 'administrator'. At this level, you can change anything, hide anything, etc.
So the basic concept of a rootkit is, it will run in ring 0, and supposing you open task manager, it will intercept your query to see all running processes, filter out the processes it doesn't want you to see, and then return that information to Windows... so task manager is blind.. the same applies to a file on disk, when you open explorer, it asks windows for a list of all files in the directory. The rootkit intercepts this call, removes the files it wants to hide, and sends back the sanitized data.
In short, the kernel lies to you -- you can be administrator or whoever, you remain powerless, because you still run in ring 3!!
There are two basic ways a rootkit can work.
One is known as function hooking. Windows maintains a table of functions that perform various important tasks (such as showing you which files are on disk etc). The rootkit can come to this table, and replace an entry for any function with the address of it's own function... when you call that function, the rootkit's function executes and decides what you can see.
From what I got about the Sony rootkit, this is exactly what is happening, it's 'hooking' functions to hide processes and files. Sysinternal's rootkit revealer detected this because it tried to query a file on disk the 'normal' windows way, found it didn't exist, and then found the file existed when it queried the file through ring 0.
The other technology rootkits use (which IMHO is far scarier) is called DKOM or Direct Kernel Object Manipulation. In this case, the rootkit actually modifies Windows' internal kernel structures to hide what it wants. So if Windows internally maintains a list of processes, the rootkit will surgically remove it's processes from this list... this is much harder to detect as it is changing the 'state' of the kernel! The most famous rootkit of this type is the 'fu' rootkit, which is actually a marvel of the power of how easily the security of the Windows kernel can be subverted!
Oh yeah, if you're wondering whether your antivirus reliably detects rootkits, think again -- maybe the more common ones (such as Hacker Defender) will be detected, but chances are you won't get others caught (think about it, the antivirus runs in ring 3 -- and even if it runs in ring 0, the rootkit can look for it and intercept its calls first).
The goldmine repository for rootkit technology is
www.rootkit.com
, this is where most of the development goes on, and from where awareness about the technology (and its potential abuse) is spread. The guys at this site (especially Greg Hoglund) are among the smartest coders in this universe, and luckily -- they have a strong sense of ethics.
To summarize -- finding a rootkit on your system can be hard, even for someone intimately well versed with the technology. To the lay-person, it is virtually impossible.
Sony has absolutely no business bundling this sort of software. It's disgusting IMO.
Cheers,
