ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.
The ZeroAccess botnet was discovered at least around May 2011. The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems. Estimates of the botnet's size vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems. The bot itself
A core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally. In practice, other key pieces of program state are usually dumped at the same time, including the processor registers, which may include
a fatal exception in a program automatically triggers a core dump. By extension, the phrase "to dump core" has come to mean, in many cases, any fatal error, regardless of whether a record of the program memory exists. The term "core dump", "memory dump", or just "dump" has also become jargon to indicate any output of a large amount of raw data for further examination or other purposes. The name comes from magnetic-core memory,
a pay-per-click basis. The estimated profit for this activity may be as high as 100,000 US dollars per day, costing advertisers $900,000 a day in fraudulent clicks. Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers, giving it total control over the operating system. It also disables the Windows Security Center, Firewall, and Windows Defender from
a router, network card, hard drive, or the system BIOS. The rootkit hides in firmware, because firmware is not usually inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both ACPI firmware routines and in a PCI expansion card ROM. In October 2008, criminals tampered with European credit-card-reading machines before they were installed. The devices intercepted and transmitted credit card details via
a symbol table, if one exists, to help the programmer interpret dumps, identifying variables symbolically and displaying source code; if the symbol table is not available, less interpretation of the dump is possible, but there may still be enough information to determine the cause of the problem. There are also special-purpose tools called dump analyzers to analyze dumps. One popular tool, available on many operating systems,
a "perfect crime": one that nobody realizes has taken place. Rootkits also take a number of measures to ensure their survival against detection and "cleaning" by antivirus software, in addition to commonly installing into Ring 0 (kernel mode), where they have complete access to a system. These include polymorphism (changing so their "signature" is hard to detect), stealth techniques, regeneration, disabling or turning off anti-malware software, and not installing on virtual machines, where it may be easier for researchers to discover and analyze them. The fundamental problem with rootkit detection
a "rescue" CD-ROM or USB flash drive). The technique is effective because a rootkit cannot actively hide its presence if it is not running. The behavior-based approach to detecting rootkits attempts to infer the presence of a rootkit by looking for rootkit-like behavior. For example, by profiling a system, differences in the timing and frequency of API calls or in overall CPU utilization can be attributed to
a contiguous address space, so a dump file was sometimes simply a file with the sequence of bytes, digits, characters or words. On other early machines a dump file contained discrete records, each containing a storage address and the associated contents. On early machines, the dump was often written by a stand-alone dump program rather than by the application or the operating system. The IBSYS monitor for
a debugger on a process's memory contents. Core dumps can be used to capture data freed during dynamic memory allocation and may thus be used to retrieve information from a program that is no longer running. In the absence of an interactive debugger, the core dump may be used by an assiduous programmer to determine the error from direct examination. Snap dumps are sometimes a convenient way for applications to record quick and dirty debugging output. A core dump generally represents
a forensic examination performed. Lightweight operating systems such as Windows PE, Windows Recovery Console, Windows Recovery Environment, BartPE, or Live Distros can be used for this purpose, allowing the system to be "cleaned". Even if the type and nature of a rootkit is known, manual repair may be impractical, while re-installing the operating system and applications is safer, simpler and quicker. System hardening represents one of
a hypervisor-layer anti-rootkit called Hooksafe, which provides generic protection against kernel-mode rootkits. Windows 10 introduced a new feature called "Device Guard", which takes advantage of virtualization to provide independent external protection of an operating system against rootkit-type malware. A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as
a known "good" state on bootup. The PrivateCore implementation works in concert with Intel TXT and locks down server system interfaces to avoid potential bootkits and rootkits. Another defense mechanism, called the Virtual Wall (VTW) approach, serves as a lightweight hypervisor with rootkit detection and event tracing capabilities. In normal operation (guest mode), Linux runs, and when a loaded LKM violates security policies,
a mobile phone network. In March 2009, researchers Alfredo Ortega and Anibal Sacco published details of a BIOS-level Windows rootkit that was able to survive disk replacement and operating system re-installation. A few months later they learned that some laptops are sold with a legitimate rootkit, known as Absolute CompuTrace or Absolute LoJack for Laptops, preinstalled in many BIOS images. This
a music player but silently installed a rootkit which limited the user's ability to access the CD. Software engineer Mark Russinovich, who created the rootkit detection tool RootkitRevealer, discovered the rootkit on one of his computers. The ensuing scandal raised the public's awareness of rootkits. To cloak itself, the rootkit hid any file starting with "$sys$" from the user. Soon after Russinovich's report, malware appeared which took advantage of
a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of
a process address space may contain gaps, and it may share pages with other processes or files, so more elaborate representations are used; they may also include other information about the state of the program at the time of the dump. In Unix-like systems, core dumps generally use the standard executable image format: Microsoft Windows supports two memory dump formats, described below. There are five types of kernel-mode dumps: To analyze
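The ELF core layout referred to above is simple enough to walk by hand. The following is an added example, not code from the original page or from any project it mentions: it constructs a synthetic ELF64 core image, parses the program headers, decodes the PT_NOTE entries (where NT_PRSTATUS register state is carried), and reads memory from the PT_LOAD segments. A segment whose p_memsz exceeds its p_filesz is exactly the "gap" case: the tail was not written to the dump, so the reader returns zero bytes for it instead of misreading the next segment's data. The segment addresses, note payload and byte patterns are constructed test data.

```python
"""Minimal ELF64 core-file parser (added example).

Walks the program headers of an ET_CORE image, decodes PT_NOTE entries and
reads process memory from PT_LOAD segments. Bytes beyond a segment's
p_filesz but inside its p_memsz were not written to the dump (zero pages or
an excluded mapping) and are returned as zeros."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_CORE, EM_X86_64 = 4, 62
PT_LOAD, PT_NOTE = 1, 4
NT_PRSTATUS = 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte ELF64 program header


def parse_core(data):
    """Return (phdrs, notes); raise ValueError on anything malformed."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:          # EI_CLASS=ELFCLASS64, EI_DATA=LSB
        raise ValueError("only ELF64 little-endian is handled")
    f = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = f[1], f[5], f[9], f[10]
    if e_type != ET_CORE:
        raise ValueError("e_type %d is not ET_CORE" % e_type)
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * PHDR.size
        if off + PHDR.size > len(data):
            raise ValueError("program header table truncated")
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz, _ = PHDR.unpack_from(data, off)
        if p_off + p_filesz > len(data) or (p_type == PT_LOAD and p_memsz < p_filesz):
            raise ValueError("segment %d inconsistent with file size" % i)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_off,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    notes = []
    for ph in phdrs:
        if ph["type"] == PT_NOTE:
            notes.extend(parse_notes(data[ph["offset"]:ph["offset"] + ph["filesz"]]))
    return phdrs, notes


def parse_notes(blob):
    """Note = namesz, descsz, type (u32 each), then name and desc, each 4-byte padded."""
    notes, pos = [], 0
    while pos + 12 <= len(blob):
        namesz, descsz, n_type = struct.unpack_from("<III", blob, pos)
        pos += 12
        name = blob[pos:pos + namesz].rstrip(b"\0").decode("ascii", "replace")
        pos += (namesz + 3) & ~3
        desc = blob[pos:pos + descsz]
        pos += (descsz + 3) & ~3
        notes.append((name, n_type, desc))
    return notes


def read_memory(data, phdrs, vaddr, size):
    """Bytes at virtual address `vaddr`, or None if no PT_LOAD covers the range.
    The part of the range past p_filesz (but within p_memsz) reads as zeros."""
    for ph in phdrs:
        if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr and vaddr + size <= ph["vaddr"] + ph["memsz"]:
            rel = vaddr - ph["vaddr"]
            present = data[ph["offset"] + rel: ph["offset"] + min(rel + size, ph["filesz"])]
            return present + b"\0" * (size - len(present))
    return None


def encode_note(name, n_type, desc):
    nm = name.encode() + b"\0"
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(nm), len(desc), n_type) + pad(nm) + pad(desc)


def build_sample_core(segments, notes):
    """Construct a synthetic core (test data, not a real crash dump).
    segments: list of (vaddr, bytes_present_in_file, memsz)."""
    note_blob = b"".join(encode_note(*n) for n in notes)
    phnum = 1 + len(segments)
    cursor = EHDR.size + phnum * PHDR.size
    phdrs = [PHDR.pack(PT_NOTE, 0, cursor, 0, 0, len(note_blob), 0, 1)]  # real cores use memsz 0 here
    body = [note_blob]
    cursor += len(note_blob)
    for vaddr, present, memsz in segments:
        assert memsz >= len(present)
        phdrs.append(PHDR.pack(PT_LOAD, 6, cursor, vaddr, 0, len(present), memsz, 0x1000))
        body.append(present)
        cursor += len(present)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_CORE, EM_X86_64, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + b"".join(body)


if __name__ == "__main__":
    core = build_sample_core(
        [(0x400000, b"\x55\x48\x89\xe5" * 4, 0x1000),   # .text, fully present in the file
         (0x7ffd0000, b"STACK", 0x2000)],              # stack, mostly not dumped
        [("CORE", NT_PRSTATUS, b"\0" * 336)])
    phdrs, notes = parse_core(core)
    for ph in phdrs:
        print("type=%d vaddr=%#x filesz=%#x memsz=%#x" % (ph["type"], ph["vaddr"], ph["filesz"], ph["memsz"]))
    print([(n, t, len(d)) for n, t, d in notes])
    print(read_memory(core, phdrs, 0x7ffd0003, 8))
```

Run it directly to see the segment table and a read that straddles the dumped/undumped boundary of the stack segment; gdb and objdump make the same filesz/memsz distinction when they refuse to show "not dumped" pages.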
a remote host over a network (which is a security risk). Users of IBM mainframes running z/OS can browse SVC and transaction dumps using Interactive Problem Control System (IPCS), a full-screen dump reader which was originally introduced in OS/VS2 (MVS), supports user-written scripts in REXX and supports point-and-shoot browsing of dumps. In older and simpler operating systems, each process had
a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased. Rootkits and their payloads have many uses: In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of
a rootkit or bootkit does not compromise the system at its most fundamental level. Forcing a complete dump of virtual memory will capture an active rootkit (or a kernel dump in the case of a kernel-mode rootkit), allowing offline forensic analysis to be performed with a debugger against the resulting dump file, without the rootkit being able to take any measures to cloak itself. This technique
a rootkit. The method is complex and is hampered by a high incidence of false positives. Defective rootkits can sometimes introduce very obvious changes to a system: the Alureon rootkit crashed Windows systems after a security update exposed a design flaw in its code. Logs from a packet analyzer, firewall, or intrusion prevention system may present evidence of rootkit behaviour in a networked environment. Antivirus products rarely catch all viruses in public tests (depending on what
a similar way by injecting an ACPI SLIC (System Licensed Internal Code) table in the RAM-cached version of the BIOS during boot, in order to defeat the Windows Vista and Windows 7 activation process. This vector of attack was rendered useless in the (non-server) versions of Windows 8, which use a unique, machine-specific key that can only be used by that one machine. Many antivirus companies provide free utilities and programs to remove bootkits. Rootkits have been created as Type II Hypervisors in academia as proofs of concept. By exploiting hardware virtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts
a snapshot of selected storage blocks, rather than all of the storage used by the application or operating system. Core dumps can serve as useful debugging aids in several situations. On early standalone or batch-processing systems, core dumps allowed a user to debug a program without monopolizing the (very expensive) computing facility for debugging; a printout could also be more convenient than debugging using front panel switches and lights. On shared computers, whether time-sharing, batch processing, or server systems, core dumps allow off-line debugging of
a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information. Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating system. In
a target application. Injection mechanisms include: ...since user mode applications all run in their own memory space, the rootkit needs to perform this patching in the memory space of every running application. In addition, the rootkit needs to monitor the system for any new applications that execute and patch those programs' memory space before they fully execute. Kernel-mode rootkits run with
a trojan called NTRootkit created by Greg Hoglund. It was followed by HackerDefender in 2003. The first rootkit targeting Mac OS X appeared in 2009, while the Stuxnet worm was the first to target programmable logic controllers (PLC). In 2005, Sony BMG published CDs with copy protection and digital rights management software called Extended Copy Protection, created by software company First 4 Internet. The software included
a user that the rootkit is beneficial. The installation task is made easier if the principle of least privilege is not applied, since the rootkit then does not have to explicitly request elevated (administrator-level) privileges. Other classes of rootkits can be installed only by someone with physical access to the target system. Some rootkits may also be installed intentionally by the owner of
a variety of techniques to gain control of a system; the type of rootkit influences the choice of attack vector. The most common technique leverages security vulnerabilities to achieve surreptitious privilege escalation. Another approach is to use a Trojan horse, deceiving a computer user into trusting the rootkit's installation program as benign; in this case, social engineering convinces
is a result of direct attack on a system, i.e. exploiting a vulnerability (such as privilege escalation) or a password (obtained by cracking or social engineering tactics like "phishing"). Once installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it. Rootkit detection
is able to detect and remove some classes of rootkits. Also, Windows Defender Offline can remove rootkits, as it runs from a trusted environment before the operating system starts. Some antivirus scanners can bypass file system APIs, which are vulnerable to manipulation by a rootkit. Instead, they access raw file system structures directly, and use this information to validate the results from
is an anti-theft technology system that researchers showed can be turned to malicious purposes. Intel Active Management Technology, part of Intel vPro, implements out-of-band management, giving administrators remote administration, remote management, and remote control of PCs with no involvement of the host processor or BIOS, even when the system is powered off. Remote administration includes remote power-up and power-down, remote reset, redirected boot, console redirection, pre-boot access to BIOS settings, programmable filtering for inbound and outbound network traffic, agent presence checking, out-of-band policy-based alerting, access to system information, such as hardware asset information, persistent event logs, and other information that
ZeroAccess botnet - Misplaced Pages Continue
is considerably more complex, requiring careful scrutiny of the System Call Table to look for hooked functions where the malware may be subverting system behavior, as well as forensic scanning of memory for patterns that indicate hidden processes. Unix rootkit detection offerings include Zeppoo, chkrootkit, rkhunter and OSSEC. For Windows, detection tools include Microsoft Sysinternals RootkitRevealer, Avast Antivirus, Sophos Anti-Rootkit, F-Secure, Radix, GMER, and WindowsSCOPE. Any rootkit detectors that prove effective ultimately contribute to their own ineffectiveness, as malware authors adapt and test their code to escape detection by well-used tools. Detection by examining storage while
is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavior-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of
is highly specialized, and may require access to non-public source code or debugging symbols. Memory dumps initiated by the operating system cannot always be used to detect a hypervisor-based rootkit, which is able to intercept and subvert the lowest-level attempts to read memory; a hardware device, such as one that implements a non-maskable interrupt, may be required to dump memory in this scenario. Virtual machines also make it easier to analyze
is more difficult to write. The complexity makes bugs common, and any bugs in code operating at the kernel level may seriously impact system stability, leading to discovery of the rootkit. One of the first widely known kernel rootkits was developed for Windows NT 4.0 and released in Phrack magazine in 1999 by Greg Hoglund. Kernel rootkits can be especially difficult to detect and remove because they operate at
is spread by the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or by including it as a hidden additional payload in an executable that announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network in order to have
is stored in dedicated memory (not on the hard drive) where it is accessible even if the OS is down or the PC is powered off. Some of these functions require the deepest level of rootkit, a second non-removable spy computer built around the main computer. Sandy Bridge and future chipsets have "the ability to remotely kill and restore a lost or stolen PC via 3G". Hardware rootkits built into the chipset can help recover stolen computers, remove data, or render them useless, but they also present privacy and security concerns of undetectable spying and redirection by management or hackers who might gain control. Rootkits employ
is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected. In other words, rootkit detectors that work while running on infected systems are only effective against rootkits that have some defect in their camouflage, or that run with lower user-mode privileges than
is the "evil maid attack", in which an attacker installs a bootkit on an unattended computer. The envisioned scenario is a maid sneaking into the hotel room where the victims left their hardware. The bootkit replaces the legitimate boot loader with one under their control. Typically the malware loader persists through the transition to protected mode when the kernel has loaded, and is thus able to subvert
is the GNU binutils' objdump. On modern Unix-like operating systems, administrators and programmers can read core dump files using the GNU Binutils Binary File Descriptor library (BFD), and the GNU Debugger (gdb) and objdump that use this library. This library will supply the raw data for a given address in a memory region from a core dump; it does not know anything about variables or data structures in that memory region, so
is used and to what extent), even though security software vendors incorporate rootkit detection into their products. Should a rootkit attempt to hide during an antivirus scan, a stealth detector may notice; if the rootkit attempts to temporarily unload itself from the system, signature detection (or "fingerprinting") can still find it. This combined approach forces attackers to implement counterattack mechanisms, or "retro" routines, that attempt to terminate antivirus programs. Signature-based detection methods can be effective against well-published rootkits, but less so against specially crafted, custom-built rootkits. Another method that can detect rootkits compares "trusted" raw data with "tainted" content returned by an API. For example, binaries present on disk can be compared with their copies within operating memory (in some operating systems,
the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept. Over time, DOS-virus cloaking methods became more sophisticated. Advanced techniques included hooking low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files. The first malicious rootkit for the Windows NT operating system appeared in 1999:
the IBM 7090 included a System Core-Storage Dump Program that supported post-mortem and snap dumps. On the IBM System/360, the standard operating systems wrote formatted ABEND and SNAP dumps, with the addresses, registers, storage contents, etc., all converted into printable forms. Later releases added the ability to write unformatted dumps, called at that time core image dumps (also known as SVC dumps). In modern operating systems,
the System Service Descriptor Table (SSDT), or modify the gates between user mode and kernel mode, in order to cloak itself. Similarly for the Linux operating system, a rootkit can modify the system call table to subvert kernel functionality. It is common that a rootkit creates a hidden, encrypted filesystem in which it can hide other malware or original copies of files it has infected. Operating systems are evolving to counter
the operating system, so that the system can go back into operation immediately. Core dumps allow a user to save a crash for later or off-site analysis, or comparison with other crashes. For embedded computers, it may be impractical to support debugging on the computer itself, so analysis of a dump may take place on a different computer. Some operating systems such as early versions of Unix did not support attaching debuggers to running processes, so core dumps were necessary to run
the program counter and stack pointer, memory management information, and other processor and operating system flags and information. A snapshot dump (or snap dump) is a memory dump requested by the computer operator or by the running program, after which the program is able to continue. Core dumps are often used to assist in diagnosing and debugging errors in computer programs. On many operating systems,
the Windows kernel-mode dumps, Debugging Tools for Windows are used. A user-mode memory dump, also known as a minidump, is a memory dump of a single process. It contains selected data records: full or partial (filtered) process memory; a list of the threads with their call stacks and state (such as registers or TEB); information about handles to the kernel objects; and a list of loaded and unloaded libraries. The full list of options is available in the MINIDUMP_TYPE enum. The NASA Voyager program
the application using the library to read the core dump will have to determine the addresses of variables and determine the layout of data structures itself, for example by using the symbol table for the program undergoing debugging. Analysts of crash dumps from Linux systems can use kdump or the Linux Kernel Crash Dump (LKCD). Core dumps can save the context (state) of a process at a given point in time for returning to it later. Systems can be made highly available by transferring core between processors, sometimes via core dump files themselves. Core can also be dumped onto
the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the login command or the updated compiler would not reveal any malicious code. This exploit was equivalent to a rootkit. The first documented computer virus to target the personal computer, discovered in 1986, used cloaking techniques to hide itself:
the behavior of core parts of an operating system through loading code into other processes, the installation or modification of drivers, or kernel modules. Obfuscation techniques include concealing running processes from system-monitoring mechanisms and hiding system files and other configuration data. It is not uncommon for a rootkit to disable the event logging capacity of an operating system, in an attempt to hide evidence of an attack. Rootkits can, in theory, subvert any operating system activities. The "perfect rootkit" can be thought of as similar to
the code has been modified since installation time; subversion prior to that time is not detectable. The fingerprint must be re-established each time changes are made to the system: for example, after installing security updates or a service pack. The hash function creates a message digest, a relatively short code calculated from each bit in the file using an algorithm that creates large changes in
the complete contents of the dumped regions of the address space of the dumped process. Depending on the operating system, the dump may contain few or no data structures to aid interpretation of the memory regions. In these systems, successful interpretation requires that the program or user trying to interpret the dump understands the structure of the program's memory use. A debugger can use
the computer user: There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode. User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes. They have
the contents of the applicable memory, modern operating systems typically generate a file containing an image of the memory belonging to the crashed process, or the memory images of parts of the address space related to that process, along with other information such as the values of processor registers, program counter, system flags, and other information useful in determining the root cause of
the crash. These files can be viewed as text, printed, or analysed with specialised tools such as elfdump on Unix and Unix-like systems, objdump and kdump on Linux, IPCS (Interactive Problem Control System) on IBM z/OS, DVF (Dump Viewing Facility) on IBM z/VM, WinDbg on Microsoft Windows, Valgrind, or other debuggers. In some operating systems an application or operator may request
the detection software in the kernel. As with computer viruses, the detection and elimination of rootkits is an ongoing struggle between both sides of this conflict. Detection can take a number of different approaches, including looking for virus "signatures" (e.g. antivirus software), integrity checking (e.g. digital signatures), difference-based detection (comparison of expected vs. actual results), and behavioral detection (e.g. monitoring CPU usage or network traffic). For kernel-mode rootkits, detection
the exchange's transaction log, alarms and access commands related to the surveillance capability. The rootkit was discovered after the intruders installed a faulty update, which caused SMS texts to be undelivered, leading to an automated failure report being generated. Ericsson engineers were called in to investigate the fault and discovered the hidden data blocks containing the list of phone numbers being monitored, along with
the existence of other software. The term rootkit is a compound of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware. Rootkit installation can be automated, or an attacker can install it after having obtained root or administrator access. Obtaining this access
the existing rootkit on affected systems. One BBC analyst called it a "public relations nightmare." Sony BMG released patches to uninstall the rootkit, but the uninstaller exposed users to an even more serious vulnerability. The company eventually recalled the CDs. In the United States, a class-action lawsuit was brought against Sony BMG. The Greek wiretapping case 2004–05, also referred to as Greek Watergate, involved
the file for inspection, or by making code modifications only in memory or in configuration registers, which are later compared to a whitelist of expected values. The code that performs hash, compare, or extend operations must also be protected; in this context, the notion of an immutable root of trust holds that the very first code to measure security properties of a system must itself be trusted to ensure that
the first layers of defence against a rootkit, to prevent it from being able to install. Applying security patches, implementing the principle of least privilege, reducing the attack surface and installing antivirus software are some standard security best practices that are effective against all classes of malware. New secure boot specifications like UEFI have been designed to address the threat of bootkits, but even these are vulnerable if
the guest operating system. For example, timing differences may be detectable in CPU instructions. The "SubVirt" laboratory rootkit, developed jointly by Microsoft and University of Michigan researchers, is an academic example of a virtual-machine-based rootkit (VMBR), while Blue Pill software is another. In 2009, researchers from Microsoft and North Carolina State University demonstrated
the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but
the illegal telephone tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004 and were removed in March 2005 without discovering the identity of the perpetrators. The intruders installed a rootkit targeting Ericsson's AXE telephone exchange. According to IEEE Spectrum, this
the in-memory image should be identical to the on-disk image), or the results returned from file system or Windows Registry APIs can be checked against raw structures on the underlying physical disks; however, in the case of the former, some valid differences can be introduced by operating system mechanisms like memory relocation or shimming. A rootkit may detect the presence of such a difference-based scanner or virtual machine (the latter being commonly used to perform forensic analysis), and adjust its behaviour so that no differences can be detected. Difference-based detection
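Cross-view comparison of the kind described above and in the earlier "trusted raw data versus tainted API content" passage, as an added example that is not part of the original article or of any tool it names. The "API" view of running processes is the directory listing of /proc (what ps and top read, and what a readdir-hooking rootkit filters); the lower-level view probes every PID with kill(pid, 0), which takes a different path through the kernel. A PID that the probe finds but the listing omits is a candidate hidden process. Processes start and exit between the two samples, so a single snapshot is noisy; the check is repeated and only discrepancies that persist are reported. Legitimate sources of difference, such as a /proc mounted with hidepid=2, still have to be whitelisted by the operator, which is the caveat the paragraph above raises. The Linux helpers are real calls; the PIDs in the demo are constructed.

```python
"""Cross-view (difference-based) hidden-process check for Linux (added example).

Compares two independent answers to "which PIDs exist": the /proc directory
listing (the API view a rootkit typically hooks) and a kill(pid, 0) probe of
every PID (a raw view through a different kernel path)."""
import os

DEFAULT_PID_MAX = 32768


def proc_listing_view():
    """API-level view: numeric entries in /proc (what ps/top use)."""
    try:
        return {int(name) for name in os.listdir("/proc") if name.isdigit()}
    except OSError:
        return set()


def kill_probe_view(pid_max=None):
    """Raw view: kill(pid, 0) delivers no signal but reports existence.
    EPERM means the process exists but belongs to another user, so it counts.
    On hosts with pid_max raised to 4194304 this takes a few seconds."""
    if pid_max is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                pid_max = int(fh.read())
        except (OSError, ValueError):
            pid_max = DEFAULT_PID_MAX
    present = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        present.add(pid)
    return present


def cross_view_hidden(api_view, raw_view, rounds=2, ignore=frozenset()):
    """PIDs seen by raw_view but missing from api_view in *every* round.

    Both views are zero-argument callables so the comparison can be repeated
    (filtering the race where a process starts or exits between samples) and
    so constructed views can be supplied for testing. `ignore` holds PIDs the
    operator has explained legitimately (e.g. hidepid=2 hiding other users'
    processes), since a difference alone is not proof of a rootkit."""
    persistent = None
    for _ in range(rounds):
        discrepancy = set(raw_view()) - set(api_view())
        persistent = discrepancy if persistent is None else persistent & discrepancy
    return sorted(persistent - set(ignore))


def demo():
    """Constructed views, not a real system: PID 4242 is hidden from the API
    view in both rounds; PID 999 is a short-lived process present only in the
    first raw sample and must not be reported."""
    raw_samples = iter([{1, 2, 999, 4242}, {1, 2, 4242}])
    api_samples = iter([{1, 2}, {1, 2}])
    return cross_view_hidden(lambda: next(api_samples), lambda: next(raw_samples))


if __name__ == "__main__":
    print("constructed demo ->", demo())
    if os.path.isdir("/proc"):
        print("this host ->", cross_view_hidden(proc_listing_view, kill_probe_view))
```

The probe is the same trick the unhide tool family uses; a rootkit that hooks both getdents and kill (or filters at the task-list level) defeats it, which is why the article's other approaches, offline memory dumps in particular, remain necessary.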
the kernel. For example, the "Stoned Bootkit" subverts the system by using a compromised boot loader to intercept encryption keys and passwords. In 2010, the Alureon rootkit successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record. Although not malware in the sense of doing something the user doesn't want, certain "Vista Loader" or "Windows Loader" software work in
the lecture he gave upon receiving the Turing Award in 1983, Ken Thompson of Bell Labs, one of the creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit. The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user's correct password, but an additional "backdoor" password known to
The memory of a compromised machine from the underlying hypervisor, so some rootkits will avoid infecting virtual machines for this reason. Manual removal of a rootkit is often extremely difficult for a typical computer user, but a number of security-software vendors offer tools to automatically detect and remove some rootkits, typically as part of an antivirus suite. As of 2005, Microsoft's monthly Windows Malicious Software Removal Tool
The message digest with even smaller changes to the original file. By recalculating and comparing the message digest of the installed files at regular intervals against a trusted list of message digests, changes in the system can be detected and monitored, as long as the original baseline was created before the malware was added. More sophisticated rootkits are able to subvert the verification process by presenting an unmodified copy of
The operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement or specialized equipment. The term rootkit, rkit, or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access. If an intruder could replace the standard administrative tools on
The operating system. ZeroAccess also hooks itself into the TCP/IP stack to help with the click fraud. The software also looks for the Tidserv malware and removes it if it finds it.

Rootkit

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or
The principal form of random-access memory from the 1950s to the 1970s. The name has remained long after magnetic-core technology became obsolete. The earliest core dumps were paper printouts of the contents of memory, typically arranged in columns of octal or hexadecimal numbers (a "hex dump"), sometimes accompanied by their interpretations as machine language instructions, text strings, or decimal or floating-point numbers (cf. disassembler). As memory sizes increased and post-mortem analysis utilities were developed, dumps were written to magnetic media like tape or disk. Instead of only displaying
The rootkit and illicit monitoring software. Modern rootkits do not elevate access, but rather are used to make another software payload undetectable by adding stealth capabilities. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, or computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example,
The same security level as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. Any software, such as antivirus software, running on the compromised system is equally vulnerable. In this situation, no part of the system can be trusted. A rootkit can modify data structures in the Windows kernel using a method known as direct kernel object manipulation (DKOM). This method can be used to hide processes. A kernel-mode rootkit can also hook
The security features they offer are not utilized. For server systems, remote server attestation using technologies such as Intel Trusted Execution Technology (TXT) provides a way of verifying that servers remain in a known good state. For example, Microsoft BitLocker's encryption of data-at-rest verifies that servers are in a known "good state" on bootup. PrivateCore vCage is a software offering that secures data-in-use (memory) to avoid bootkits and rootkits by verifying servers are in
The suspect operating system is not operational can miss rootkits not recognised by the checking software, as the rootkit is not active and suspicious behavior is suppressed; conventional anti-malware software running with the rootkit operational may fail if the rootkit hides itself effectively. The best and most reliable method for operating-system-level rootkit detection is to shut down the computer suspected of infection, and then to check its storage by booting from an alternative trusted medium (e.g.
The system APIs to identify any differences that may be caused by a rootkit. There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media. This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits. Booting an alternative operating system from trusted media can allow an infected system volume to be mounted and potentially safely cleaned, and critical data to be copied off, or, alternatively,
The system or somebody authorized by the owner, e.g. for the purpose of employee monitoring, rendering such subversive techniques unnecessary. Some malicious rootkit installations are commercially driven, with a pay-per-install (PPI) compensation method typical for distribution. Once installed, a rootkit takes active measures to obscure its presence within the host system through subversion or evasion of standard operating system security tools and application programming interfaces (APIs) used for diagnosis, scanning, and monitoring. Rootkits achieve this by modifying
The system switches to host mode. The VTW in host mode detects, traces, and classifies rootkit events based on memory access control and event injection mechanisms. Experimental results demonstrate the VTW's effectiveness in timely detection and defense against kernel rootkits with minimal CPU overhead (less than 2%). The VTW compares favorably to other defense schemes, emphasizing its simplicity of implementation and potential performance gains on Linux servers.

Core dump

In computing,
The target operating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the original operating system. Unlike normal hypervisors, they do not have to load before the operating system, but can load into an operating system before promoting it into a virtual machine. A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by
The threat of kernel-mode rootkits. For example, 64-bit editions of Microsoft Windows now implement mandatory signing of all kernel-level drivers in order to make it more difficult for untrusted code to execute with the highest privileges in a system. A kernel-mode rootkit variant called a bootkit can infect startup code like the Master Boot Record (MBR), Volume Boot Record (VBR), or boot sector, and in this way can be used to attack full disk encryption systems. An example of such an attack on disk encryption
The user click on an advertisement that redirects them to a site hosting the malicious software itself. Finally, a third infection vector used is an affiliate scheme where third-party persons are paid for installing the rootkit on a system. In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective, though, because not all C&C servers were seized, and its peer-to-peer command and control component
Was "the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch." The rootkit was designed to patch the memory of the exchange while it was running, enable wiretapping while disabling audit logs, patch the commands that list active processes and active data blocks, and modify the data block checksum verification command. A "backdoor" allowed an operator with sysadmin status to deactivate
Was probably the first craft to routinely utilize the core dump feature in the Deep Space segment. The core dump feature is a mandatory telemetry feature for the Deep Space segment, as it has been proven to minimize system diagnostic costs. The Voyager craft uses routine core dumps to spot memory damage from cosmic ray events. Space mission core dump systems are mostly based on existing toolkits for
Was unaffected, meaning the botnet could still be updated at will. Once a system has been infected with the ZeroAccess rootkit, it will start one of the two main botnet operations: bitcoin mining or click fraud. Machines involved in bitcoin mining generate bitcoins for their controller, the estimated worth of which was 2.7 million US dollars per year in September 2012. The machines used for click fraud simulate clicks on website advertisements paid for on
Was used by Russinovich's RootkitRevealer tool to find the Sony DRM rootkit. Code signing uses public-key infrastructure to check if a file has been modified since being digitally signed by its publisher. Alternatively, a system owner or administrator can use a cryptographic hash function to compute a "fingerprint" at installation time that can help to detect subsequent unauthorized changes to on-disk code libraries. However, unsophisticated schemes check only whether