Some Observations on Rootkits
Getting hit by a live rootkit infection is among the more unfortunate fates that can befall an unsuspecting computer user. A rootkit burrows deep into the system, modifying it at a low level in order to hide itself and other malware, and from there fights off attempts at deactivation and removal. While real-time protection can block the rootkit from becoming active to begin with, if the computer is already infected by a rootkit, things get more interesting. Antimalware technologies must use sophisticated techniques to scan for and detect, and finally to remove, a lurking rootkit. In reviewing the telemetry we receive from some of our antirootkit-related features, a few interesting things stand out.
How big is the rootkit problem?
Of all infections reported from client machines, low-level rootkits represent about 7% of infections.
Of course, measuring the prevalence of rootkits is not entirely straightforward; by definition rootkits do everything they can to remain unseen. When we added some additional checks to our default scheduled scan to look for files that are hidden from Windows API calls, some threats that had appeared relatively benign suddenly revealed that they had moved to using a rootkit to try to avoid detection:
Worst of the worst
In terms of the most prevalent rootkits we see in the wild, the Alureon family wins hands-down, accounting for more than 60% of total rootkit reports:
You can learn more about these top families in the Malware Encyclopedia:
This list includes threats that tried to run and were blocked by real-time protection. If we look at threats that had files detected as being actively hidden on disk from Windows, we get a somewhat different picture.
Rootkits in their natural habitat
Rootkits tend to hide their malicious binaries on disk in predetermined locations. Here are the most popular locations we see hidden rootkit binaries living on the hard disk:
| Rank | Location | Example |
|---|---|---|
| 1 | %system%\drivers | c:\windows\system32\drivers |
| 2 | user temp | c:\Users\username\AppData\Local\Temp |
| 3 | %system% | c:\windows\system32 |
| 4 | system drive root | c:\ |
| 5 | windows temp | c:\windows\temp |
| 6 | %windows% | c:\windows |
| 7 | install folder | location installer was run from |
Windows may not show anything unusual in these locations, but a more thorough antirootkit scan can shine a light on the hidden rootkit threats and take appropriate action.
Hidden file types
In terms of the type of file being hidden on users' computers, drivers come out on top. Since most rootkits use a kernel-mode driver, this is not surprising.
| Type | % of rootkit threats |
|---|---|
| SYS | 59% |
| EXE | 40% |
| DLL | 1% |
Kernel-health screening
Currently the most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel. When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel.
Here's a sample of report volume showing computers that have had their Windows kernel altered, across a recent consecutive 10-day period:
That's about 1 in 100 computers. Digging into the results, we see that a lot of software is modifying the Windows kernel for various reasons. While much of this software is not specifically malicious, modifying the kernel can lead to system instability as well as make it easier for rootkits to hide. If the kernel is already hooked by a "legitimate" program, the rootkit can hook at the next level, making it more difficult to trace the hook chain to the malicious code.
An unspoiled landscape
As Joe pointed out in his recent post on the 64-bit malware landscape, running 64-bit Windows offers even more protection for customers. For the rootkit space, the difference between 64-bit and 32-bit is even more pronounced.
In fact, it's likely that an even smaller percentage of the reported rootkit threats from 64-bit computers were actually able to successfully become active and hide anything. Enforced driver signing and features such as Kernel Patch Protection make 64-bit Windows a much more hostile environment for rootkits.
Parting thoughts
We expect that malware authors will continue to seek ways to fly under the radar, just as we will continue to evolve our protection technologies to stay one step ahead of the bad guys. Regardless, here are a couple of tips to avoid getting hit by a rootkit:
- Keep real-time protection enabled: while running up-to-date antimalware software is essential, it does little good if you turn off the real-time protection feature. If you lower your defenses and a rootkit does get through, finding and removing it can be a tricky endeavor. Keep your defenses up and you're much less likely to have headaches down the road.
- Run 64-bit Windows: for the time being, users running 64-bit Windows appear to be less likely to be compromised by rootkits. While the threat landscape is constantly evolving, for now you can breathe a lot easier if you're running 64-bit Windows. If you have a choice, go with 64-bit.
Regards,
-Randy Treit