
Weekly Column - Web Application Attacks

Rootkits – The Lord of the Rings?

Vijay Mukhi

Rootkits are deemed to be very dangerous to the health of our computers. They are programs that reside at the lowest level, ring 0, of our computer systems yet go completely undetected because they hide themselves. Today, companies are writing applications that use the same rootkit techniques, but legitimately and for security purposes. In this column, we analyze why the rootkit epidemic failed to unfold.


When the Intel chip runs a program, it is told the mode, or ring, in which that program must execute. Based on the mode, the program is given the authority to use the resources of the computer. The system is divided into four rings, where ring 0 is the most powerful and ring 3 the least. Ring 1 and ring 2 are not used at all.

Windows and Linux run programs either in ring 0 (kernel mode) or ring 3 (user mode). Executable files (exe) and libraries (dll) run in ring 3, where restrictions and limitations are placed on which computer resources they can use. Device drivers, on the other hand, which interact with the hardware and the operating system, run in ring 0. There are absolutely no rules and no controls on programs running in ring 0. Ring 0 thus becomes a playfield for any intruder who writes adware, malware, viruses and the like, as the program has unrestricted access to every available resource. What’s more, ask any techie visionary and he will tell you that sooner or later all unethical programs will be written for ring 0, unlike the situation today.
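As an added illustration (not part of the original column), here is how an x86 CPU actually carries the ring: the low two bits of the CS segment selector hold the current privilege level. The decoder below splits a selector into its fields and, on an x86 machine, reads the live CS register; the sample selectors 0x33 and 0x10 are the values Linux loads into CS for user-mode and kernel code respectively.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an x86 segment selector, as loaded into CS, DS, SS, etc. */
typedef struct {
    unsigned index; /* bits 3-15: entry number in the descriptor table */
    unsigned ldt;   /* bit 2: 0 = selector refers to the GDT, 1 = to the LDT */
    unsigned rpl;   /* bits 0-1: privilege level, i.e. the ring (0-3) */
} selector_t;

/* Split a 16-bit selector into its fields. For the CS register, the low
 * two bits are the CPL: the ring the CPU is currently executing in. */
selector_t decode_selector(uint16_t sel)
{
    selector_t s;
    s.rpl   = sel & 0x3u;
    s.ldt   = (sel >> 2) & 0x1u;
    s.index = sel >> 3;
    return s;
}

/* Ring this process is running in, taken from the live CS register.
 * Returns -1 on non-x86 CPUs, which have no ring model to read. */
int current_ring(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return (int)decode_selector(cs).rpl;
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed samples: 0x33 and 0x10 are the selectors Linux uses
     * for its user-mode and kernel code segments respectively. */
    uint16_t samples[] = { 0x33, 0x10 };
    for (unsigned i = 0; i < 2; i++) {
        selector_t s = decode_selector(samples[i]);
        printf("selector 0x%02x: index=%u table=%s ring=%u\n",
               samples[i], s.index, s.ldt ? "LDT" : "GDT", s.rpl);
    }
    /* An ordinary process always reports ring 3 here; only kernel code
     * (drivers, the OS itself) would ever observe ring 0. */
    printf("this program runs in ring %d\n", current_ring());
    return 0;
}
```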

Rootkits : the Malware Epidemic that Never Happened

Rootkits started off in the Unix environment, where the hacker would masquerade as root (the administrator) and gain control over the entire filesystem. A rootkit writer is basically a smart hacker who knows how to write malware for ring 0 and make his code invisible. Viruses and their vaccines are generally written for ring 3, so viruses can be easily detected and eliminated; such is not the case for rootkits. However, the growth of rootkits has slowed down, and we list a few reasons for this below.

Writing Code for Ring 0 ain’t Easy

Once a rootkit is installed in ring 0, the OS and the malware work at the same level and have full control of the computer’s resources. However, writing a rootkit for ring 0 is not that easy. One must be knowledgeable about coding in ring 0 as well as about writing device drivers. Even a simple cut and paste of rootkit code from the Internet does not work, let alone modifying it. Most hackers have simply given up on the thought of rootkits because of the vast complexities involved in writing one. Rootkits can also be written for ring 3, in user mode; these are far simpler, but they are less powerful than their ring 0 cousins. Writing an e-mail virus, a Firefox extension or a browser helper object for Internet Explorer turns out to be child’s play by comparison.

The Undocumented Kernel

Microsoft has tried hard to close as many doors as possible in ring 0. They have introduced a technology called Kernel Patch Protection, which at present works only with 64-bit operating systems, though not for too long.

It must be noted that the Windows kernel plays a significant role when it comes to hiding code or making it invisible to the operating system. However, Microsoft has not documented the kernel code. In this way, they have tried to dissuade people from writing code based on the internals of ring 0. As a result, any attempt to modify the kernel for rootkit coding makes Windows highly unstable. We must have rebooted a million times while testing our rootkit. To add to the problems, Microsoft updates its kernel with every new OS release. The kernel of Windows XP is very different from that of 2000 and from the newly released Vista, so getting the same rootkit to work on all these operating systems is an extremely arduous task.

No Information of New Rootkits

To make matters worse, there is very little information available on rootkits these days. There was a time when rootkit.com, a site dedicated to rootkits and device driver programming, mentioned every rootkit under the sun. Nowadays, rootkit writers have become a lot more professional and would rather hawk their skills to governments and crime syndicates. The rootkit world has suddenly gone underground. This is dangerous because new rootkits and malware are being misused for phishing or for stealing money and data from financial institutions, companies and governments, and one is completely ignorant of their presence.

Instability Caused by Rootkit Removal Tools

Coding for ring 0 and coding for ring 3 are as different as chalk and cheese. Therefore the rules for detecting ring 0 malware and ring 3 malware will never be the same. The anti-virus companies are now focused on rootkit removal tools besides writing fast signature scanning tools for ring 3 malware. But given the kind of grip a rootkit holds, there is no guarantee that Windows will remain stable after its removal.

There is an open source rootkit called futo which hides programs from Windows. Since the program is in the public domain, it is easy to identify its workings and devise a removal tool. The problem is that if you try to unhide futo by reversing its techniques, Windows becomes unstable. The only way out is a fresh and clean format.

The rootkit world is fraught with danger, as most anti-rootkit removers do not guarantee that your machine will be functional after a rootkit is removed. Rarely does one come across a product downloaded from the net that does not contain some malware. The recent Sony rootkit incident confirms the great misuse of this technology.

Hypothetical Solutions

Machines can be installed with the latest patches and all the known anti-virus products duly updated, yet there is still no guarantee that no malware is sitting on them. There is no product on earth that can certify a machine free of malware, Windows included. One hypothetical way out would be to have only the OS run in ring 0, device drivers and other non-Microsoft code in ring 1, and exe files and applications in ring 3. Microsoft must have thought about this, but the ring upgrade never happened. The minute it does, there would be mayhem and chaos in the technology world, and the malware authors would be run over. The next security measure would be a total rewrite of the internals of the Windows and Linux operating systems. Again, a far cry!

Gone are the days of the Wild West, where the meanest guy who could shoot the fastest called all the shots. Today, one is completely helpless and powerless, as nothing can be done to stop the hacker from stealing our money or our data, in spite of knowing it all. A ring 0 programmer likes to call himself the undefeated king of the cyber world, as he controls our system, our money and all the resources.

Well, we hope this situation does not last too long.
